Topic on Project:Support desk

Various Error with LDAP modules

Summary last edited by Jl-mws 15:04, 9 August 2022 1 year ago

Mostly weird invalid syntax you should guess on your own.

The LDAP stack should be more tolerant of syntax, because it will generate a lot of avoidable bugs.

Jl-mws (talkcontribs)

Trial and error

When I try to authenticate as:

  • an LDAP user, I get this error: [ec6935bb5d6a9b7d0d944cdd] 2022-08-05 13:21:20: Erreur fatale de type « MWException »
  • a local user, I get this error: Could not authenticate

All the /LDAPProvider/maintenance/ scripts work fine, i.e.: CheckConnection.php CheckLogin.php ConvertLdapAuthenticationConfig.php ShowUserGroups.php ShowUserInfo.php

Versions

MediaWiki 1.35.4
PHP 7.4.30 (apache2handler)
MariaDB 10.5.15-MariaDB-0+deb11u1
ICU 67.1

LDAPAuthentication 2 1.0.3 (6bc5848) 22 July 2022 at 10:15
LDAPAuthorization 1.1.0 (a0d1a5b) 4 July 2022 at 07:18
LDAPProvider 1.0.5 (80f8cc8) 22 July 2022 at 11:29
PluggableAuth 5.7 (a932c78) 23 May 2022 at 21:17

Configs

  • ldapprovider-aaa.json
{
        "example.com": {
                "connection": {
                        "server": "ad.example.com",
                        "port": "636",
                        "enctype": "ssl",
                        "user": "cn=ldap-connect,cn=Users,dc=example,dc=com",
                        "pass": "********",
                        "options": {
                                "LDAP_OPT_DEREF": 1
                        },
                        "basedn": "cn=Users,dc=example,dc=com",
                        "groupbasedn": "cn=Users,dc=example,dc=com",
                        "userbasedn": "cn=Users,dc=example,dc=com",
                        "searchattribute": "sAMAccountName",
                        "searchstring": "cn=USER-NAME,cn=Users,dc=example,dc=com",
                        "usernameattribute": "sAMAccountName",
                        "realnameattribute": "displayName",
                        "emailattribute": "mail",
                        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
                },
                "authorization": {
                        "rules": {
                                "groups": {
                                        "required": [ "CN=wikiaaa,CN=Users,dc=example,dc=com" ]
                                }
                        }
                }
        }
}
  • LocalSettings.php
<?php
if ( !defined( 'MEDIAWIKI' ) ) {
        exit;
}
$wgSitename      = "Wiki aaa";
$wgScriptPath       = "";
$wgScriptExtension  = ".php";
$wgServer           = "https://wikiaaa.example.com";
$wgStylePath        = "$wgScriptPath/skins";
$wgLogo             = "$wgStylePath/common/images/logo_aaa.png";
$wgGroupPermissions['*']['createaccount']   = false;
$wgGroupPermissions['user']['createaccount']   = true;
$wgGroupPermissions['wikiaaa']['createaccount']   = true;
$wgGroupPermissions['*']['read']            = false;
$wgGroupPermissions['*']['edit']            = false;
$wgGroupPermissions['sysop']['edit']            = true;
$wgGroupPermissions['user']['edit']            = true;
$wgGroupPermissions['aaa']['edit']            = true;
$wgEnableEmail      = false;
$wgEnableUserEmail  = true; # UPO
$wgEmergencyContact = "apache@wikiaaa.example.com";
$wgPasswordSender   = "apache@wikiaaa.example.com";
$wgEnotifUserTalk      = false; # UPO
$wgEnotifWatchlist     = false; # UPO
$wgEmailAuthentication = true;
$wgDBtype           = "mysql";
$wgDBserver         = "localhost";
$wgDBname           = "wikiaaa";
$wgDBuser           = "userwikiaaa";
$wgDBpassword       = "**********";
$wgDBprefix         = "";
$wgDBTableOptions   = "ENGINE=InnoDB, DEFAULT CHARSET=utf8";
$wgDBmysql5 = false;
$wgMainCacheType    = CACHE_NONE;
$wgMemCachedServers = array();
$wgEnableUploads  = true;
$wgUseImageMagick = true;
$wgImageMagickConvertCommand = "/usr/bin/convert";
$wgFileExtensions = array('png', 'gif', 'jpg', 'jpeg', 'pdf', 'dmg', 'ppd', 'zip', 'doc', 'docx');
$wgUseInstantCommons  = false;
$wgShellLocale = "fr_FR.utf8";
$wgLanguageCode = "fr";
$wgSecretKey = "6gyo8sj9a2d20vsdh7t51r080s0kqk5tdlx08zxolbxrtui8e7frd0hkxv7xoki825n756";
$wgUpgradeKey = "jbkvvpd7nr";
$wgDefaultSkin = "vector";
wfLoadSkin( 'Vector' );
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl  = "";
$wgRightsText = "";
$wgRightsIcon = "";
$wgDiff3 = "/usr/bin/diff3";
if (is_file("/etc/mediawiki-extensions/extensions.php")) {
        include("/etc/mediawiki-extensions/extensions.php");
}
$wgResourceLoaderMaxQueryLength = -1;
wfLoadExtension( 'SyntaxHighlight_GeSHi' );
wfLoadExtension( 'AccessControl' );
wfLoadExtension( 'Math' );
wfLoadExtension( 'WikiEditor' );
wfLoadExtension( 'LabeledSectionTransclusion' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
$LDAPAuthentication2AllowLocalLogin = true;
$LDAPAuthentication2UsernameNormalizer = true;
$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider-aaa.json";
$wgDebugLogGroups['PluggableAuth'] = "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgDebugLogGroups['LDAPAuthentication2'] =  "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgDebugLogGroups['LDAPAuthorization'] = "/var/log/mediawiki/debug-{$wgDBname}.log";
$wgDebugLogGroups['LDAPProvider'] = "/var/log/mediawiki/debug-{$wgDBname}.log";
wfLoadExtension( 'Cite' );
wfLoadExtension( 'Mpdf' );
$wgMpdfTab = true;
$wgMpdfToolboxLink = true;

Logs

# Local user

2022-08-05 13:43:13 wikiaaa.example.com wikiaaa: In execute()
2022-08-05 13:43:13 wikiaaa.example.com wikiaaa: Getting PluggableAuth singleton
2022-08-05 13:43:13 wikiaaa.example.com wikiaaa: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2022-08-05 13:43:13 wikiaaa.example.com wikiaaa: Authentication failure.
2022-08-05 13:43:13 wikiaaa.example.com wikiaaa: ERROR: Could not authenticate

# LDAP user
2022-08-05 13:45:34 wikiaaa.example.com wikiaaa: In execute()
2022-08-05 13:45:34 wikiaaa.example.com wikiaaa: Getting PluggableAuth singleton
2022-08-05 13:45:34 wikiaaa.example.com wikiaaa: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2022-08-05 13:45:35 wikiaaa.example.com wikiaaa: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2022-08-05 13:45:35 wikiaaa.example.com wikiaaa: Setting LDAP_OPT_REFERRALS to 0
2022-08-05 13:45:35 wikiaaa.example.com wikiaaa: Setting LDAP_OPT_DEREF to 1
2022-08-05 13:45:35 wikiaaa.example.com wikiaaa: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'cn=user1,cn=Users,dc=example,dc=com'
2022-08-05 13:45:35 wikiaaa.example.com wikiaaa: Ran LDAP search for '(sAMAccountName=user1)' in 0,0016958713531494 seconds.
Bawolff (talkcontribs)

Please set $wgShowExceptionDetails = true;

Jl-mws (talkcontribs)

For an LDAP User, I got

[7dfc41e030b5d57f84ec0e88] /index.php/Sp%C3%A9cial:PluggableAuthLogin MWException from line 89 of /var/lib/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: The UsernameNormalizer for LDAPAuthentiation2 should be callable

Backtrace:

#0 /var/lib/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(60): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->normalizeUsername()
#1 /var/lib/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#2 /usr/share/mediawiki/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute()
#3 /usr/share/mediawiki/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run()
#4 /usr/share/mediawiki/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#5 /usr/share/mediawiki/includes/MediaWiki.php(945): MediaWiki->performRequest()
#6 /usr/share/mediawiki/includes/MediaWiki.php(548): MediaWiki->main()
#7 /usr/share/mediawiki/index.php(53): MediaWiki->run()
#8 /usr/share/mediawiki/index.php(46): wfIndexMain()
#9 {main}

It works, with errors, for a local account.

Malyacko (talkcontribs)

@Jl-mws If you still run MediaWiki 1.35.4 then you run an outdated insecure software version. Please update to a supported version for your own safety.

Jl-mws (talkcontribs)

Several points, for your information:

In ldapprovider.json:

  • the attributes require lowercase, despite their regular name, e.g. 'displayName'

so ldapprovider.json (extract) becomes:

                        "usernameattribute": "samaccountname",
                        "realnameattribute": "displayname",
                        "emailattribute": "mail",
                        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
                        "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

  • the require.group requires the "full DN name", i.e. "CN=wikiaaa,CN=Users,dc=example,dc=com", even if short names are shown and resolved by LDAPProvider/maintenance/ShowUserGroups.php

I was using the short name for configuration clarity; it doesn't work.
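The two pitfalls described in this post (attribute names must be lowercase, and group rules must be full DNs rather than short names) can be caught before the wiki is restarted. The script below is an added example written for this thread; it is not code from the LDAPProvider or LDAPAuthorization extensions, and it assumes only the JSON layout shown in the ldapprovider-aaa.json above (a `connection` block with `searchattribute`/`usernameattribute`/`realnameattribute`/`emailattribute` and `groupbasedn`, and `authorization.rules.groups` lists). The lowercase requirement is consistent with PHP's `ldap_get_entries()`, which returns attribute names lowercased, so a mixed-case name such as `displayName` never matches the returned entry. The sample config embedded in the script is constructed, with both mistakes present; the DN expansion in `fix_domain_config` assumes the group sits directly under `groupbasedn`, which is an assumption to verify against ShowUserGroups.php output.

```python
"""Lint an LDAPProvider domain config for two pitfalls: mixed-case attribute names
and short group names where a full DN is required (added example, not extension code)."""
import copy
import json

# Config keys under "connection" whose values are LDAP attribute names.
ATTRIBUTE_KEYS = ("searchattribute", "usernameattribute", "realnameattribute", "emailattribute")

# Constructed sample mirroring the thread's ldapprovider-aaa.json, with both
# pitfalls present: mixed-case attribute names and a short group name.
SAMPLE_CONFIG = json.loads(r'''
{
  "example.com": {
    "connection": {
      "server": "ad.example.com",
      "port": "636",
      "enctype": "ssl",
      "user": "cn=ldap-connect,cn=Users,dc=example,dc=com",
      "pass": "********",
      "basedn": "cn=Users,dc=example,dc=com",
      "groupbasedn": "cn=Users,dc=example,dc=com",
      "userbasedn": "cn=Users,dc=example,dc=com",
      "searchattribute": "sAMAccountName",
      "usernameattribute": "sAMAccountName",
      "realnameattribute": "displayName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": [ "wikiaaa" ]
        }
      }
    }
  }
}
''')


def is_full_dn(value):
    """True when every comma-separated component is an attr=value RDN (e.g. cn=wikiaaa)."""
    for component in value.split(","):
        attr, sep, val = component.strip().partition("=")
        if not sep or not attr.strip() or not val.strip():
            return False
    return True


def lint_domain_config(config):
    """Return human-readable findings; an empty list means both checks pass."""
    findings = []
    for domain, section in config.items():
        connection = section.get("connection", {})
        for key in ATTRIBUTE_KEYS:
            value = connection.get(key)
            if isinstance(value, str) and value != value.lower():
                findings.append(
                    f"{domain}: connection.{key} = {value!r} must be lowercase ({value.lower()!r})"
                )
        groups = section.get("authorization", {}).get("rules", {}).get("groups", {})
        for rule, entries in groups.items():
            for entry in entries if isinstance(entries, list) else []:
                if not is_full_dn(entry):
                    findings.append(
                        f"{domain}: authorization.rules.groups.{rule} entry {entry!r} is not a full DN"
                    )
    return findings


def fix_domain_config(config):
    """Return a corrected copy: attribute names lowercased and short group names
    expanded to CN=<name>,<groupbasedn>. The expansion is an assumption (the group
    may live elsewhere); confirm it against ShowUserGroups.php before deploying."""
    fixed = copy.deepcopy(config)
    for section in fixed.values():
        connection = section.get("connection", {})
        for key in ATTRIBUTE_KEYS:
            if isinstance(connection.get(key), str):
                connection[key] = connection[key].lower()
        base = connection.get("groupbasedn", "")
        groups = section.get("authorization", {}).get("rules", {}).get("groups", {})
        for rule, entries in groups.items():
            if isinstance(entries, list):
                groups[rule] = [e if is_full_dn(e) else f"CN={e},{base}" for e in entries]
    return fixed


if __name__ == "__main__":
    for finding in lint_domain_config(SAMPLE_CONFIG):
        print(finding)
    print(json.dumps(fix_domain_config(SAMPLE_CONFIG)["example.com"], indent=2))
```

Run against the thread's config it reports the three mixed-case attribute names plus the short group name, and the corrected copy passes cleanly. The other failure in this thread is separate from the JSON: the backtrace shows `$LDAPAuthentication2UsernameNormalizer = true;` raising "The UsernameNormalizer ... should be callable", so that setting has to be a PHP callable (for example the string `'strtolower'`) rather than a boolean.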