Hello, hoping someone can shine a light for me. The site said don't take this job on as a newb and I of course totally ignored that suggestion.
I have MediaWiki 1.41.0, PHP 8.3.3 on Windows Server 2016 (I know, it's old), with IIS 10.
I have extensions:
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPGroups');
wfLoadExtension( 'LDAPUserInfo');
wfLoadExtension( 'PluggableAuth' );
When using good accounts to authenticate, I'm getting `Could not authenticate credentials against domain "LDAP"`.
See below. Do I have too much configured? Not enough? Any suggestion at all would be cool. Thanks to any who respond.
***LOCALSETTINGS BELOW:***
```php
# Safe IP or not (for bypassing external login via AD)
$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range
$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {
        $wikiRequestIP = $_SERVER[$ipsVar];
        break;
    }
}
$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON
$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";
$ldapConfig = false;
if (is_file($ldapJsonFile)) {
    $testJson = @json_decode(file_get_contents($ldapJsonFile), true);
    if (is_array($testJson)) {
        $LDAPProviderDomainConfigs = $testJson;
        $ldapConfig = true;
    } else {
        error_log("Found invalid JSON in file: $ldapJsonFile");
    }
}

# Activate extensions
if ($ldapConfig) {
    wfLoadExtension( 'LDAPProvider' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPAuthorization' );
    wfLoadExtension( 'LDAPGroups');
    wfLoadExtension( 'LDAPUserInfo');
    wfLoadExtension( 'PluggableAuth' );

    $LDAPProviderDomainConfigs = $ldapJsonFile;
    $LDAPProviderPreSearchUsernameModifierRegistry = [
        'lowercase' => function () {
            return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();
        }
    ];
    $wgLDAPProvider['CacheType'] = 'CACHE_NONE';
    $wgLDAPProvider['CacheTime'] = 3600;

    # LDAPAuthentication2 configuration
    $LDAPAuthentication2AllowLocalLogin = true;
    $LDAPAuthentication2UsernameNormalizer = 'lowercase';
    $wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName';

    # Configure PluggableAuth settings
    $wgPluggableAuth_EnableAutoLogin = false;
    $wgPluggableAuth_EnableLocalLogin = false;
    $wgPluggableAuth_EnableLocalProperties = false;
    $wgPluggableAuth_EnableFastLogout = true;
    $wgPluggableAuth_Config = [
        "RAA Wiki Login" => [
            'plugin' => 'LDAPAuthentication2',
            'data' => ['domain' => 'LDAP']
        ]
    ];

    $LDAPGroupsSyncMechanismRegistry = [
        'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'
    ];
}
```
***LDAPPROVIDER.JSON BELOW***
```json
{
    "LDAP": {
        "connection": {
            "server": "ldap-server",
            "port": 389,
            "enctype": "clear",
            "user": "cn=mediawiki,ou=service accounts,dc=acme,dc=org",
            "pass": "pass",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=acme,dc=org",
            "userbasedn": "ou=users,dc=acme,dc=org",
            "groupbasedn": "ou=groups,dc=acme,dc=org",
            "usersearch": "samaccountname",
            "groupsearch": "$dn",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "lowercase" ],
            "searchstring": "(samaccountname=%{username})"
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": [
                        "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
                        "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
                    ]
                }
            }
        },
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "information_technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
                "human_resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
            }
        },
        "userinfo": {
            "realname": "samaccountname"
        }
    }
}
```
**********************************************
Help me, Obi-Wan Kenobi, you're my only hope.
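
The `$safeIPs` check from the LocalSettings.php above, beside a hardened form, as an added example that is not the poster's code. The function names are hypothetical, `10.0.0.0/8` is assumed to be the range the two endpoint addresses stand for, and IIS is assumed to receive client connections directly (no trusted reverse proxy), so only `REMOTE_ADDR` is consulted; `strlen` replaces `mb_strlen` so the script runs without mbstring.

```php
<?php
// Added example, not the poster's code; function names are hypothetical.
// The check from the post as a function: headers first, two literal strings.
function isSafeOriginal(array $server): bool {
    $safeIPs = ['10.0.0.0', '10.255.255.255'];
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR'] as $var) {
        if (isset($server[$var]) && strlen($server[$var]) > 3) {
            return in_array($server[$var], $safeIPs);
        }
    }
    return false;
}

// True when $ip lies inside $cidr (IPv4 or IPv6), compared on packed bytes.
function ipInCidr(string $ip, string $cidr): bool {
    $parts = explode('/', $cidr, 2);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($parts[0]);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address, or IPv4/IPv6 mismatch
    }
    $max = strlen($ipBin) * 8;
    $bits = $parts[1] ?? (string)$max;
    if (!preg_match('/^\d{1,3}\z/', $bits) || (int)$bits > $max) return false; // bad prefix
    $full = intdiv((int)$bits, 8); // whole bytes covered by the prefix
    $rem = (int)$bits % 8;         // leftover bits in the next byte
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) return false;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Hardened: only the socket peer address counts, tested against CIDR ranges.
function isSafeHardened(array $server, array $safeCidrs = ['10.0.0.0/8']): bool {
    foreach ($safeCidrs as $cidr) {
        if (ipInCidr($server['REMOTE_ADDR'] ?? '', $cidr)) return true;
    }
    return false;
}

// Constructed sample requests (not real traffic).
$samples = [
    'internal client'      => ['REMOTE_ADDR' => '10.20.30.40'],
    'forwarded header set' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '10.0.0.0'],
    'external client'      => ['REMOTE_ADDR' => '203.0.113.7'],
];
foreach ($samples as $label => $s) {
    printf("%-22s original=%d hardened=%d\n", $label, isSafeOriginal($s), isSafeHardened($s));
}
```

If the wiki does sit behind a reverse proxy, the forwarded header should be read only when `REMOTE_ADDR` is that proxy's own address.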