I had been using OpenLDAP already, so when I installed MediaWiki I hoped to use Extension:LDAP Authentication to bridge the user hurdle for a site we could all share.
| Component | Version |
|---|---|
| CentOS | CentOS Linux release 8.2.2004 (Core) |
| OpenLDAP | openldap-2.4.50 |
| Apache2 | httpd-2.4.37-21.module_el8.2.0 |
| PHP | php-7.2.24-1.module_el8.2.0 |
| MariaDB | mariadb-server-10.3.17-1.module_el8.1.0 |
| MediaWiki | 1.34.2 |
| LdapAuthentication | LdapAuthentication-REL1_34-b97a26e.tar.gz |
Here was my basic config:
# Basic search criteria (domain key, host and DNs match the debug log below)
$wgLDAPDomainNames = array('extra-extra');
$wgLDAPServerNames = array('extra-extra' => 'ldapmaster.extra-extra.com');
$wgLDAPSearchAttributes = array('extra-extra' => 'uid');
# Straight bind: USER-NAME is replaced with the login name to build the user DN
$wgLDAPSearchStrings = array('extra-extra' => 'uid=USER-NAME,ou=people,dc=ldapmaster,dc=extra-extra,dc=com');
$wgLDAPBaseDNs = array('extra-extra' => 'dc=ldapmaster,dc=extra-extra,dc=com');
# Read-only account used for directory lookups (password is a placeholder)
$wgLDAPProxyAgent = array('extra-extra' => 'cn=readonly,ou=system,dc=ldapmaster,dc=extra-extra,dc=com');
$wgLDAPProxyAgentPassword = array('extra-extra' => 'password');
$wgLDAPLowerCaseUsername = array('extra-extra' => true);
$wgLDAPEncryptionType = array('extra-extra' => 'tls'); // StartTLS on port 389
$wgMinimalPasswordLength = 1;
$wgLDAPUseLocal = false;
$wgLDAPDebug = 3; //for debugging LDAP
I then tried logging in quite a bit until I discovered how to enable debug logging:
$wgDebugLogFile = "/var/log/php-fpm/mw.log";
$wgDebugLogGroups["ldap"] = "/var/log/php-fpm/ldapdebug.log";
$wgShowExceptionDetails = true; //for debugging MediaWiki
Here was the debug log output:
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Setting domain as: extra-extra
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering Connect
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Using servers: ldap://ldapmaster.extra-extra.com:389
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 userdn is: uid=Wiho,ou=people,dc=ldapmaster,dc=extra-extra,dc=com
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Did not find a matching user in LDAP
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering strict.
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Returning true in strict().
Obviously this line was the deal-breaker:
2020-07-31 00:21:23 wiki.extra-extra.com my_wiki: 2.1.0 Did not find a matching user in LDAP
I was encouraged by this comment from Bernhardsmw to start looking into the basic code (always great to do when troubleshooting), and that is when I found a fix for the problem I was seeing:
diff ~/src/LdapAuthentication/LdapAuthenticationPlugin.php extensions/LdapAuthentication/
532a533,536
>
> // If we are going to find and entry we need to bind first?
> $bindval = self::ldap_bind( $this->ldapconn, $this->getConf('ProxyAgent'), $this->getConf('ProxyAgentPassword') );
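Review bot: the proxy-agent bind result is stored in `$bindval` on the last added line but nothing in the hunk checks it, so if that bind fails (wrong `ProxyAgentPassword`, a proxy DN the server rejects, or no `ProxyAgent` configured for the domain, which turns this into an anonymous or unauthenticated bind) execution continues into the same lookup that failed before and the user is again reported as not found with no log line saying why. Test the result and stop, e.g. `if ( !$bindval ) { return false; }` after emitting a debug line through the same logging path the surrounding code uses, and only attempt the bind when a ProxyAgent is configured for the domain. The comment should also state the reason instead of asking it ("bind as the proxy agent so the following read is authenticated"), and "and entry" should read "an entry".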
The result can be seen in the next debug log snippet:
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Setting domain as: extra-extra
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering Connect
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using servers: ldap://ldapmaster.extra-extra.com:389
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Using TLS
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 userdn is: uid=Wiho,ou=people,dc=ldapmaster,dc=extra-extra,dc=com
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Found a matching user in LDAP
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering authenticate for username Wiho
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 07:07:27 wiki.extra-extra.com my_wiki: 2.1.0 Entering getDomain
However, I am not an expert with any of this, so I am wondering whether this is worth a patch, or whether there is something else wrong with my config. Perhaps a bind against the proxy agent might have worked if my config was slightly different?
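A stand-alone check script, added here as an example and not part of LdapAuthentication or the original post, that walks through the same steps the extension takes with the config above (connect, StartTLS, bind as the proxy agent, read the user's entry by its straight-bind DN, then bind as the user to verify the password) and stops at the first step that fails, printing the LDAP error for that step. Running it on the wiki host separates config problems (wrong proxy credentials, server ACLs that deny the proxy agent read access to ou=people, a TLS handshake failure) from extension bugs, and it answers the question above directly: if the proxy-agent bind and the read succeed here, the directory side is fine and the extension is the thing skipping the bind. It uses the post's placeholder host, DNs and password and calls the PHP `ldap_*` functions directly rather than the extension's `self::ldap_bind` wrapper; the script name `ldap-check.php`, the `fail()` helper and the empty-password guard are my additions.

```php
<?php
// ldap-check.php: reproduce the LdapAuthentication lookup outside MediaWiki.
// Added example, not code from the extension. Values are the post's placeholders.
// Run as: php ldap-check.php <username> <password>

const LDAP_URI         = 'ldap://ldapmaster.extra-extra.com:389';
const LDAP_PROXY_DN    = 'cn=readonly,ou=system,dc=ldapmaster,dc=extra-extra,dc=com';
const LDAP_PROXY_PW    = 'password';   // placeholder, same as the config above
const LDAP_USER_DN_TPL = 'uid=USER-NAME,ou=people,dc=ldapmaster,dc=extra-extra,dc=com';

// Print the libldap error for the step that failed and stop.
function fail( string $step, $conn ): void {
    $err = $conn ? ldap_error( $conn ) : 'no connection handle';
    fwrite( STDERR, "FAIL at $step: $err\n" );
    exit( 1 );
}

function main( array $argv ): void {
    if ( count( $argv ) < 3 ) {
        fwrite( STDERR, "usage: php ldap-check.php <username> <password>\n" );
        exit( 2 );
    }
    $username = strtolower( $argv[1] );   // mirrors $wgLDAPLowerCaseUsername = true
    $password = $argv[2];

    // Guard against the unauthenticated-bind pitfall (RFC 4513 section 5.1.2):
    // a bind with a DN and an empty password is accepted as anonymous by many
    // servers, so ldap_bind() would return true without verifying anything.
    if ( $password === '' ) {
        fwrite( STDERR, "refusing empty password (would be an unauthenticated bind)\n" );
        exit( 2 );
    }

    $conn = ldap_connect( LDAP_URI );   // like the extension, this does not connect yet
    if ( !$conn ) {
        fail( 'ldap_connect', null );
    }
    ldap_set_option( $conn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $conn, LDAP_OPT_REFERRALS, 0 );

    // $wgLDAPEncryptionType = 'tls' means StartTLS on the plain port.
    if ( !ldap_start_tls( $conn ) ) {
        fail( 'ldap_start_tls', $conn );
    }

    // Step 1: bind as the read-only proxy agent BEFORE any lookup, and check it.
    if ( !ldap_bind( $conn, LDAP_PROXY_DN, LDAP_PROXY_PW ) ) {
        fail( 'proxy agent bind', $conn );
    }
    echo "proxy agent bind OK\n";

    // Step 2: build the straight-bind DN and read that single entry.
    $userDn = str_replace( 'USER-NAME', ldap_escape( $username, '', LDAP_ESCAPE_DN ), LDAP_USER_DN_TPL );
    $res = @ldap_read( $conn, $userDn, '(objectClass=*)', [ 'uid', 'cn' ] );
    if ( $res === false ) {
        fail( "ldap_read $userDn", $conn );
    }
    $entries = ldap_get_entries( $conn, $res );
    if ( $entries['count'] !== 1 ) {
        echo "Did not find a matching user in LDAP: $userDn\n";
        exit( 1 );
    }
    echo "Found a matching user in LDAP: $userDn\n";

    // Step 3: verify the password by binding as the user on the same connection.
    if ( !ldap_bind( $conn, $userDn, $password ) ) {
        fail( 'user bind', $conn );
    }
    echo "user bind OK, authentication would succeed\n";
    ldap_unbind( $conn );
}

main( $argv );
```

Because `ldap_start_tls` goes through the system libldap, it honours the same client settings (`TLS_CACERT` in `/etc/openldap/ldap.conf` on CentOS) that the PHP process serving MediaWiki uses, so a certificate error here is the same one the extension would hit. If step 1 passes but step 2 returns "no such object" or zero entries, look at the server's ACLs for the proxy agent on the user subtree rather than at the extension.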