Topic on Extension talk:LDAPGroups

Groupsync doesn't sync groups

Janduwe (talkcontribs)

Hello, I'm trying to sync user groups from my AD source with local groups in my wiki. I'm on MediaWiki 1.35. When logging in there are no user groups synced.

After reading several threads on this page, this is my output from ShowUserGroups.php:

```
Full DNs:
       CN=BG Wiki Admins,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=BG IT Temp,OU=021 Abteilungen,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=BG California.pro User,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=FG Passwort-Zugriffsberechtigte,OU=044 Sonstige,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=Temporäre Mitarbeiter,OU=_Sicherheitsgruppen_löschen_nach_AD_Abschluss,OU=Steinbeiss,DC=stzegs,DC=ads
       CN=V Schreiber,OU=LW-V,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads
Short names:
       bg wiki admins
       bg it temp
       bg california.pro user
       fg passwort-zugriffsberechtigte
       temporäre mitarbeiter
       v schreiber
```

My LocalSettings.php:

```php
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPGroups' );

$wgGroupPermissions['bg wiki admins']['read'] = true;

#$LDAPAuthentication2AllowLocalLogin = true;

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'LDAP' => [
            'connection' => [
                "server" => "removed",
                "user" => "cn=mrbs,ou=012 Servicezugänge, ou=01 Konten,ou=Steinbeiss,dc=stzegs,dc=ads",
                "pass" => "removed",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                //"basedn" => "ou=011 Benutzer,ou=01 Konten,ou=Steinbeiss,dc=stzegs,dc=ads",
                "basedn" => "ou=Steinbeiss,dc=stzegs,dc=ads",
                //"basedn" => "ou=",
                "grouprequest"=> "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
                "groupbasedn" => "ou=023 Software und Tools,ou=02 Benutzergruppen,ou=Steinbeiss,dc=stzegs,dc=ads",
                "userbasedn" => "ou=011 Benutzer,ou=01 Konten,ou=Steinbeiss,dc=stzegs,dc=ads",
                "searchattribute" => "samaccountname",
                "searchstring" => "STZEGS\\USER-NAME",
                "usernameattribute" => "samaccountname",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ],
            'groupsync' => [
                "mechanism" => "mappedgroups",
                "mapping" => ["bg wiki admins" => "cn=BG Wiki Admins,ou=023 Software und Tools,ou=02 Benutzergruppen,ou=Steinbeiss,dc=stzegs,dc=ads"]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
```

Please tell me if I'm missing something important here.

Kind regards, Jan

Osnard (talkcontribs)
Janduwe (talkcontribs)

With enabled debug logging like this:

```php
$LDAPProviderCacheType = CACHE_NONE;
$wgDebugLogGroups['PluggableAuth'] = "PluggableAuth.log";
$wgDebugLogGroups['LDAP'] = "LDAP.log";
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "LDAPProvider.log";
$wgDebugLogGroups['LDAPGroups'] = "LDAPGroups.log";
$wgDebugLogGroups['LDAPAuthentication2'] = "LDAPAuthentication.log";
```

No log file for LDAPGroups shows up when I'm logging in or out with my account on the MediaWiki configuration I am using.

However, my LDAP.log file shows that my user is within the group from the AD source:

```
12 => 'usncreated',
   'memberof' =>
   array (
     'count' => 6,
     0 => 'CN=BG Wiki Admins,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
     1 => 'CN=BG IT Temp,OU=021 Abteilungen,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
     2 => 'CN=BG California.pro User,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
     3 => 'CN=FG Passwort-Zugriffsberechtigte,OU=044 Sonstige,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
     4 => 'CN=Temporäre Mitarbeiter,OU=_Sicherheitsgruppen_löschen_nach_AD_Abschluss,OU=Steinbeiss,DC=stzegs,DC=ads',
     5 => 'CN=V Schreiber,OU=LW-V,OU=04 Freigabegruppen,OU=Steinbeiss,DC=stzegs,DC=ads',
```

I also get a logging file from LDAPProvider and PluggableAuth, but I could find no errors related to my issue. Is there anything specific I should be looking for?

I have also run update.php multiple times, if that matters, and logging in/out works just fine.

Osnard (talkcontribs)

If you don't have entries in `LDAPGroups.log`, this means the code is not even invoked. Can you please try to set `$LDAPProviderDefaultDomain = "LDAP";`?

Janduwe (talkcontribs)

Sorry for the late reply, this worked.

Thank you very much for your help.
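Added example, not part of the thread and not LDAPGroups code: a sanity check that each DN in a `mappedgroups` mapping actually occurs in the user's `memberOf` list, useful for ruling out a mapping typo before asking whether the sync code runs at all. The normalization (casefolding, trimming spaces around `,` and `=`) is an assumption made for this comparison only and says nothing about how the extension itself compares DNs; the function names are hypothetical.

```python
# Added example: compare a mappedgroups mapping against memberOf values.
# Normalization rules are an assumption for this check, not the extension's logic.

def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def normalize_dn(dn):
    """Casefold each RDN and trim spaces around ',' and '=' (escaped edge spaces are not preserved)."""
    out = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append(f"{attr.strip().casefold()}={value.strip().casefold()}")
    return ",".join(out)

def check_mapping(mapping, member_of):
    """Return (wiki groups whose mapped DN is in member_of, wiki groups with no match)."""
    held = {normalize_dn(dn) for dn in member_of}
    matched, unmatched = [], []
    for wiki_group, dns in mapping.items():
        dns = [dns] if isinstance(dns, str) else dns
        hit = any(normalize_dn(d) in held for d in dns)
        (matched if hit else unmatched).append(wiki_group)
    return matched, unmatched

# Values copied from the thread: two memberOf entries from LDAP.log and the configured mapping.
MEMBER_OF = [
    "CN=BG Wiki Admins,OU=023 Software und Tools,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads",
    "CN=BG IT Temp,OU=021 Abteilungen,OU=02 Benutzergruppen,OU=Steinbeiss,DC=stzegs,DC=ads",
]
MAPPING = {"bg wiki admins": "cn=BG Wiki Admins,ou=023 Software und Tools,ou=02 Benutzergruppen,ou=Steinbeiss,dc=stzegs,dc=ads"}

if __name__ == "__main__":
    print(check_mapping(MAPPING, MEMBER_OF))
```

For the values in this thread the mapping matches, which is consistent with the cause being that the group sync was never invoked rather than a wrong DN.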
