Topic on Talk:LDAP hub

LDAP auto account creation not working

5 comments • 14:19, 7 June 2021 2 years ago

5

2001:7C0:3100:10:0:0:0:1C4 (talkcontribs)

I Installed the LDAP Stack on my Mediawiki (version 1.35.1) and connected LDAP to my Active Directory following the linked guide Manual:Active Directory Integration.

When trying to log in, the LDAP stack successfully authenticates the user from the AD. However, I get the following error message:

"Die angegebenen Anmeldeinformationen sind mit keinem Benutzer auf diesem Wiki verknüpft." which is the German equivalent for "Credentials are not associated with any user on this wiki."

I therefore suspected, that the automatic account creation does not work. But my LocalSettings.php contains $wgGroupPermissions['*']['autocreateaccount'] = true;.

LocalSettings.php:

#

# LDAP Settings

#

// Safe IP or not (for bypassing external login via AD)

$safeIPs = array('127.0.0.1','localhost');

$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

#console_log($ipsVar . " ".$_SERVER[$ipsVar]);

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }

}

$wikiRequestSafe = (isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));

// Create Wiki-Group 'engineering' from default user group

$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['sysop']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "$IP/ldap.json";

#$ldapConfig = true;

if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {

$testJson = @json_decode(file_get_contents($ldapJsonFile),true);

if (is_array($testJson)) {

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: $IP/ldap.json");

}

// Activate Extension

if ( $ldapConfig ) {

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

wfLoadExtension( 'Auth_remoteuser' );

wfLoadExtension( 'LDAPSyncAll' );

$LDAPProviderDomainConfigs = $ldapJsonFile;

#$wgPluggableAuth_ButtonLabel = "Log In";

$wgPluggableAuth_ButtonLabel = "Mit LDAP anmelden";

#$wgPluggableAuth_EnableLocalLogin = true;

#$LDAPAuthentication2AllowLocalLogin = true;

#

#console_log("WikiRequestSafe:" . " " . $wikiRequestIP . " safe: " . implode("|",$safeIPs) . " ipsvars: " . implode("|",$ipsVars));

if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }

}

PluggableAuth Log:

2021-05-26 17:16:19 wiki-test my_wiki: In execute()

2021-05-26 17:16:19 wiki-test my_wiki: Getting PluggableAuth singleton

2021-05-26 17:16:19 wiki-test my_wiki: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2021-05-26 17:16:19 wiki-test my_wiki: Authenticated new user:

2021-05-26 17:16:20 wiki-test my_wiki: User is authorized.

LDAP Log:

2021-05-26 17:24:40 wiki-test my_wiki: ldap_connect( $hostname = 'ldap://MyActiveDirectory:389', $port = 389 );

2021-05-26 17:24:40 wiki-test my_wiki: # __METHOD__ returns Resource id #31

2021-05-26 17:24:40 wiki-test my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_bind( $linkID, $bindRDN = 'CN=myldapuser,cn=users,dc=MyActiveDirectory', $bindPassword = 'XXXX' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_search( $linkID, $baseDN = 'cn=users,dc=MyActiveDirectory', $filter = '(samaccountname=test.user)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );

2021-05-26 17:24:40 wiki-test my_wiki: # returns Resource id #46

2021-05-26 17:24:40 wiki-test my_wiki: ldap_count_entries( $linkiID, $result = 'Resource id #46' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_get_entries( $linkID, $resultID );

2021-05-26 17:24:40 wiki-test my_wiki: # returns: array (

'count' => 1,

0 =>

array (

'objectclass' =>

array (

'count' => 4,

0 => 'top',

1 => 'person',

2 => 'organizationalPerson',

3 => 'user',

),

0 => 'objectclass',

'cn' =>

array (

'count' => 1,

0 => 'test.user',

),

1 => 'cn',

'sn' =>

array (

'count' => 1,

0 => 'user',

),

2 => 'sn',

'givenname' =>

array (

'count' => 1,

0 => 'test',

),

3 => 'givenname',

'distinguishedname' =>

array (

'count' => 1,

0 => 'CN=test.user,CN=Users,dc=MyActiveDirectory',

),

4 => 'distinguishedname',

'instancetype' =>

array (

'count' => 1,

0 => '4',

),

5 => 'instancetype',

'whencreated' =>

array (

'count' => 1,

0 => '20201106163057.0Z',

),

6 => 'whencreated',

'whenchanged' =>

array (

'count' => 1,

0 => '20210524142647.0Z',

),

7 => 'whenchanged',

'displayname' =>

array (

'count' => 1,

0 => 'test.user',

),

8 => 'displayname',

'usncreated' =>

array (

'count' => 1,

0 => '98434',

),

9 => 'usncreated',

'memberof' =>

array (

'count' => 1,

0 => 'CN=mydomain-test,OU=Groups,OU=User,dc=MyActiveDirectory',

),

10 => 'memberof',

'usnchanged' =>

array (

'count' => 1,

0 => '2560462',

),

11 => 'usnchanged',

'name' =>

array (

'count' => 1,

0 => 'test.user',

),

12 => 'name',

'objectguid' =>

array (

'count' => 1,

0 => '±ÆÓ¿Hh±J¢jÊ(B4¦ð',

),

13 => 'objectguid',

'useraccountcontrol' =>

array (

'count' => 1,

0 => '512',

),

14 => 'useraccountcontrol',

'badpwdcount' =>

array (

'count' => 1,

0 => '0',

),

15 => 'badpwdcount',

'codepage' =>

array (

'count' => 1,

0 => '0',

),

16 => 'codepage',

'countrycode' =>

array (

'count' => 1,

0 => '0',

),

17 => 'countrycode',

'homedirectory' =>

array (

'count' => 1,

0 => '\\\\cifs\\users\\test.user',

),

18 => 'homedirectory',

'homedrive' =>

array (

'count' => 1,

0 => 'M:',

),

19 => 'homedrive',

'badpasswordtime' =>

array (

'count' => 1,

0 => '132665098264743610',

),

20 => 'badpasswordtime',

'lastlogoff' =>

array (

'count' => 1,

0 => '0',

),

21 => 'lastlogoff',

'lastlogon' =>

array (

'count' => 1,

0 => '132665098371930786',

),

22 => 'lastlogon',

'logonhours' =>

array (

'count' => 1,

0 => 'ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ',

),

23 => 'logonhours',

'pwdlastset' =>

array (

'count' => 1,

0 => '132535516035944362',

),

24 => 'pwdlastset',

'primarygroupid' =>

array (

'count' => 1,

0 => '513',

),

25 => 'primarygroupid',

'profilepath' =>

array (

'count' => 1,

0 => '\\\\cifs\\profiles\\test.user',

),

26 => 'profilepath',

'objectsid' =>

array (

'count' => 1,

0 => '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . 'üâîxc��LY±S…0�' . "\0" . '' . "\0" . '',

),

27 => 'objectsid',

'accountexpires' =>

array (

'count' => 1,

0 => '0',

),

28 => 'accountexpires',

'logoncount' =>

array (

'count' => 1,

0 => '22',

),

29 => 'logoncount',

'samaccountname' =>

array (

'count' => 1,

0 => 'test.user',

),

30 => 'samaccountname',

'samaccounttype' =>

array (

'count' => 1,

0 => '805306368',

),

31 => 'samaccounttype',

'userprincipalname' =>

array (

'count' => 1,

0 => 'test.user@mydomain.mydomain.de',

),

32 => 'userprincipalname',

'lockouttime' =>

array (

'count' => 1,

0 => '0',

),

33 => 'lockouttime',

'objectcategory' =>

array (

'count' => 1,

0 => 'CN=Person,CN=Schema,CN=Configuration,dc=MyActiveDirectory',

),

34 => 'objectcategory',

'dscorepropagationdata' =>

array (

'count' => 3,

0 => '20210111164144.0Z',

1 => '20201228231658.0Z',

2 => '16010101000000.0Z',

),

35 => 'dscorepropagationdata',

'lastlogontimestamp' =>

array (

'count' => 1,

0 => '132663400070044244',

),

36 => 'lastlogontimestamp',

'uid' =>

array (

'count' => 1,

0 => 'test.user',

),

37 => 'uid',

'mssfu30name' =>

array (

'count' => 1,

0 => 'test.user',

),

38 => 'mssfu30name',

'mssfu30nisdomain' =>

array (

'count' => 1,

0 => 'mydomain',

),

39 => 'mssfu30nisdomain',

'uidnumber' =>

array (

'count' => 1,

0 => '10006',

),

40 => 'uidnumber',

'gidnumber' =>

array (

'count' => 1,

0 => '10000',

),

41 => 'gidnumber',

'unixhomedirectory' =>

array (

'count' => 1,

0 => '/users/test.user',

),

42 => 'unixhomedirectory',

'loginshell' =>

array (

'count' => 1,

0 => '/bin/bash',

),

43 => 'loginshell',

'count' => 44,

'dn' => 'CN=test.user,CN=Users,dc=MyActiveDirectory',

),

)

2021-05-26 17:24:40 wiki-test my_wiki: ldap_bind( $linkID, $bindRDN = 'CN=test.user,CN=Users,dc=MyActiveDirectory', $bindPassword = 'XXXX' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_bind( $linkID, $bindRDN = 'CN=myldapuser,cn=users,dc=MyActiveDirectory', $bindPassword = 'XXXX' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_search( $linkID, $baseDN = 'cn=users,cd=mydomain,dc=mydomain,dc=de', $filter = '(samaccountname=test.user)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );

2021-05-26 17:24:40 wiki-test my_wiki: # returns Resource id #59

2021-05-26 17:24:40 wiki-test my_wiki: ldap_get_entries( $linkID, $resultID );

2021-05-26 17:24:40 wiki-test my_wiki: # returns: array (

'count' => 0,

)

2021-05-26 17:24:40 wiki-test my_wiki: ldap_search( $linkID, $baseDN = 'cn=users,cd=mydomain,dc=mydomain,dc=de', $filter = '(samaccountname=)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );

2021-05-26 17:24:40 wiki-test my_wiki: # returns Resource id #75

2021-05-26 17:24:40 wiki-test my_wiki: ldap_get_entries( $linkID, $resultID );

2021-05-26 17:24:40 wiki-test my_wiki: # returns: array (

'count' => 0,

)

Reply 17:34, 26 May 2021 2 years ago

Osnard (talkcontribs)

First, there are two strange entries in the logs:

samaccountname=test.user --> 0 results
samaccountname=<empty> --> 0 results

Looks like something is wrong with the DNs:

$baseDN = 'cn=users,dc=MyActiveDirectory',          $filter = '(samaccountname=test.user)'
$baseDN = 'cn=users,cd=mydomain,dc=mydomain,dc=de', $filter = '(samaccountname=test.user)'

No idea where this could come from. Do you have any?

Regarding the error message: I'd think Extension:LDAPAuthentication2 probably returns an empty string.

Maybe you want to debug here: https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/1.0.2/src/PluggableAuth.php#L178

Do the regular PHP logs show anything? Like a "Notice" or "Warning" that something is not set?

Reply 13:38, 27 May 2021 2 years ago

134.60.112.70 (talkcontribs)

Thank you for the response.

The PHP logs do indeed show notices for samaccountname, cn and memberof not being set. This would mean, that the LDAP-Connection does not work as intended. However, I am confused since the initial login is working and the above mentioned error message is only displayed if correct credentials are used. In other cases the error message says: <<Could not authenticate credentials against domain "myActiveDirectory">>

You mentioned there might something wrong with the DNs. To be honest I'm quite new to LDAP. But I have successfully used these baseDNs for multiple other applications like nextcloud. So I don't know what would be wrong with these but am open for infos on what attribute might be missing. I also checked in my Active Directory and samaccountname is definitely set for the users including the testuser. So if the logs show "samaccountname=test.user --> 0 results" there must be something wrong with the query, right?

PHP Error Log:

2021-05-26 17:24:40 wiki-test my_wiki: [9d3354b584a8768e190b4853] /wiki/Spezial:PluggableAuthLogin ErrorException from line 178 of /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: samaccountname

#0 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(178): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(48): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin(string, string, string, NULL, NULL, NULL)

#2 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)

#3 /var/www/mediawiki/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#4 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#5 /var/www/mediawiki/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#6 /var/www/mediawiki/includes/MediaWiki.php(940): MediaWiki->performRequest()

#7 /var/www/mediawiki/includes/MediaWiki.php(543): MediaWiki->main()

#8 /var/www/mediawiki/index.php(53): MediaWiki->run()

#9 /var/www/mediawiki/index.php(46): wfIndexMain()

#10 {main}

2021-05-26 17:24:40 wiki-test my_wiki: [9d3354b584a8768e190b4853] /wiki/Spezial:PluggableAuthLogin ErrorException from line 179 of /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: cn

#0 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(179): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(48): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin(string, NULL, string, NULL, NULL, NULL)

#2 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, NULL, NULL, NULL, NULL)

#3 /var/www/mediawiki/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#4 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#5 /var/www/mediawiki/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#6 /var/www/mediawiki/includes/MediaWiki.php(940): MediaWiki->performRequest()

#7 /var/www/mediawiki/includes/MediaWiki.php(543): MediaWiki->main()

#8 /var/www/mediawiki/index.php(53): MediaWiki->run()

#9 /var/www/mediawiki/index.php(46): wfIndexMain()

#10 {main}

2021-05-26 17:24:40 wiki-test my_wiki: [9d3354b584a8768e190b4853] /wiki/Spezial:PluggableAuthLogin ErrorException from line 17 of /var/www/mediawiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php: PHP Notice: Undefined index: memberof

#0 /var/www/mediawiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php(17): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/www/mediawiki/extensions/LDAPProvider/src/Client.php(361): MediaWiki\Extension\LDAPProvider\UserGroupsRequest\UserMemberOf->getUserGroups(string)

#2 /var/www/mediawiki/includes/libs/objectcache/BagOStuff.php(149): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}(integer)

#3 /var/www/mediawiki/extensions/LDAPProvider/src/Client.php(362): BagOStuff->getWithSetCallback(string, integer, Closure)

#4 /var/www/mediawiki/extensions/LDAPAuthorization/src/RequirementsChecker.php(69): MediaWiki\Extension\LDAPProvider\Client->getUserGroups(string)

#5 /var/www/mediawiki/extensions/LDAPAuthorization/src/RequirementsChecker.php(47): MediaWiki\Extension\LDAPAuthorization\RequirementsChecker->makeGroupRequirements(NULL, array)

#6 /var/www/mediawiki/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(82): MediaWiki\Extension\LDAPAuthorization\RequirementsChecker->allSatisfiedBy(NULL)

#7 /var/www/mediawiki/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(70): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->process()

#8 /var/www/mediawiki/includes/HookContainer/HookContainer.php(320): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback(User, boolean)

#9 /var/www/mediawiki/includes/HookContainer/HookContainer.php(131): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)

#10 /var/www/mediawiki/includes/Hooks.php(137): MediaWiki\HookContainer\HookContainer->run(string, array, array)

#11 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(53): Hooks::run(string, array)

#12 /var/www/mediawiki/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#13 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#14 /var/www/mediawiki/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#15 /var/www/mediawiki/includes/MediaWiki.php(940): MediaWiki->performRequest()

#16 /var/www/mediawiki/includes/MediaWiki.php(543): MediaWiki->main()

#17 /var/www/mediawiki/index.php(53): MediaWiki->run()

#18 /var/www/mediawiki/index.php(46): wfIndexMain()

#19 {main}

Reply 13:54, 28 May 2021 2 years ago

2001:7C0:3100:10:0:0:0:8C (talkcontribs)

Correction: The LDAP-Query does indeed return the correct attributes to the LDAP-User. But still the PHP error says that cn and samaccountname are undefined.

Reply 16:22, 31 May 2021 2 years ago

Osnard (talkcontribs)

Have you tried to create a standalone script like described here https://www.php.net/manual/en/function.ldap-search.php#refsect1-function.ldap-search-examples and see what ldap_search( $linkID, 'cn=users,cd=mydomain,dc=mydomain,dc=de', '(samaccountname=test.user)', [ '*', 'memberof' ] ); actually returns? Be aware that $linkID would need to be constructed with the same credentials as your wiki configuration has.

Reply 14:19, 7 June 2021 2 years ago

Reply to "LDAP auto account creation not working"