Extension talk:ConfirmAccount/2020


Keyword blacklisting?

Does anyone know if there might be a way to blacklist account requests based on keyword? My installation has been getting tons of bot-generated requests, all with seemingly random email addresses but always using roughly the same content in the biography field. Being able to blacklist requests containing certain keywords would be a great help. Huwmanbeing (talk) 21:18, 21 January 2020 (UTC)

Mark multiple requests as "spam" at once on Special:ConfirmAccounts

This would be a good feature. I can see the Special:ConfirmAccounts page becoming cumbersome to operate otherwise. Is anything like this possible?

(There is a similar feature on Mailman 2 mailing lists, for example.)

Thanks. Jonathan3 (talk) 22:58, 18 February 2020 (UTC)

ConfirmAccount still incompatible with ConfirmEdit in MW 1.34

The ConfirmAccount page says: For MW 1.26, this extension is partially incompatible with the ConfirmEdit extension - it only works for logged on users (obviously, this is not necessary), but for anonymous users it displays an empty screen, but works fine when ConfirmEdit is not used.

This is actually also the case with MW 1.34. None of the remedies described in "ConfirmAccount doesn't work with MW 1.33 and 1.34 [Solved]" worked. EFFemeer (talk) 19:35, 6 April 2020 (UTC)

Please disregard the note about MW 1.26. I remember that indeed there was an issue with that version; however, nobody should use that version. Thus I just removed that note.
From experience I know that MW 1.27.x and MW 1.31.x do work without problems with this extension.
When it comes to MW 1.34.x it seems that only "SimpleCaptcha" does not play with it. [[kgh]] (talk) 15:40, 8 April 2020 (UTC)

[SOLVED] Request account button not showing up on main page for 1.34 -- working for 1.33

I must have done something idiotic but somehow I can't make the "request account" appear for potential new users. The MediaWiki (1.34) setup is private. The extension is also 1.34 compatible. Permissions are set up as:

$wgGroupPermissions['*']['read'] = false;

with

$wgWhitelistRead = array(
  "Special:Request account",
  "Spécial:Demander un compte"
);

What is missing?

Many thanks. Paulette00 (talk) 12:36, 25 June 2020 (UTC)

Hello, please read [[Extension talk:ConfirmAccount/2019#h-ConfirmAccount_doesn't_work_with_MW_1.33_and_1.34_[Solved]-2019-12-27T10:20:00.000Z|this post]] of mine. I think it could help. Spas.Z.Spasov (talk) 12:53, 25 June 2020 (UTC)
Ok thanks, I've seen it, and I don't have errors (when for example using mediawiki:loginprompt to make the request account page appear).
Nevertheless, I'll have a go at what you suggest, and report here. Paulette00 (talk) 13:55, 25 June 2020 (UTC)
Hello, I did do as you suggested by adding/rewriting the hook to display the RequestAccount button. I did not touch the ConfirmEdit bit: there are no errors showing up in the logs.
But the whole lot didn't work.
However: this feature worked with the MW version 1.33. I did not check when upgrading to 1.34 if the feature was still alive. So, to make sure, I replaced the ConfirmAccount directory from 1.34 by the one from 1.33. And ... it did work. So I don't really know what's happening here: a quick diff on both directories didn't enlighten me.
Conclusion: I stay with ConfirmAccount 1.33 until I have better ideas... Paulette00 (talk) 11:50, 26 June 2020 (UTC)
Here we go, I found my answer (got it of course from comparing 1.34 with 1.33):
in frontend/ConfirmAccountUI.hooks.php, line 32:
replace
if ( isset( $personal_urls['login'] ) ) {
with
if ( isset( $personal_urls['login'] )
        || isset( $personal_urls['login-private'] ) ) {
... which shows that the problem originated from my wiki being private!

Paulette00 (talk) 12:29, 26 June 2020 (UTC)
Strange how this bug has yet to be fixed in REL1_35. This makes ConfirmAccount essentially useless for private wikis. Being private doesn't mean the button shouldn't appear. Jeffrey Wang 06:46, 19 April 2021 (UTC)
The above patch solved the issue for me too, but I had to learn first, that the "Request Account" button has moved from above the login form (where it was in 1.31) to the upper right corner of the screen (where I didn't expect it after using 1.31)... Rrosenfeld (talk) 13:18, 19 August 2021 (UTC)
Thank you—this was a lifesaver! This was still a problem for me in version 1.36. Flyingratchet (talk) 20:59, 14 October 2021 (UTC)

Auto-creation of a local account failed: You have not specified a valid username

Hello Together

We have updated the MediaWiki in our company from version 1.23.15 to version 1.27 and then to 1.34.

After we changed the login to LDAPAuthentication2 we could log in. Now we have the following problems:

1. the matching between "User" ==> "Groups" does not work correctly

2. new users can no longer register.

Below I have our LocalSettings.php, the error message when logging in is the following:

"Auto-creation of a local account failed: You have not specified a valid username"

Side note:

We want the login with the e-mail address firstname.lastname@domain

Sometimes users could log in, but then the correct value was not entered into the database (Firstname Lastname) instead of (firstname.lastname@domain).

Has anyone an idea what we did wrong?

// Debug logging and error display
$wgDebugLogFile = '/var/www/html/wiki/debug_log.log';
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDebugLogGroups['LDAPGrops'] = '/var/www/html/wiki/LDAPGroups.log';
error_reporting( -1 );
ini_set( 'display_errors', 1 );
ini_set( 'display_startup_errors', 1 );
$wgDebugLogGroups['LDAPAuthentication2'] = "/var/www/html/wiki/LDAPAuthentication2.log";

wfLoadExtension( 'WikiEditor' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'ldapuser@some.domain';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteUserAllowUserSwitch = true;
$wgPluggableAuth_ButtonLabel = "Log In";

// Per-domain LDAP connection, authorization, user info and group sync settings
$LDAPProviderDomainConfigProvider = function(){
    $config = [
        'some.domain' => [
            'connection' => [
                "server" => "ADServer.some.domain",
                "user" => "ldapuser@some.domain",
                "pass" => "LDAPPasswd",
                "port" => "636",
                "enctype" => "ssl",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=some,dc=domain",
                "groupbasedn" => "dc=some,dc=domain",
                "userbasedn" => "dc=some,dc=domain",
                "searchattribute" => "userprincipalname",
                "searchstring" => "",
                "realnameattribute" => "cn",
                "usernameattribute" => "userprincipalname",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "authorization" => [
                "rules" => [
                    "required" => [
                        "wiki-admin",
                        "wiki-user"
                    ]
                ]
            ],
            "userinfo" => [
                "attributes-map" => [
                    "email" => "mail",
                    "realname" => "userprincipalname"
                ]
            ],
            "groupsync" => [
                "mechanism" => "mappedgroups",
                "mapping" => [
                    "sysop" => "wiki-admin",
                    "user" => "wiki-user"
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Best regards 213.55.220.217 (talk) 12:13, 16 July 2020 (UTC)

@Osnard
Sorry, I first wrote this topic (as 213.55.220.217) and after that I created a login.
I found out that the login with an email address is not supported, and now I've tried to change the login with other AD credentials.
But now I can't log in. In the log I see that the user is authenticated, but after that the account auto-creation wants to create a user with the IP as username.
Does anyone have an idea where I have the failure?
I now use a file for the connection (ldap.json).
Best regards Scoobydoo321 (talk) 08:56, 21 July 2020 (UTC)
This is probably because the "authorization" part fails. The values "wiki-admin" and "wiki-user" in "authorization.rules.required.groups" should be DNs, like "CN=wiki-admin,OU=Groups,OU=Company,...". Check the output of "extensions/LDAPProvider/maintenance/ShowUserGroups.php" to see what you need to put in there. For testing you can also make "authorization.rules.required.groups" empty. Osnard (talk) 13:06, 21 July 2020 (UTC)
Hi Osnard
Thanks for the reply. I checked the output, I got some full DNs and short names. I copied the output from the ShowUserGroup.php but it still doesn't work.
Sorry but I'm new to JSON, so I hope this one is correct when you mean empty:
{
   "my.domain": {
       "connection": {
           "server": "ADServer.my.domain",
           "port": "636",
           "user": "CN=ldapuser,OU=ServiceAccounts,DC=domain,DC=my",
           "pass": "somePassword",
           "enctype": "ssl",
           "options": {
               "LDAP_OPT_DEREF": "1"
           },
           "basedn": "dc.domain,dc=my",
           "groupbasedn": "dc.domain,dc=my",
           "userbasedn": "dc.domain,dc=my",
           "searchattribute": "userprincipalname",
           "usernameattribute": "samaccountname",
           "realnameattribute": "cn",
           "emailattribute": "mail",
           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
       },
       "userinfo": {
           "attributes-map": {
               "email": "mail",
               "realname": "cn"
           }
       },
       "authorization": {
           "rules": {
               "required": {
                   "groups": []
               }
           }
       },
       "groupsync": {
           "mapping": {
               "sysop": "CN=WikiAdmin,OU=Groups,DC=domain,DC=my",
               "user": "CN=WikiUser,OU=Groups,DC=domain,DC=my"
           }
       }
   }
}
Scoobydoo321 (talk) 05:12, 22 July 2020 (UTC)
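Osnard's check above (group values must be full DNs that match what ShowUserGroups.php reports for the user), written out as a small linter for an ldap.json of the shape posted here. This is an added example, not part of the original thread or of the LDAP extensions; the function names, the constructed sample config and the case-insensitive DN comparison are assumptions, and it goes slightly beyond the advice by also rejecting non-strict JSON and malformed base DNs.

```python
import json

# Constructed sample data modelled on this thread (placeholder domain, groups and DNs).
SAMPLE_MEMBER_OF = [  # what ShowUserGroups.php or the debug log reports for the user
    "CN=WikiAdmin,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain",
    "CN=WikiUsers,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain",
]
SAMPLE_CONFIG = """{
  "my.domain": {
    "connection": {
      "basedn": "dc.domain,dc=my",
      "groupbasedn": "dc=my,dc=domain",
      "userbasedn": "dc=my,dc=domain"
    },
    "authorization": {"rules": {"required": {"groups": ["wiki-admin"]}}},
    "groupsync": {
      "mapping": {
        "sysop": "CN=WikiAdmin,OU=Groups,DC=my,DC=domain",
        "user": "cn=wikiusers,ou=application_groups,ou=groups,ou=someou,dc=my,dc=domain"
      }
    }
  }
}"""


def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs; ValueError if malformed."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep escaped characters such as "\,"
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":  # unescaped comma separates two RDNs
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"component {part.strip()!r} is not attribute=value")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def lint_ldap_config(text, member_of):
    """Return a list of findings; an empty list means no problem was found."""
    try:
        config = json.loads(text)  # strict JSON: a trailing comma is a parse error
    except json.JSONDecodeError as err:
        return [f"not valid JSON (line {err.lineno}, column {err.colno}): {err.msg}"]
    # Assumption of this sketch: DNs are compared case-insensitively.
    user_groups = {tuple(parse_dn(dn)): dn for dn in member_of}
    findings = []
    for domain, section in config.items():
        conn = section.get("connection", {})
        for key in ("basedn", "groupbasedn", "userbasedn"):
            if key in conn:
                try:
                    parse_dn(conn[key])
                except ValueError as err:
                    findings.append(f"{domain}: connection.{key}: {err}")
        required = section.get("authorization", {}).get("rules", {}).get("required", {})
        groups = required.get("groups", []) if isinstance(required, dict) else required
        refs = [("authorization.rules.required.groups", g) for g in groups]
        mapping = section.get("groupsync", {}).get("mapping", {})
        refs += [(f"groupsync.mapping.{wiki_group}", g) for wiki_group, g in mapping.items()]
        for where, value in refs:
            try:
                parsed = tuple(parse_dn(value))
            except ValueError as err:
                findings.append(f"{domain}: {where}: {value!r} is not a DN ({err})")
                continue
            if parsed not in user_groups:
                # Point at a memberOf entry with the same first RDN, if there is one.
                hint = next((dn for key, dn in user_groups.items() if key[0] == parsed[0]), None)
                note = f"; same first RDN found at {hint!r}" if hint else ""
                findings.append(
                    f"{domain}: {where}: {value!r} is not in the user's memberOf list{note}")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_config(SAMPLE_CONFIG, SAMPLE_MEMBER_OF):
        print(finding)
```

On the constructed sample it reports the malformed base DN, the short group name under "required", and the "sysop" mapping whose DN differs from the user's actual memberOf entry.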
Okay. Well, the config looks good. If ShowUserGroup.php shows an output, at least we can be sure the connection is working in general. Does "CheckLogin.php" also work?
Please enable debug logging and share the output here.
Do you have Extension:Auth_remoteuser enabled? If not, try to disable Extension:LDAPAuthorization. Osnard (talk) 08:53, 22 July 2020 (UTC)
Yes, the "CheckLogin.php" returns OK.
Output from ldap.log with LDAPAuthorization disabled:
2020-07-22 09:15:08 srv-wiki-1 wiki_db: In execute()
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Getting PluggableAuth singleton
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_connect( $hostname = 'ldaps://ADServer.my.domain:636', $port = 389 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # __METHOD__ returns Resource id #259
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_REFERRALS to 0
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Setting LDAP_OPT_DEREF to 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=ldapuser,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'DC=my,DC=domain',
  'filter' => '(userprincipalname=fred@my.domain)',
  'attributes' => 
  array (
    0 => '*',
    1 => 'memberof',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #275
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_count_entries( $linkiID, $result = 'Resource id #275' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Found user DN: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain'
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_bind( $linkID, $bindRDN = 'CN=srvwikiadauth,OU=ServiceAccounts,OU=someOU,DC=my,DC=domain', $bindPassword = 'XXXX' );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns 1
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_search( $linkID, $baseDN = 'DC=my,DC=domain', $filter = '(userprincipalname=fred@my.domain)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns Resource id #289
2020-07-22 09:15:08 srv-wiki-1 wiki_db: ldap_get_entries( $linkID, $resultID );
2020-07-22 09:15:08 srv-wiki-1 wiki_db: # returns: array (
  'count' => 1,
  0 => 
  array (
    'objectclass' => 
    array (
      'count' => 4,
      0 => 'top',
      1 => 'person',
      2 => 'organizationalPerson',
      3 => 'user',
    ),
    0 => 'objectclass',
    'cn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    1 => 'cn',
    'sn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    2 => 'sn',
    'description' => 
    array (
      'count' => 1,
      0 => 'Test User',
    ),
    3 => 'description',
    'telephonenumber' => 
    array (
      'count' => 1,
      0 => '4 52 41',
    ),
    4 => 'telephonenumber',
    'givenname' => 
    array (
      'count' => 1,
      0 => 'hp',
    ),
    5 => 'givenname',
    'initials' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    6 => 'initials',
    'distinguishedname' => 
    array (
      'count' => 1,
      0 => 'CN=tester,OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    7 => 'distinguishedname',
    'instancetype' => 
    array (
      'count' => 1,
      0 => '4',
    ),
    8 => 'instancetype',
    'whencreated' => 
    array (
      'count' => 1,
      0 => '20131218141516.0Z',
    ),
    9 => 'whencreated',
    'whenchanged' => 
    array (
      'count' => 1,
      0 => '20200716080258.0Z',
    ),
    10 => 'whenchanged',
    'displayname' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    11 => 'displayname',
    'usncreated' => 
    array (
      'count' => 1,
      0 => '30230',
    ),
    12 => 'usncreated',
    'memberof' => 
    array (
      'count' => 10,
      0 => 'CN=WikiAdmin,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      1 => '####',
      2 => '####',
      3 => '####',
      4 => '####',
      5 => 'CN=WikiUsers,OU=Application_Groups,OU=Groups,OU=someOU,DC=my,DC=domain',
      6 => '####',
      7 => '####',
      8 => '####',
      9 => '####',
    ),
    13 => 'memberof',
    'usnchanged' => 
    array (
      'count' => 1,
      0 => '3982289',
    ),
    14 => 'usnchanged',
    'proxyaddresses' => 
    array (
      'count' => 7,
      0 => '####',
      1 => '####',
      2 => '####',
      3 => '####',
      4 => '####',
      5 => '####',
      6 => '####',
    ),
    15 => 'proxyaddresses',
    'homemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    16 => 'homemdb',
    'mdbusedefaults' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    17 => 'mdbusedefaults',
    'mailnickname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    18 => 'mailnickname',
    'name' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    19 => 'name',
    'objectguid' => 
    array (
      'count' => 1,
      0 => '<2‹.Àª	EœÌÅï��oî',
    ),
    20 => 'objectguid',
    'useraccountcontrol' => 
    array (
      'count' => 1,
      0 => '66048',
    ),
    21 => 'useraccountcontrol',
    'badpwdcount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    22 => 'badpwdcount',
    'codepage' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    23 => 'codepage',
    'countrycode' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    24 => 'countrycode',
    'badpasswordtime' => 
    array (
      'count' => 1,
      0 => '132397147069218117',
    ),
    25 => 'badpasswordtime',
    'lastlogoff' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    26 => 'lastlogoff',
    'lastlogon' => 
    array (
      'count' => 1,
      0 => '132397149483435657',
    ),
    27 => 'lastlogon',
    'pwdlastset' => 
    array (
      'count' => 1,
      0 => '132393601472194926',
    ),
    28 => 'pwdlastset',
    'primarygroupid' => 
    array (
      'count' => 1,
      0 => '513',
    ),
    29 => 'primarygroupid',
    'profilepath' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    30 => 'profilepath',
    'objectsid' => 
    array (
      'count' => 1,
      0 => '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '¶Dä#�Àê2Ûë�P}-' . "\0" . '' . "\0" . '',
    ),
    31 => 'objectsid',
    'admincount' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    32 => 'admincount',
    'accountexpires' => 
    array (
      'count' => 1,
      0 => '9223372036854775807',
    ),
    33 => 'accountexpires',
    'logoncount' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    34 => 'logoncount',
    'samaccountname' => 
    array (
      'count' => 1,
      0 => 'fred',
    ),
    35 => 'samaccountname',
    'samaccounttype' => 
    array (
      'count' => 1,
      0 => '805306368',
    ),
    36 => 'samaccounttype',
    'showinaddressbook' => 
    array (
      'count' => 4,
      0 => '####',
      1 => '####',
      2 => '####',
      3 => '####',
    ),
    37 => 'showinaddressbook',
    'legacyexchangedn' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    38 => 'legacyexchangedn',
    'userprincipalname' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    39 => 'userprincipalname',
    'lockouttime' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    40 => 'lockouttime',
    'lastknownparent' => 
    array (
      'count' => 1,
      0 => 'OU=Test,OU=Users,OU=someOU,DC=my,DC=domain',
    ),
    41 => 'lastknownparent',
    'objectcategory' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    42 => 'objectcategory',
    'dscorepropagationdata' => 
    array (
      'count' => 1,
      0 => '16010101000000.0Z',
    ),
    43 => 'dscorepropagationdata',
    'lastlogontimestamp' => 
    array (
      'count' => 1,
      0 => '132393601780066773',
    ),
    44 => 'lastlogontimestamp',
    'msds-supportedencryptiontypes' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    45 => 'msds-supportedencryptiontypes',
    'msds-lastknownrdn' => 
    array (
      'count' => 1,
      0 => 'tester',
    ),
    46 => 'msds-lastknownrdn',
    'mail' => 
    array (
      'count' => 1,
      0 => 'fred@my.domain',
    ),
    47 => 'mail',
    'thumbnailphoto' => 
    array (
      'count' => 1,
      0 =>####
    ),
    48 => 'thumbnailphoto',
    'msexchhomeservername' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    49 => 'msexchhomeservername',
    'msexchmailboxsecuritydescriptor' => 
    array (
      'count' => 1,
      0 => '�' . "\0" . '�Œ�' . "\0" . '' . "\0" . '' . "\0" . ' ' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . ',' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�
' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�
' . "\0" . '' . "\0" . '' . "\0" . '�' . "\0" . '@' . "\0" . '�' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '�' . "\0" . '�' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�
' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '�$' . "\0" . '�' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . '¶Dä#�Àê2Ûë�PÎ+' . "\0" . '' . "\0" . '',
    ),
    50 => 'msexchmailboxsecuritydescriptor',
    'msexchuseraccountcontrol' => 
    array (
      'count' => 1,
      0 => '0',
    ),
    51 => 'msexchuseraccountcontrol',
    'msexchmailboxguid' => 
    array (
      'count' => 1,
      0 => 'I©�„¥CJ°ùX„Nùi',
    ),
    52 => 'msexchmailboxguid',
    'msexchpoliciesincluded' => 
    array (
      'count' => 2,
      0 => '4dde4918-7608-4c22-b276-64f5eb00c3e4',
      1 => '{26491cfc-9e50-4857-861b-0cb8df22b5d7}',
    ),
    53 => 'msexchpoliciesincluded',
    'msrtcsip-internetaccessenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    54 => 'msrtcsip-internetaccessenabled',
    'msexchmailboxtemplatelink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    55 => 'msexchmailboxtemplatelink',
    'msexchdelegatelistlink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    56 => 'msexchdelegatelistlink',
    'msrtcsip-optionflags' => 
    array (
      'count' => 1,
      0 => '2305',
    ),
    57 => 'msrtcsip-optionflags',
    'msrtcsip-userpolicies' => 
    array (
      'count' => 1,
      0 => '0=666577031',
    ),
    58 => 'msrtcsip-userpolicies',
    'msexchumdtmfmap' => 
    array (
      'count' => 4,
      0 => 'reversedPhone:14254',
      1 => 'emailAddress:3733',
      2 => 'lastNameFirstName:83783747',
      3 => 'firstNameLastName:47837837',
    ),
    59 => 'msexchumdtmfmap',
    'msexchmdbrulesquota' => 
    array (
      'count' => 1,
      0 => '256',
    ),
    60 => 'msexchmdbrulesquota',
    'msexchprevioushomemdb' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    61 => 'msexchprevioushomemdb',
    'msexchrecipientdisplaytype' => 
    array (
      'count' => 1,
      0 => '1073741824',
    ),
    62 => 'msexchrecipientdisplaytype',
    'msrtcsip-primaryuseraddress' => 
    array (
      'count' => 1,
      0 => 'sip:fred@my.domain',
    ),
    63 => 'msrtcsip-primaryuseraddress',
    'msrtcsip-deploymentlocator' => 
    array (
      'count' => 1,
      0 => 'SRV:',
    ),
    64 => 'msrtcsip-deploymentlocator',
    'msexchpublicfoldermailbox' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    65 => 'msexchpublicfoldermailbox',
    'msrtcsip-userroutinggroupid' => 
    array (
      'count' => 1,
      0 => 'yôn×Ä�-_¬¤TòíÔ³�',
    ),
    66 => 'msrtcsip-userroutinggroupid',
    'msrtcsip-userenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    67 => 'msrtcsip-userenabled',
    'msexchelcmailboxflags' => 
    array (
      'count' => 1,
      0 => '2',
    ),
    68 => 'msexchelcmailboxflags',
    'msexchwhenmailboxcreated' => 
    array (
      'count' => 1,
      0 => '20160115162536.0Z',
    ),
    69 => 'msexchwhenmailboxcreated',
    'msexchrbacpolicylink' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    70 => 'msexchrbacpolicylink',
    'msrtcsip-primaryhomeserver' => 
    array (
      'count' => 1,
      0 => '####',
    ),
    71 => 'msrtcsip-primaryhomeserver',
    'msexchsafesendershash' => 
    array (
      'count' => 1,
      0 => 't¨¤§',
    ),
    72 => 'msexchsafesendershash',
    'msexchversion' => 
    array (
      'count' => 1,
      0 => '88218628259840',
    ),
    73 => 'msexchversion',
    'msrtcsip-federationenabled' => 
    array (
      'count' => 1,
      0 => 'TRUE',
    ),
    74 => 'msrtcsip-federationenabled',
    'msexchrecipienttypedetails' => 
    array (
      'count' => 1,
      0 => '1',
    ),
    75 => 'msexchrecipienttypedetails',
    'count' => 76,
    'dn' => '####',
  ),
)
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Ran LDAP search for '(userprincipalname=fred@my.domain)' in 0.0019741058349609 seconds.
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.
Scoobydoo321 (talk) 10:42, 22 July 2020 (UTC)
So the last two lines look good. So there is still the message "Auto-creation of a local account failed: You have not specified a valid username"? In which context? Osnard (talk) 07:56, 24 July 2020 (UTC)
This message appears when I try to log in with <username>@<my.domain> Scoobydoo321 (talk) 11:12, 24 July 2020 (UTC)
And if you don't use a username with "@"? Which error do you get then? Because
2020-07-22 09:15:08 srv-wiki-1 wiki_db: Authenticated new user: fred
2020-07-22 09:15:09 srv-wiki-1 wiki_db: User is authorized.
looks good. Osnard (talk) 13:42, 24 July 2020 (UTC)
With the config as is I get the following error: Could not authenticate credentials against domain "my.domain"
When I change the searchattribute setting to samaccountname I get the same error as before. Scoobydoo321 (talk) 14:15, 24 July 2020 (UTC)
If you are getting Could not authenticate credentials against domain "my.domain" then it is form based authentication (FBA). This should be the exact same mechanism as the CheckLogin.php CLI script. Osnard (talk) 08:34, 25 July 2020 (UTC)
The message Could not authenticate credentials against domain "my.domain" I get only when I have a mismatch between what I check for login and what I use. When I use the right credentials I always get Auto-creation of a local account failed: You have not specified a valid username. Scoobydoo321 (talk) 05:00, 27 July 2020 (UTC)
I have noticed a difference in the two configurations you have shared (#1: PHP, #2: JSON):
In the PHP configuration you have "usernameattribute" => "userprincipalname", while in the JSON you have "usernameattribute": "samaccountname".
Can you tell which one of them is currently used?
Because the one from the JSON file seems to be correct (samaccountname), while the one from PHP will result in a username with an "@", which could lead to Auto-creation of a local account failed: You have not specified a valid username. Osnard (talk) 06:22, 27 July 2020 (UTC)
Currently used is the JSON, with the samaccountname. Scoobydoo321 (talk) 08:56, 27 July 2020 (UTC)
Which element (example: usernameattribute) is used for the DB column user_name? Have I mixed up something so that the authorization works but it uses the wrong attribute for the DB? Scoobydoo321 (talk) 08:37, 6 August 2020 (UTC)
From what I see in your logs, samaccountname should be fine. It should be used to set the username for the database here: https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/1.0.1/src/PluggableAuth.php#L86
You can try debugging this part of the code. Maybe this gives you more insight. Osnard (talk) 15:39, 6 August 2020 (UTC)
I can now log in with an administrator account (samaccountname=admintest), but with a normal user (samaccountname=u12345678) I still have the error Auto-creation of a local account failed: You have not specified a valid username. I've searched this wiki and I didn't find any restriction that the username can't consist of a letter and numbers. Scoobydoo321 (talk) 05:28, 7 August 2020 (UTC)
Please check the value of $username just before the return true; in https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/1.0.1/src/PluggableAuth.php#L112
You can do so by adding error_log( var_export( $username, true ) ); Osnard (talk) 10:16, 7 August 2020 (UTC)
In the error log I see the correct username and in the ldap.log I get the following output:
MediaWiki\Extension\LDAPProvier\Client::getSearchString: User DN is 'BASE DN'
ldap_bind( $linkID, $bindRDN = 'BASE DN', $bindPasswor = 'XXXX' );
#returns 1
Authenticated new user: username
User is authorized Scoobydoo321 (talk) 14:00, 10 August 2020 (UTC)
So everything is okay. Sorry, I can not spot an error. Osnard (talk) 15:37, 10 August 2020 (UTC)
Hmm, ok.
Then I have only one question: is it possible that the old users with an "@" in the username can cause some problems?
I think they won't be a problem, but this is the last thing I can imagine.
Best regards and thanks for the perfect support! Scoobydoo321 (talk) 04:51, 11 August 2020 (UTC)
Okay. Can you please again share your complete current configuration (PHP and JSON, if used). Don't forget to remove sensitive data of course. Also please tell me what username you enter into the "Special:Login" field and what the command line for the working "CheckLogin.php" and "ShowUserInfo.php" looks like. Thanks. Osnard (talk) 09:49, 11 August 2020 (UTC)
I have a similar problem (Auto-creation of a local account failed: You have not specified a valid username) when I try to log in to an existing database, but with a new database created with version 1.34.2 it works. I use the same configuration file, changing only the database config. 2001:1284:F016:9AB4:714A:804:A9D5:8776 (talk) 18:07, 12 August 2020 (UTC)
I have found an ugly workaround: I added the following line to the LocalSettings.php: $wgInvalidUsernameCharacters = '#€';
The "ShowUserInfo.php" returns the user information and the "CheckLogin.php" returns OK.
Here is my LocalSettings.php:
<?php
#This file was automatically generated by the MediaWiki 1.23.15
#installer. If you make manual changes, please keep track in case you
#need to recreate them later.
#
#See includes/DefaultSettings.php for all configurable settings
#and their default values, but don't forget to make changes in _this_
#file, not there.
#
#Further documentation for configuration settings may be found at:
#https://www.mediawiki.org/wiki/Manual:Configuration_settings
#Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
	exit;
}
##Uncomment this to disable output compression
#$wgDisableOutputCompression = true;
$wgSitename = "Wiki";
$wgOverrideHostname = "MediaWiki-Server";
##The URL base path to the directory containing the wiki;
##defaults for all runtime URL paths are based off of this.
##For more information on customizing the URLs
##(like /w/index.php/Page_title to /wiki/Page_title) please see:
##https://www.mediawiki.org/wiki/Manual:Short_URL
$wgScriptPath = "";
$wgScriptExtension = ".php";
##The protocol and server name to use in fully-qualified URLs
$wgServer = "https://MediaWiki-Server";
##The relative URL path to the skins directory
$wgStylePath = "$wgScriptPath/skins";
##The relative URL path to the logo.  Make sure you change this from the default,
##or else you'll overwrite your logo when you upgrade!
$wgLogo = "$wgStylePath/common/images/logo.png";
##UPO means: this is also a user preference option
$wgEnableEmail = false;
$wgEnableUserEmail = false; # UPO
$wgEmergencyContact = "apache@MediaWiki-Server";
$wgPasswordSender = "apache@MediaWiki-Server";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
#$wgEmailAuthentication = true;
##Database settings
$wgDBtype = "mysql";
$wgDBserver = "MediaWiki-DB";
$wgDBname = "WikiDB";
$wgDBuser = "WikiDBUser";
$wgDBpassword = "SecretPassword";
#MySQL specific settings
$wgDBprefix = "";
#MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
#Experimental charset support for MySQL 5.0.
$wgDBmysql5 = false;
##Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = array();
##To enable image uploads, make sure the 'images' directory
##is writable, then set this to true:
$wgEnableUploads = true;
#$wgUseImageMagick = true;
#$wgImageMagickConvertCommand = "/usr/bin/convert";
#InstantCommons allows wiki to use images from http://commons.wikimedia.org
$wgUseInstantCommons = false;
##If you use ImageMagick (or any other shell command) on a
##Linux server, this will need to be set to the name of an
##available UTF-8 locale
$wgShellLocale = "en_US.utf8";
##If you want to use image uploads under safe mode,
##create the directories images/archive, images/thumb and
##images/temp, and make them all writable. Then uncomment
##this, if it's not already uncommented:
#$wgHashedUploadDirectory = false;
##Set $wgCacheDirectory to a writable directory on the web server
##to make your wiki go slightly faster. The directory should not
##be publically accessible from the web.
#$wgCacheDirectory = "$IP/cache";
#Site language code, should be one of the list in ./languages/Names.php
$wgLanguageCode = "en";
$wgSecretKey = "SomeSecretKey";
#Site upgrade key. Must be set to a string (default provided) to turn on the
#web installer while LocalSettings.php is in place
$wgUpgradeKey = "SomeUpgradeKey";
##Default skin: you can change the default skin. Use the internal symbolic
##names, ie 'cologneblue', 'monobook', 'vector':
$wgDefaultSkin = "vector";
##For attaching licensing metadata to pages, and displaying an
##appropriate copyright notice / icon. GNU Free Documentation
##License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
#Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";
###Debug Log Path ###
$wgShowExceptionDetails;
 
$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthentication2'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/var/www/html/wiki/ldap.log';
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['user']['editsemiprotected'] = false;
$wgGroupPermissions['user']['editprotected'] = false;
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['Media-Wiki-Admin'] = $wgGroupPermissions['sysop'];
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
	$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
	if (is_array($testJson)) {
		$ldapConfig = true;
	} else {
		error_log("Found invalid JSON in file: $IP/ldap.json");
	}
}
if ( $ldapConfig ) {
####Load Extensions ###
  wfLoadExtension( 'Auth_remoteuser' );
  wfLoadExtension( 'WikiEditor' );
  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  #wfLoadExtension( 'LDAPAuthorization' );
  #wfLoadExtension( 'LDAPUserInfo' );
  wfLoadExtension( 'LDAPGroups' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Json works";
#if ($wikiRequestSafe) {$LDAPAuthentication2AllowLocalLogin = true; }
}
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteuserUserNameReplaceFilter = [
	'@some.domain$' => '', # the replacement value is missing from the post; an empty string is assumed here
];
$wgInvalidUsernameCharacters = '#'; #Now the login and autocreate of User works ==> but the e-mail is in the user_name field which is not recommended by WIKI
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPProviderDomainConfigs = "$IP/ldap.json";
wfLoadSkin( 'CologneBlue' );
wfLoadSkin( 'Modern' );
wfLoadSkin( 'MonoBook' );
wfLoadSkin( 'Timeless' );
wfLoadSkin( 'Vector' );
and here is my ldap.json:
{
	"some.domain": {
		"connection": {
			"server": "adserver.some.domain",
			"port": "636",
			"user": "CN=srvwikiadauth,OU=ServiceAccounts,OU=other,DC=some,DC=domain",
			"pass": "SecretPassword",
			"enctype": "ssl",
			"options": {
				"LDAP_OPT_DEREF": "1"
			},
			"basedn": "dc=some,dc=domain",
			"groupbasedn": "dc=some,dc=domain",
			"userbasedn": "dc=some,dc=domain",
			"searchattribute": "userprincipalname",
			"usernameattribute": "userprincipalname",
			"realnameattribute": "cn",
			"emailattribute": "userprincipalname",
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
		},
		"userinfo": {
			"attributes-map": {
				"email": "mail",
				"realname": "cn"
			}
		},
		"authorization": {
			"rules": {
				"groups": {
					"required": [
						"CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
						"CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
					]
				}
			}
		},
		"groupsync": {
			"mapping": {
				"Media-Wiki-Admin": "CN=Media-Wiki-Admin,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain",
				"user": "CN=Media-Wiki-User,OU=Application_Groups,OU=Groups,OU=other,DC=some,DC=domain"
			}
		}
	}
}
best regards Scoobydoo321 (talk) 09:33, 13 August 2020 (UTC)
  1. You should not have your "ldap.json" within $IP. The webserver might make it public.
  2. There is no need to have "user" in the "groupsync.mapping", as everybody that gets logged in is automatically in "user"
  3. You have "Extension:LDAPAuthorization" disabled, so the "authorization" section in the domain config will have no effect
  4. "connection.usernameattribute", as well as "connection.searchattribute" should be "samaccountname", not "userprincipalname". Users must then use "Fred" instead of "fred@some.domain" in the login form
    1. Looks like you are using network-based authentication (Kerberos) with "Extension:Auth_remoteuser". You should enable "Extension:LDAPAuthorization" and set $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';. You can then get rid of the $wgAuthRemoteuserUserNameReplaceFilter setting Osnard (talk) 12:40, 14 August 2020 (UTC)
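The review points in the reply above can be checked mechanically. The following is an added example, not code from the thread or from the LDAP extensions: `audit`, `has_invalid_chars`, the finding codes and the file paths are hypothetical, the sample JSON is constructed from the posted file, and the `'@:'` default for `$wgInvalidUsernameCharacters` is an assumption.

```python
import json
from pathlib import PurePosixPath

# Assumption: '@:' is the default $wgInvalidUsernameCharacters of the MediaWiki
# releases in this thread; pass another value to model a changed setting.
DEFAULT_INVALID_CHARS = "@:"

# Constructed sample: the posted ldap.json cut down to the keys the checks read.
SAMPLE_JSON = """
{
  "some.domain": {
    "connection": {
      "searchattribute": "userprincipalname",
      "usernameattribute": "userprincipalname"
    },
    "authorization": {"rules": {"groups": {"required": ["CN=Media-Wiki-User,DC=some,DC=domain"]}}},
    "groupsync": {"mapping": {"user": "CN=Media-Wiki-User,DC=some,DC=domain"}}
  }
}
"""


def load_sample():
    return json.loads(SAMPLE_JSON)


def has_invalid_chars(username, invalid_chars=DEFAULT_INVALID_CHARS):
    """True if the name contains a character the wiki is set to refuse.

    Models only this one rule, not MediaWiki's full username validation.
    """
    return any(ch in invalid_chars for ch in username)


def audit(config, config_path, wiki_root, loaded_extensions):
    """Return (code, domain, message) tuples for the review points above."""
    findings = []
    if PurePosixPath(wiki_root) in PurePosixPath(config_path).parents:
        findings.append(("config-in-webroot", "*",
                         "domain config lies under the wiki root; the web server might serve it"))
    for domain, sections in config.items():
        conn = sections.get("connection", {})
        for key in ("searchattribute", "usernameattribute"):
            if conn.get(key, "").lower() == "userprincipalname":
                findings.append(("upn-" + key, domain,
                                 key + " is userprincipalname; the reply recommends samaccountname"))
        if "authorization" in sections and "LDAPAuthorization" not in loaded_extensions:
            findings.append(("authorization-unused", domain,
                             "'authorization' rules have no effect while LDAPAuthorization is not loaded"))
        if "user" in sections.get("groupsync", {}).get("mapping", {}):
            findings.append(("redundant-user-mapping", domain,
                             "every logged-in account is already in 'user'"))
    return findings


if __name__ == "__main__":
    # Constructed paths; the extension list mirrors the posted LocalSettings.php.
    loaded = {"Auth_remoteuser", "PluggableAuth", "LDAPProvider", "LDAPAuthentication2", "LDAPGroups"}
    for finding in audit(load_sample(), "/var/www/html/wiki/ldap.json", "/var/www/html/wiki", loaded):
        print(*finding, sep=" | ")
    # A userprincipalname value carries '@'; a samaccountname value does not.
    print(has_invalid_chars("fred@some.domain"), has_invalid_chars("fred"))
```

With the posted values all four points are reported; with `samaccountname`, the file moved outside the wiki root, LDAPAuthorization loaded and the "user" mapping removed, the list is empty.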
I tried your changes, the login works for the adminuser, but when I try to log in with "Fred" I get the same error.
When I test with a normal user (samaccountname=B12345678) I get the error Auto-creation of a local account failed: You have not specified a valid username. Does the wiki check if a username contains a lot of numbers? Scoobydoo321 (talk) 08:20, 17 August 2020 (UTC)
Have you re-enabled LDAPAuthorization? Does LDAPProvider/maintenance/ShowUserGroups.php list the group DNs you have configured in the "authorization.rules.groups.required" section? Osnard (talk) 08:56, 17 August 2020 (UTC)
Yes, I have re-enabled LDAPAuthorization, and the result from "ShowUserGroups.php" is as defined in the "authorization.rules.groups.required"
In the "ldap.log" I see Authenticated new user: fred
User is authorized Scoobydoo321 (talk) 06:47, 19 August 2020 (UTC)
So you are not having $wgAuthRemoteuserUserNameReplaceFilter set anymore? But instead configured $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';?
Any other Auth_remoteuser related config?
I am running out of ideas. If it says Authenticated new user: fred User is authorized anything should be fine. Osnard (talk) 15:13, 31 August 2020 (UTC)
I had $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain'; not activated. If I activate this and set "usernameattribute": "samaccountname", in ldap.json, I get the message in the UI user u12345678 not authorized, the log says authorization failure, and the CheckLogin.php returns OK. Scoobydoo321 (talk) 13:50, 17 September 2020 (UTC)
Sorry to ask again, but you are sure you have not set $wgAuthRemoteuserUserNameReplaceFilter anymore? Please check if $username that arrives here is actually in the format <username@domain. Osnard (talk) 06:49, 21 September 2020 (UTC)

Admin(s) spammed by confirmed email account requests

As an admin I seem to get multiple emails asking me to approve the same account that has had its email confirmed. These all arrive within a few minutes of each other. I originally assumed this was spammers deliberately clicking on the "confirm email" link multiple times. However, since upgrading my wiki (to 1.31.8 LTS) I have been doing some testing and found that Outlook's Safelinks protection will check this link, so that would lead to me as an admin receiving an "account request with confirmed email" email even before the user would have had a chance to click on the link in the "confirm email" email. Also, I suspect it is easy to accidentally click the link multiple times, or a user might just think they have done something wrong when their account is not immediately activated and click the link a second or third time.

It would be useful if there was some timeout to prevent multiple emails being sent out in a short space of time to the accounts admin(s). At the moment I have hacked the code so that admins only ever receive one email for any account request. This is sufficient for my needs, as the urgency of requests is low but the frequency is sufficiently high that if I miss one I will deal with that when I get another account request a day or two later. 2.218.206.44 (talk) 09:40, 8 September 2020 (UTC)
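A sketch of the timeout asked for in the post above, as an added example that is not ConfirmAccount's code and not the poster's patch: `ConfirmNotifier`, `handle_confirm_link` and `replay` are hypothetical names, and the hit sequence is constructed. Passing no cooldown models the "one email per request" behaviour the poster describes.

```python
import hmac


class ConfirmNotifier:
    """Hypothetical model of the 'e-mail confirmed' admin notification."""

    def __init__(self, send_admin_mail, cooldown_seconds=None):
        self._send = send_admin_mail          # callable(request_id)
        self._cooldown = cooldown_seconds     # None: one mail per request, ever
        self._requests = {}                   # request_id -> state

    def add_request(self, request_id, token):
        self._requests[request_id] = {"token": token, "confirmed": False, "last_mail": None}

    def handle_confirm_link(self, request_id, token, now):
        """Process one hit on the confirm link at time `now` (seconds)."""
        req = self._requests.get(request_id)
        # Constant-time comparison of the stored and the presented token.
        if req is None or not hmac.compare_digest(req["token"], token):
            return "invalid"
        req["confirmed"] = True               # repeating this is harmless
        last = req["last_mail"]
        if last is not None and (self._cooldown is None or now - last < self._cooldown):
            return "suppressed"               # scanner fetch or repeated click
        req["last_mail"] = now
        self._send(request_id)
        return "notified"


def replay(cooldown_seconds):
    """Replay a constructed hit sequence; return (results, mails sent)."""
    sent = []
    notifier = ConfirmNotifier(sent.append, cooldown_seconds)
    notifier.add_request(17, "constructed-token")
    hits = [
        (0, "constructed-token"),     # link scanner fetches the URL on delivery
        (30, "constructed-token"),    # the user clicks
        (45, "constructed-token"),    # the user clicks again
        (50, "wrong-token"),          # malformed link
        (7200, "constructed-token"),  # a click two hours later
    ]
    results = [notifier.handle_confirm_link(17, tok, t) for t, tok in hits]
    return results, len(sent)


if __name__ == "__main__":
    print(replay(3600))   # one-hour cooldown
    print(replay(None))   # one mail per request
```

The cooldown only limits the number of mails; in this model the scanner's fetch still counts as the confirmation.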

Unreject an account request

I have an account request that was rejected in error. Can it be unrejected? I asked the User to request a new account but they're receiving a message that the Username is already taken and if they try a new username, they get a message that the email address is already taken. Wmat (talk) 12:35, 30 September 2020 (UTC)

$wgConfirmAccountCaptchas

I'm busy installing the ConfirmAccount extension for our wiki. I have a question: do I have to use $wgConfirmAccountCaptchas in LocalSettings.php? I read about it here https://wiki.webemotion.nl/index.php?title=Extension:ConfirmAccount# (sorry, in Dutch) and also mentioned here: https://phabricator.wikimedia.org/T15782.

But can't find anything about it in the manual pages of the extension. Waanders (talk) 16:15, 23 October 2020 (UTC)

ConfirmAccount missing on Login page (1.35)

On upgrading from 1.31 to 1.35 I have the problem, that the link to the ConfirmLogin special page (requestaccount-loginnotice) is missing on the login special page.

I tracked this down to includes/frontend/ConfirmAccountUI.hooks.php where addRequestLoginText() should add this information to the hook. But addRequestLoginText() is never called in 1.35 (tried it out by adding a division by zero error at the top of addRequestLoginText() in both 1.31 and 1.35). Any idea what I'm doing wrong? Anything that I have to do to enforce using the hooks?

For testing reasons I tried with a freshly created LocalSettings.php with only ConfirmLogin extension enabled but with the same result: No link to Special:RequestAccount in the login form, so this should hurt every user here... Rrosenfeld (talk) 16:13, 30 December 2020 (UTC)

Is your wiki private?
Then compare the workaround as in https://www.mediawiki.org/w/index.php?title=Extension%20talk%3AConfirmAccount/2020#c-Paulette00-2020-06-26T12%3A29%3A00.000Z-Paulette00-2020-06-25T12%3A36%3A00.000Z Escalatr (talk) 11:47, 11 January 2022 (UTC)