Extension talk:Auth remoteuser


Previous discussion was archived at Extension talk:Auth remoteuser/Archive on 16 June 2020.

188.28.224.232 (talkcontribs)

I currently have to manually edit the user groups when someone is given a certain status on our wiki via auth (from the database, the wiki gets the username and user "roles").

Depending on a user's "roles", I'd like it so I can give a certain group based on it, e.g. if a user has the "admin" role in the database, it gives an "admin" group in the wiki.

Opoplawski (talkcontribs)

I would like to be able to do this as well, perhaps just based on email address.

Reply to "Manage user groups"

Automatic login not working in MW 1.39.4

Testergt1302 (talkcontribs)

Hi,

I am looking for a configuration, which can be used to auto-login into wiki with LDAP.

I have a working config of the Ldapauthentication2 extension. But it will log in only if I provide username & password.

I want to have auto-login enabled in the wiki. Is it possible through Auth_remoteuser?

I tried to enable Auth_remoteuser, then I get the below error in the ldapauthorization log.

##

wiki139test: MediaWiki\Extension\LDAPAuthorization\Hook\AuthRemoteuserFilterUserName: Check authorization for user 'tester'.

wiki139test: Could not check login requirements for tester

wiki139test: Unsupported format!

##

Apart from this, no other logs were found. Are there any other settings that need to be added to my config?


Software Versions:

MediaWiki 1.39.4

PHP 8.0.25 (apache2handler)

MySQL 8.0.26

PluggableAuth 7.0.0 (1cbf448) 05:33, 29 August 2023

LDAPAuthentication2 2.0.2 (b83f5d1) 07:23, 4 September 2023

LDAPAuthorization 2.0.1 (fbb1c3b) 07:23, 4 September 2023

LDAPProvider 2.0.1 (cc5cb2c) 14:06, 19 September 2023

Auth_remoteuser 2.1.1 (b9c4b86) 05:44, 1 August 2023

Reply to "Automatic login not working in MW 1.39.4"

Compatibility with API.php

NickAU83 (talkcontribs)

This extension works perfectly and does exactly what I need it to do. However, I also have a need to use the API to get a token and log in remotely to provide an interface between our central management console and the wiki to create/enable/disable user accounts. I have created a bot account for doing this; however, when I get to the API login, the response I get is: "Cannot log in when using MediaWiki\Extension\Auth_remoteuser\AuthRemoteuserSessionProvider sessions." Is there a way to still use API bot access whilst using this extension? My other avenue is to try and use ODBC and directly do account management in the database, which I wanted to avoid.

NickAU83 (talkcontribs)

I was able to get this working using a read-only database account to directly query the user table to check if a user exists and then the createAndPromote.php and blockUsers.php maintenance scripts to build an interface function that integrates into our CMC which has the desired effects.

Reply to "Compatibility with API.php"

Auto Login via RemoteuserUserName not working

107.185.133.87 (talkcontribs)

I'm using Google to authenticate users and setting

$wgAuthRemoteuserUserName

appropriately. However, the user is not automatically logged in and an account is not created.

I tracked it down to an issue in includes/session/SessionManager.php where it loads a blank session instead of one based on the request.

In the getSessionById() function, I replace the call

$session = $this->getEmptySessionInternal( $request, $id );

with

$session = self::singleton()->getSessionForRequest( $request );

and everything works beautifully.

Can someone with better knowledge of MediaWiki than me take a look and see if this should be filed as a bug against MediaWiki? or is it an improper solve, and I should be looking to adjust Auth_remoteuser in some way?

I'm using MediaWiki 1.38.4 and Auth_remoteuser REL1_38.


Thanks in advance

Reply to "Auto Login via RemoteuserUserName not working"

New version release that is compatible to MediaWiki 1.39

Osnard (talkcontribs)

The latest "released" version 2.1.1 is not yet compatible to MediaWiki 1.39. One needs either to use REL1_39 or master branch. Using master may be dangerous with future updates.

Unfortunately the extension description does not state an official "Compatibility policy".

Could the maintainer of this extension maybe update the "Compatibility policy" and/or release a version 3.0.0 that is compatible to MediaWiki 1.39?

Thanks in advance!

Reply to "New version release that is compatible to MediaWiki 1.39"
206.108.31.36 (talkcontribs)

Looks like the new MediaWiki is throwing a warning in the PHP error log on every page load:


PHP Deprecated:  Use of PersonalUrls hook (used in hook-PersonalUrls-closure) was deprecated in MediaWiki 1.39. [Called from MediaWiki\HookContainer\HookContainer::run in C:\inetpub\wwwroot\wiki\includes\HookContainer\HookContainer.php at line 137] in C:\inetpub\wwwroot\wiki\includes\debug\MWDebug.php on line 381

Ciencia Al Poder (talkcontribs)

You should disable PHP deprecation notices on production websites. Otherwise, this may need to be a bug report.

Huwmanbeing (talkcontribs)

Hmm, I'm getting this exact warning too, but not a problem once I turned off the notices.

204.126.253.10 (talkcontribs)

MW 1.39: Continuous Deprecation notices on Auth_remoteuser.

When the Auth_remoteuser extension is active, the following deprecation notices will appear:


Deprecated: Use of PersonalUrls hook was deprecated in MediaWiki 1.39. [Called from Hooks::register in /var/www/html/includes/Hooks.php at line 55] in /var/www/html/includes/debug/MWDebug.php on line 381

Deprecated: Hook PersonalUrls was deprecated in MediaWiki 1.39 but is registered in /var/www/html/extensions/PluggableAuth/extension.json in /var/www/html/includes/debug/MWDebug.php on line 381

Deprecated: Use of PersonalUrls hook (used in hook-PersonalUrls-closure) was deprecated in MediaWiki 1.39. [Called from MediaWiki\HookContainer\HookContainer::run in /var/www/html/includes/HookContainer/HookContainer.php at line 137] in /var/www/html/includes/debug/MWDebug.php on line 381


This is regardless of debugging statements specified in LocalSettings. All extensions are at the 1.39 release. Auth_remoteuser, LDAPAuthentication2, LDAPGroups, LDAPUserInfo, PluggableAuth.

Grandeescanciano (talkcontribs)

I have the same problem, any solution provided?

Also, somehow Auth_remoteuser is always trying to create a new user even though the user provided by $_SERVER[REMOTE_USER] exists.

91.192.31.192 (talkcontribs)

MediaWiki User

I have the same problem in version 1.38.4. Is there any new solution for this problem?

Ciencia Al Poder (talkcontribs)

Read comment #1

Reply to "constant warnings"

MWException CAS update failed on user_touched

193.54.50.250 (talkcontribs)

Hello,

After migrating to MediaWiki 1.38.0 and upgrading the extension too, I run into this message:

MWException: CAS update failed on user_touched. The version of the user to be saved is older than the current version.


Backtrace: from ../includes/user/User.php(2813)

 #0 ../includes/libs/rdbms/database/Database.php(4428): User->{closure}()
 #1 ../includes/libs/rdbms/database/DBConnRef.php(69): Wikimedia\Rdbms\Database->doAtomicSection()
 #2 ../includes/libs/rdbms/database/DBConnRef.php(645): Wikimedia\Rdbms\DBConnRef->__call()
 #3 ../includes/user/User.php(2825): Wikimedia\Rdbms\DBConnRef->doAtomicSection()
 #4 ../extensions/Auth_remoteuser/src/UserNameSessionProvider.php(846): User->saveSettings()
 #5 ../extensions/Auth_remoteuser/src/UserNameSessionProvider.php(630): MediaWiki\Extension\Auth_remoteuser\UserNameSessionProvider->setUserPrefs()
 #6 ../includes/session/SessionManager.php(843): MediaWiki\Extension\Auth_remoteuser\UserNameSessionProvider->refreshSessionInfo()
 #7 ../includes/session/SessionManager.php(544): MediaWiki\Session\SessionManager->loadSessionInfoFromStore()
 #8 ../includes/session/SessionManager.php(247): MediaWiki\Session\SessionManager->getSessionInfoForRequest()
 #9 ../includes/WebRequest.php(837): MediaWiki\Session\SessionManager->getSessionForRequest()
 #10 ../includes/session/SessionManager.php(168): WebRequest->getSession()
 #11 ../includes/Setup.php(861): MediaWiki\Session\SessionManager::getGlobalSession()
 #12 ../includes/WebStart.php(93): require_once(string)
 #13 ../index.php(44): require(string)


Any idea ?


Thanks

Ciencia Al Poder (talkcontribs)

You may look at the user_touched field of the user table for that particular user, if it contains a "sane" value. It should be a number-like, "YYYYMMDDHHmmss" (year month day hour minute second), in the past, not null nor empty

For example: 20000101000000

2A01:E0A:29:9430:DB7:33C3:D4BF:80C1 (talkcontribs)

Thanks for your answer, the value stored is 20220603142256 that seems good to me.

I managed to get the extension working again (my configuration below):

 // Load extension
 wfLoadExtension( 'Auth_remoteuser' );
 
 // If account creation by anonymous users is forbidden, then allow
 // it to be created automatically.
 $wgGroupPermissions['*']['createaccount'] = false;
 $wgGroupPermissions['*']['autocreateaccount'] = true;
 
 // Remote source for user name
 $wgAuthRemoteuserUserName = $login;
 
 // Apply once on user creation
 $wgAuthRemoteuserUserPrefs = [
   'realname'    => $name,
   'language'    => 'fr',
   'email'       => $email
 ];
 
 // Apply on each request
 $wgAuthRemoteuserUserPrefsForced = [
   'realname'    => $undefined,
   'email'       => $undefined
 
 ];

In $wgAuthRemoteuserUserPrefsForced I used $undefined, which is an undefined var. If I put anything that exists (such as a real var, a string or an empty string) I trigger the error. The only way to make it work is to provide a variable that doesn't exist ... but it works as expected in the user profile ...

Martin schilliger (talkcontribs)

Yeah it works if I stop using `$wgAuthRemoteuserUserPrefsForced`, but that's not really a solution because I need to use it. It also only happens with one user, and the user table looks totally ordinary.

Any idea what triggers the warning and how to avoid it?

Martin schilliger (talkcontribs)

I found out that it only happens if `$wgAuthRemoteuserUserPrefsForced` contains something different than the database, e.g. if it has to change something. Running in PHP 7.4 right now, maybe this is the reason? Would be surprised if yes…

Martin schilliger (talkcontribs)

OMG! I believe I've found the solution! After allowing sysop to change userrights it works:

`$wgGroupPermissions['sysop']['userrights'] = true;`

I don't really understand why it doesn't have this right the first place, but…

That solved another problem I had, but not the one we face here. No idea what's happening. I will try to find another solution for updating the user realname and email in the Wiki DB though. :-/

Ciencia Al Poder (talkcontribs)

There's a "bureaucrat" user group that has the userrights right by default. sysops usually can do administrative tasks but not change other users' groups, unless you choose to give them that right.

Martin schilliger (talkcontribs)

I ended up commenting out in includes/user/User.php the lines 2600-2602 and now everything works like a charm:

 throw new MWException( "CAS update failed on user_touched. " .
     "The version of the user to be saved is older than the current version."
 );

I don't really understand why, but $dbw->affectedRows() returns 0 even though the changes get written to the database this way. It sounds silly to remove the error throwing, but this way the extension works as intended.

Reply to "MWException CAS update failed on user_touched"

How To for Authenticating Against Users In MySQL DB

Z929669 (talkcontribs)

For the past 11 years, our wiki has authorized access to users in the DB of my forum software. This has worked over at least two LTS MW versions using two different flavors of authentication extensions. However, in my attempt to upgrade my wiki to current 1.39.1 LTS, I've discovered that my working extension, Extension:IPBAuthLogin relies on a deprecated method, getCanonicalName(). It's a really simple extension that works very nicely for our needs. Closed wiki with access only to forum members by matching normalized user names supplied by the forum DB. Wiki user management is super simple.

So if I am unable to sort that out, I think Auth remoteuser will work if I can get some direction on how to configure for this use case ... which seems a lot simpler than the other methods where more configuration instruction is provided. I posted more detailed information about that problem on the help desk to see if I can get any general advice.

But this extension should be my ace-in-the-hole if someone would be so kind as to give me some nudges.

Thank you!

Reply to "How To for Authenticating Against Users In MySQL DB"

LDAP AutoLogon with Windows user (but get logged in as "daemon")

Alenkei (talkcontribs)

I am running MediaWiki 1.38.2 on Debian 5.10.120-1:

MediaWiki 1.38.2

PHP 7.4.30 (fpm-fcgi)

MariaDB 10.6.8-MariaDB

ICU 67.1


With the following extensions:


VisualEditor        0.1.2

CategoryTree        –

ParserFunctions  1.6.0

TreeAndMenu        4.2.5, 2021-10-31

Auth_remoteuser     2.1.1 (7155b49)

CollapsibleVector    0.1.11

LDAPAuthentication 2 1.0.3

LDAPProvider        1.0.5

PluggableAuth        5.7


After much trial-and-error I got LDAP Authentication to work.

Now I would like to get auto-login to work.


My apache runs as "daemon".

When I turn on Auth_remoteuser with:

wfLoadExtension( 'Auth_remoteuser' );

$wgAuthRemoteuserUserName =  getenv( 'USER' );


I do get automatically logged on but the user is "daemon" which is the user Apache is running I am guessing (which is a bit weird in and of itself because "daemon" is not present in LDAP...)


How can I tell it to use the requester's windows user?


Best regards,

Andrei

Ciencia Al Poder (talkcontribs)

getenv( 'USER' ) is the user running the webserver.

Look at the details of $wgAuthRemoteuserUserName for configuration examples.

Note that your Apache should be configured to authenticate against Windows, and this probably requires installing an NTLM Apache module and a working Samba client configured on the system. Once that works (for example, requiring a valid user and displaying an error page if the user is not valid/provided/detected) you should know in which server variable that user is stored, and use it to set $wgAuthRemoteuserUserName.

This post was hidden by ~aanzx (history)
Reply to "LDAP AutoLogon with Windows user (but get logged in as "daemon")"
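
The difference between the setting in the question and the one the reply points to, as an added example that is not part of the thread or the extension's own documentation. It assumes the web server has already authenticated the request and exports the name as REMOTE_USER (or REDIRECT_REMOTE_USER) in `DOMAIN\user` or `user@REALM` form; the closure body and the domain stripping are illustrative choices.

```php
<?php
// LocalSettings.php fragment. Added example, not from the thread.

wfLoadExtension( 'Auth_remoteuser' );

// Weak setting from the question: getenv( 'USER' ) is the OS account the web
// server process runs as, so every visitor becomes the same wiki user.
// $wgAuthRemoteuserUserName = getenv( 'USER' );

// Corrected: use the identity the web server authenticated for THIS request.
$wgAuthRemoteuserUserName = static function () {
	// Assumption: the auth module sets REMOTE_USER; after an internal
	// redirect Apache exposes it as REDIRECT_REMOTE_USER.
	$raw = '';
	foreach ( [ 'REMOTE_USER', 'REDIRECT_REMOTE_USER' ] as $key ) {
		if ( isset( $_SERVER[$key] ) && is_string( $_SERVER[$key] )
			&& $_SERVER[$key] !== '' ) {
			$raw = $_SERVER[$key];
			break;
		}
	}
	if ( $raw === '' ) {
		// Nothing authenticated: return an empty name instead of a fallback
		// account (assumption: the extension treats this as "no remote user").
		return '';
	}
	// Assumption: names arrive as DOMAIN\user (NTLM) or user@REALM (Kerberos).
	// Stripping the qualifier is only safe with a single trusted domain;
	// with several, keep it so same-named accounts cannot collide.
	$pos = strrpos( $raw, '\\' );
	if ( $pos !== false ) {
		$raw = substr( $raw, $pos + 1 );
	}
	$at = strpos( $raw, '@' );
	if ( $at !== false ) {
		$raw = substr( $raw, 0, $at );
	}
	return $raw;
};

// Let the extension create the wiki account on first sight while keeping
// self-registration by anonymous visitors switched off.
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
```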

User Name Filter deleting correctly formatted input

Nlazarow (talkcontribs)

Auth_remoteuser extension is deleting properly formatted usernames when executing the "UserNameSessionProviderFilterUserName" hook even when the $wgAuthRemoteuserUserNameReplaceFilter setting is null.

How can I bypass the hook execution if I have already determined the username format entry is correct?


Currently using MW 1.31

Reply to "User Name Filter deleting correctly formatted input"