Topic on Extension talk:PluggableAuth

'local' domain configuration error

Dancabcaltech (talkcontribs)

I have a working LDAP configuration using PluggableAuth, LDAPAuthentication2, LDAPProvider, LDAPAuthorization and LDAPUserInfo.

However, I also have a need to manage local accounts. This includes a local 'Admin' account as well as legacy local user accounts which are not in LDAP.

I've tried the various 'enable local' configurations with no luck.


       $wgPluggableAuth_ButtonLabel = "Domain Log In";
       $wgPluggableAuth_EnableLocalLogin = true;
       $wgPluggableAuth_EnableLocalProperties = true;
       $LDAPAuthentication2AllowLocalLogin = true;


I'm persistently getting an error about an unconfigured 'local' domain. See error below. The only way for me to login with a local account without LDAP is to disable the LDAP* extensions. We need to have both options available. Please advise. I'm using MediaWiki 1.35.


<[f90402a644c3c663020eca3e] /Special:PluggableAuthLogin MediaWiki\Extension\LDAPProvider\LDAPNoDomainConfigException from line 61 of /var/www/html/extensions/LDAPProvider/src/DomainConfigFactory.php: No configuration available for domain 'local'!>

MarkAHershberger (talkcontribs)

Is it possible to move the Local users to LDAP? I just released WikiToLDAP that could help in this regard.

Otherwise, I'm not sure what to tell you. Using Local and LDAP logins worked for me. Maybe @Osnard has a hint?

Dancabcaltech (talkcontribs)

Thanks for the quick reply. We also need to keep the local login option in order to add new users that are not part of our LDAP.


Here's the full error message with Backtrace...


< [3a2917944f5439fb20ec8bcc] /Special:PluggableAuthLogin MediaWiki\Extension\LDAPProvider\LDAPNoDomainConfigException from line 61 of /var/www/html/extensions/LDAPProvider/src/DomainConfigFactory.php: No configuration available for domain 'local'!


Backtrace:

#0 /var/www/html/extensions/LDAPProvider/src/ClientFactory.php(61): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory(string, string)
#1 /var/www/html/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(55): MediaWiki\Extension\LDAPProvider\ClientFactory->getForDomain(string)
#2 /var/www/html/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(69): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->__construct(User, boolean)
#3 /var/www/html/includes/Hooks.php(174): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback(User, boolean)
#4 /var/www/html/includes/Hooks.php(202): Hooks::callHook(string, array, array, NULL)
#5 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(54): Hooks::run(string, array)
#6 /var/www/html/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)
#7 /var/www/html/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)
#8 /var/www/html/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#9 /var/www/html/includes/MediaWiki.php(900): MediaWiki->performRequest()
#10 /var/www/html/includes/MediaWiki.php(527): MediaWiki->main()
#11 /var/www/html/index.php(44): MediaWiki->run()
#12 {main}>

Dancabcaltech (talkcontribs)

@Osnard @MarkAHershberger

I'm trying to troubleshoot this further. Is there anywhere else in the database that the 'local' domain is configured for the extensions?

I'm using a test site which has exactly one 'local' user and one LDAP 'Caltech' user. As I mentioned, if I disable the LDAP extensions then I'm able to login using the 'local'. I can leave PluggableAuth enabled and use the local login button instead of the "Use Pluggable Auth" button.


Also, fwiw, I have a separate, older wiki installation using MW 1.32 and the simpler LDAPAuthentication extension. I have no problems there with being able to login using either 'local' or LDAP accounts.

Thanks for your help.


select * from "wikis_ldap_domains" \G

*************************** 1. row ***************************
domain_id: 1
   domain: local
  user_id: 1
*************************** 2. row ***************************
domain_id: 2
   domain: Caltech
  user_id: 2

MarkAHershberger (talkcontribs)

I'm looking over your config above and I notice that you have two local login config parameters. What happens if you take out:

 $wgPluggableAuth_EnableLocalLogin = true;

Dancabcaltech (talkcontribs)

I get the same error. I didn't have that initially but added that hoping it would help but no change.

Dancabcaltech (talkcontribs)

@Osnard @MarkAHershberger does that error message or backtrace help at all? Could this be a bug of some kind? Let me know if you need more information.

Thanks for your help.

Dancabcaltech (talkcontribs)

I was able to spend more time on troubleshooting this today by setting up a fresh test installation of MediaWiki 1.35.

I am using the LDAPAuthorization extension to restrict access to a specific LDAP group. If I disable LDAPAuthorization and allow any LDAP user then 'local' login works for the admin (sysop) user once again.

In addition, it seems the error about a 'local' domain is coming from the ldap_domains table which has that entry in my production database. My production database was upgraded from earlier versions of MediaWiki so that 'local' domain entry may just be an artefact from older wiki versions.


I'm not sure what can be done to have LDAPAuthorization enabled and still allow local logins for the admin/sysop user.

Osnard (talkcontribs)

I see ... LDAPAuthorization will check the requirements regardless of where the user is coming from. We will probably need to patch this behavior. Could you create a Phabricator task here?

73.142.152.222 (talkcontribs)

I'm seeing this exact issue after upgrading from 1.32 where I was also previously using the simple ldap plugin.

DaveMow (talkcontribs)

Previous post was mine.


Another interesting behavioral item... when:

$LDAPAuthentication2AllowLocalLogin = true;

$wgPluggableAuth_EnableLocalLogin = true;


Not only does the error about no "local" domain pop up, but entering an LDAP username and password and hitting <enter> on the keyboard fails to authenticate to the domain in the dropdown box below and attempts to use local authentication instead. However, if you click the actual login button, LDAP authentication will be used. Changing these to:

$LDAPAuthentication2AllowLocalLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;

removes this behavior and hitting <enter> with LDAP credentials uses LDAP authentication correctly.

DaveMow (talkcontribs)

It's potentially also worth noting that, when upgrading from a previous version of the LDAPAuthentication plugin to the LDAPAuthentication2 plugin, your specified domain name must be the same as it was in the previous configuration, as the user accounts are tied to THAT, not to the actual LDAP domain name.

E.g. If I previously specified an entry for my.domain.com as:

$wgLDAPDomainNames = array(
  'My_Domain_com'
);

My new ldap.json file should be:

{
        "My_Domain_com": {
                "connection": {


These items ARE case-sensitive. If you create the new ldap.json using my.domain.com instead of the originally specified domain name and try to login, you will receive errors.

Platinops (talkcontribs)

I had the same issue for my local accounts. Temporarily disabling LDAPProvider would get rid of the error message for the local accounts.


As @Dancabcaltech mentioned, the error message only popped up for users that had a "local" row in the ldap_domains table. So in the end, I was able to solve the issue by removing rows for these users in the table: DELETE FROM ldap_domains WHERE user_id=13 OR user_id=14 OR user_id=15;


My local users and LDAP users can now log in normally.
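
Added example (not part of the thread and not code from the LDAP extensions): a Python audit that compares the domain names stored in ldap_domains with the top-level keys of ldap.json, case-sensitively, so leftover 'local' rows and renamed-domain mismatches can be reviewed before any row is deleted. The function name, the sample ldap.json text and the sample rows are constructed for illustration, and it assumes the domain configuration lives in an ldap.json file.

```python
import json
from collections import defaultdict

# Constructed sample data (not taken from a real wiki).
SAMPLE_LDAP_JSON = '{"Caltech": {"connection": {}}}'
# (domain, user_id) pairs as returned by: SELECT domain, user_id FROM ldap_domains;
SAMPLE_ROWS = [("local", 1), ("Caltech", 2), ("caltech", 3)]


def audit_domains(ldap_json_text, rows):
    """Classify ldap_domains rows against the domains defined in ldap.json.

    ok            - domain matches a configured name exactly
    case_mismatch - matches only when case is ignored (names are case-sensitive)
    unconfigured  - no configuration at all, e.g. a leftover 'local' row
    """
    configured = set(json.loads(ldap_json_text))  # top-level keys are domain names
    lowered = {name.lower() for name in configured}
    report = {k: defaultdict(list) for k in ("ok", "case_mismatch", "unconfigured")}
    for domain, user_id in rows:
        if domain in configured:
            bucket = "ok"
        elif domain.lower() in lowered:
            bucket = "case_mismatch"   # fix the name in ldap.json, do not delete
        else:
            bucket = "unconfigured"    # candidates for review and cleanup
        report[bucket][domain].append(user_id)
    return {k: dict(v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, domains in audit_domains(SAMPLE_LDAP_JSON, SAMPLE_ROWS).items():
        for domain, user_ids in domains.items():
            print(f"{bucket:14} {domain!r:12} user_ids={user_ids}")
```

Rows reported as case_mismatch point at a renamed domain in ldap.json rather than at stale data, so they call for a configuration fix instead of a DELETE.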
