Topic on Talk:LDAP hub/Migration from extension LDAPAuthentication

LDAP errors while moving from mediawiki 1.26 to 1.31

Michedaino (talkcontribs)

Hi all,

I am moving my wiki from:

mediawiki 1.26 / CentOS release 6.3 / PHP 5.3.3 / MySQL 5.1.73

to

mediawiki 1.31 / Red Hat Enterprise Linux Server release 7.8 / PHP 7.1.33 / MySQL 5.7.9


I had to change the LDAP auth mode from LdapAuthentication to PluggableAuth.


Old config file:

<?php

// Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['unix']['read'] = true;

// allow these pages for anonymous users
$wgWhitelistRead = array( "Pagina_principale", "Admin_xxx", "Admin_xc", "Special:Userlogin" );

// Disable anonymous editing
$wgGroupPermissions['*']['edit'] = false;

// Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

/* Extension: LDAP Authentication
        http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Options#Enabling_the_plugin         */
require_once( "{$IP}/xxx/extensions/wikimedia-mediawiki-extensions-LdapAuthentication-07fe5c5/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

// The names of one or more domains you wish to use
// These names will be used for the other options, it is freely choosable and not dependent
// on your system. These names will show in the Login-Screen, so it is important that the user
// understands the meaning.
//
// REQUIRED
// Default: none
$wgLDAPDomainNames = array( "xxx" );

// The fully qualified name of one or more servers per domain you wish to use. If you are
// going to use SSL or StartTLS, it is important that the server names provided here exactly
// match the name provided by the SSL certificate returned by the server; otherwise, you may
// have problems.
//
// REQUIRED
// Default: none
$wgLDAPServerNames = array( "xx" => "xx.corp" );

// Allow the use of the local database as well as the LDAP database.
// Mostly for transitional purposes. Unless you *really* know what you are doing,
// don't use this option. It will likely cause you annoying problems, and
// it will cause me annoying support headaches.
// Warning: Using this option will allow MediaWiki to leak LDAP passwords into
// its local database. It's highly recommended that this setting not be used for
// anything other than transitional purposes.
//
// Default: false
$wgLDAPUseLocal = true;

// The type of encryption you would like to use when connecting to the LDAP server.
// Available options are 'tls', 'ssl', and 'clear'
//
// Default: tls
$wgLDAPEncryptionType = array( "xx" => "clear" );

// Connect with a non-standard port
// Available in 1.2b+
// Default: 389 for clear/tls, 636 for ssl
#$wgLDAPPort = array( "xx" => 389 );

// User and password used for proxyagent access.
// Please use a user with limited access, NOT your directory manager!
$wgLDAPProxyAgent = array( "xx" => "CN=xx,OU=xx,OU=xxx,OU=xx,OU=xx,DC=xx,DC=xx" );
$wgLDAPProxyAgentPassword = array( "xx" => "xx" );

// Search filter.
// These options are only needed if you want to search for users to bind with them. In other words,
// if you cannot do direct binds based upon $wgLDAPSearchStrings, then you'll need these two options.
// If you need a proxyagent to search, remember to set $wgLDAPProxyAgent, and $wgLDAPProxyAgentPassword.
// Anonymous searching is supported. To do an anonymous search, use SearchAttributes and don't set a Proxy
// agent for the domain required.
#$wgLDAPSearchAttributes = array( "xx" => "cn" );
$wgLDAPSearchAttributes = array( "xx" => "sAMAccountName" );

// Base DNs. Group and User base DNs will be used if available; if they are not defined, the search
// will default to $wgLDAPBaseDNs
$wgLDAPBaseDNs = array( "xx" => "DC=xx,DC=xx" );

/* Group options
     Using LDAP groups in any way requires $wgLDAPBaseDNs to be set!                                             */

// Whether the username in the group is a full DN (AD generally does this), or
// just the username (posix groups generally do this)
// Default: false
$wgLDAPGroupUseFullDN = array( "xx" => false );

// Munge the case of the username to lowercase when doing searches in groups
// Default: false
$wgLDAPLowerCaseUsername = array( "xx" => true );

// Use the exact name retrieved from LDAP after the user has authenticated to search for groups.
// This requires the SetUsernameAttributeFromLDAP hook to be used (see the smartcard section).
// Default: false
$wgLDAPGroupUseRetrievedUsername = array( "xx" => false );

// The objectclass of the groups we want to search for
$wgLDAPGroupObjectclass = array( "xx" => "group" );

// The attribute used for group members
$wgLDAPGroupAttribute = array( "xx" => "member" );

// The naming attribute of the group
$wgLDAPGroupNameAttribute = array( "xx" => "cn" );

// Use the FullDN for the Group Search
// (this second assignment overrides the "false" set further up)
$wgLDAPGroupUseFullDN = array( "xx" => true );
#$wgLDAPGroupBaseDNs = array( "xx" => "OU=xx,OU=XX,OU=XX,OU=XX,DC=XX,DC=corp" );

// Use the memberOf attribute to find groups.
// If memberOf is used, it will be the only method used for searching for groups.
// Default: false
// Available in 1.2b+
$wgLDAPGroupsUseMemberOf = array( "XX" => false );

//
//  Group based login restriction configuration options
//
//
// An array of the groups the user is required to be a member of.
$wgLDAPRequiredGroups = array(
  "XX" => array(
    "CN=xx_Users,OU=Servizio WiKi,OU=gruppi,OU=xxx,OU=Aziende,OU=xx,DC=xx,DC=xx",
  )
);

// An array of the groups the user cannot be a member of.
// Available in 1.2b+
/*
$wgLDAPExcludedGroups = array(
  "xx" => array(
    'cn=evilgroup,dc=xx,dc=xx,dc=it',
    'cn=evilgroup2,dc=xx,dc=xx,dc=it',
  )
);
*/


Now I created the JSON file ldapprovider.json:


{
    "LDAP": {
        "connection": {
            "server": "xx.corp",
            "user": "CN=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp",
            "pass": "xxx",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "DC=xx,DC=corp",
            "groupbasedn": "DC=xx,DC=corp",
            "userbasedn": "DC=xx,DC=corp",
            "searchattribute": "sAMAccountName",
            "searchstring": "CN=xx_Users,OU=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp",
            "usernameattribute": "uid",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "presearchusernamemodifiers": "lowercase"
        }
    }
}


and in LocalSettings.php:


wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'Auth_remoteuser' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigs = "$IP/iside/ldapprovider.json";
$LDAPProviderCacheType = CACHE_NONE;


I cannot authenticate; the error is: Could not authenticate credentials against domain "LDAP"


I tried:


php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username xxx


It works!!


I activated debugging:


# cat LDAP.log
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: In execute()
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Getting PluggableAuth singleton
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_connect( $hostname = 'ldap://xxx.corp:389', $port = 389 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # __METHOD__ returns Resource id #248
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_REFERRALS to 0
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Setting LDAP_OPT_DEREF to 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_bind( $linkID, $bindRDN = 'CN=xxx,OU=xx,OU=xxI,OU=xx,OU=xx,DC=xx,DC=corp', $bindPassword = 'XXXX' );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns 1
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=xx,OU=xxx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp'
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ldap_bind( $linkID, $bindRDN = 'CN=xx,OU=xx,OU=xx,OU=xx,OU=xx,OU=xx,DC=xx,DC=corp', $bindPassword = 'XXXX' );
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: # returns
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: Authentication failure.
2021-06-23 14:45:51 plb00sweb01 mediawiki_unix-wikimwdia_: ERROR: Could not authenticate credentials against domain "LDAP"


Any ideas??? Thank you

Osnard (talkcontribs)

Has a username transformation been applied maybe? Check the DN in the second `ldap_bind` call and see if the username is the same as you have entered in the CLI.
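As an added diagnostic (not part of LDAPProvider and not from either poster), the script below replays the three steps the LDAP.log shows, proxy bind, search by searchattribute, then bind as the resolved user DN, reading the same ldapprovider.json, so the DN it resolves for a given username can be compared with the DN in the second `ldap_bind` line. It assumes the JSON layout shown in the question, the PHP ldap extension, and an environment variable named LDAP_TEST_PASSWORD (my choice, not an extension setting).

```php
<?php
// Added diagnostic, not LDAPProvider code: replays proxy bind -> user search -> user bind
// from the same ldapprovider.json so the resolved DN can be checked against LDAP.log.
// Usage: LDAP_TEST_PASSWORD=... php ldap-bind-check.php ldapprovider.json LDAP <username>
$jsonPath = $argv[1] ?? null;
$domain   = $argv[2] ?? 'LDAP';
$username = $argv[3] ?? null;
if ( $jsonPath === null || $username === null ) {
    fwrite( STDERR, "usage: LDAP_TEST_PASSWORD=... php {$argv[0]} ldapprovider.json <domain> <username>\n" );
    exit( 2 );
}
$cfg = json_decode( file_get_contents( $jsonPath ), true )[$domain]['connection'] ?? null;
if ( $cfg === null ) { fwrite( STDERR, "domain '$domain' not found in $jsonPath\n" ); exit( 2 ); }
// A key with stray whitespace (e.g. "presearchusernamemodifiers ") is silently ignored by the extension.
foreach ( array_keys( $cfg ) as $k ) {
    if ( $k !== trim( $k ) ) { fwrite( STDERR, "warning: config key '$k' has surrounding whitespace\n" ); }
}
// Apply the same pre-search modifier the wiki applies before looking the user up.
if ( ( $cfg['presearchusernamemodifiers'] ?? '' ) === 'lowercase' ) { $username = strtolower( $username ); }
// Password from the environment, never from argv (argv is visible in `ps` and shell history).
$password = (string)getenv( 'LDAP_TEST_PASSWORD' );
if ( $password === '' ) { fwrite( STDERR, "refusing empty password: an empty bind is an anonymous bind\n" ); exit( 2 ); }
$ldap = ldap_connect( "ldap://{$cfg['server']}:" . ( $cfg['port'] ?? 389 ) );
ldap_set_option( $ldap, LDAP_OPT_PROTOCOL_VERSION, 3 );
ldap_set_option( $ldap, LDAP_OPT_REFERRALS, 0 );
// Step 1: proxy bind with the service account (the first ldap_bind in the log).
if ( !@ldap_bind( $ldap, $cfg['user'], $cfg['pass'] ) ) {
    fwrite( STDERR, "proxy bind failed: " . ldap_error( $ldap ) . "\n" ); exit( 1 );
}
// Step 2: resolve the user DN with an escaped filter on searchattribute under userbasedn.
$filter = sprintf( '(%s=%s)', $cfg['searchattribute'], ldap_escape( $username, '', LDAP_ESCAPE_FILTER ) );
$res = ldap_search( $ldap, $cfg['userbasedn'] ?? $cfg['basedn'], $filter, [ $cfg['searchattribute'] ] );
$entries = ldap_get_entries( $ldap, $res );
if ( $entries['count'] !== 1 ) { fwrite( STDERR, "expected exactly 1 entry for $filter, got {$entries['count']}\n" ); exit( 1 ); }
$userDn = $entries[0]['dn'];
echo "search filter: $filter\nresolved DN:   $userDn\n";   // compare with 'User DN is:' in LDAP.log
// Step 3: bind as the user (the second ldap_bind, the one that returned empty in the log).
if ( @ldap_bind( $ldap, $userDn, $password ) ) {
    echo "user bind OK\n";
    exit( 0 );
}
echo "user bind FAILED: " . ldap_error( $ldap ) . " (errno " . ldap_errno( $ldap ) . ")\n";
// Active Directory puts the reason in the diagnostic message, e.g. "data 52e" = wrong password,
// "data 525" = user not found, "data 533" = account disabled, "data 775" = account locked out.
if ( defined( 'LDAP_OPT_DIAGNOSTIC_MESSAGE' ) && ldap_get_option( $ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag ) ) {
    echo "diagnostic:    $diag\n";
}
exit( 1 );
```

If the resolved DN differs from the one in the log's second `ldap_bind`, the wiki is transforming the username before the search (the point Osnard raises); if the DNs match and the bind still fails, the AD diagnostic data code tells you whether it is the password or the account state.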
