Extension talk:LDAPAuthentication2

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Start a new topic

setting up LDAP

12 comments • 13:17, 8 April 2024 11 days ago

12

Summary by Wikiphpnoob

moving from LDAP to Azure/Entra

65.207.72.210 (talkcontribs)

Hello, I have Windows Server 2016, with IIS version 10, with PHP 8.3.3, with MediaWiki 1.41.0

i am new to setting all of this up and at points can be rather confusing.

i have been trying to set up LDAP and thus far used extensions LDAPProvider, LDAPAuthentication2, LDAPAuthorization.

with LDAPProvider, i also have a ldapprovider.json

FIRST, i'd like to know which extensions would best support the following:

after authenticating to LDAP/active directory, i want permissions set where certain users only have access to certain pages in the wiki

here's my LocalSettings.php and ldapprovider.json as currently i'm getting HTTP ERROR 500. any assistance would be appreciated...

<?php

# This file was automatically generated by the MediaWiki 1.41.0

# installer. If you make manual changes, please keep track in case you

# need to recreate them later.

#

# See includes/MainConfigSchema.php for all configurable settings

# and their default values, but don't forget to make changes in _this_

# file, not there.

#

# Further documentation for configuration settings may be found at:

# https://www.mediawiki.org/wiki/Manual:Configuration_settings

# Protect against web entry

if ( !defined( 'MEDIAWIKI' ) ) {

exit;

}

## Uncomment this to disable output compression

# $wgDisableOutputCompression = true;

$wgSitename = "raa ems wiki";

$wgMetaNamespace = "Raa ems wiki";

## The URL base path to the directory containing the wiki;

## defaults for all runtime URL paths are based off of this.

## For more information on customizing the URLs

## (like /w/index.php/Page_title to /wiki/Page_title) please see:

## https://www.mediawiki.org/wiki/Manual:Short_URL

$wgScriptPath = "/raaemsitwiki/mediawiki-1.41.0";

## The protocol and server name to use in fully-qualified URLs

$wgServer = "XXX";

## The URL path to static resources (images, scripts, etc.)

$wgResourceBasePath = $wgScriptPath;

## The URL paths to the logo. Make sure you change this from the default,

## or else you'll overwrite your logo when you upgrade!

$wgLogos = [

'1x' => "$wgResourceBasePath/resources/assets/RAAEMS-Image.svg",

'icon' => "$wgResourceBasePath/resources/assets/RAAEMS-Image.svg",

];

## UPO means: this is also a user preference option

$wgEnableEmail = false;

$wgEnableUserEmail = false; # UPO

$wgEmergencyContact = "";

$wgPasswordSender = "";

$wgEnotifUserTalk = false; # UPO

$wgEnotifWatchlist = false; # UPO

$wgEmailAuthentication = true;

## Database settings

$wgDBtype = "mysql";

$wgDBserver = "localhost";

$wgDBname = "raaemsitwiki";

$wgDBuser = "XXX";

$wgDBpassword = "XXX";

# MySQL specific settings

$wgDBprefix = "";

$wgDBssl = false;

# MySQL table options to use during installation or update

$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table

# This has no effect unless $wgSharedDB is also set.

$wgSharedTables[] = "actor";

## Shared memory settings

$wgMainCacheType = CACHE_NONE;

$wgMemCachedServers = [];

## To enable image uploads, make sure the 'images' directory

## is writable, then set this to true:

$wgEnableUploads = true;

#$wgUseImageMagick = true;

#$wgImageMagickConvertCommand = "/usr/bin/convert";

# InstantCommons allows wiki to use images from https://commons.wikimedia.org

$wgUseInstantCommons = false;

# Periodically send a pingback to https://www.mediawiki.org/ with basic data

# about this MediaWiki instance. The Wikimedia Foundation shares this data

# with MediaWiki developers to help guide future development efforts.

$wgPingback = false;

# Site language code, should be one of the list in ./includes/languages/data/Names.php

$wgLanguageCode = "en";

# Time zone

$wgLocaltimezone = "UTC";

## Set $wgCacheDirectory to a writable directory on the web server

## to make your wiki go slightly faster. The directory should not

## be publicly accessible from the web.

#$wgCacheDirectory = "$IP/cache";

$wgSecretKey = "3f3c74223135b08da57eeffcc1fae44b00656ec470ff2b2abfc8b8286f82aa53";

# Changing this will log out all existing sessions.

$wgAuthenticationTokenVersion = "";

# Site upgrade key. Must be set to a string (default provided) to turn on the

# web installer while LocalSettings.php is in place

$wgUpgradeKey = "f697fe884146d13d";

## For attaching licensing metadata to pages, and displaying an

## appropriate copyright notice / icon. GNU Free Documentation

## License and Creative Commons licenses are supported so far.

$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright

$wgRightsUrl = "";

$wgRightsText = "";

$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.

$wgDiff3 = "";

# The following permissions were set based on your choice in the installer

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['edit'] = false;

## Default skin: you can change the default skin. Use the internal symbolic

## names, e.g. 'vector' or 'monobook':

$wgDefaultSkin = "timeless";

# Enabled skins.

# The following skins were automatically enabled:

wfLoadSkin( 'Timeless' );

# Enabled extensions. Most of the extensions are enabled by adding

# wfLoadExtension( 'ExtensionName' );

# to LocalSettings.php. Check specific extension documentation for more details.

# The following extensions were automatically enabled:

wfLoadExtension( 'CategoryTree' );

wfLoadExtension( 'Cite' );

wfLoadExtension( 'CiteThisPage' );

wfLoadExtension( 'CodeEditor' );

wfLoadExtension( 'Echo' );

wfLoadExtension( 'InputBox' );

wfLoadExtension( 'Nuke' );

wfLoadExtension( 'ParserFunctions' );

wfLoadExtension( 'ReplaceText' );

wfLoadExtension( 'WikiEditor' );

wfLoadExtension( 'CSS' );

# End of automatically generated settings.

# Add more configuration options below.

# Enable LDAPProvider extension

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

//wfLoadExtension( 'LDAPAuthorization' );

//wfLoadExtension( 'Lockdown' );

# Configure LDAP settings

$LDAPProviderDomainConfigs = "$IP/extensions/LDAPProvider/ldapprovider.json";

$LDAPProviderPreSearchUsernameModifierRegistry['strtolower'] = function (&$username) {

$username = strtolower($username);

};

$wgLDAPProvider['CacheType'] = 'internal';

$wgLDAPProvider['CacheTime'] = 3600; // Cache LDAP queries for 1 hour

# LDAPAuthentication2 configuration

$LDAPAuthentication2AllowLocalLogin = false;

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName'; //Attribute in LDAP containing the username

************************

{

"raaric.org": {

"connection": {

"server": "XXX",

"port": "XXX",

"use-tls": "true",

"user": "CN=mediawiki,OU=XXX,DC=XXX,DC=XXX",

"pass": "XXX",

"enctype": "ssl",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=XXX,dc=XXX",

"userbasedn": "dc=XXX,dc=XXX",

"groupbasedn": "dc=XXX,dc=XXX",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "displayName",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "strtolower" ]

}

21:57, 27 February 2024 1 month ago

Osnard (talkcontribs)

FIRST, i'd like to know which extensions would best support the following: after authenticating to LDAP/active directory, i want permissions set where certain users only have access to certain pages in the wiki

For basic authentication, you need Extension:LDAPAuthentication2. If you want to restrict login to users of certain LDAP groups you need Extension:LDAPAuthorization. Permissions in MediaWiki are assigned to usergroups, not to particular users. Therefore if you want to set up some permissions, you'll most likely want to use Extension:LDAPGroups for sychronization of LDAP groups into the wiki. Hope that helps.

Regarding the error 500: The JSON file and the PHP settings file look good. There must be something in the error logs. only this can give you a clue about what's wrong.

Just a hint: Windows Server 2016 is no longer maintained. Consider migrating your application to a more up to date environment.

08:16, 1 March 2024 1 month ago

Wikiphpnoob (talkcontribs)

thanks @Osnard for the update. i have since moved beyond previous issues. for the time being, i'm stuck with windows server 2016 trying to make do.

i have LDAPAuthentication2 3.0.0-alpha, LDAPAuthentication 3.0.0-alpha, LDAPGroups 3.0.0-alpha, LDAPProvider 3.0.0-alpha, LDAPUserInfo 3.0.0-alpha, PluggableAuth 7.1.0

right now i'm having issue authenticating using LDAP, i can use an internal mediawiki admin account, but once $wgPluggableAuth_EnableLocalLogin = false, and i Log in, instant "The supplied credentials could not be authenticated." log in prompts are never provided.

getting [authentication] Login failed in primary authentication because no provider accepted

20:18, 1 March 2024 1 month ago

Osnard (talkcontribs)

Have you tried the CLI tools like extensions/LDAPProvider/maintenance/CheckLogin.php?

08:55, 4 March 2024 1 month ago

Wikiphpnoob (talkcontribs)

thank you thank you @Osnard, your suggestion was very helpful, but i still immediately get to the "The supplied credentials could not be authenticated" without even showing prompts to enter username/password and i find a log that shows :

[authentication] Login failed in primary authentication because no provider accepted

it appears to look locally in mediawiki, and not reach out using ldap.

this is my LocalSettings:

# Safe IP or not (for bypassing external login via AD)

$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range

$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {

$wikiRequestIP = $_SERVER[$ipsVar];

break;

}

$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON

$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";

$ldapConfig = false;

if (is_file($ldapJsonFile)) {

$testJson = @json_decode(file_get_contents($ldapJsonFile), true);

if (is_array($testJson)) {

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: $ldapJsonFile");

}

# Activate extensions

if ($ldapConfig) {

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPGroups');

wfLoadExtension( 'LDAPUserInfo');

wfLoadExtension( 'PluggableAuth' );

$wgDebugLogGroups['PluggableAuth'] = 'C:\\Windows\\Temp\\PLUG.log';

$wgDebugLogGroups['LDAP'] = 'C:\\Windows\\Temp\\LDAP.log';

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 'C:\\Windows\\Temp\\LDprov.log';

$wgDebugLogGroups['LDAPGroups'] = 'C:\\Windows\\Temp\\LDgrp.log';

$wgDebugLogGroups['LDAPUserInfo'] = 'C:\\Windows\\Temp\\LDui.log';

$wgDebugLogGroups['LDAPAuthorization'] = 'C:\\Windows\\Temp\\LDAPauthor.log';

$wgDebugLogFile = 'C:\\Windows\\Temp\\wikidbg.log';

$LDAPProviderDomainConfigs = $ldapJsonFile;

$LDAPProviderPreSearchUsernameModifierRegistry = [

'strtolower' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();

},

'removespaces' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\RemoveSpaces::newInstance();

}

];

$wgLDAPProvider['CacheType'] = 'CACHE_NONE'; //internal when not debugging

$wgLDAPProvider['CacheTime'] = 3600; // Cache LDAP queries for 1 hour

# LDAPAuthentication2 configuration

$LDAPAuthentication2AllowLocalLogin = true;

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName'; //Attribute in LDAP containing the username

# Configure PluggableAuth settings

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout = true;

$wgPluggableAuth_Config = [

"My LDAP Login" => [

'plugin' => 'PluggableAuth',

'data' => [

'server' => 'ldap://acme.org', // LDAP server hostname or IP address

'port' => 389, // LDAP server port

'basedn' => 'dc=acme,dc=org', // Base DN for LDAP searches

'groupbasedn' => 'dc=acme,dc=org', // Base DN for LDAP groups

'userbasedn' => 'dc=acme,dc=org', // Base DN for LDAP users

'usersearch' => '(samaccountName=media wiki)', // LDAP search filter for users

'groupsearch' => '(member=$dn)', // LDAP search filter for groups

'options' => [

LDAP_OPT_DEREF => 1, // LDAP options

],

'groupsyncs' => [

[

'type' => 'mapped',

'map' => [

'information_technology' => ['groups' => 'Information Technology'],

'human_resources' => ['groups' => 'Human Resournces']

]

],

];

$LDAPGroupsSyncMechanismRegistry = [

'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'

];

} // end to activate extensions

any advice or questions to make my issue make more sense?

20:41, 12 March 2024 1 month ago

Osnard (talkcontribs)

Looks like you may have mixed $wgPluggableAuth_Config from Extension:PluggableAuth#Configuration and $LDAPProviderDomainConfigs from Extension:LDAPProvider#Static_JSON_file.

Just put all what you currently have in 'data' into the domain configs and reference only the domain in 'data'

$wgPluggableAuth_Config = [
        "My LDAP Login" => [
            'plugin' => 'PluggableAuth',
            'data' => [
                    'domain' => '<domain-specified-in-domainconfigs>
            ]
];

And e.g. ldapprovider.json with

{
	"<domain-specified-in-domainconfigs>": {
		"connection": {
			"server": "...",
            ...

Edited 07:44, 13 March 2024 1 month ago

Wikiphpnoob (talkcontribs)

@Osnard eternally grateful for the assist, i see you are busy around here...

getting ...

[error] [d06bae5a95d5d9585f8e5074] /raaemsitwiki/mediawiki-1.41.0/index.php?title=Special:UserLogin&returnto=Main+Page PHP Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$password is deprecated

[error] [d06bae5a95d5d9585f8e5074] /raaemsitwiki/mediawiki-1.41.0/index.php?title=Special:UserLogin&returnto=Main+Page PHP Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$pluggableauthlogin0 is deprecated

Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$pluggableauthlogin0 is deprecated in C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\includes\session\Session.php on line 576

Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$password is deprecated in C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\includes\session\Session.php on line 576

Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$pluggableauthlogin0 is deprecated in C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\includes\session\Session.php on line 576

LOCALSETTINGS...

# Safe IP or not (for bypassing external login via AD)

$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range

$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {

$wikiRequestIP = $_SERVER[$ipsVar];

break;

}

$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON

$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";

$ldapConfig = false;

if (is_file($ldapJsonFile)) {

$testJson = @json_decode(file_get_contents($ldapJsonFile), true);

if (is_array($testJson)) {

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: $ldapJsonFile");

}

# Activate extensions

if ($ldapConfig) {

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPGroups');

wfLoadExtension( 'LDAPUserInfo');

wfLoadExtension( 'PluggableAuth' );

$wgDebugLogGroups['PluggableAuth'] = 'C:\\Windows\\Temp\\PLUG.log';

$wgDebugLogGroups['LDAP'] = 'C:\\Windows\\Temp\\LDAP.log';

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 'C:\\Windows\\Temp\\LDprov.log';

$wgDebugLogGroups['LDAPGroups'] = 'C:\\Windows\\Temp\\LDgrp.log';

$wgDebugLogGroups['LDAPUserInfo'] = 'C:\\Windows\\Temp\\LDui.log';

$wgDebugLogGroups['LDAPAuthorization'] = 'C:\\Windows\\Temp\\LDAPauthor.log';

$wgDebugLogFile = 'C:\\Windows\\Temp\\wikidbg.log';

$LDAPProviderDomainConfigs = $ldapJsonFile;

$LDAPProviderPreSearchUsernameModifierRegistry = [

'strtolower' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();

},

'removespaces' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\RemoveSpaces::newInstance();

}

];

$wgLDAPProvider['CacheType'] = 'CACHE_NONE'; //internal when not debugging

$wgLDAPProvider['CacheTime'] = 3600; // Cache LDAP queries for 1 hour

# LDAPAuthentication2 configuration

$LDAPAuthentication2AllowLocalLogin = true;

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName'; //Attribute in LDAP containing the username

# Configure PluggableAuth settings

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = true;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout = true;

$wgPluggableAuth_Config = [

"My LDAP Login" => [

'plugin' => 'LDAPAuthentication2',

'data' => [

'domain' => 'acme.org'

]

];

$LDAPGroupsSyncMechanismRegistry = [

'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'

];

} // end to activate extensions

LDAPPROVIDER.JSON

{

"acme.org": {

"connection": {

"server": "acme.org",

"port": 389,

"use-tls": "true",

"user": "media wiki",

"pass": "XXX",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=acme,dc=org",

"userbasedn": "dc=acme,dc=org",

"groupbasedn": "dc=acme,dc=org",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "strtolower" ]

},

"authorization": {

"rules": {

"groups": {

"required": [

"CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

]

}

},

"groupsync": {

"mechanism": "mappedgroups",

"mapping": {

"information_technology": "CN=Information Technology,OU=GROUPS,DC=acme,DC=ORG",

"human_resources": "CN=Human Resources,OU=GROUPS,DC=acme,DC=ORG"

}

},

"userinfo": {

"realname": "displayName"

}

19:36, 13 March 2024 1 month ago

Osnard (talkcontribs)

Well, die messages from above are only "deprecation warnings". Nothing that should break things. If those are actually visible in your browser, you should diable show_errors in your php.ini. Also consider adding ~E_USER_DEPRECATED to the list of your display_errors setting.

13:42, 14 March 2024 1 month ago

Wikiphpnoob (talkcontribs)

ty again @Osnard

i can get checklogin,php and showuserinfo.php to succeed. but CheckConnection keeps giving :

MWException from line 236 of C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\extensions\LDAPProvider\src\Client.php: Error in LDAP search: Bad search filter

#0 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\extensions\LDAPProvider\maintenance\CheckConnection.php(40): MediaWiki\Extension\LDAPProvider\Client->search()
#1 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\maintenance\includes\MaintenanceRunner.php(703): MediaWiki\Extension\LDAPProvider\Maintenance\CheckConnection->execute()
#2 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\maintenance\doMaintenance.php(100): MediaWiki\Maintenance\MaintenanceRunner->run()
#3 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\extensions\LDAPProvider\maintenance\CheckConnection.php(72): require_once('...')
#4 {main}

and i'm having a hard time finding in the json where it may be hanging up:

{
    "acme.org": {
        "connection": {
            "server": "acme.ORG",
            "port": 389,
            "enctype": "clear",
            "user": "CN=media wiki,OU=user accounts,DC=acme,DC=ORG",
            "pass": "XXX",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=acme,dc=org",
            "userbasedn": "dc=acme,dc=org",
            "groupbasedn": "dc=acme,dc=org",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [
                "strtolower"
            ]
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": [
                        "CN=Information Technology,OU=GROUPS,DC=acme,DC=ORG",
                        "CN=Human Resources,OU=GROUPS,DC=acme,DC=ORG"
                    ]
                }
            }
        },
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "information_technology": "CN=Information Technology,OU=GROUPS,DC=acme,DC=ORG",
                "human_resources": "CN=Human Resources,OU=GROUPS,DC=acme,DC=ORG"
            }
        },
        "userinfo": {
            "realname": "displayName"
        }
    }
}

Also, when attempting to log in from the wiki site with the ldap binding account, i get "could not authenticate credentials against domain"

and when i try my AD log in, i get "incorrect username or password entered"

logs show no attempt made against LDAP when using anything other that the LDAP binding account

Edited by Osnard 13:04, 15 March 2024 1 month ago

Osnard (talkcontribs)

Error in LDAP search: Bad search filter is odd. I believe we hat it here on the talk pages already, please do some search. Also you can enable debug logging, so we can find the root cause.

13:02, 15 March 2024 1 month ago

Wikiphpnoob (talkcontribs)

@Osnard

CheckConnection debug log shows :

Start command line script CheckConnection.php

[session] SessionManager using store SqlBagOStuff

[localisation] LocalisationCache using store LCStoreDB

[objectcache] MainWANObjectCache using store EmptyBagOStuff

[LDAPProvider] Setting LDAP_OPT_PROTOCOL_VERSION to 3

[LDAPProvider] Setting LDAP_OPT_REFERRALS to 0

[LDAPProvider] Setting LDAP_OPT_DEREF to 1

15:32, 15 March 2024 1 month ago

Wikiphpnoob (talkcontribs)

hello @Osnard

when attempting to authenticate with a local AD account, i get the following:

Could not authenticate credentials against domain "acme.org"

I run ShowUserInfo and CheckConnection using the same local AD account and both run successfully

as you can see below, i've tried to play around with little settings here and there in the .json:

"acme.org": {

"connection": {

"server": "IP address",

"port": 389,

"enctype": "clear",

"user": "CN=media wiki,OU=Managed Service Accounts,DC=ACME,DC=ORG",

"pass": "XXX",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "DC=RAARIC,DC=ORG",

"userbasedn": "OU=RAA Users,DC=ACME,DC=ORG",

"groupbasedn": "OU=GROUPS,DC=ACME,DC=ORG",

"usersearch": "samaccountname",

"groupsearch": "$dn",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "lowercase" ],

"searchstring": "samaccountname"

},

"authorization": {

"rules": {

"groups": {

"required": [

"CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

]

}

},

"groupsync": {

"mechanism": "mappedgroups",

"mapping": {

"information_technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"human_resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

}

},

"userinfo": {

"realname": "samaccountname"

}

any ideas where i need to look? what i need to edit/refactor? any further questions to help you in helping me?

15:09, 18 March 2024 1 month ago

Populate the ldap_domains database

8 comments • 07:51, 7 March 2024 1 month ago

8

GregANICO (talkcontribs)

Reply Edited 17:06, 1 March 2024 1 month ago

GregANICO (talkcontribs)

I am running MediaWiki 1.39 with LDAPAuthentication2: REL1_39 and PluggableAuth: REL1_39. For some reason it seems my database table is empty for ldap_domains:

MariaDB [redacted_wikidb]> SELECT * FROM `ldap_domains`;

Empty set (0.000 sec)

I have ran the maintance/update.php and it doesn't populate that table. Any way I can populate it by hand to get this to work?

Thanks,

Greg

Reply 17:09, 1 March 2024 1 month ago

Osnard (talkcontribs)

It will populate itself, when the users log in.

Reply 08:56, 4 March 2024 1 month ago

GregANICO (talkcontribs)

That must not be the issue then. When I go to login to the site with my domain credentials I get the following error message: Please choose a valid domain

Reply 19:44, 4 March 2024 1 month ago

GregANICO (talkcontribs)

This is what I see

Reply 21:28, 4 March 2024 1 month ago

Osnard (talkcontribs)

Can you please share the $wgPluggableAuth_Config setting?

Reply 12:11, 5 March 2024 1 month ago

GregANICO (talkcontribs)

Sure, here it is I placed DOMAIN and subdomain.domain just on here for security purpose but left them case sensitive as they are in the configuration:

$wgPluggableAuth_Config['Log In (DOMAIN)'] = [

'plugin' => 'LDAPAuthentication2',

'data' => [

'domain' => 'subdomain.domain.com'

]

];

Reply 13:32, 6 March 2024 1 month ago

Osnard (talkcontribs)

And subdomain.domain.com is configured in Extension:LDAPProviders "domain config"?

Do CLI tools like extensions/LDAPProvider/maintenance/CheckLogin.php work?

Reply Edited 07:51, 7 March 2024 1 month ago

Reply to "Populate the ldap_domains database"

MediaWiki version >1.35

4 comments • 15:41, 8 February 2024 2 months ago

4

Issiegainsley (talkcontribs)

Has anyone got LDAP login to work on a mediawiki install later than 1.35?

Reply 18:35, 24 January 2024 2 months ago

Osnard (talkcontribs)

Yes, MediaWiki 1.39 works very well. But also other version should work

Reply 14:45, 25 January 2024 2 months ago

Issiegainsley (talkcontribs)

I have downloaded 1.39 and installed in on MediaWiki 1.39.6 and it fails. I have ran composer in the LDAP folder. I have installed:

PluggableAuth for 1.39.

LDAPProvider for 1.39.

Any suggestions?

I can log in locally. But when I log in with a domain, I get this error:

[3a3fdccb6706559f14f51d46] 2024-02-02 15:32:31: Fatal exception of type "Wikimedia\Rdbms\DBQueryError"

Once I put the following code in my localsettings file it worked. ????

$wgDebugLogGroups['LDAPAuthorization'] = '/log/LDAP.log';

These are the errors I get in the log file.

2024-02-02 17:23:38 MSPM1BAPPD1117 my_wiki: Getting PluggableAuth instance

2024-02-02 17:23:38 MSPM1BAPPD1117 my_wiki: Could not get authentication plugin instance.

I GUESS IT IS WORKING?

Reply Edited 17:27, 2 February 2024 2 months ago

Osnard (talkcontribs)

Can you please share how $wgPluggableAuth_Config is set up?

Reply 15:41, 8 February 2024 2 months ago

Reply to "MediaWiki version >1.35"

LDAP-User cannot be authenticated

2 comments • 07:46, 22 December 2023 3 months ago

2

Julio1501 (talkcontribs)

MediaWiki 1.39.4

PHP 8.0.30 (apache2handler)

MariaDB 10.5.19-MariaDB-0+deb11u2

BlueSpice 4.3.2 (build:20230907155405)

All LDAP Test from the maintenance folder work. But LDAP authentication fails

The LocalSettings.php is configured like below:

$LDAPProviderCacheType = CACHE_NONE;

$wgGroupPermissions['*']['autocreateaccount'] = true;

//$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "/var/www/ldap.json";

$ldapConfig = true;

// Activate Extension

if ( $ldapConfig ) {

wfLoadExtension( 'PluggableAuth' ); //"version": "7.0.0"

wfLoadExtension( 'LDAPProvider' ); //"version": "2.0.1"

wfLoadExtension( 'LDAPAuthentication2' ); //"version": "2.0.2"

wfLoadExtension( 'LDAPAuthorization' ); //"version": "2.0.1"

wfLoadExtension( 'LDAPUserInfo' ); //"version": "2.0.0"

wfLoadExtension( 'LDAPGroups' ); //"version": "2.0.1"

$LDAPProviderDomainConfigs = $ldapJsonFile;

$LDAPAuthentication2AllowLocalLogin = true;

$wgPluggableAuth_EnableLocalLogin = true;

$wgPluggableAuth_ButtonLabel = "Log In";

// Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)

$LDAPProviderDefaultDomain = "mydomain.local";

}

$wgLDAPDebug = 3; //for debugging LDAP

$wgDebugLogGroups['LDAP'] = "/var/log/mediawiki/ldap_debug.log";

$wgDebugLogGroups['LDAPGroups'] = "/var/log/mediawiki/LDAPGroups.log";

$wgDebugLogGroups['LDAPAuthentication2'] = "/var/log/mediawiki/LDAPauth.log";

my ldap.json:

{

"mydomain.local": {

"connection": {

"server": "mydomain.local",

"port": "389",

"user": "binduser@mydomain.local",

"pass": "mysecret",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "DC=mydomain,DC=local",

"userbasedn": "DC=mydomain,DC=local",

"groupbasedn": "DC=mydomain,DC=local",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": ["spacestounderscores", "lowercase"]

},

"userinfo": [],

"authorization": {

"rules": {

"groups": {

"required": [""]

}

},

"groupsync": {

"mapping": {

"sysop": ""

}

Thanks!

Reply Edited 14:10, 25 October 2023 5 months ago

Osnard (talkcontribs)

So is there anything on the logs?

Reply 07:46, 22 December 2023 3 months ago

Reply to "LDAP-User cannot be authenticated"

SSO not working using LDAPAuthentication2

8 comments • 06:51, 17 November 2023 5 months ago

8

Testergt1302 (talkcontribs)

Hi,

We had MW 1.35 in Prod and SSO was working when using extension LDAPAuthentication. But when we upgraded to MW 1.39, we are advised to use extension LDAPAuthentication2 with LDAPProvider & PluggableAuth. But the SSO is not working with this Formbased solution.

Please let us know how can we achieve SSO with this form based approach?

Thanks,

GT

Reply 15:41, 8 November 2023 5 months ago

Osnard (talkcontribs)

For SSO you need to use Extension:Auth_remoteuser in conjuction with Kerberos-Authentication in the webserver.

Reply 15:56, 8 November 2023 5 months ago

Testergt1302 (talkcontribs)

Ok, we are currently using this one only. If the user id is present in wiki DB, the extension allows user to access wiki. But noticed that, new user acc is being created in wiki DB only with the user name. Email id and other things are not added in the user table. For existing users I can see email id and other details since it was done by LDAP extension.

Not sure if this will be a problem in the future if we plan to move to other SSO method like SAML.

Reply 10:55, 9 November 2023 5 months ago

Osnard (talkcontribs)

If you use Auth_remoteuser for SSO you can use extensions LDAPProvider, LDAPGroups and LDAPUserInfo in addition to do the synchronization of "realname", "e-mail" and "group assignments" after the SSO has happened.

If you switch to Extension:SimpleSAMLphp or Extension:OpenIDConnect all those things will be implicitly be handled in the SSO process.

Reply Edited 07:10, 10 November 2023 5 months ago

Testergt1302 (talkcontribs)

We had some challenges in the networking and AD side while configuring the SAML SSO, this may take some time to setup. Meanwhile we have to use the AuthRemoteUser.

By the way, I tried installing extensions LDAPProvider, LDAPGroups and LDAPUserInfo in wiki. But not sure if it is able to do the synchronization. Is there any special setting/variable to do the sync in backend ?

Reply 10:34, 10 November 2023 5 months ago

Osnard (talkcontribs)

No. As you can see from here, Sync is being done in the UserLoadFromSession hook

Reply Edited 06:52, 13 November 2023 5 months ago

Testergt1302 (talkcontribs)

Hi Osnard,

I think I have done this. I can see these lines in the logs:

"wiki: Set 'realname' with raw value <My Full Name>"

But there is another problem here. Now I am not able to do upload while editing page. There is upload dialog which we use to upload files directly from editing a page inserting it into the page. This was easier than going to upload page, upload file there, then edit page embed it.

Now if I try to upload in edit page, it shows: You dont have permission to upload this file.

Tried to allow upload for all by setting: $wgGroupPermissions['*']['upload'] = true;

but then it says: You must be logged in to upload file.

Does this mean that I am still not logged in. Then how I can access our private wiki, edit pages and do all other things there ?

I dont understand this behavior..

Can please you help here ?

Thanks- GT

Reply 10:53, 15 November 2023 5 months ago

Osnard (talkcontribs)

Can you please check the following things:

Are session cookies included in the Upload-API call? Use the "network" panel in the browser development tools (F12) to check this.
Is Kerberos authentication enabled in conext of the api.php entrypoint? Look into the LDAP releated logs when the API endpoint gets called.

Reply Edited 06:51, 17 November 2023 5 months ago

Reply to "SSO not working using LDAPAuthentication2"

Kerberos/SSO could not established for Mediawiki v1.39.4

2 comments • 13:37, 18 October 2023 6 months ago

2

202.91.136.46 (talkcontribs)

we have configured following extensions to enable auth from the LDAP/AD/Kerberos.

And we are able to connect LDAP server and get authenticated and authorized for all AD users. But, still SSO is not working for below extension configuration. any help appreciated.

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

Reply 11:56, 18 October 2023 6 months ago

Osnard (talkcontribs)

For Kerberos based authentication you will also need Extension:Auth_remoteuser. Learn more about it on LDAP_hub.

Reply 13:37, 18 October 2023 6 months ago

Reply to "Kerberos/SSO could not established for Mediawiki v1.39.4"

The user cannot be authenticated

10 comments • 19:43, 21 September 2023 6 months ago

10

189.9.13.89 (talkcontribs)

Hi! I've been having some problems while trying to make AD ldap authentication in my 1.39 version mediaWiki. I did fix a lot congrats to Cindy. But now i have this little problem. When i try to login it returns to me that the user cannot be authenticated. I checked the configuration files, php, LDAP connection, fixed some issues, but that problem still there. May someone help me? In the logs i'd not get some resourceful information, but i'm trying to collect more data. Thanks!

Reply 18:13, 19 September 2023 7 months ago

Osnard (talkcontribs)

Which logs are you looking at? LDAP logs should give you all information you need.

Reply 05:45, 20 September 2023 6 months ago

2804:14C:658F:8EAA:BDFC:E27E:C859:12F7 (talkcontribs)

When i set mediawii them up they just don't work, just the db queries work

Reply 18:54, 20 September 2023 6 months ago

2804:14C:658F:8EAA:BDFC:E27E:C859:12F7 (talkcontribs)

php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain YourDomain --username SomeUser php extensions/LDAPProvider/maintenance/CheckLogin.php --domain YourDomain --username SomeUser

These tests works fine

Reply 19:28, 20 September 2023 6 months ago

Osnard (talkcontribs)

Can you give me some more insight into the configuration? Have you enabled additional extensions?

Reply 09:37, 21 September 2023 6 months ago

2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talkcontribs)

No, just the requested by the tutorial

The configuration matches the tutorial too, but i can't make logs work, it's like the tutorial that you gave me.

Reply 12:57, 21 September 2023 6 months ago

2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talkcontribs)

2023-09-21 19:01:47 servername wiki: In execute()

2023-09-21 19:01:47 servername wiki: Getting PluggableAuth instance

2023-09-21 19:01:47 servername wiki: Plugin name: LDAPAuthentication2

2023-09-21 19:01:48 servername wiki: Try to authenticate user: user

2023-09-21 19:01:48 servername wiki: Not local login. Checking LDAP...

2023-09-21 19:01:48 servername wiki: LDAP domain: my.domain

2023-09-21 19:01:48 servername wiki: Username not found in user info provided by LDAP!Please check LDAP domain configuration. Specifically usernameattribute

2023-09-21 19:01:48 servername wiki: LDAP user info results for user user: Array

(

[cn] => user

[sn] => user

[givenname] => user

[distinguishedname] => CN=user,OU=Users,DC=my,DC=domain

[displayname] => user

[memberof] => CN=user_wiki,OU=Groups,DC=my,DC=domain

[name] => user

[samaccountname] => user

[userprincipalname] => user@my.domain

[objectcategory] => CN=Person,CN=Schema,CN=Configuration,DC=my,DC=domain

[dn] => CN=user,OU=Users,DC=my,DC=domain

)

2023-09-21 19:01:48 servername wiki: Authentication failure.

Reply 19:07, 21 September 2023 6 months ago

2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talkcontribs)

that's the error

Reply 19:07, 21 September 2023 6 months ago

2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talkcontribs)

I've got it! Actualli in the ldap.json file, in usernameattribute, i had to put a different value than "samaccountname", it was just "name". Thank you a lot for the support!

Reply 19:42, 21 September 2023 6 months ago

2804:14C:658F:8EAA:D54F:4EC2:2B64:DDAB (talkcontribs)

That information i've got in that part of the ad search return [name] => user, if someone's facing the same problem, i suggest to do that, watch the ad's return and match with the ldap.json file.

Reply 19:43, 21 September 2023 6 months ago

Reply to "The user cannot be authenticated"

LDAPProvider (3.0.0-alpha) compatibility issues with LDAPAuthentication2

6 comments • 19:27, 21 September 2023 6 months ago

6

Lordgarmadon77 (talkcontribs)

php maintenance/update.php

PHP Fatal error: Uncaught ExtensionDependencyError: LDAPAuthentication2 is not compatible with the current installed version of LDAPProvider (3.0.0-alpha), it requires: 2.*.

I have looked into the documentation and there wasnt any mentioning of this issue.

Edit: I am testing this with LDAPAuthentication2-master-b6f37c6 and LDAPAuthentication2-REL1_40-2864ae9 but same error, my mediawiki version is 1.40

Reply 20:20, 20 September 2023 6 months ago

AKulbii (talkcontribs)

Hi!

Unfortunately, LDAPAuthentication2 is currently incompatible with MediaWiki 1.40. The latest supported MediaWiki version is 1.39

Reply 08:39, 21 September 2023 6 months ago

AKulbii (talkcontribs)

I got information that LDAPAuthentication2 may work with MediaWiki 1.40. But for that you need to use REL1_39 branch of LDAPAuthentication2 extension. Please try that and tell me if it works.

Reply 08:54, 21 September 2023 6 months ago

Lordgarmadon77 (talkcontribs)

Thank you @AKulbii, just got a chance to look into it. And ufortunately REL1_39 branch of LDAPAuthentication2 extension is also not working. So I might have to downgrade mediawiki to 1.39 or unless there are any plans to support latest stable 1.40 version anytime soon?

Reply 09:39, 21 September 2023 6 months ago

AKulbii (talkcontribs)

It also seems that you use wrong LDAPProvider branch (master instead of REL1_39). Please try to download REL1_39 branch for each of LDAP* extensions and check if it will work.

Reply 10:25, 21 September 2023 6 months ago

Lordgarmadon77 (talkcontribs)

Thank you, as it was a fresh installation, I decided to use 1.39LTS

Reply 19:27, 21 September 2023 6 months ago

Reply to "LDAPProvider (3.0.0-alpha) compatibility issues with LDAPAuthentication2"

Error "The supplied credentials could not be authenticated."

9 comments • 06:07, 19 September 2023 7 months ago

9

155.190.21.26 (talkcontribs)

I'm trying to upgrade to MediaWiki 1.40. I have grabbed the latest versions of PluggableAuth, LDAPAuthentication, etc. I updated the configuration as directed for PluggableAuth 6 (using wgPluggableAuth_Config).

When going to the login page, all I get is a message that says "The supplied credentials could not be authenticated."

I saw some old discussions that this was because LDAPAuthentication2 did not support PluggableAuth 6, but looks like the latest verison does. Any advice?

Reply 17:14, 18 August 2023 8 months ago

Osnard (talkcontribs)

PluggableAuth 7 (current latest) is fully supported by LDAPAuthentication2.

Please check LDAP_hub#Debugging on how to set up logs and use the CheckLogin.php maintenance script from LDAPProvider to verify your configuration.

Reply 06:16, 21 August 2023 7 months ago

Mri irm (talkcontribs)

I am facing the same issue. Mediawiki 1.39 LDAPAuthentication2 2.0.1 and PluggableAuth 7.0.0. No login form, only the error message "The supplied credentials could not be authenticated". The CheckLogin.php maintenance Script is running without problems and results in "OK". The debug options seem to have no effect is there something else to configure?

Reply 14:49, 21 August 2023 7 months ago

155.190.21.26 (talkcontribs)

I have also run the CheckLogin.php, which results in OK. I have configured an LDAP.log, but it never gets created. It used to when I debugged the previous versions for issues.

Reply 15:39, 21 August 2023 7 months ago

155.190.21.26 (talkcontribs)

Well I got further along by downloading specific versions of all the LDAP components. It appears that when you use the download tool and select MediaWiki 1.40, you are not getting compatable versions. Here is what I have currently:

MediaWiki 1.40

PHP 8.2.4

MariaDB 10.4.28

LDAP Authenticaiton2 3.0.0-alpha

LDAPAuthorization 2.0.0

LDAPGroups 2.0.0

LDAPProvider 2.0.0

PluggableAuth 7.0.0

Now I am getting a different error. Some say things points to issues with the LDAP extension for PHP, but the CheckLogin.php still works fine. Here is the full error message

[0ac0ee606e106e460649b256] /wiki/Special:PluggableAuthLogin Error: Call to undefined function ldap_connect()

Backtrace:

from D:\Apps\FEWS\Wiki\extensions\LDAPProvider\src\PlatformFunctionWrapper.php(263)

#0 D:\Apps\FEWS\Wiki\extensions\LDAPProvider\src\PlatformFunctionWrapper.php(280): MediaWiki\Extension\LDAPProvider\PlatformFunctionWrapper->connect(string)

#1 D:\Apps\FEWS\Wiki\extensions\LDAPProvider\src\Client.php(127): MediaWiki\Extension\LDAPProvider\PlatformFunctionWrapper::getConnection(string)

#2 D:\Apps\FEWS\Wiki\extensions\LDAPProvider\src\Client.php(115): MediaWiki\Extension\LDAPProvider\Client->makeNewConnection()

#3 D:\Apps\FEWS\Wiki\extensions\LDAPProvider\src\Client.php(366): MediaWiki\Extension\LDAPProvider\Client->init()

#4 D:\Apps\FEWS\Wiki\extensions\LDAPAuthentication2\src\PluggableAuth.php(262): MediaWiki\Extension\LDAPProvider\Client->canBindAs(string, string)

#5 D:\Apps\FEWS\Wiki\extensions\LDAPAuthentication2\src\PluggableAuth.php(122): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin(string, string, string, NULL, NULL, NULL)

#6 D:\Apps\FEWS\Wiki\extensions\PluggableAuth\includes\PluggableAuthLogin.php(101): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)

#7 D:\Apps\FEWS\Wiki\includes\specialpage\SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute(NULL)

#8 D:\Apps\FEWS\Wiki\includes\specialpage\SpecialPageFactory.php(1475): SpecialPage->run(NULL)

#9 D:\Apps\FEWS\Wiki\includes\MediaWiki.php(327): MediaWiki\SpecialPage\SpecialPageFactory->executePath(string, RequestContext)

#10 D:\Apps\FEWS\Wiki\includes\MediaWiki.php(923): MediaWiki->performRequest()

#11 D:\Apps\FEWS\Wiki\includes\MediaWiki.php(576): MediaWiki->main()

#12 D:\Apps\FEWS\Wiki\index.php(50): MediaWiki->run()

#13 D:\Apps\FEWS\Wiki\index.php(46): wfIndexMain()

#14 {main}

Reply 18:09, 21 August 2023 7 months ago

155.190.21.26 (talkcontribs)

Well that was easy. I forgot to restart my apache server after enabling LDAP on PHP. I switched to the latest version 2.0 with everything and PluggableAuth 7. I recommend hopefully all the LDAP plugins will get updated so that if you download the versions for MediaWiki 1.40 it will actually get you the correct version!

Reply 18:29, 21 August 2023 7 months ago

132.168.89.106 (talkcontribs)

I have the same issue. Can you provide the configuration in LocalSettings.php?

Reply 12:15, 24 August 2023 7 months ago

189.9.13.89 (talkcontribs)

Hi! I'm having the same issue, it redirects automatically to that error, may you provide your ldap configuration? Thanks!

Reply 16:10, 18 September 2023 7 months ago

Osnard (talkcontribs)

Have you enabled the PHP LDAP extension in php.ini?

Reply 06:07, 19 September 2023 7 months ago

Reply to "Error "The supplied credentials could not be authenticated.""

LDAP LDAPAuthentication2 for mediawiki 1.39.3

2 comments • 08:49, 22 June 2023 9 months ago

2

Adugna.assefa (talkcontribs)

The LocalSettings.php is configured like below

$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['sysop']['createaccount'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("extensions/LDAPProvider") ) {

$testJson = @json_decode(file_get_contents($ldapJsonFile),true);

if (is_array($testJson)) {

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: ldap.json");

$ldapConfig = true;

}

$wgShowExceptionDetails = true;

//$wgShowSQLErrors = true;

//$wgShowDBErrorBacktrace = true;

// $wgPluggableAuth_EnableAutoLogin = false;

// $wgPluggableAuth_EnableLocalLogin = true;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_ExtraLoginFields=[];

$wgPluggableAuth_Class = "MediaWiki\\Extension\\LDAPAuthentication2\\PluggableAuth";

//$wgPluggableAuth_Class="MediaWiki\Extension\PluggableAuth\PluggableAuth";

// $wgPluggableAuth_ButtonLabel = "Log In";

$wgPluggableAuth_Config['Log In (xxx.local)'] = [

'plugin' => 'LDAPAuthentication2',

'data' => [

'domain' => 'xxx.local'

]

];

$LDAPAuthentication2AllowLocalLogin=true;

$LDAPAuthentication2UsernameNormalizer= "";

// Activate Extension

if($ldapConfig) {

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

$LDAPProviderDomainConfigs = $ldapJsonFile;

// Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)

$LDAPProviderDefaultDomain = "xxx.local";

//if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }

}

and the ldap.json file configuration is

{

"xxx.local":{

"connection": {

"server": "dc,xxx.local",

"port": "389",

"user": "CN=dcadmin,OU=Users,DC=xxx,DC=local",

"pass": "dc@#xyz",

"options": {

"LDAP_OPT_REFERRALS": 1

},

"basedn": "dc=xxx,dc=local",

"groupbasedn": "cn=zzz xxx family,ou=Distribution Group,dc=xxx,dc=local",

"userbasedn": "cn=zzz xxx family,ou=Distribution Group,dc=ethio,dc=local",

"searchattribute": "sAMAccountName",

"searchstring": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"emailattribute": "mail"

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

"bureaucrat": "CN=zzz xxx family,OU=Distribution Group,DC=XXX,DC=local",

"engineering": "CN=ZZZ Software Development Section,OU=Distribution Group,DC=XXX,DC=locall",

"interface-admin": "CN=ZZZ Software Development Section,OU=Distribution Group,DC=XXX,DC=local",

"sysop": "CN=ZZZ Software Development Section,OU=Distribution Group,DC=XXX,DC=local"

}

The error output is

Deprecated: Use of PersonalUrls hook (used in PluggableAuthHooks::modifyLoginURLs) was deprecated in MediaWiki 1.39. [Called from MediaWiki\HookContainer\HookContainer::run in C:\xampp\htdocs\ethiowiki\includes\HookContainer\HookContainer.php at line 137] in C:\xampp\htdocs\ethiowiki\includes\debug\MWDebug.php on line 381

MediaWiki internal error.

Original exception: [5e0d07f782094fdb33f0a479] /ethiowiki/index.php Error: Call to undefined method PluggableAuthHooks::modifyLoginURLs()

Backtrace:

from C:\xampp\htdocs\ethiowiki\includes\HookContainer\HookContainer.php(338)

#0 C:\xampp\htdocs\ethiowiki\includes\HookContainer\HookContainer.php(137): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)

#1 C:\xampp\htdocs\ethiowiki\includes\HookContainer\HookRunner.php(3045): MediaWiki\HookContainer\HookContainer->run(string, array, array)

#2 C:\xampp\htdocs\ethiowiki\includes\skins\SkinTemplate.php(582): MediaWiki\HookContainer\HookRunner->onPersonalUrls(array, Title, MediaWiki\Skins\Vector\SkinVectorLegacy)

#3 C:\xampp\htdocs\ethiowiki\includes\skins\SkinTemplate.php(1262): SkinTemplate->buildPersonalUrls(boolean)

#4 C:\xampp\htdocs\ethiowiki\includes\skins\SkinTemplate.php(790): SkinTemplate->buildContentNavigationUrlsInternal()

#5 C:\xampp\htdocs\ethiowiki\includes\skins\SkinTemplate.php(229): SkinTemplate->getPortletsTemplateData()

#6 C:\xampp\htdocs\ethiowiki\includes\skins\SkinMustache.php(88): SkinTemplate->getTemplateData()

#7 C:\xampp\htdocs\ethiowiki\skins\Vector\includes\SkinVector.php(450): SkinMustache->getTemplateData()

#8 C:\xampp\htdocs\ethiowiki\includes\skins\SkinMustache.php(58): MediaWiki\Skins\Vector\SkinVector->getTemplateData()

#9 C:\xampp\htdocs\ethiowiki\includes\skins\SkinTemplate.php(177): SkinMustache->generateHTML()

#10 C:\xampp\htdocs\ethiowiki\includes\OutputPage.php(2874): SkinTemplate->outputPage()

#11 C:\xampp\htdocs\ethiowiki\includes\MediaWiki.php(922): OutputPage->output(boolean)

#12 C:\xampp\htdocs\ethiowiki\includes\MediaWiki.php(562): MediaWiki->main()

#13 C:\xampp\htdocs\ethiowiki\index.php(50): MediaWiki->run()

#14 C:\xampp\htdocs\ethiowiki\index.php(46): wfIndexMain()

#15 {main}

Exception caught inside exception handler: [5e0d07f782094fdb33f0a479] /ethiowiki/index.php Error: Call to undefined method PluggableAuthHooks::modifyLoginURLs()