After updating from MediaWiki 1.34.0 to 1.34.2, and more importantly updating to the latest version of the LDAP stack for MediaWiki 1.31, we noticed users were being removed from their groups after about an hour. After enabling debug logs for the LDAP stack, it was observed that the pre-search modifiers are not being used by group sync after the cache expires (500 seconds by default).
I found that manually running the group sync maintenance script also removes the users from their groups, so I created a new wiki and used it for troubleshooting.
After reinstalling a brand new test wiki and logging in for the first time, we observe:
    2020-08-25 16:47:58 testwiki.wiki.internal wikis: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array ( 'base' => 'dc=acme,dc=com', 'filter' => '(samaccountname=caleb_cooper)', 'attributes' => array ( 0 => '*', 1 => 'memberof', ), )
    2020-08-25 16:47:58 testwiki.wiki.internal wikis: ldap_search( $linkID, $baseDN = 'dc=acme,dc=com', $filter = '(samaccountname=caleb_cooper)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );
Note the search string for my samaccountname is caleb_cooper: converted to lower case with spaces replaced by underscores, as per the pre-search modifier configuration in ldap.json.
At this point, group sync can be run manually many times and succeeds, until 500 seconds pass and the cache expires:
    bash-5.0# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Caleb_Cooper
    Syncing groups for 'Caleb Cooper' (ID:3) ...
    Old groups:
     * bureaucrat
     * editor
     * interface-admin
     * sysop
     * tech-L2
    New groups:
     * bureaucrat
     * editor
     * interface-admin
     * sysop
     * tech-L2
After 500 seconds, this is the response from group sync:
    bash-5.0# php extensions/LDAPGroups/maintenance/SyncGroups.php --user Caleb_Cooper
    Syncing groups for 'Caleb Cooper' (ID:3) ...
    Old groups:
     * bureaucrat
     * editor
     * interface-admin
     * sysop
     * tech-L2
    New groups:
     * bureaucrat
     * editor
And this is noticed in the debug logs:
    2020-08-25 16:56:39 testwiki.wiki.internal wikis: Ran LDAP search for '(samaccountname=Caleb Cooper)' in 0.010628938674927 seconds.
    2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'bureaucrat' from 'Caleb Cooper'.
    2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'editor' from 'Caleb Cooper'.
    2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'interface-admin' from 'Caleb Cooper'.
    2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'sysop' from 'Caleb Cooper'.
    2020-08-25 16:56:39 testwiki.wiki.internal wikis: Removing 'tech-L2' from 'Caleb Cooper'.
Note the search string for my samaccountname is Caleb Cooper and is not obeying the pre-search modifiers in ldap.json, shown below:
    {
        "acme.com": {
            "connection": {
                "server": "10.24.27.5",
                "port": "3268",
                "user": "CN=Servicets-ola-dev,OU=Service Accounts,DC=emea,DC=acme,DC=com",
                "pass": "-oV~;j87NXa0IKg5mUw3r?b:",
                "enctype": "clear",
                "options": {
                    "LDAP_OPT_DEREF": 1
                },
                "basedn": "dc=acme,dc=com",
                "userbasedn": "dc=acme,dc=com",
                "groupbasedn": "dc=acme,dc=com",
                "searchattribute": "samaccountname",
                "usernameattribute": "samaccountname",
                "realnameattribute": "cn",
                "emailattribute": "mail",
                "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
                "presearchusernamemodifiers": [
                    "spacestounderscores",
                    "lowercase"
                ],
                "cachetime": "60"
            },
            "userinfo": [],
            "authorization": [],
            "groupsync": {
                "mapping": {
                    "editor": "CN=Wiki_L2,OU=Groups,DC=emea,DC=acme,DC=com",
                    "tech-L2": "CN=Wiki_L2,OU=Groups,DC=emea,DC=acme,DC=com",
                    "reviewer": "CN=Wiki_L3,OU=Groups,DC=emea,DC=acme,DC=com",
                    "tech-L3": "CN=Wiki_L3,OU=Groups,DC=emea,DC=acme,DC=com",
                    "sysop": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com",
                    "bureaucrat": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com",
                    "interface-admin": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com"
                }
            }
        }
    }
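To make the divergence between the two searches concrete, here is an added Python model (not the LDAP extension's own code) of the pre-search username normalisation and of a group-sync decision that refuses to strip groups when the user lookup matched nothing. The modifier names and the group mapping are taken from the ldap.json above; the modifier implementations, the RFC 4515 escaping and the fail-closed `plan_group_sync` policy are assumptions of this example.

```python
import re

# Modifier names are the ones in ldap.json; their implementations are assumed
# here to match what the login log shows ('Caleb Cooper' -> 'caleb_cooper').
MODIFIERS = {
    "spacestounderscores": lambda s: s.replace(" ", "_"),
    "lowercase": str.lower,
}

# Group mapping copied from the "groupsync" section of ldap.json above.
SAMPLE_MAPPING = {
    "editor": "CN=Wiki_L2,OU=Groups,DC=emea,DC=acme,DC=com",
    "tech-L2": "CN=Wiki_L2,OU=Groups,DC=emea,DC=acme,DC=com",
    "reviewer": "CN=Wiki_L3,OU=Groups,DC=emea,DC=acme,DC=com",
    "tech-L3": "CN=Wiki_L3,OU=Groups,DC=emea,DC=acme,DC=com",
    "sysop": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com",
    "bureaucrat": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com",
    "interface-admin": "CN=Support_Wikis_Admins,OU=Groups,DC=emea,DC=acme,DC=com",
}

def apply_modifiers(username, modifier_names):
    """Apply the configured pre-search modifiers in the configured order."""
    for name in modifier_names:
        username = MODIFIERS[name](username)
    return username

def ldap_escape(value):
    """Escape filter metacharacters (RFC 4515) so a wiki username cannot alter the filter structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def build_user_filter(attribute, username, modifier_names):
    """Build '(samaccountname=...)'. Every code path that looks a user up must
    pass the same modifier list, otherwise login and group sync diverge as in the report."""
    return "(%s=%s)" % (attribute, ldap_escape(apply_modifiers(username, modifier_names)))

def plan_group_sync(current_groups, ldap_entries, mapping):
    """Return the wiki groups the user should end up in.
    ldap_entries is what the user search returned; an empty result is treated
    as a failed lookup rather than 'member of nothing', so a mismatched filter
    cannot silently remove every mapped group (assumed policy, not the extension's)."""
    if not ldap_entries:
        raise LookupError("user search returned no entry; refusing to sync groups")
    member_of = {dn.lower() for entry in ldap_entries for dn in entry.get("memberof", [])}
    mapped = {group for group, dn in mapping.items() if dn.lower() in member_of}
    unmanaged = set(current_groups) - set(mapping)  # groups ldap.json does not manage
    return sorted(mapped | unmanaged)
```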
I have bugged this here: