Topic on Extension talk:LDAP Authentication

LDAP Authentication (Active Directory)

74.218.59.41 (talkcontribs)

Hello everyone,

I feel like I am very close to getting LDAP working within MediaWiki, but may need a second set of eyes to see what I might be missing.

MediaWiki version 1.38.2 (Docker)
MySQL 8.0.30
PHP version 7.4.30

Using the latest versions available of:
LDAPAuthentication2
LDAPAuthorization
LDAPGroups
LDAPProvider
LDAPUserInfo
PluggableAuth

So far, it seems authentication is working with no issue. I can use the test scripts located at extensions/LDAPProvider/maintenance/:

CheckLogon.php returns OK
ShowUserGroups.php returns relevant information for any user I specify
ShowUserInfo.php returns relevant information for any user I specify


Where I think I am having issues is with groupsync. Despite being able to run the tests mentioned above successfully, attempting to log in with any account contained in the groupsync section of my ldap.json file returns "Incorrect username or password entered." It seems to me that the groups are not syncing. I have triple-checked my ldap.json config to ensure that my DNs are set correctly, but still have had no luck.


My ldap.json file:

{
        "domain.local": {
                "connection": {
                        "server": "10.10.0.2",
                        "user": "cn=ldap-services,ou=Zone0,ou=Zones,ou=Site,dc=creps,dc=local",
                        "pass": "password",
                        "options": {
                                "LDAP_OPT_DEREF": 1
                        },
                        "basedn": "dc=domain,dc=local",
                        "groupbasedn": "ou=Groups,ou=Site,dc=domain,dc=local",
                        "userbasedn": "ou=Zones,ou=Site,dc=domain,dc=local",
                        "searchattribute": "samaccountname",
                        "usernameattribute": "cn",
                        "realnameattribute": "cn",
                        "emailattribute": "mail",
                        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
                },
                "userinfo": {
                        "attributes-map": {
                                "email": "mail",
                                "realname": "cn",
                                "nickname": "uid",
                                "language": "preferredlanguage"
                        }
                },
                "authorization": [],
                "groupsync": {
                        "mapping": {
                                "Administrators": "cn=MediaWiki_Administrators,ou=Groups,ou=Site,dc=domain,dc=local"
                        }
                }
        }
}


LocalSettings.php contains the following for LDAP:

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
//wfLoadExtension( 'LDAPAuthorization' );
$LDAPProviderDomainConfigs = "/var/www/html/ldap.json";
$LDAPProviderDefaultDomain = "domain.local";
$LDAPAuthentication2AllowLocalLogin = true;
$wgPluggableAuth_ButtonLabel = "Log In";
$wgPluggableAuth_EnableLocalLogin = true;


I have also confirmed that the AD user I am attempting to log in with is a member of the MediaWiki_Administrators group I specified in the groupsync mapping section. Any idea what I could be missing?

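A quick sanity check of the kind worth running on any LDAPProvider domain config before debugging group sync, as an added example that is not part of the post above and not code from the LDAPProvider or LDAPGroups extensions: it parses every DN in the config the way Active Directory compares them (attribute types and values case-insensitively) and reports DNs that do not sit under the base they are expected to be searched from. Run against an abridged copy of the poster's ldap.json it reports exactly one mismatch, the bind user's `dc=creps,dc=local` suffix versus the `dc=domain,dc=local` basedn; whether that is a real discrepancy or an artefact of anonymising the post is something the page does not say, and the script only reports the containment facts. The function names and the decision to treat a bind account outside the basedn as "review" rather than "error" are this example's own assumptions.

```python
"""Containment checks for the DNs in an LDAPProvider ldap.json file.

Added example, not part of the talk-page post or the LDAPProvider extension.
"""
import json
import re

# Abridged copy of the poster's ldap.json (only the keys the checks read).
# "password", the server address and the DNs are the values as posted.
POSTED_LDAP_JSON = """
{
    "domain.local": {
        "connection": {
            "server": "10.10.0.2",
            "user": "cn=ldap-services,ou=Zone0,ou=Zones,ou=Site,dc=creps,dc=local",
            "pass": "password",
            "basedn": "dc=domain,dc=local",
            "groupbasedn": "ou=Groups,ou=Site,dc=domain,dc=local",
            "userbasedn": "ou=Zones,ou=Site,dc=domain,dc=local",
            "searchattribute": "samaccountname"
        },
        "groupsync": {
            "mapping": {
                "Administrators": "cn=MediaWiki_Administrators,ou=Groups,ou=Site,dc=domain,dc=local"
            }
        }
    }
}
"""

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn):
    """Return a DN as a list of (type, value) RDNs, most specific first.

    Both halves are lowercased because AD matches DNs case-insensitively;
    'OU=Groups' and 'ou=groups' name the same container.
    """
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_is_under(dn, base):
    """True when dn equals base or lies anywhere beneath it in the tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_domain(name, domain):
    """Return a list of human-readable findings for one configured domain."""
    findings = []
    conn = domain.get("connection", {})
    basedn = conn.get("basedn")
    if not basedn:
        return [f"{name}: connection.basedn is missing"]

    # The search bases must be inside basedn; the bind account usually is,
    # but a bind account in another naming context is legal, so flag it
    # for review instead of calling it an error (assumption of this example).
    for key, level in (("user", "review"), ("groupbasedn", "error"),
                       ("userbasedn", "error")):
        val = conn.get(key)
        if val and not dn_is_under(val, basedn):
            findings.append(
                f"{name} [{level}]: connection.{key} {val!r} "
                f"is not under basedn {basedn!r}")

    # Every groupsync target DN should be inside groupbasedn, otherwise
    # the group search base cannot return it.
    groupbase = conn.get("groupbasedn", basedn)
    mapping = domain.get("groupsync", {}).get("mapping", {})
    for wiki_group, ldap_dn in mapping.items():
        if not wiki_group:
            findings.append(f"{name} [error]: empty wiki group name in mapping")
        if not dn_is_under(ldap_dn, groupbase):
            findings.append(
                f"{name} [error]: mapping {wiki_group!r} -> {ldap_dn!r} "
                f"is not under groupbasedn {groupbase!r}")
    return findings


def check_config(config):
    """Run check_domain over every domain in a parsed ldap.json."""
    findings = []
    for name, domain in config.items():
        findings.extend(check_domain(name, domain))
    return findings


if __name__ == "__main__":
    for line in check_config(json.loads(POSTED_LDAP_JSON)):
        print(line)
```

Point the script at a real file with `json.load(open(path))` in place of the embedded string; a clean config produces no output, and the `[error]` lines are the ones to resolve before looking at the extension's own debug logging.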