Extension talk:LdapAuth/Configuration

About this board

OpenLDAP - Incorrect username or password

1
173.150.79.116 (talkcontribs)

I am not using AD, only one LDAP server (Openldap) on debian, connecting to the localhost with no encryption. The debug log is reporting:

[authentication] Attempting to bind to LDAP for search with DN "cn=ro_admin,dc=domain,dc=com@domain.com".

[authentication] Bound successfully.

[authentication] Incorrect username or password entered.

Please try again.

[authentication] Invalid DN syntax

[GlobalTitleFail] MessageCache::parse called by Shanept\LdapAuth\Exceptions\ConnectionException->__construct/Exception->__construct/Message->__toString/Message->toString/Message->parseText/MessageCache->parse with no title set.

[authentication] Login failed in primary authentication by Shanept\LdapAuth\Auth\PrimaryAuthenticationProvider

[session] SessionBackend "utel4av22kqlfkdnt9ss4ib5gfmg8psv" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->beginAuthentication/MediaWiki\Auth\AuthManager->continueAuthentication/$

[session] SessionBackend "utel4av22kqlfkdnt9ss4ib5gfmg8psv" save: dataDirty=1 metaDirty=0 forcePersist=0

[authevents] Login attempt


Obviously, I am not using domain.com - I replaced it above from the log, and ro_admin is my read-only account. My OpenLDAP will refuse any bind attempts with the @domain.com added to the end, so I am curious if this extension will not work properly in this environment? I can successfully bind to the server and perform all kinds of queries using LDAP Admin, but this is the consistent debug message in LdapAuth. The 'Invalid DN syntax' message is drawing me to this extension trying to add the @domain.com to the end. If I try connecting using LDAP Admin with user@domain.com, I receive 'Invalid DN syntax' as the error message.


My Config:

wfLoadExtension( 'LdapAuth' );

$wgLdapAuthDomainNames = 'domain.com';

$wgLdapAuthRequireDomain = false;

$wgLdapAuthServers = 'localhost';

$wgLdapAuthBindDN = 'cn=ro_admin,dc=domain,dc=com';

$wgLdapAuthBindPass = 'password';

$wgLdapAuthBaseDN = 'dc=domain,dc=com';

$wgLdapAuthSearchFilter = '(&(objectClass=posixAccount)(uid=%1$s))';

$wgLdapAuthUsernameField = 'uid';

$wgLdapAuthIsActiveDirectory = false;


I have done it with and without the $wgLdapAuthUsernameField and $wgLdapAuthIsActiveDirectory variables set, no luck either way / any combination.

Will this extension work successfully with a non AD server? I have limited experience with LDAP, but I don't recall seeing the use of @ symbols in LDAP authentication outside of AD. Suggestions on what could be causing the issues here?

Thanks!

Reply to "OpenLDAP - Incorrect username or password"
85.22.153.10 (talkcontribs)

Hello,

I have changed my apache on CentOS so that only https connections to mediawiki are allowed.

The mediawiki page is shown and I can read pages when I am not logged in.


When I try to log in via AD/LDAP I get the wrong user/wrong password message


I tried the following encryption settings. All settings gave me the wrong user/wrong password message:


$wgLdapAuthEncryptionType = [ 'ta' => 'none' ]; # OK -> SSL is active, so error is shown, because credentials are encrypted.


I would suppose that one of the following settings should work but I get the wrong user/password message


$wgLdapAuthEncryptionType = [ 'ta' => 'ssl' ];

$wgLdapAuthEncryptionType = [ 'ta' => 'tls' ];


I have restarted the httpd service and cleared my browser cache after parameter change but still no success.

Local log in as admin still works.


What am I missing?

85.22.153.10 (talkcontribs)

I have found and solved the problem:

It was not a problem with the encryption type. After changing my Apache to redirect http to https the system could not find the LDAP servers because their names were suddenly unknown to LINUX. After changing the /etc/hosts file the system works now with HTTPS and LDAP authentication

Reply to "Encryption problem"

LdapAuthDomainNames format

5
213.21.176.129 (talkcontribs)

Greetings,

I'm trying to configure LdapAuth with FreeIPA Ldap. So far My configuration does not allow me to login. If I try to login with a valid user/password I get an "incorrect login/password" error from mediawiki. According to tcpdump the bind has success, so I do not know what is the problem.

My guess is about the LdapAuthDomainNames which accept only domain in "Microsoft Active Directory" format, instead of full ldap format.


This is my configuration:

wfLoadExtension( 'LdapAuth' );

#$wgLdapAuthDomainNames = 'uid={0},cn=users,cn=accounts,dc=ipa,dc=company,dc=it';

$wgLdapAuthDomainNames = 'IPA.company.IT';

$wgLdapAuthServers = 'freeipa.company.it';

$wgLdapAuthBindDN = 'uid=binduser,cn=users,cn=accounts,dc=ipa,dc=company,dc=it';

$wgLdapAuthBindPass = 'binduserpass';

$wgLdapAuthUseLocal = true;


Can you please help me out?

AFAbbasi87 (talkcontribs)

Try this config, It works for users in OU but I'm struggling with setting trhis against AD groups members

wfLoadExtension( 'LdapAuth' );

$wgLdapAuthDomainNames = 'example.local';

$wgLdapAuthServers = 'DC.example.LOCAL';

$wgLdapAuthBindDN = 'serviceaccountinAD@example.local';

$wgLdapAuthBindPass = 'Password';

$wgLdapAuthBaseDN = 'OU=Example Users,DC=example,DC=local';

$wgShowExceptionDetails = true;

213.21.176.129 (talkcontribs)

Thank you for your suggestion, anyway I got the error "The use of this username and password has been forbidden." with this configuration... no errors in apache's logs

213.21.176.129 (talkcontribs)

Solved the problem with the latest build.

131.215.234.24 (talkcontribs)

Is it possible to do anonymous bind? My MediaWiki is within a trusted private network. I didn't need to use a BindDN for the earlier version of this extension.

Reply to "LdapAuthDomainNames format"

LdapAuth cannot connect to server

1
Tmhoskins (talkcontribs)

Running on Ubuntu 19.04. UFW is disabled, iptables is set to accept all, and selinux is disabled on the webserver. Domain Controller isn't blocking LDAP connections because our entire environment is set to use LDAP. I can ping the DC from the webserver and vice versa. I am having trouble binding to the LDAP server with ldapsearch. I can search the naming contexts on the server so it's obviously talking to the LDAP server just won't bind because it won't accept the password for my users account. So that could be my issue LDAP server may be blocking it. When I try to bind to the LDAP server this is the error I get:

$ ldapsearch -H ldap://coruscant.snrt.io -x -D "cn=Administrator,cn=Users,dc=snrt,dc=io" -W

Enter LDAP Password:

# extended LDIF

#

# LDAPv3

# base <> (default) with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

# search result

search: 2

result: 32 No such object

text: 0000208D: NameErr: DSID-031001EE, problem 2001 (NO_OBJECT), data 0, best

match of:

''

# numResponses: 1

Checked the firewall running on the DC that is also the LDAP/AD server and all the LDAP ports:389, 636 are open to any connection.

I completely turned off the firewall on the LDAP/AD server and I still could not establish a connection from mediawiki. I assume something on the Ubuntu box is blocking it.

Reply to "LdapAuth cannot connect to server"
There are no older topics
Return to "LdapAuth/Configuration" page.