Topic on Talk:LDAP hub

Could not authenticate credentials against domain xxxx

7 comments • 08:06, 31 March 2022 2 years ago

7

Ctorrestesam (talkcontribs)

Hi, i think i'm getting pretty close.

I'm not getting errors on the loging page except for "Could not authenticate credentials against domain XXXX"

when i run php CheckLogin.php --domain XXXX --username ctorres

i get an "OK"

php ShowUserGroupsphp --domain XXXX --username ctorres

i get Full DN: (blank) and Short names: (blank)

php ShowUserInfo.php --domain XXXX --username ctorres

brings back all my info from AD so tha's ok i guess:

Here's my LocalSettings.php.

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

$LDAPAuthorizationAutoAuthRemoteUserStringParser = "XXXX\username";

// Create Wiki-Group 'marketing' from default user group

$wgGroupPermissions['marketing'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['sysop']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "var/www/ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("$var/www/docs.XXXX.net/extensions/LDAPProvider")) {

$testJson = @json_decode(file_get_contents($ldapJsonFile),true);

if (is_array($testJson)) {

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: $IP/ldap.json");

}

// Activate Extension

if ( $ldapConfig ) {

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

$WikiToLDAPMigrationInProgress = false;

$LDAPProviderDomainConfigs = "$etc/mediawiki/ldapprovider.json";

$wgPluggableAuth_ButtonLabel = "Log In";

$LDAPAuthentication2AllowLocalLogin = true;

// Force LDAPGroups to sync by choosing a domain ( e.g. first JSON object in ldap.json )

$LDAPProviderDefaultDomain = "dc.XXXX.net";

if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }

}

$wgShowExceptionDetails = true;

$wgShowSQLErrors = true;

$wgShowDBErrorBacktrace = true;

$wgDebugLogGroups['PluggableAuth'] = '/var/log/mediawiki/PluggableAuth.log';

$wgDebugLogGroups['LDAP'] = '/var/log/mediawiki/LDAPGen.log';

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = '/var/log/mediawiki/LDAPProviderClient.log';

$wgDebugLogGroups['LDAPGroups'] = '/var/log/mediawiki/LDAPGroups.log';

$wgDebugLogGroups['LDAPUserInfo'] ='/var/log/mediawiki/LDAPUserInfo.log';

$wgDebugLogGroups['LDAPAuthorization'] = '/var/log/mediawiki/LDAP.log';

$wgDebugLogGroups['LDAPAuthentication2'] = '/var/log/mediawiki/LDAPAuthentication2.log';

$LDAPProviderCacheType = CACHE_NONE;

$LDAPAuthorizationAutoAuthRemoteUserStringParserRegistry = "username@XXXX.net";

$wgShowExceptionDetails = true;

$wgShowDBErrorBacktrace = true;

##SQL Error ###

$wgDebugDumpSql = true;

#LDAP binding

$LDAPProviderDomainConfigProvider = function() {

$config = [

"XXX.net" => [

"connection" => [

"server" => "XXX.net",

"user" => "ctorres@XXXX.net",

"pass" => "XXXX",

"options" => [

"LDAP_OPT_DEREF" => 1

],

"basedn" => "dc=XXXX,dc=net",

"groupbasedn" => "dc=XXXX,dc=net",

"userbasedn" => "dc=XXXX,dc=net",

"searchattribute" => "samaccountname",

"searchstring" => "USER-NAME@XXXX.net",

"usernameattribute" => "samaccountname",

"realnameattribute" => "cn",

"emailattribute" => "mail"

]

];

return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

heres my ldap.json

{

"XXXX": {

"connection": {

"server": "dc.XXXX.net",

"port": "389",

"user": "ctorres@XXXX.net",

"pass": "XXX",

"enctype": "ssl",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "ou=XXXX Argentina,dc=XXXX,dc=net",

"userbasedn": "ou=XXXX Argentina,dc=XXXX,dc=net",

"groupbasedn": "ou=XXXX Argentina,dc=XXXX,dc=net",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

},

"userinfo": [],

"authorization": [],

#"groupsync": {

#"mapping": {

# "marketing": "CN=EngineeringCoreTeam,OU=XXXX.net,DC=XXXX,DC=local",

# "Comercial": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

# "logistica": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

# "sistemas": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local"

}

Reply 21:13, 29 March 2022 2 years ago

Osnard (talkcontribs)

This config looks like it has may redundancies. You only need either ldap.json or $LDAPProviderDomainConfigProvider. Not both.

Also it looks like you enable several extensions multiple times.

Could you please enable the debug log and share its contents?

Reply 08:32, 30 March 2022 2 years ago

Ctorrestesam (talkcontribs)

Hey Osnard, yeap sorry for that i'm a first timer with php/linux/mediawiki so i'm trying my best hahaha.

Yeap, i corrected and i'm only calling ldap.json and when i run the test CheckLogin.php-ShowUserInfo.php-ShowUserGroups.php and all is OK.

And for the logs, i only receive two logs-

First log is LDAPGen.log

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'ctorres@XXXX.net', $bindPassword = 'XXXX' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'ctorres@XXXX.net', $bindPassword = 'XXXX' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns false

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: ldap_error( $linkID );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns Invalid credentials

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: ldap_errno( $linkID );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns 49

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns false

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_error( $linkID );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns Invalid credentials

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_errno( $linkID );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns 49

XXXX@mediawiki-prod-std:/var/log/mediawiki$

and the second log is LDAPProvider.log

XXXX@mediawiki-prod-std:/var/log/mediawiki$ cat LDAPProviderClient.log

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'ctorres@XXXX.net'

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'ctorres@XXXX.net'

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_DEREF to 1

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_DEREF to 1

XXXX@mediawiki-prod-std:/var/log/mediawiki$

Reply 14:04, 30 March 2022 2 years ago

Osnard (talkcontribs)

The value in "connection/user" should be a valid user DN rather than a <user>@<domain>. Also you may want to try to remove the "connection/searchstring" entry.

Reply 14:35, 30 March 2022 2 years ago

Ctorrestesam (talkcontribs)

Now the output i get on the page is:

[70d4cfa798867676a180850d] /index.php/Especial:PluggableAuthLogin MWException: Could not bind to LDAP: (49) Invalid credentials

Backtrace:

from /var/www/docs.XXXX.net/extensions/LDAPProvider/src/Client.php(195)

#0 /var/www/docs.XXXX.net/extensions/LDAPProvider/src/Client.php(118): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/docs.XXXX.net/extensions/LDAPProvider/src/Client.php(355): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/docs.XXXX.net/extensions/LDAPAuthentication2/src/PluggableAuth.php(184): MediaWiki\Extension\LDAPProvider\Client->canBindAs()

#3 /var/www/docs.XXXX.net/extensions/LDAPAuthentication2/src/PluggableAuth.php(55): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin()

#4 /var/www/docs.XXXX.net/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()

#5 /var/www/docs.XXXX.net/includes/specialpage/SpecialPage.php(646): PluggableAuthLogin->execute()

#6 /var/www/docs.XXXX.net/includes/specialpage/SpecialPageFactory.php(1386): SpecialPage->run()

#7 /var/www/docs.XXXX.net/includes/MediaWiki.php(309): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#8 /var/www/docs.XXXX.net/includes/MediaWiki.php(913): MediaWiki->performRequest()

#9 /var/www/docs.XXXX.net/includes/MediaWiki.php(546): MediaWiki->main()

#10 /var/www/docs.XXXX.net/index.php(53): MediaWiki->run()

#11 /var/www/docs.XXXX.net/index.php(46): wfIndexMain()

#12 {main}

fixed on ldap.json

{

"XXXX.net": {

"connection": {

"server": "dc.XXXX.net",

// "port": "389",

"user": "cn=torres,dc=XXXX,dc=net",

"pass": "C8rlos21",

// "enctype": "ssl",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=XXXX,dc=net",

"userbasedn": "dc=XXXX,dc=net",

"groupbasedn": "dc=XXXX,dc=net",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

},

"userinfo": [],

"authorization": [],

#"groupsync": {

#"mapping": {

# "marketing": "CN=EngineeringCoreTeam,OU=XXXX.net,DC=XXXX,DC=local",

# "Comercial": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

# "logistica": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

# "sistemas": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local"

}

the logs pretty much remain the same

LDAPProviderClient.log =