Topic on Project:Support desk

Authentication successful, Authorization fails.

Prabhu7778 (talkcontribs)

Hello Team

Please help me to configure LDAPAuthentication2.

Version used: 1.35 for MediaWiki and all extensions.

LDAP authentication 'OK' from CLI, could not get any groups from showgroups.php. Domain config is set in a PHP array.

Please find my LDAP debug log:


ldap_search( $linkID, $baseDN = 'DC=internal', $filter = '(samaccountname=####)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
######i: # returns Resource id #789
i: ldap_count_entries( $linkiID, $result = 'Resource id #789' );
i: # returns 0
: Could not get user DN!
: ldap_search( $linkID, $baseDN = 'DC=internal', $filter = '(objectClass=*)', $attributes = [ 'dn' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
i: # returns Resource id #795
i: ldap_get_entries( $linkID, $resultID );
i: # returns: array (
  'count' => 0,
)
: Ran LDAP search for '(objectClass=*)' in 17.134354114532 seconds.


LocalSettings.php

Loaded extensions:

wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPSyncAll' );
wfLoadExtension( 'LDAPAuthorization' );

$wgPluggableAuth_ButtonLabelMessage = "Login";
$wgGroupPermissions['*']['autocreateaccount'] = true;
$LDAPGroupssyncMechanismRegistry = "MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\AllGroups::factory";
$LDAPProviderDomainConfigProvider = function(){
        $config = [
                'VDS' => [
                        'connection' => [
                                "server" => "####",
                                "port" => 636,
                                "enctype" => 'ssl',
                                "user" => "CN=###,OU=Service Accounts,OU=WWDEL,OU=WorldWide,DC=####,DC=##",
                                "pass" => '####',
                                "grouprequest"   => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
                                'authorization' => [
                                        'rules' => [
                                                'groups' => [
                                                        'required' => [ "OU=##,OU=##,OU=##,DC=##,DC=##t" ]
                                                ]
                                        ]
                                ]



On the web I am getting: /index.php/Special:PluggableAuthLogin MWException from line 66 of /##i/extensions/LDAPProvider/src/DomainConfigFactory.php: No section 'authorization' found in configuration for domain

Prabhu7778 (talkcontribs)

PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

@Osnard could you please help me here. Please help me to convert it to the new format for ldapauthentication2.

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
require_once( "includes/AuthPlugin.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array(
  '###',
);
$wgLDAPServerNames = array(
  '##' => '#####.net',
);
$wgLDAPSearchStrings = array(
  '##' => 'USER-NAME',
);
$wgLDAPEncryptionType = array(
  '##' => 'ssl',
);
$wgLDAPBaseDNs = array(
  '##' => 'DC=internal',
);
$wgLDAPSearchAttributes = array(
  '##' => 'sAMAccountName',
);
$wgLDAPProxyAgent = array(
  '###' => 'CN=##,OU=Service Accounts,OU=##,OU=##,DC=##,DC=##',
);
$wgLDAPProxyAgentPassword = array(
  '###' => '##',
);
$wgLDAPPort = array(
  '##' => 636,
);

Osnard (talkcontribs)

Those fields should map directly into LDAPProvider's domain config. There is no difference.
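The mapping Osnard describes, as an added example that is not from this thread or from the LDAPProvider extension: a helper that builds the LDAPProvider domain config from the legacy $wgLDAP* arrays. The key names on the LDAPProvider side (server, port, enctype, user, pass, basedn, searchattribute) are the ones used in the domain configs posted in this thread; the domain name 'EXAMPLE', the host, the DNs and the LDAP_BIND_PASS environment variable are placeholders, and the function name legacyLdapToDomainConfig is chosen here.

```php
<?php
// Added example, not from the thread or the LDAPProvider extension: converts the
// legacy LdapAuthentication globals (each keyed by domain name) into the per-domain
// array that LDAPProvider reads. All values below are placeholders.

$wgLDAPServerNames = [ 'EXAMPLE' => 'ldap.example.internal' ];
$wgLDAPPort = [ 'EXAMPLE' => 636 ];
$wgLDAPEncryptionType = [ 'EXAMPLE' => 'ssl' ];
$wgLDAPBaseDNs = [ 'EXAMPLE' => 'OU=People,DC=example,DC=internal' ];
$wgLDAPSearchAttributes = [ 'EXAMPLE' => 'sAMAccountName' ];
$wgLDAPProxyAgent = [ 'EXAMPLE' => 'CN=svc-wiki,OU=Service Accounts,DC=example,DC=internal' ];
// Bind secret from the environment rather than a literal in LocalSettings.php.
$wgLDAPProxyAgentPassword = [ 'EXAMPLE' => getenv( 'LDAP_BIND_PASS' ) ?: 'placeholder' ];

/**
 * Build the 'connection' section for one domain from the legacy arrays.
 * A missing legacy entry is a configuration error, so it is not defaulted silently.
 */
function legacyLdapToDomainConfig( string $domain ): array {
	global $wgLDAPServerNames, $wgLDAPPort, $wgLDAPEncryptionType, $wgLDAPBaseDNs,
		$wgLDAPSearchAttributes, $wgLDAPProxyAgent, $wgLDAPProxyAgentPassword;

	// LDAPProvider connection key => legacy global (per-domain array)
	$mapping = [
		'server' => $wgLDAPServerNames,
		'port' => $wgLDAPPort,
		'enctype' => $wgLDAPEncryptionType,
		'basedn' => $wgLDAPBaseDNs,
		'searchattribute' => $wgLDAPSearchAttributes,
		'user' => $wgLDAPProxyAgent,
		'pass' => $wgLDAPProxyAgentPassword,
	];

	$connection = [];
	foreach ( $mapping as $newKey => $legacy ) {
		if ( !isset( $legacy[$domain] ) ) {
			throw new InvalidArgumentException( "No legacy value for '$newKey' in domain '$domain'" );
		}
		$connection[$newKey] = $legacy[$domain];
	}
	$connection['port'] = (int)$connection['port'];
	// $wgLDAPSearchStrings is deliberately not carried over: the search attribute
	// alone identifies the user. Keep the attribute name in the exact case the
	// extension expects (sAMAccountName, as noted later in this thread).
	return [ 'connection' => $connection ];
}

$config = [];
foreach ( array_keys( $wgLDAPServerNames ) as $domain ) {
	$config[$domain] = legacyLdapToDomainConfig( $domain );
}

// Same provider closure as in the LocalSettings.php posted in this thread.
$LDAPProviderDomainConfigProvider = function () use ( $config ) {
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

// Standalone run (outside MediaWiki): print the mapping with the password masked.
if ( PHP_SAPI === 'cli' && !defined( 'MEDIAWIKI' ) ) {
	$shown = $config;
	foreach ( $shown as &$d ) {
		$d['connection']['pass'] = '***';
	}
	unset( $d );
	var_export( $shown );
	echo "\n";
}
```

Run it once with `LDAP_BIND_PASS=... php map-ldap.php` to eyeball the generated array, then paste only the resulting structure into LocalSettings.php. Keeping the bind password in the environment or a root-readable file outside the web root avoids committing it with the wiki configuration.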

Prabhu7778 (talkcontribs)

@Osnard I'm getting the below error:

The supplied credentials are not associated with any user on this wiki.

Loaded extensions are: LDAP2, LDAProvider, LDAPPluggable, LDAPAuthremote user, LDAPuserinfo.

I just need to authenticate the supplied credentials against my LDAP and allow login, no matter whether the account already exists in the wiki database or not.

Please help me here

Osnard (talkcontribs)

Can you confirm that the `LDAPProvider/maintenance/CheckLogin.php` script works properly? If you need only form-based authentication you can disable "Auth_remoteuser". As long as "LDAPAuthorization" is not enabled, no authorization will be done anyway.

Prabhu7778 (talkcontribs)

@Osnard Yes, the CheckLogin script is working, I am able to bind.

I have removed Auth_remoteuser and added the extension LDAPAuthorization. I have no clue how to define it in the domain config.

My old LDAP settings don't have any authorization or group settings.

Error: YTbyptaNTT60KlwEYEpCkAAAAAE] /index.php/Special:PluggableAuthLogin MWException from line 66 of /var/www/html/myitwiki/extensions/LDAPProvider/src/DomainConfigFactory.php: No section 'authorization' found in configuration for domain.

Osnard (talkcontribs)

You don't need LDAPAuthorization. If you enable it though, you must provide an 'authorization' entry in the domain config.

Prabhu7778 (talkcontribs)

@Osnard Okay I have removed LDAPAuthorization. This is my current domain config.


LDAP error log:
###: Ran LDAP search for '(samccountName=##l)' in 0.023226976394653 seconds.
##: Authenticated new user:
##: User is authorized.


Error from web: The supplied credentials are not associated with any user on this wiki.


Note: The real name attribute, email attribute and username attribute were not in my previous LdapAuthentication settings. I added the default values here.


wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_ButtonLabelMessage = "Login";
$LDAPAuthentication2AllowLocalLogin = true;

$LDAPProviderDomainConfigProvider = function(){
        $config = [
                'VDS' => [
                        'connection' => [
                                "server" => "#####",
                                "port" => 636,
                                "enctype" => 'ssl',
                                "user" => "CN=####,OU=### Accounts,OU=####,OU=###,DC=###,DC=####",
                                "pass" => '####',
                                "options" => [
                                        "LDAP_OPT_DEREF" => 1
                                ],
                                "basedn" => "DC=internal",
                                "searchattribute" => "samccountname",
                                "searchstring" => "USER-NAME",
                                "emailattribute" => "mail",
                                "usernameattribute" => "samaccountname",
                                "realnameattribute" => "cn"
                        ]
                ]
        ];

        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};


Osnard (talkcontribs)

"searchstring" => "USER-NAME" looks odd. Have you tried to remove it entirely? The "searchattribute" should be sufficient.

Prabhu7778 (talkcontribs)

@Osnard I have removed searchstring completely. I got it from my previous LDAP settings:

$wgLDAPSearchStrings = array(
  '###' => 'USER-NAME',
);


Please find the error log after removing it.


ldap_search( $linkID, $baseDN = 'DC=internal', $filter = '(samaccountname=***)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
: # returns Resource id #834
i: ldap_count_entries( $linkiID, $result = 'Resource id #834' );
# returns 0
i: Could not get user DN!
i: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: ''
i: Authentication failure.
: ERROR: Could not authenticate credentials against domain "##"

Osnard (talkcontribs)

Is $baseDN = 'DC=internal' a good value? If you use some other LDAP tool like *nix ldapsearch or Windows AD browser, can you find your user with the filter (samaccountname=***) (value should be a proper samaccountname in the LDAP of course) and this base DN? Usually the base DN is a little bit more specific.

Prabhu7778 (talkcontribs)

@Osnard DC=internal is from my previous settings. LDAP worked in MediaWiki 1.27 with it and it's still working.

Could you please help me with ldapsearch? I doubt if the syntax I am using is wrong.

Error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

When I add "searchstring" => "USER-NAME" in LDAP I get the below log, with an array which I have not pasted here.


ldap_search( $linkID, $baseDN = '', $filter = '(samaccountname=###l)', $attributes = [ '*', '*' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
: # returns Resource id #839
i: ldap_get_entries( $linkID, $resultID );
: # returns: array (
  'count' => 1,
Ran LDAP search for '(samaccountname=#####)' in 0.023705959320068 seconds.
i: Authenticated new user:
: User is authorized.

Osnard (talkcontribs)

Could you try to use sAMAccountName everywhere you use samaccountname currently? Unfortunately new LDAP extensions are case sensitive with the attribute names.

Prabhu7778 (talkcontribs)

@Osnard Okay, I have changed it.

Ran LDAP search for '(sAMAccountname=####)' in 0.022358179092407 seconds.

LDAP log:
: Authenticated new user:
i: User is authorized

Web error: The supplied credentials are not associated with any user on this wiki.

Could it be anything related to the database, as LDAP is working in CLI but it is not able to find the user in the wiki database?

Osnard (talkcontribs)

Looks like you used sAMAccountname, not sAMAccountName.

Regarding your question: No. If it works on CLI (CheckLogin.php) it must work on the web (Special:Userlogin). The logs you provide look like it cannot find the user name (empty value). Can you enable "Warnings" and "Notices" in the PHP error log to see if there is an "undefined index" message anywhere?
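The check Osnard asks for here and in the earlier ldapsearch post, as an added diagnostic that is not the LDAPProvider extension's code: bind as the proxy agent, search the base DN with an escaped sAMAccountName filter, and report whether exactly one entry with the expected attributes comes back. Host, bind DN, base DN and the LDAP_BIND_PASS environment variable are placeholders; lookupUser is a name chosen here.

```php
<?php
// Added diagnostic, not the LDAPProvider extension's own code. It repeats the
// steps visible in the debug logs in this thread (bind as the proxy agent, search
// the base DN for the user's sAMAccountName, read the entry) with PHP's ldap_*
// functions, so base DN, bind account and attribute names can be checked outside
// MediaWiki. Server, bind DN and base DN are placeholders: replace them.

$ldapUri = 'ldaps://ldap.example.internal:636';                      // placeholder
$bindDn = 'CN=svc-wiki,OU=Service Accounts,DC=example,DC=internal';  // placeholder
$bindPass = getenv( 'LDAP_BIND_PASS' ) ?: '';                        // secret via environment
$baseDn = 'DC=internal';                                             // the value questioned above
$searchAttribute = 'sAMAccountName';                                 // exact case, as the extension expects
$wanted = [ 'cn', 'mail', $searchAttribute ];

/**
 * Look up one user below $baseDn and report what came back.
 * Returns a report array; LDAP errors are reported, never thrown.
 */
function lookupUser( $ldap, string $baseDn, string $searchAttribute, array $wanted, string $username ): array {
	// Escape the user-supplied value so a name such as "*)(objectClass=*" cannot
	// rewrite the filter (LDAP filter injection).
	$filter = sprintf( '(%s=%s)', $searchAttribute, ldap_escape( $username, '', LDAP_ESCAPE_FILTER ) );

	$result = @ldap_search( $ldap, $baseDn, $filter, array_merge( [ 'dn' ], $wanted ) );
	if ( $result === false ) {
		return [ 'status' => 'search-error', 'filter' => $filter, 'error' => ldap_error( $ldap ) ];
	}
	$count = ldap_count_entries( $ldap, $result );
	if ( $count === false ) {
		return [ 'status' => 'search-error', 'filter' => $filter, 'error' => ldap_error( $ldap ) ];
	}
	if ( $count !== 1 ) {
		// 0 is what the logs in this thread show: wrong base DN, wrong attribute
		// name, or the user is not below this subtree. More than 1 means the
		// filter is ambiguous and must not be used for login.
		return [ 'status' => $count === 0 ? 'not-found' : 'ambiguous', 'filter' => $filter, 'count' => $count ];
	}

	$entry = ldap_get_entries( $ldap, $result )[0];
	// ldap_get_entries() lowercases attribute names in the returned array, so the
	// presence check compares case-insensitively; the configured name keeps its case.
	$missing = [];
	foreach ( $wanted as $attr ) {
		if ( !isset( $entry[strtolower( $attr )] ) ) {
			$missing[] = $attr;
		}
	}
	return [
		'status' => $missing ? 'attributes-missing' : 'ok',
		'dn' => $entry['dn'],
		'missing' => $missing,
	];
}

$username = $argv[1] ?? '';
if ( $username === '' || $bindPass === '' ) {
	fwrite( STDERR, "usage: LDAP_BIND_PASS=... php ldap-check.php <sAMAccountName>\n" );
	exit( 1 );
}

$ldap = ldap_connect( $ldapUri );
ldap_set_option( $ldap, LDAP_OPT_PROTOCOL_VERSION, 3 );
// Active Directory answers searches rooted at the domain with referrals to other
// naming contexts; chasing them opens extra connections that often fail from a
// restricted host, so referral chasing is off for this test.
ldap_set_option( $ldap, LDAP_OPT_REFERRALS, 0 );

if ( !@ldap_bind( $ldap, $bindDn, $bindPass ) ) {
	fwrite( STDERR, 'bind failed: ' . ldap_error( $ldap ) . "\n" );
	exit( 2 );
}
$report = lookupUser( $ldap, $baseDn, $searchAttribute, $wanted, $username );
ldap_unbind( $ldap );
echo json_encode( $report, JSON_PRETTY_PRINT ), "\n";
exit( $report['status'] === 'ok' ? 0 : 3 );
```

Run it as `LDAP_BIND_PASS=... php ldap-check.php jdoe` from the wiki host. A `not-found` report with the broad base DN that turns into `ok` with a more specific one confirms the base DN suggestion; an `attributes-missing` report with an `ok` DN matches the "Undefined index" notices, pointing at the attribute names rather than the search itself.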

Prabhu7778 (talkcontribs)

@Osnard Okay, noted. I have changed it to sAMAccountName.

Can adding this to LocalSettings.php show the PHP errors? Warnings and errors are on in etc/php.ini.

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

Osnard (talkcontribs)

This looks good, yes. Any results so far?

Prabhu7778 (talkcontribs)

@Osnard No, the only error I see on the web is: The supplied credentials are not associated with any user on this wiki.

SSL error: RSA certificate configured for hostname:443 does NOT include an ID which matches the server name

[Wed Sep 08 10:48:45.778535 2021] [php7:notice] [pid 31159] [client 10.194.72.223:49233] PHP Notice:  Undefined index: sAMAccountName in /var/www/html/###/extensions/LDAPAuthentication2/src/PluggableAuth.php on line 192, referer: http://####/index.php?title=Special:UserLogin&returnto=Special%3AListUsers&returntoquery=dir%3Dprev%26username%3D%26group%3D%26creationSort%3D1%26wpsubmit%3D%26wpFormIdentifier%3Dmw-listusers-form

[Wed Sep 08 10:48:45.778671 2021] [php7:notice] [pid 31159] [client 10.194.72.223:49233] PHP Notice:  Undefined index: cn in /var/www/html/###/extensions/LDAPAuthentication2/src/PluggableAuth.php on line 193, referer: http://####/index.php?title=Special:UserLogin&returnto=Special%3AListUsers&returntoquery=dir%3Dprev%26username%3D%26group%3D%26creationSort%3D1%26wpsubmit%3D%26wpFormIdentifier%3Dmw-listusers-form

[Wed Sep 08 10:56:39.697401 2021] [php7:notice] [pid 31161] [client 10.194.72.223:55670] PHP Notice:  Undefined index: sAMAccountName in /var/www/html/####/extensions/LDAPAuthentication2/src/PluggableAuth.php on line 192, referer: http://###/index.php?title=Special:UserLogin&returnto=Special%3AListUsers&returntoquery=dir%3Dprev%26username%3D%26group%3D%26creationSort%3D1%26wpsubmit%3D%26wpFormIdentifier%3Dmw-listusers-form

[Wed Sep 08 10:56:39.697520 2021] [php7:notice] [pid 31161] [client ###:55670] PHP Notice:  Undefined index: cn in /var/www/html/###/extensions/LDAPAuthentication2/src/PluggableAuth.php on line 193, referer: http://###/index.php?title=Special:UserLogin&returnto=Special%3AListUsers&returntoquery=dir%3Dprev%26username%3D%26group%3D%26creationSort%3D1%26wpsubmit%3D%26wpFormIdentifier%3Dmw-listusers-form

Osnard (talkcontribs)

"Undefined index: sAMAccountName" and "Undefined index: cn". That's the issue. Maybe you could add an error_log( var_export( [ $username, $result ], true ) ); in "src/PluggableAuth.php" at line 194 and share the results.

Could you also share the results of the "LDAPProvider/maintenance/ShowUserInfo.php" script for the respective user?

Prabhu7778 (talkcontribs)

NA

Osnard (talkcontribs)

This doesn't look like a user object entry. Therefore attributes like "cn" and "samaccountname" are missing. But the filter clearly says '(sAMAccountName=###)'. So how can LDAP search return such an entry? Sorry, I am out of ideas here.

Prabhu7778 (talkcontribs)

@Osnard LDAP is pointed to a virtual directory, linking to the real AD.

How do we define $wgLDAPProxyAgent in the new LDAP domain config? I have defined the proxy agent as the user in the LDAP domain config.

Osnard (talkcontribs)

That's correct.

Prabhu7778 (talkcontribs)

@Osnard Hi, ShowUserInfo worked once and gave the correct user object.

Prabhu7778 (talkcontribs)

@Osnard

By adding

"LDAP_OPT_DEREF" => 0,
"LDAP_OPT_REFERRALS" => 1,
"LDAP_OPT_PROTOCOL_VERSION" => 2,
"LDAP_OPT_DEBUG_LEVEL" => 7

ShowUserInfo worked once, but then it is not working.

Prabhu7778 (talkcontribs)

@Osnard I changed my LDAP domain and userinfo is working well now.

But I am getting this error: LDAPProvider/src/DomainConfigFactory.php: No configuration available for domain ####, and the domain in the error is removed from LocalSettings.

Osnard (talkcontribs)

You may need to update the `ldap_domains` table in the database. The old domain name probably is still associated with the user.

Prabhu7778 (talkcontribs)

Okay. SSL is enabled; I need to use an Entrust cert. Please let me know how to configure the settings for SSL.

Prabhu7778 (talkcontribs)

@Osnard

Getting the below error

AH01909: RSA certificate configured for ####443 does NOT include an ID which matches the server name

Osnard (talkcontribs)

This issue is not related to MediaWiki or the LDAP extensions, but rather an issue of the server environment. If you search the web, you will find some resources on that particular error message.