Extension talk:LDAPAuthentication2

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Fatal error authenticating user (only a specific user)

AdamX8888 (talkcontribs)

I have an entirely new wiki / database / extensions setup (first time doing this).

I am using the full LDAP stack loaded as extensions, using a LDAP.json file to configure.

I've tested the php commands by hand, they query LDAP server fine and get user info, etc.

My users get a login box, with domain in the drop down, can log in fine.


One user got in once, then got errors. Now she still gets this same error above. Only her, so far. Five other users have had no problem. I've used the UserMerge extension to delete her old user. Still has this error. She has cleared her cache, used two different machines, still the same problem. She is in the correct AD group as the rest of us.


I have the extended debugging still turned on, and she is getting

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44)


these are the extensions I'm loading, and the order.


wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'Auth_remoteuser' );


Any ideas? The 'realnames' isn't working either, but maybe that's a separate issue.

Cannot figure out why this one user cannot log in but the others can.

Osnard (talkcontribs)

"trying to access array offset on value of type null in PluggableAuth.php" (on lines 42, 43, 44) means that the code cannot extract "username", "password" and "domain" from the session data [1]. Can you please check if the client sends the session cookie and if the session id stays the same between the request of Special:Login and the POST request when the form is submitted?

[1] https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/519d88ed2429157bb6cae800295d34a072e292cc/src/PluggableAuth.php#L42-L44

AdamX8888 (talkcontribs)

I will check when I can - I am currently blocked from Github.

Can you think of any reason this wouldn't be functioning on only one user? All of us should be using similar machines & browser configs, etc. I am going to have her try directly on the server IE11 itself as my login works fine there, just to see if there is any different behavior.


Thanks

Osnard (talkcontribs)

No idea. Especially as you have already tried different machines/browsers.

Reply to "Fatal error authenticating user (only a specific user)"

Fatal error authenticating on Active Directory

Abiuan (talkcontribs)

Hello,

I'm trying to configure a MW installation to use AD for authentication. I modified LocalSettings.php and created ldap.json.

I ran the extensions/LDAPProvider/maintenance/ShowUserInfo.php, ShowUserGroups.php and CheckLogin.php scripts and all three work fine. Therefore at this point I was confident. But...

When I try to login I receive the message "Fatal error authenticating user" and I find three lines like the following in the log file:

ErrorException from line 42 of /var/www/mediawiki-1.34.1/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Trying to access array offset on value of type null

The same for lines 43 and 44. This means that the variable $extraLoginFields is empty. But why? Why does it need extra login fields? The documentation about $wgPluggableAuth_ExtraLoginFields says "This configuration variable may be set by authentication plugins and should not be set by wiki site administrators".

It happens even if I use a fake username or a wrong password therefore it seems it's not an authentication issue.

I tried with or without LDAPAuthorization and LDAPGroup extensions enabled but the result is the same.


Any suggestions?


Best regards


My configuration:

MW: 1.34.1

Php: 7.4.3

LDAPAuthentication2, LDAPAuthorization, LDAPGroups, LDAPProvider, LDAPUserInfo, PluggableAuth: latest version


my LocalSettings.php modifications:

$ldapJsonFile = "$IP/ldap.json";

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigs = $ldapJsonFile;
$LDAPAuthentication2AllowLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";


my ldap.json:

{
   "MY.DOMAIN": {
       "connection": {
           "server": "adserver.ip.domain",
           "user": "aduser",
           "pass": "pass",
           "options": {
               "LDAP_OPT_DEREF": 1
           },
           "port": "636",
           "enctype": "ssl",
           "basedn": "DC=my,DC=domain",
           "userbasedn": "OU=Users,OU=organization,DC=my,DC=domain",
           "groupbasedn": "OU=Groups,OU=organization,DC=my,DC=domain",
           "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
           "searchattribute": "sAMAccountName",
           "usernameattribute": "sAMAccountName",
           "realnameattribute": "cn",
           "emailattribute": "mail",
           "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
       },
       "userinfo": [],
       "groupsync": []
   }
}

Osnard (talkcontribs)

The values for $wgPluggableAuth_ExtraLoginFields are defined in LDAPAuthentication2/src/ExtraLoginFields.php. It is set in Setup.php of the same extension. Could you try to debug this, by checking whether the variable is properly set in that function?

Abiuan (talkcontribs)

I did some debugging. It seems it is not a problem with ExtraLoginFields. It is set and has original values from DOMAIN, USERNAME and PASSWORD attributes.

The issue is with the call of AuthManager->getAuthenticationSessionData() method.

Authmanager is set using

$authManager = AuthManager::singleton();

It is defined and it seems correct.

Instead, the call of $authManager->getAuthenticationSessionData(PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY) returns null;

PluggableAuthLogin::EXTRALOGINFIELDS_SESSION_KEY has the value "PluggableAuthLoginExtraLoginFields".


I did some debugging on authManager->getAuthenticationSessionData().

Before the login, if I do a refresh of the page, it works and gives the values of the previous login attempt. After clicking on the "Login" button, the call of

$this->request->getSession()->getSecret( 'authData' );

returns null.

Quite strange.


Sorry if it is not clear, but I am not a big expert in PHP.


Osnard (talkcontribs)

This looks like you might have an issue with the session storage in general. If you disable the LDAP-Stack extension, can you log in with a local user and stay logged in?

Abiuan (talkcontribs)

You put me in the right direction. I set up the local authentication before. Then, after some tweaking, it works now.


Thank you

Osnard (talkcontribs)

Glad I could help

Reply to "Fatal error authenticating on Active Directory"
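The check asked for in the two threads above (does the client send the session cookie, and does the session id stay the same between the GET of the login form and the POST that submits it), run over a debug log. This is an added example, not part of the original posts and not code from the extensions; the log lines are constructed, modelled on the debug-log excerpt quoted further down this page, the function names are made up for this sketch, and the log is assumed to hold one client's requests in order.

```python
import re

# Constructed sample, modelled on the MediaWiki debug-log lines quoted on this
# page ("Start request ...", "COOKIE: ...", '[session] SessionBackend "..."').
SAMPLE_LOG = """\
Start request GET /index.php?title=Special:UserLogin
HTTP HEADERS:
COOKIE: mediawiki_db_session=aaaa1111aaaa1111
[session] SessionBackend "aaaa1111aaaa1111" save: dataDirty=1 metaDirty=0 forcePersist=0
Start request POST /index.php?title=Special:UserLogin
HTTP HEADERS:
COOKIE: mediawiki_db_session=aaaa1111aaaa1111
[session] SessionBackend "aaaa1111aaaa1111" save: dataDirty=1 metaDirty=0 forcePersist=0
Start request GET /index.php?title=Special:UserLogin
HTTP HEADERS:
COOKIE: mediawiki_db_session=bbbb2222bbbb2222
[session] SessionBackend "bbbb2222bbbb2222" save: dataDirty=1 metaDirty=0 forcePersist=0
Start request POST /index.php?title=Special:UserLogin
HTTP HEADERS:
HOST: wiki.example.org
[session] SessionBackend "cccc3333cccc3333" save: dataDirty=1 metaDirty=0 forcePersist=0
Start request GET /index.php?title=Special:UserLogin
HTTP HEADERS:
COOKIE: mediawiki_db_session=dddd4444dddd4444
[session] SessionBackend "dddd4444dddd4444" save: dataDirty=1 metaDirty=0 forcePersist=0
Start request POST /index.php?title=Special:UserLogin
HTTP HEADERS:
COOKIE: mediawiki_db_session=eeee5555eeee5555
[session] SessionBackend "eeee5555eeee5555" save: dataDirty=1 metaDirty=0 forcePersist=0
"""

START = re.compile(r"Start request (GET|POST) (\S+)")
# The session cookie is named "<cookie prefix>_session", e.g. mediawiki_db_session.
SESSION_COOKIE = re.compile(r"\w+_session=([0-9A-Za-z]+)")
BACKEND = re.compile(r'\[session\] SessionBackend "([^"]+)"')


def parse_requests(log_text):
    """Split the log into requests and record the session ids seen in each."""
    requests = []
    current = None
    for line in log_text.splitlines():
        start = START.search(line)
        if start:
            current = {"method": start.group(1), "url": start.group(2),
                       "cookie_sid": None, "backend_sid": None}
            requests.append(current)
        if current is None:
            continue  # lines before the first "Start request"
        # Headers may follow on their own lines or sit on the start line itself.
        if "COOKIE:" in line:
            cookie = SESSION_COOKIE.search(line)
            if cookie:
                current["cookie_sid"] = cookie.group(1)
        backend = BACKEND.search(line)
        if backend:
            current["backend_sid"] = backend.group(1)
    return requests


def check_session_continuity(requests):
    """Compare each POST with the request before it (the form GET).

    Returns (url, kind, expected_id, received_id) tuples, where kind is
    "missing_cookie" (the POST carried no session cookie) or "id_changed"
    (the POST carried a different id than the one the server last used).
    """
    findings = []
    for prev, cur in zip(requests, requests[1:]):
        if cur["method"] != "POST":
            continue
        expected = prev["backend_sid"] or prev["cookie_sid"]
        if cur["cookie_sid"] is None:
            findings.append((cur["url"], "missing_cookie", expected, None))
        elif expected is not None and cur["cookie_sid"] != expected:
            findings.append((cur["url"], "id_changed", expected, cur["cookie_sid"]))
    return findings


if __name__ == "__main__":
    for url, kind, expected, received in check_session_continuity(parse_requests(SAMPLE_LOG)):
        print(f"{kind}: POST {url} expected session {expected}, received {received}")
```

A log that passes both checks while the session data still comes back null matches the second thread, where the cause turned out to be the session storage rather than the cookie.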

LDAPSearch: Custom Filter, Result Search and List of mapping fields

Guims08 (talkcontribs)

MW. 1.34.1

PHP. 7.2.18

LDAPAuthentication2. 1.0.1

LDAPProvider 1.0.3

PluggableAuth. 5.7

extensions/LDAPProvider/src/PlatformFunctionWrapper.php


Hello everyone, I do not know if this is the right place, because I have no bug but a request for advice.

I recently upgraded my MW, installed LDAPAuthentication2 and use it with Sun Directory Server Enterprise Edition 7.

Everything works fine.


But when I look at the logs (/var/www/mediawiki/debug.log), I note that the search filter is not optimal and that the search result returns all the LDAP attributes of the user (which is useless).

It seems that the LDAP search function is in the file "extensions/LDAPProvider/src/PlatformFunctionWrapper.php" but I don't know how to customize it; it's frustrating.

I think we should modify this request [ldap_search( $linkID, $baseDN = 'dc=mycompagny,dc=country,dc=glob', $filter = '(uid=guims08)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );]

but maybe it's not here.


Does anyone know where I can customize the filter and search results?

Last point: Where can I find a list of Mappings Data?


If anyone can answer my questions.


Thank you very much

Osnard (talkcontribs)

Hi!

Thanks for your request!

  • Q: Anyone know where can I custom filter and search results?
    • At the moment there is no good way to do it. You will probably need to hack UserInfoRequest.php . If you explain your motivation of changing the filtering, maybe I can implement something that suits your needs.
  • Q: Where i can find a list of Mappings Data ?
    • Unfortunately I don't understand completely. "LDAPAuthentication2" will only sync "username", "realname" and "email". If you need further syncing you will probably need Extension:LDAPUserInfo. This allows you to map whatever field is available in the "UserInfoRequest"-response to a MediaWiki user property. You can also specify a callback function that allows additional processing of user info data.
Reply to "LDAPSearch: Custom Filter, Result Search and List of mapping fields"

Credentials are not associated with any user on this wiki.

109.197.247.94 (talkcontribs)

Hello,

I recently upgraded the mediawiki package on a Debian buster server and I am configuring the LDAP authentication with LDAPAuthentication2 instead of the old extension 'LdapAuthentication'.

When I try the LDAP authentication, I get the message "The supplied credentials are not associated with any user on this wiki".

These 2 scripts below are OK and retrieve information from our LDAP directory.

  1. php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain "ldap.sub.mydomain.com" --username Nicolasgo
  2. php extensions/LDAPProvider/maintenance/CheckLogin.php --domain "ldap.sub.mydomain.com" --username Nicolasgo

Password:mypass OK

Here is my LDAP section from LocalSettings.php

...
$wgShowDBErrorBacktrace = false;
$wgDebugDumpSql = false;
$wgShowSQLErrors = false;
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgDebugLogFile = "/tmp/wikimedia.log";

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );

//$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
...

Here is my ldapprovider.json configuration :

{

       "ldap.sub.mydomain.com": {
               "connection": {
                       "server": "ldap.sub.mydomain.com",
                       "user": "loginId=nicolasgo,ou=users,dc=sub,dc=mydomain,dc=com",
                       "pass": "mypass",
                       "options": {
                               "LDAP_OPT_DEREF": 1
                       },
                       "port": 636,
                       "enctype": "ssl",
                       "basedn": "dc=sub,dc=mydomain,dc=com",
                       "groupbasedn": "dc=sub,dc=mydomain,dc=com",
                       "userbasedn": "ou=users,dc=sub,dc=mydomain,dc=com",
                       "searchattribute": "loginId",
                       "searchstring": "loginId=USER-NAME,ou=users,dc=sub,dc=mydomain,dc=com",
                       "usernameattribute": "loginId",
                       "realnameattribute": "cn",
                       "emailattribute": "mail"
               },
               "authorization": {
                       "rules": {
                       }
               },
               "userinfo": {
                       "attributes-map": {
                               "email": "mail",
                               "realname": "cn"
                       }
               }
       }

}

Here are some lines from /tmp/wikimedia.log when trying to authenticate :

"Start request GET /index.php?title=Sp%C3%A9cial:Connexion HTTP HEADERS: COOKIE: mediawiki_dbUserName=Nicolasgo; mediawiki_db_session=e4gn5jc5la5rbtd82k6ffihsl6isr4ib TE: trailers UPGRADE-INSECURE-REQUESTS: 1 REFERER: h t t p s : / / wiki2.sub.mydomain.com/index.php?title=Sp%C3%A9cial:Connexion ACCEPT-ENCODING: gzip, deflate, br ACCEPT-LANGUAGE: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3 ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 USER-AGENT: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 HOST: wiki2.sub.mydomain.com CONTENT-LENGTH: CONTENT-TYPE: [caches] cluster: APCUBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCUBagOStuff, session: APCUBagOStuff [caches] LocalisationCache: using store LCStoreDB [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection. [DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff. [DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info { "IPAddress": "10.XX.XX.XX", "UserAgent": "Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/61.0.3163.100 Safari\/537.36", "ChronologyProtection": false, "ChronologyPositionIndex": 0 } [DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'. [session] Session "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" requested without UserID cookie Unstubbing $wgParser on call of $wgParser::setHook from require_once Parser: using preprocessor: Preprocessor_DOM [CryptRand] 0 bytes of randomness leftover in the buffer. 
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [MessageCache] MessageCache::load: Loading fr... local cache is empty, got from global cache Unstubbing $wgLang on call of $wgLang::_unstub from ParserOptions->__construct QuickTemplate::__construct was called with no Config instance passed to it [CryptRand] 0 bytes of randomness leftover in the buffer. [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): PluggableAuthContinueAuthenticationRequest->loadFromSubmission/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded [authentication] Primary login with PluggableAuthPrimaryAuthenticationProvider succeeded, but returned no user [CryptRand] 0 bytes of randomness leftover in the buffer. 
[session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [session] SessionBackend "e4gn5jc5la5rbtd82k6ffihsl6isr4ib" save: dataDirty=1 metaDirty=0 forcePersist=0 [authevents] Login attempt QuickTemplate::__construct was called with no Config instance passed to it MediaWiki::preOutputCommit: primary transaction round committed MediaWiki::preOutputCommit: pre-send deferred updates completed MediaWiki::preOutputCommit: LBFactory shutdown completed [MessageCache] MessageCache::load: Loading en... local cache is empty, got from global cache [gitinfo] Computed cacheFile=/usr/share/mediawiki/gitinfo.json for /usr/share/mediawiki [gitinfo] Cache incomplete for /usr/share/mediawiki"

Here are some observations:

- MediaWiki: 1.31.7 PHP: 7.3.14-1~deb10u1 Time: 1.01150 Memory: 20,48 Mio (Peak: 20,66 Mio)
- If I comment out '$LDAPAuthentication2UsernameNormalizer = 'strtolower';' I got a backtrace with error 'DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username'

Could you give me some hints to resolve this, please? Thank you in advance.

Nicolas

Osnard (talkcontribs)

Please try to remove the "authorization" section from your domain config completely.

109.197.247.94 (talkcontribs)

Hello,

Thank you for your answer. I removed the "authorization" section from the ldapprovider.json file and I don't load the LDAPAuthorization extension anymore from LocalSettings.php.

But the result is the same. Do you have another idea?

Best regards, Nicolas.

109.197.247.94 (talkcontribs)

I'm not sure if I am using the right version of PHP; I notice this PHP warning in the PluggableAuthLogin logs.

"[error] [72c6d20312d838d0d3ef852a] /index.php?title=Sp%C3%A9cial:PluggableAuthLogin ErrorException from line 89 of /var/lib/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Warning: count(): Parameter must be an array or an object that implements Countable"

Have you already seen this error?

I tried to get around this count function in "PluggableAuth/includes/PluggableAuthLogin.php" (because my $returnToUrl variable is not null, but it seems to be a string instead of an array), but always the same result.

Thank you.

Osnard (talkcontribs)

If you are getting a DomainException you might set $LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";

109.197.247.94 (talkcontribs)

Hello, thank you for the hint.

I added "$LDAPProviderDefaultDomain = "ldap.sub.mydomain.com";" in my LocalSettings.php. I still have the Domain Exception.

Here is the full backtrace I didn't post the last time:

[c6dab44f11ea607a1a3646b7] /index.php?title=Sp%C3%A9cial:Connexion DomainException from line 616 of /usr/share/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

Backtrace:

#0 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)
#1 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)
#2 /usr/share/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)
#3 /usr/share/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()
#4 /usr/share/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()
#5 /usr/share/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)
#6 /usr/share/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)
#7 /usr/share/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)
#8 /usr/share/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()
#9 /usr/share/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()
#10 /usr/share/mediawiki/index.php(42): MediaWiki->run()
#11 {main}

In the "Debug log", I got this line: "[authentication] [Auth] username: , user"

I checked in /usr/share/mediawiki/includes/auth/AuthManager.php, line 612. $res->username is empty.

Best regards.

Osnard (talkcontribs)

Which version of PluggableAuth are you using? There is no call to count in PluggableAuthLogin.php anymore. Please check whether the field "loginId" is actually listed in the result of LDAPProvider/maintenance/ShowUserInfo.php. Be aware that the extension is case sensitive here. You might check other variants like "loginid" or "loginID".

109.197.247.94 (talkcontribs)

Thank you Osnard, you found the solution. Authentication works now.

I am using PluggableAuth: REL1_31 (2019-05-20T02:40:46).

The field "loginid" is listed in the result of LDAPProvider/maintenance/ShowUserInfo.php but I was using "loginId" in my ldapprovider.json configuration.

Reply to "Credentials are not associated with any user on this wiki."
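A check for the mismatch that resolved this thread ("loginId" in ldapprovider.json, "loginid" in the ShowUserInfo.php result), as an added example that is not part of the original posts or of the extensions. The configuration is trimmed from the one posted above; the attribute listing is constructed sample data, assumed to have been copied by hand from the script's output into a dict, and the function names are made up for this sketch.

```python
import json

# Connection settings in a domain config that name an LDAP attribute.
ATTRIBUTE_SETTINGS = (
    "searchattribute",
    "usernameattribute",
    "realnameattribute",
    "emailattribute",
)

# Trimmed from the ldapprovider.json posted in this thread.
SAMPLE_CONFIG = """
{
  "ldap.sub.mydomain.com": {
    "connection": {
      "searchattribute": "loginId",
      "usernameattribute": "loginId",
      "realnameattribute": "cn",
      "emailattribute": "mail"
    },
    "userinfo": {
      "attributes-map": { "email": "mail", "realname": "cn" }
    }
  }
}
"""

# Constructed sample: attribute names as listed for one user, with made-up values.
SAMPLE_USER_INFO = {
    "loginid": "nicolasgo",
    "cn": "Example User",
    "mail": "user@example.org",
}


def configured_attributes(domain_config):
    """Yield (setting path, LDAP attribute name) for every attribute reference."""
    connection = domain_config.get("connection") or {}
    for setting in ATTRIBUTE_SETTINGS:
        if setting in connection:
            yield f"connection.{setting}", connection[setting]
    userinfo = domain_config.get("userinfo")
    # Some configs on this page carry "userinfo": [] instead of an object.
    if isinstance(userinfo, dict):
        for prop, attr in (userinfo.get("attributes-map") or {}).items():
            yield f"userinfo.attributes-map.{prop}", attr


def check_attribute_names(domain_config, user_info):
    """Compare configured attribute names with the listed ones, case-sensitively.

    Returns (setting, configured_name, kind, listed_name) tuples, where kind is
    "case_mismatch" (same name in a different case is listed) or "not_listed".
    """
    folded = {}
    for name in user_info:
        folded.setdefault(name.lower(), name)
    findings = []
    for setting, attr in configured_attributes(domain_config):
        if attr in user_info:
            continue  # exact match, nothing to report
        if attr.lower() in folded:
            findings.append((setting, attr, "case_mismatch", folded[attr.lower()]))
        else:
            findings.append((setting, attr, "not_listed", None))
    return findings


def check_config(config_text, user_info):
    """Run the check for every domain in an ldapprovider.json document."""
    config = json.loads(config_text)
    return {domain: check_attribute_names(cfg, user_info)
            for domain, cfg in config.items()}


if __name__ == "__main__":
    for domain, findings in check_config(SAMPLE_CONFIG, SAMPLE_USER_INFO).items():
        for setting, attr, kind, listed in findings:
            hint = f" (listed as '{listed}')" if listed else ""
            print(f"{domain}: {setting} = '{attr}': {kind}{hint}")
```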

autocreateaccount throwing no such table: ldap_domains

2601:46:C702:5634:6124:8B90:4DDC:DE67 (talkcontribs)

Hi,

I'm trying to set up LDAP authentication on a MediaWiki docker instance. I've gotten to the point where the ShowUserInfo.php and CheckLogin.php work correctly. I am also able to log in to the wiki instance with an account that already existed, but using LDAP instead of the local login. The problem I run into is when I try to log in with an LDAP account that doesn't already exist. When I do that I get the following error:

/var/www/html/includes/libs/rdbms/database/Database.php: A database query error has occurred. Did you forget to run your application's database schema updater after upgrading?

Function: Mediawiki\Extension\LDAPProvider\UserDomainStore::getDomainForUser

Error: 1 no such table: ldap_domains


I have searched for how to solve this error but only find solutions for LDAPAuthenticator, not LDAPAuthenticator2 (the file they say to run does not exist in the new version)

I can't include logs because this is being spun up on a confidential system.


My question is: how do I create the table ldap_domains? I have the LDAPProvider, PluggableAuth, and LDAPAuthenticator2 modules installed.

Osnard (talkcontribs)

Have you run <mediawiki>/maintenance/update.php after installation/activation?

2601:46:C702:5634:D016:26C8:684E:4744 (talkcontribs)

So this is running inside of a docker container. Is this something that I should add in my LocalSettings.php file as require_once("maintenance/update.php"); ?


2601:46:C702:5634:D016:26C8:684E:4744 (talkcontribs)

For others: Osnard's solution worked. As long as you have a mounted volume holding the data files and the database files, this only needs to be run once. You cannot make this a require_once() call; this makes it so that the webpage only displays an error. After running the update.php file, everything works (LDAP) and the changes persist over docker container failovers, if you're using a service like me.

Reply to "autocreateaccount throwing no such table: ldap_domains"

[0d90a23077d2a1fa5d12fbea] 2020-01-28 02:02:03: Fatal exception of type "Error"

2601:588:C000:CC8:D49F:4C05:5318:13D (talkcontribs)

When I try to log in as any LDAP user I get the above titled error message. Can someone please help me? I don't know what to do next.


wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );

$LDAPAuthentication2AllowLocalLogin = true;

$LDAPProviderDomainConfigProvider = function() {
        $config = [
                'LDAP' => [
                        'connection' => [
                                "server" => "REDACTED",
                                "user" => "CN=Administrator,CN=Users,DC=it,DC=networkservice,DC=associates",
                                "pass" => 'REDACTED',
                                "options" => [
                                        "LDAP_OPT_DEREF" => 1
                                ],
                                "basedn" => "DC=it,DC=networkservice,DC=associates",
                                "groupbasedn" => "OU=Groups,DC=it,DC=networkservice,DC=associates",
                                "userbasedn" => "OU=Associates,DC=it,DC=networkservice,DC=associates",
                                "searchattribute" => "uid",
                                "searchstring" => "uid=USER-NAME,OU=Associates,DC=it,DC=networkservice,DC=associates",
                                "usernameattribute" => "uid",
                                "realnameattribute" => "cn",
                                "emailattribute" => "mail"
                        ]
                ]
        ];

        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Osnard (talkcontribs)
91.135.176.46 (talkcontribs)

The error is due to the lack of a PHP package:


yum install rh-php72-php-ldap

Reply to "[0d90a23077d2a1fa5d12fbea] 2020-01-28 02:02:03: Fatal exception of type "Error""

Difficulty upgrading from LDAPAuthentication

Realsalt (talkcontribs)

Working on upgrading our wiki from 1.31 and thought we'd upgrade our authentication app at the same time, but having troubles, specifically with the upgrade script:

php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json


Specifically, I have this error:

php extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php --output /ext/mediawiki/ldapprovider.json

PHP Fatal error:  Uncaught Exception: /var/lib/mediawiki-1.33.1-HD-test/extensions/LdapAuthentication/extension.json does not exist! in /var/lib/mediawiki-1.33.1-HD-test/includes/registration/ExtensionRegistry.php:117

Stack trace:
#0 /var/lib/mediawiki-1.33.1-HD-test/includes/GlobalFunctions.php(50): ExtensionRegistry->queue('/var/lib/mediaw...')
#1 /var/lib/mediawiki-1.33.1-HD-test/LocalSettings.php(176): wfLoadExtension('LdapAuthenticat...')
#2 /var/lib/mediawiki-1.33.1-HD-test/includes/Setup.php(105): require_once('/var/lib/mediaw...')
#3 /var/lib/mediawiki-1.33.1-HD-test/maintenance/doMaintenance.php(81): require_once('/var/lib/mediaw...')
#4 /var/lib/mediawiki-1.33.1-HD-test/extensions/LDAPProvider/maintenance/ConvertLdapAuthenticationConfig.php(98): require_once('/var/lib/mediaw...')
#5 {main}
  thrown in /var/lib/mediawiki-1.33.1-HD-test/includes/registration/ExtensionRegistry.php on line 117

This is the relevant part of /includes/registration/ExtensionRegistry.php:

   106		/**
   107		 * @param string $path Absolute path to the JSON file
   108		 */
   109		public function queue( $path ) {
   110			global $wgExtensionInfoMTime;
   111	
   112			$mtime = $wgExtensionInfoMTime;
   113			if ( $mtime === false ) {
   114				if ( file_exists( $path ) ) {
   115					$mtime = filemtime( $path );
   116				} else {
   117					throw new Exception( "$path does not exist!" );
   118				}
   119				// @codeCoverageIgnoreStart
   120				if ( $mtime === false ) {
   121					$err = error_get_last();
   122					throw new Exception( "Couldn't stat $path: {$err['message']}" );
   123					// @codeCoverageIgnoreEnd
   124				}
   125			}
   126			$this->queued[$path] = $mtime;
   127		}

Here's a pastebin with the relevant parts of LocalSettings.php pastebin.com/HQ5SH4iY


I'd appreciate any insight anyone has.

Nick Parrott (talkcontribs)

I took a look at your config layout on pastebin, and I see what you're trying to do.


A few suggestions:


- Use 1.31 or 1.34. The extension-set has not been built/qualified for 1.33, and I've tried master on 1.33 to no avail

- When you install 1.31 or 1.34, consider using the approach of a JSON-config file, combined with LocalSettings.php

- You will find a full working example here: Manual:Active Directory Integration


To avoid agony, I would remove all your existing LDAP or Permission config, and try with the PHP on that page.


I don't think the maintenance script you are running will have any impact on "getting a working setup"

Reply to "Difficulty upgrading from LDAPAuthentication"

Authentication Problems with Active Directory - Credentials Not Associated with User on Wiki

Chattadude (talkcontribs)

Hi,

It seems that the following error is a common occurrence when someone tries to tie Mediawiki into an Active Directory domain: "The supplied credentials are not associated with any user on this wiki."


Osnard, as you know from a separate post in Extension talk:PluggableAuth, I was trying to get Mediawiki talking to a FreeIPA (Red Hat IdM) LDAP directory.

I still intend to reach out to someone with Red Hat or FreeIPA to help determine why there seems to be two "users" in the database associated with the same uid.


That said, my ultimate goal is to bind Media Wiki to an Active Directory (and use FreeIPA as a "proxy" of sorts).

In part of my troubleshooting, I decided to try to connect Mediawiki directly to AD without FreeIPA in the middle.


And that leads me to the error I'm currently getting, that "The supplied credentials are not associated with any user on this wiki."

If I enter in incorrect credentials, I confirm that there is a failure to authenticate.


I can confirm that I AM able to get correct output when I run:

php /var/www/html/extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username {my-user}


My /etc/mediawiki/ldapprovider.json file contains the following:

                       "server": "10.10.10.10",

                       "user": "cn=bind_user,ou=MediaWiki,ou=Applications,ou=Foo,dc=example,dc=com",

                       "pass": "REDACTED",

                       "port":"389",

                       "enctype":"clear",

                       "basedn": "dc=example,dc=com",

                       "groupbasedn": "ou=Network Users,dc=example,dc=com",

                       "userbasedn": "ou=Network Users,dc=example,dc=com",

                       "searchattribute": "samaccountname",

                       "searchstring": "USER-NAME",

                       "usernameattribute": "samaccountname",

                       "realnameattribute": "cn",

                       "emailattribute": "mail"


My LocalSettings.php file contains:

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPUserInfo' );

$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";

$LDAPAuthentication2AllowLocalLogin = false;


I have the following versions:

- MediaWiki 1.34
- PluggableAuth-REL1_34
- LDAPUserInfo-REL1_31
- LDAPAuthentication2-master-2aa5664 (I've also tried LDAPAuthentication2-REL1_31)
- LDAPProvider-master-963bd84 (I've also tried LDAPProvider-REL1_31)


I'm not sure where to go from here.

Chattadude (talkcontribs)

I have just done a "fresh install" of MediaWiki 1.34 to rule out any possible issue in the database itself.

Using the same codebase and configuration options as described above in the (new) LocalSettings.php of the new install, I am still getting the symptoms I described earlier. My user credentials are clearly working, but I keep getting the error message "The supplied credentials are not associated with any user on this wiki." when I do try to login.


I'm completely at a loss at this point.

209.3.130.226 (talkcontribs)

Have you found a solution yet? This is where I'm at.

Chattadude (talkcontribs)

Nope, I still don't have this working. I was hoping someone else would be able to provide some guidance.

I'll keep troubleshooting, and if I get it working, will be sure to post back here. If you come up with a solution for yourself, please consider posting back here with your solution as well.

80.89.157.0 (talkcontribs)

Just enable logs with


$wgDebugLogFile = "/var/www/mediawiki/debug.log";

You could see the error there

Reply to "Authentication Problems with Active Directory - Credentials Not Associated with User on Wiki"
LeavingCT (talkcontribs)

i am trying to get this working. i have recently upgraded to:

mw: 1.31.6; running php7.3. i have been able to validate using the maintenance/CheckLogin.php on the LDAPProvider extension. if i enter an incorrect password; when i login, i get the "Could not authenticate credentials against domain"; if i enter the correct password, i get the "The supplied credentials are not associated with any user on this wiki."


the PluggableAuth is also installed.


when i look at my debug log, i notice a couple of errors:

ErrorException from line 85 of /var/lib/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: samaccountname

ErrorException from line 86 of /var/lib/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: cn

my settings are such:

<code>


$LDAPProviderDomainConfigProvider = function () {
   $config = [
      "ny.something.biz" => [ 
         "connection" => [
            "server" => "domain.ny.something.biz", 
            "basedn" => "dc=something,dc=biz", 
            "groupbasedn" => "dc=something,dc=biz", 
            "userbasedn" => "dc=something,dc=biz", 
            "searchattribute" => "samaccountname", 
            "searchstring" => "SOMETHING_NY_1\\USER-NAME", 
            "usernameattribute" => "samaccountname",
            "realnameattribute" => "cn",
            "emailattribute" => "mail"
         ],
      ]
   ];
   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray($config);
};

</code>

appreciate any help on this! thanks.

Osnard (talkcontribs)

Please check the output of LDAPProvider/maintenance/CheckUserInfo.php. It looks like you need to configure something other than "samaccountname" for the username and "cn" for the realname.

LeavingCT (talkcontribs)

hi osnard, thanks for the help. i'm guessing you meant ShowUserInfo.php and not CheckUserInfo.php. when i try that i'm getting the:

MWException from line 197 of /var/lib/mediawiki/extensions/LDAPProvider/src/Client.php: Error in LDAP search: Operations error


i've tried setting the LDAP_OPT_REFERRALS to 0 (as well as 1); but neither seemed to help.

appreciate any further input as a cursory search seems to indicate plenty of people have similar problem.

best.

LeavingCT (talkcontribs)

hi osnard, i have played around with a bit of the config values. at 1 point, i got the ShowUserInfo to work. now it does not... however, i am now validating against AD and am successfully logging in! so thanks for the help. once i get some more time, i may come back and see where i went adrift, but for now i seem to be working. i do believe that i added our OU as well. thanks again.

Chattadude (talkcontribs)

Could you please share your resolution that lets users login?

LeavingCT (talkcontribs)

with regards to the changes i made, it is hard to tell exactly what caused the login to now work. i am not sure if a recent update to our domain controller was the culprit, or adding our organization unit (ou=) to our basedn in the above config. as i stated above, i have added the following options to the config:

    "options" => [
        "LDAP_OPT_DEREF" => 0
    ],


but i'm not clear if this is part of the solution or not. unfortunately i can not say for sure what has resolved our issue, nor can i say why we are now getting the:

Error in LDAP search: Operations error

when executing the ShowUserInfo script. i know i successfully ran that maintenance script once, but now it is erroring out. i wish i could be of more help with a definitive answer. when i have more time, i will continue to play, and see if i can come up with a definitive answer. best.

Osnard (talkcontribs)

The "Operations error" may imply that the user you use to bind to the LDAP resource is not allowed to run a "search" against LDAP. This sometimes happens in "anonymous bind" setups.

Reply to "having trouble...."
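The checks raised across the two threads above (state the transport explicitly, bind with a real account before searching, confirm the configured attribute names against the user record), written out as an added Python example; it is not part of the original posts or of the extensions' own code. The sample configurations and user record are constructed from the settings quoted above, and the helper names are hypothetical.

```python
import json

ATTR_KEYS = ("usernameattribute", "realnameattribute", "emailattribute")

def lint_connection(conn):
    """Findings for one domain's "connection" block."""
    findings = []
    enctype = conn.get("enctype")
    if enctype is None:
        findings.append("enctype not set: state the transport explicitly")
    elif enctype == "clear":
        findings.append("enctype is clear: bind and user passwords cross the network unencrypted")
    if not conn.get("user") or not conn.get("pass"):
        findings.append("no bind user/pass: anonymous bind, a search may return 'Operations error'")
    return findings

def missing_attributes(conn, user_info):
    """Configured attribute names absent from a user record (exact-match lookup,
    like the PHP array index behind the 'Undefined index' notices)."""
    return [conn[k] for k in ATTR_KEYS if k in conn and conn[k] not in user_info]

def report(domains, user_info):
    """Map each domain name to its list of findings."""
    out = {}
    for domain, cfg in domains.items():
        conn = cfg["connection"]
        out[domain] = lint_connection(conn) + [
            "attribute not in user record: " + a for a in missing_attributes(conn, user_info)]
    return out

# Constructed from the JSON settings quoted in the thread; the "LDAP" domain key and
# the "connection" wrapper are assumed from the --domain argument and the PHP array.
AD_DIRECT = json.loads("""{"LDAP": {"connection": {
  "server": "10.10.10.10", "pass": "REDACTED", "port": "389", "enctype": "clear",
  "user": "cn=bind_user,ou=MediaWiki,ou=Applications,ou=Foo,dc=example,dc=com",
  "searchattribute": "samaccountname", "usernameattribute": "samaccountname",
  "realnameattribute": "cn", "emailattribute": "mail"}}}""")

# Constructed from the inline PHP array quoted in the thread (no bind user, no enctype).
INLINE_PHP = {"ny.something.biz": {"connection": {
    "server": "domain.ny.something.biz", "basedn": "dc=something,dc=biz",
    "searchattribute": "samaccountname", "usernameattribute": "samaccountname",
    "realnameattribute": "cn", "emailattribute": "mail"}}}

# Constructed user record standing in for ShowUserInfo.php output; it has no "mail".
SAMPLE_RECORD = {"samaccountname": "jdoe", "cn": "Jane Doe"}

if __name__ == "__main__":
    for cfg in (AD_DIRECT, INLINE_PHP):
        for domain, findings in report(cfg, SAMPLE_RECORD).items():
            print(domain, *findings, sep="\n  - ")
```
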
Textform (talkcontribs)

My usernames in the AD are name_surname with an underscore. I can log in with name_surname. But at a new login, "Name surname" is autofilled in the username login field. With that username, logon fails.

Textform (talkcontribs)

I could solve this by changing $username = strtolower(str_replace(" ","_",$extraLoginFields[ExtraLoginFields::USERNAME])); in extensions\LDAPAuthentication2\src\PluggableAuth.php. But group mapping does not work. All groups are removed, no matter whether I log in with name_surname or "Name surname".

With a username that has no underscores all works fine.

php LDAPProvider/maintenance/ShowUserGroups.php --domain textform.net --username wikiuser shows all the groups, when I use name_surname. But obviously nothing for "Name surname".

How can I tell the extension LDAPGroups to "normalize" the username to name_surname before querying the groups?

(Maybe it would be better to move this thread to the LDAPGroups talk?)

Osnard (talkcontribs)
Reply to "Underscores in Usernames"