Extension talk:PluggableAuth

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

how to define "groupsyncs" for wgPluggableAuth_Config OpenIDConnect

RakingTheLeaves (talkcontribs)

MediaWiki 1.41.0 (62e7aef)

OpenID Connect 7.0.2 (c515880)

PluggableAuth 7.0.0 (2d86d50)

PHP 8.2.17 (apache2handler)

ICU 72.1

PostgreSQL 16.0

I'm unclear on the correct way to reference a field in the access_token from the OIDC payload and assign users to the default roles in MediaWiki using groupsyncs. I have the following defined in LocalSettings.php. Below that I have the access_token example pulled from the JWT. Logging in works great, but auto-assigning users that have thefieldwithrole to a group doesn't seem to be working.

Any insight into what I might be doing wrong?

$wgPluggableAuth_Config[] = [
    'plugin' => 'OpenIDConnect',
    'data'   => [
        .......
    ],
    'groupsyncs' => [
        [
          'type' => 'mapped',
          'map' => [
            'users' => [ 'thefieldwithrole' => 'roleA' ],
            'sysop' => [ 'thefieldwithrole' => 'roleB' ]
          ]
        ]
    ]
];


Example Access_Token pulled from JWT payload (comma after "exp" added and trailing comma removed so the object parses as JSON):

{
  "thefieldwithrole"     : "roleA",
  "aud"                  : "omitted",
  "authorization_details": [],
  "client_id"            : "theclientid",
  "client_key"           : "theclientkey",
  "Email"                : "someemailaddress",
  "exp"                  : 1234567890,
  "first_name"           : "first",
  "iss"                  : "omitted",
  "jti"                  : "xf8i7vW",
  "last_name"            : "last",
  "login"                : "12345678",
  "Organization"         : "theorg",
  "samaccountname"       : "12345678",
  "scope"                : "openid profile",
  "sub"                  : "12345678",
  "subject"              : "12345678",
  "uid"                  : "12345678",
  "userid"               : "12345678",
  "userId"               : "12345678"
}

Wikiphpnoob (talkcontribs)

@RakingTheLeaves

Hello, I'm in the process of trying to figure this out. I'm using Azure AD and OpenID Connect.

Have you had any success figuring things out?

RakingTheLeaves (talkcontribs)

Apologies for the delay... I haven't been focused on this much this week. But, no... I haven't quite figured it out (yet). It "seems" like the code isn't seeing the "thefieldwithrole" from the access_token of the OIDC token payload.

Without any other guidance to go by, my current thinking is to try putting my authZ info into the authorization_details[] section of the payload in accordance with the intent of the RFC... maybe the extension author is expecting to find the information there... unsure. If that doesn't work, may slog through the extension code to see if I can figure it out.... just getting to the point where I can't delay the project much longer and may try something else.


https://datatracker.ietf.org/doc/html/rfc9396

"This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON [RFC8259] data structures."

RakingTheLeaves (talkcontribs)

I will post here if I get it going.

Wikiphpnoob (talkcontribs)

@RakingTheLeaves

Your response is greatly appreciated.

I have managed to get past authentication, but I'm finding it difficult for my login to pull group memberships from the local Azure AD/Entra. Likewise, if I find anything, I'll share it.

Thanks

Wikiphpnoob (talkcontribs)

OK, I was able to get groupsync working between Azure AD and the wiki.

I think something to consider is how Azure AD is configured as well. On top of the claim for user info when the wiki app is registered in the Azure portal, a groups claim needs to be added.

A rough instruction is:

Azure Active Directory > App registrations > the wiki app > Token configuration (might be under Manage) > is there a group claim?

If not, click Add optional claim > ID for ID tokens > Group > ...hopefully you can follow from there. I think it's better to use the group ID than samaccountname.

Then when configuring PluggableAuth_Config...

'groupsyncs' => [
    [
        'type' => 'mapped',
        'map' => [
            'information_technology' => [ 'groups' => 'azure ad group id' ]
        ]
    ]
]
]

'groups' is needed, though I cannot remember why. I found this explanation using ChatGPT: ", the groups claim in a token can contain the IDs of the Azure AD groups to which the user belongs"


hopefully that helps some? good luck
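To make the 'mapped' structure from both posts above concrete, here is an added illustration of how a map of the form wikigroup => [ claim => wanted ] can be evaluated against a decoded claims array. This is example code written for this page, not PluggableAuth's own implementation: the matching rule (scalar claim compared by equality, array claim such as Azure AD's groups claim compared by membership, and every claim listed under one wiki group having to match) is an assumption for the example, and which token the plugin takes the claims from is a separate question that the example does not settle.

```php
<?php
// Added illustration (not PluggableAuth's own code) of evaluating a 'mapped'
// groupsync map against decoded claims. The matching rule below is an
// assumption for this example; confirm it against the extension's documentation.

/**
 * Return the wiki groups whose conditions are satisfied by the claims.
 *
 * @param array $map    'map' part of a 'mapped' groupsync entry:
 *                      [ wikigroup => [ claim => wanted, ... ], ... ]
 * @param array $claims decoded claims, e.g. from a JWT payload
 * @return string[]     wiki group names the user should hold
 */
function resolveMappedGroups( array $map, array $claims ): array {
	$groups = [];
	foreach ( $map as $wikiGroup => $conditions ) {
		$allMatch = true;
		foreach ( $conditions as $claimName => $wanted ) {
			if ( !array_key_exists( $claimName, $claims ) ) {
				$allMatch = false;
				break;
			}
			$have = $claims[$claimName];
			// Normalise both sides to lists so a scalar claim and a
			// multi-valued claim (Azure AD 'groups') are handled alike.
			$wantedList = is_array( $wanted ) ? $wanted : [ $wanted ];
			$haveList = is_array( $have ) ? $have : [ $have ];
			// The condition holds if any wanted value appears in the claim value(s).
			if ( count( array_intersect( $wantedList, $haveList ) ) === 0 ) {
				$allMatch = false;
				break;
			}
		}
		if ( $allMatch ) {
			$groups[] = $wikiGroup;
		}
	}
	return $groups;
}

// Constructed sample map: the shape used in the thread, with two groups keyed
// on a custom string claim and one on an Azure AD style 'groups' array claim.
// The group ID is a placeholder, not a real object ID.
$map = [
	'users' => [ 'thefieldwithrole' => 'roleA' ],
	'sysop' => [ 'thefieldwithrole' => 'roleB' ],
	'information_technology' => [ 'groups' => 'placeholder-azure-group-id' ],
];

// Constructed sample claims, modelled on the payload posted above.
$claims = [
	'thefieldwithrole' => 'roleA',
	'sub' => '12345678',
	'groups' => [ 'placeholder-azure-group-id', 'placeholder-other-group-id' ],
];

print_r( resolveMappedGroups( $map, $claims ) );
```

Run with the PHP CLI; the sample user lands in users and information_technology but not sysop, because thefieldwithrole is roleA and the groups claim contains the mapped ID. If the claim the map refers to is absent from the claims array the plugin actually receives, no group is assigned, which is the symptom a missing or differently named claim produces.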


Could not authenticate credentials against domain "LDAP"

Summary by Wikiphpnoob

moving from using LDAP to using OpenID Connect

Wikiphpnoob (talkcontribs)

Hello, hoping someone can shine a light for me. The site said don't take this job on as a newb, and I of course totally ignored that suggestion.

I have MediaWiki 1.41.0, PHP 8.3.3 on Windows Server 2016 (I know, it's old), with IIS 10.

I have extensions:

wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPGroups');
wfLoadExtension( 'LDAPUserInfo');
wfLoadExtension( 'PluggableAuth' );

When using good accounts to authenticate, I'm getting "Could not authenticate credentials against domain "LDAP"".

See below: do I have too much configured? Not enough? Any suggestion at all would be cool. Thanks to any who responds.


***LOCALSETTINGS BELOW:***

# Safe IP or not (for bypassing external login via AD)
$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range
$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {
        $wikiRequestIP = $_SERVER[$ipsVar];
        break;
    }
}
$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON
$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";
$ldapConfig = false;
if (is_file($ldapJsonFile)) {
    $testJson = @json_decode(file_get_contents($ldapJsonFile), true);
    if (is_array($testJson)) {
        $LDAPProviderDomainConfigs = $testJson;
        $ldapConfig = true;
    } else {
        error_log("Found invalid JSON in file: $ldapJsonFile");
    }
}

# Activate extensions
if ($ldapConfig) {
    wfLoadExtension( 'LDAPProvider' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPAuthorization' );
    wfLoadExtension( 'LDAPGroups');
    wfLoadExtension( 'LDAPUserInfo');
    wfLoadExtension( 'PluggableAuth' );

    $LDAPProviderDomainConfigs = $ldapJsonFile;

    $LDAPProviderPreSearchUsernameModifierRegistry = [
        'lowercase' => function () {
            return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();
        }
    ];
    $wgLDAPProvider['CacheType'] = 'CACHE_NONE';
    $wgLDAPProvider['CacheTime'] = 3600;

    # LDAPAuthentication2 configuration
    $LDAPAuthentication2AllowLocalLogin = true;
    $LDAPAuthentication2UsernameNormalizer = 'lowercase';
    $wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName';

    # Configure PluggableAuth settings
    $wgPluggableAuth_EnableAutoLogin = false;
    $wgPluggableAuth_EnableLocalLogin = false;
    $wgPluggableAuth_EnableLocalProperties = false;
    $wgPluggableAuth_EnableFastLogout = true;
    $wgPluggableAuth_Config = [
        "RAA Wiki Login" => [
            'plugin' => 'LDAPAuthentication2',
            'data' => ['domain' => 'LDAP']
        ]
    ];
    $LDAPGroupsSyncMechanismRegistry = [
        'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'
    ];
}

***LDAPPROVIDER.JSON BELOW***

{
  "LDAP": {
    "connection": {
      "server": "ldap-server",
      "port": 389,
      "enctype": "clear",
      "user": "cn=mediawiki,ou=service accounts,dc=acme,dc=org",
      "pass": "pass",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=acme,dc=org",
      "userbasedn": "ou=users,dc=acme,dc=org",
      "groupbasedn": "ou=groups,dc=acme,dc=org",
      "usersearch": "samaccountname",
      "groupsearch": "$dn",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "lowercase" ],
      "searchstring": "(samaccountname=%{username})"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": [
            "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
            "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
          ]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "information_technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
        "human_resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
      }
    },
    "userinfo": {
      "realname": "samaccountname"
    }
  }
}

**********************************************

Help me Obi-Wan Kenobi, you're my only hope.
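The "safe IP" block at the top of the LocalSettings.php above has two properties worth knowing about before it is used to bypass a login step: it takes the first of HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP and REMOTE_ADDR that is set, and the first two are request headers that any client can supply itself; and in_array() compares the address to the two strings exactly, so '10.0.0.0' and '10.255.255.255' are two single addresses, not the range the comment intends. The following is an added example, not the poster's code, of a stricter version: forwarding headers are only honoured when the direct peer is a configured reverse proxy, and the allowed range is matched as a CIDR block. The proxy address and range are placeholders.

```php
<?php
// Added example (not from the thread): stricter replacement for the "safe IP"
// check in the posted LocalSettings.php. Proxy list and range are placeholders.

/**
 * True if $ip lies within $cidr ("10.0.0.0/8", "2001:db8::/32", or a bare address).
 * Works for IPv4 and IPv6 via inet_pton(); mismatched families never match.
 */
function ipInCidr( string $ip, string $cidr ): bool {
	if ( strpos( $cidr, '/' ) === false ) {
		return inet_pton( $ip ) !== false && inet_pton( $ip ) === inet_pton( $cidr );
	}
	[ $subnet, $bits ] = explode( '/', $cidr, 2 );
	$ipBin = inet_pton( $ip );
	$subnetBin = inet_pton( $subnet );
	if ( $ipBin === false || $subnetBin === false || strlen( $ipBin ) !== strlen( $subnetBin ) ) {
		return false;
	}
	$bits = (int)$bits;
	if ( $bits < 0 || $bits > strlen( $ipBin ) * 8 ) {
		return false;
	}
	$bytes = intdiv( $bits, 8 );
	$rem = $bits % 8;
	// Whole-byte prefix must be identical...
	if ( substr( $ipBin, 0, $bytes ) !== substr( $subnetBin, 0, $bytes ) ) {
		return false;
	}
	if ( $rem === 0 ) {
		return true;
	}
	// ...and the remaining high bits of the next byte as well.
	$mask = ( 0xFF << ( 8 - $rem ) ) & 0xFF;
	return ( ord( $ipBin[$bytes] ) & $mask ) === ( ord( $subnetBin[$bytes] ) & $mask );
}

/**
 * Determine the client address, trusting forwarding headers only when the
 * TCP peer (REMOTE_ADDR) is one of the known reverse proxies.
 * $server is passed in instead of reading $_SERVER directly so it can be tested.
 */
function clientIp( array $server, array $trustedProxies ): ?string {
	$peer = $server['REMOTE_ADDR'] ?? null;
	if ( $peer === null ) {
		return null;
	}
	$peerTrusted = false;
	foreach ( $trustedProxies as $proxy ) {
		if ( ipInCidr( $peer, $proxy ) ) {
			$peerTrusted = true;
			break;
		}
	}
	if ( !$peerTrusted ) {
		// Headers from an untrusted peer are ignored: the peer itself is the client.
		return $peer;
	}
	if ( !empty( $server['HTTP_X_REAL_IP'] ) ) {
		return trim( $server['HTTP_X_REAL_IP'] );
	}
	if ( !empty( $server['HTTP_X_FORWARDED_FOR'] ) ) {
		// With one trusted proxy, the last entry is the address that proxy saw;
		// anything before it was supplied by whoever sat in front of the proxy.
		$parts = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ) );
		return end( $parts );
	}
	return $peer;
}

$trustedProxies = [ '10.0.0.5' ];   // placeholder: address of your reverse proxy
$safeRanges     = [ '10.0.0.0/8' ]; // placeholder: internal range that may bypass AD login

$wikiRequestIP = clientIp( $_SERVER, $trustedProxies );
$wikiRequestSafe = false;
if ( $wikiRequestIP !== null ) {
	foreach ( $safeRanges as $range ) {
		if ( ipInCidr( $wikiRequestIP, $range ) ) {
			$wikiRequestSafe = true;
			break;
		}
	}
}
```

If the wiki is not behind a reverse proxy at all, leave $trustedProxies empty; clientIp() then always returns REMOTE_ADDR and the forwarding headers are never consulted.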

GregANICO (talkcontribs)

Hi everyone, I am wondering if anybody has run into this issue when trying to log in via LDAP. I get this error after putting in my domain username and password.

ZeDJRu4hcahAMcLvtSppyAAAAMI] /mediawiki-1.39.5/index.php?title=Special:PluggableAuthLogin MediaWiki\Extension\LDAPProvider\DomainConfigProvider\ConfigException: ⧼ldapprovider-domain-config-invalid⧽

Thanks in advance,

Greg

GregANICO (talkcontribs)

Here is the backtrace:

Backtrace:
from /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(51)
#0 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(70): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct()
#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance()
#2 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigFactory.php(101): call_user_func_array()
#3 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/ClientFactory.php(62): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()
#4 /var/www/html/mediawiki-1.39.5/extensions/LDAPAuthentication2/src/PluggableAuth.php(254): MediaWiki\Extension\LDAPProvider\ClientFactory->getForDomain()
#5 /var/www/html/mediawiki-1.39.5/extensions/LDAPAuthentication2/src/PluggableAuth.php(123): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin()
#6 /var/www/html/mediawiki-1.39.5/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#7 /var/www/html/mediawiki-1.39.5/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
#8 /var/www/html/mediawiki-1.39.5/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
#9 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#10 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(904): MediaWiki->performRequest()
#11 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(562): MediaWiki->main()
#12 /var/www/html/mediawiki-1.39.5/index.php(52): MediaWiki->run()
#13 /var/www/html/mediawiki-1.39.5/index.php(48): wfIndexMain()
#14 {main}

Modify the login buttons to show even longer button texts (solution presented)

Wikinaut (talkcontribs)

It makes the buttons (here the standard login button and the Extension:OpenIDConnect login button) display the full text on the buttons, even if the texts are longer:

In LocalSettings.php add:

# https://www.mediawiki.org/w/index.php?title=Topic:Xx8ol75kyh1qejp8
# How to modify the Login-Page
$GLOBALS['wgHooks']['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
        $style = <<<EOT
            <style type="text/css">
                    button#wpLoginAttempt {
                            white-space: normal;
                            word-wrap: break-word;
                            height: auto !important;
                    }

                    button#mw-input-pluggableauthlogin0 {
                            background-color: salmon !important;
                            border-color: salmon !important;
                            white-space: normal;
                            word-wrap: break-word;
                            height: auto !important;
                    }
            </style>
EOT;

        $out->addHeadItem( 'change-login-button', $style );
        return true;
};

Was discussed here: https://www.mediawiki.org/wiki/Topic:Xx8ol75kyh1qejp8

Cindy.cicalese (talkcontribs)

Thank you for your contribution. Please feel free to add it to the extension wiki page as a tip.

Wikinaut (talkcontribs)

This is quite difficult for me because of the translation tags, otherwise I would have added it there.

Cindy.cicalese (talkcontribs)

You can ignore the translation tags. Somebody else will come along after you and add them.

Wikinaut (talkcontribs)

merci! I expected that but wanted to wait, thanks. Done.


MW 1.39.6 TypeError

DeEliteOne (talkcontribs)

I'm trying to update from MW 1.39.5 to 1.39.6 and am getting the following internal error when trying to log in:

index.php/Special:PluggableAuthLogin TypeError: Argument 1 passed to Jumbojett\OpenIDConnectClient::addScope() must be of the type array, string given, called in /var/www/html/extensions/OpenIDConnect/includes/OpenIDConnect.php on line 199
Backtrace:
from /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(556)
#0 /var/www/html/extensions/OpenIDConnect/includes/OpenIDConnect.php(199): Jumbojett\OpenIDConnectClient->addScope()
#1 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\OpenIDConnect\OpenIDConnect->authenticate()
#2 /var/www/html/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
#3 /var/www/html/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
#4 /var/www/html/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#5 /var/www/html/includes/MediaWiki.php(904): MediaWiki->performRequest()
#6 /var/www/html/includes/MediaWiki.php(562): MediaWiki->main()
#7 /var/www/html/index.php(50): MediaWiki->run()
#8 /var/www/html/index.php(46): wfIndexMain()
#9 {main}

Here is what I believe to be the relevant config from LocalSettings.php:

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'buttonLabelMessage' => 'Example',
      'data' => [
          'providerURL' => 'https://example.com/auth/realms/example',
          'clientID' => getenv('OIDC_CLIENTID'),
          'clientsecret' => getenv('OIDC_CLIENTSECRET')
      ]
];
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableAutoLogin = true;
wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_MigrateUsersByUserName = true;
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigProvider = function()
{
   $config =
   [
       "LDAP" =>
       [
           "connection" =>
           [
               "server" => "example.com",
               "basedn" => "ou=people,dc=example,dc=com",
               "userbasedn" => "ou=people,ou=system,dc=example,dc=com",
               "searchattribute" => "uid",
               "searchstring" => "USER-NAME",
               "usernameattribute" => "uid",
               "realnameattribute" => "displayName",
               "emailattribute" => "mail",
               "groupbasedn" => "cn=example,ou=secgroups,ou=system,dc=example,dc=com",
               "groupobjectclass" => "groupOfNames",
               "groupattribute" => "member",
               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
           ],
           "authorization" =>
           [
               "rules" =>
               [
                   "groups" =>
                   [
                       "required" => [ "cn=example,ou=secgroups,ou=system,dc=example,dc=com" ]
                   ]
               ]
           ],
       ]
   ];
   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
wfLoadExtension( 'LDAPAuthorization' );

Is there anything I should be changing before trying to update?

Cindy.cicalese (talkcontribs)

It looks like you are using a newer version of the jumbojett/openid-connect-php library than is supported. The OpenID Connect composer.json file specifies version 0.9.10, which looks to be compatible. A newer commit adds an array typehint to the addScope() function, causing the error. Did you edit the OpenID Connect composer.json file?

DeEliteOne (talkcontribs)

No, I haven't edited the file, and my live copy of the file is using version 0.9.10. Full contents:

{
       "name": "mediawiki/openidconnect",
       "type": "mediawiki-extension",
       "description": "Provides authentication using OpenID Connect in conjunction with PluggableAuth",
       "license": "MIT",
       "authors": [
               {
                       "name": "Cindy Cicalese",
                       "email": "cicalese@mitre.org"
               }
       ],
       "require": {
               "jumbojett/openid-connect-php": "0.9.10",
               "composer/installers": "~1.0|~2"
       },
       "require-dev": {
               "mediawiki/mediawiki-codesniffer": "39.0.0",
               "mediawiki/minus-x": "1.1.1",
               "php-parallel-lint/php-console-highlighter": "1.0.0",
               "php-parallel-lint/php-parallel-lint": "1.3.2"
       },
       "scripts": {
               "test": [
                       "parallel-lint . --exclude vendor --exclude node_modules",
                       "@phpcs",
                       "minus-x check ."
               ],
               "fix": [
                       "minus-x fix .",
                       "phpcbf"
               ],
               "phpcs": "phpcs -sp --cache"
       },
       "extra": {
               "installer-name": "OpenIDConnect"
       },
       "config": {
               "allow-plugins": {
                       "composer/installers": true
               }
       }
}

DeEliteOne (talkcontribs)

Never mind - the deployment is containerized, and I missed that it was pulling the latest release of jumbojett/openid-connect-php in the Dockerfile, overriding individual composer.json files. I'm not exactly sure why it was set up this way (inherited code), but locking the release to v0.9.10 worked. Thanks so much!

Cindy.cicalese (talkcontribs)

That's very strange. When you look at vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php and search for addScope, do you see https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L556 (which I suspect, based on the stack trace, and which is the master branch) or https://github.com/jumbojett/OpenID-Connect-PHP/blob/45aac47b525f0483dd4db3324bb1f1cab4666061/src/OpenIDConnectClient.php#L587 (whose line numbers do not match the stack trace, but it is version 0.9.10)? The manifest on packagist agrees with the git hashes for the versions (https://packagist.org/packages/jumbojett/openid-connect-php#v0.9.10).

Cindy.cicalese (talkcontribs)

Ah, our messages crossed. I'm so glad you figured it out!

Cindy.cicalese (talkcontribs)

And now I know I'll need to change the code if I bump the version to the new 1.0.0 release! Thanks!


default value of $wgPluggableAuth_EnableFastLogout ?

Summary by Wladek92

false ; done, thanks.

Wladek92 (talkcontribs)
Cindy.cicalese (talkcontribs)

Thanks for the updates and fixes! The value should be false; I added it.

Is there a minimal Auth provider example available?

Axkibe (talkcontribs)

Sorry if I didn't see it somewhere in the docs, but do you have somewhere a minimalist auth provider example/template one could use as a basis to extend?

The section "Creating an authorization plugin" says something about a hook, but the other auth provider plugins (for 7.0) I looked through do not use it; they extend some class?

Unless I'm completely overlooking something, could you please provide a dummy provider that, say, just authorizes the hardcoded user "bob" with the password "foobar"? (That's the place I'd put my backend in.)

Cindy.cicalese (talkcontribs)

You could look at the tests/includes/DummyAuth.php file for a minimal provider used in testing. Probably the simplest fully functional provider from a code perspective is Extension:OpenID Connect. You are correct that the group population hook was removed in version 7.0 and the documentation needs to be updated to reflect that.

Axkibe (talkcontribs)

Thank you! Got it and it works, but I had to look through other solutions for a complete API (at least I hope I have everything I need :). To be honest I got confused by "authorization" vs "authentication"; that's why the doc made so little sense to me.


wikimedia 1.39.5 - The supplied credentials could not be authenticated.

Simon.matys (talkcontribs)

Hello, I'm struggling a bit with LDAP configuration on MediaWiki 1.39.5.

I know that it was discussed here before, but I was not able to make sense of the documentation or the discussion on this community forum to the point where I could resolve it myself, so I decided to ask for help. I'm a bit new to this, so I suspect the main problem is with my understanding of the configuration, and that it is not really a bug.

The issue I'm having is with extension PluggableAuth, which is causing the error "The supplied credentials could not be authenticated."

Please, can you help me understand, what am I doing wrong?

For context, this was the configuration of old wiki server:

_________________________________________________________________________ _________________________________________________________________________

# ---------------LDAP---------------
wfLoadExtensions( [
	'PluggableAuth',
	'Auth_remoteuser',
	'LDAPProvider',
	'LDAPAuthentication2',
	'LDAPAuthorization',
	'LDAPUserInfo'
] );
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";

$wgAuthRemoteuserUserName = function() {
	$user = '';
	if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
		$user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
	}

	return $user;
};
$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'example.com' => [
			'connection' => [
				"server" => "ldap-1.example.com ldap-2.example.com",
				"port" => 636,
				"enctype" => "ssl",
				"user" => "cn=anonym,ou=ldap,dc=example,dc=com",
				"pass" => "password",
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "ou=people,ou=users,dc=example,dc=com",
				"groupbasedn" => "ou=people,ou=users,dc=example,dc=com",
				"userbasedn" => "ou=people,ou=users,dc=example,dc=com",
				"searchattribute" => "uid",
				"usernameattribute" => "uid",
				"realnameattribute" => "displayName",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			'authorization' => [],
			'userinfo' => [
				'attributes-map' => [
					'email' => 'mail',
					'realname' => 'displayName'
				]
			]
		]
	];

	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

_________________________________________________________________________ _________________________________________________________________________


Versions of the extensions used in the new wiki are listed below. I didn't try any others as, to my understanding, these should be compatible.

  • Auth_remoteuser-REL1_39-b9c4b86 (2.1.1)
  • LDAPAuthentication2-REL1_39-42ec3c8 (2.0.4)
  • LDAPAuthorization-REL1_39-07d09d8 (2.0.2)
  • LDAPProvider-REL1_39-a3c56fa (2.0.2)
  • LDAPUserInfo-REL1_39-2fda62c (2.0.1)
  • PluggableAuth-REL1_39-e952f13 (7.0.0)

To rule out a problem with the connection to LDAP, or an issue with the PHP module for LDAP, I've tested the connection using the ldapsearch command as in the example below, with success. I did the same for the PHP module with a simple PHP script.

ldapsearch -x -H ldaps://ldap-1.example.com:636 -D "cn=anonym,ou=ldap,dc=example,dc=com" -W -b "ou=people,ou=users,dc=example,dc=com" "(uid=name.surname)"

The configuration I've tested is below. I've tried other configurations too, but this is the state I'm in now.

_________________________________________________________________________ _________________________________________________________________________

The LocalSettings.php configuration for LDAP is:


wfLoadExtensions([
    'PluggableAuth',
    'Auth_remoteuser',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo'
]);

$LDAPProviderDomainConfigProvider = function() {
    $config = json_decode(file_get_contents("/path/to/ldap.json"), true);
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray($config);
};

$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Log In";

$wgAuthRemoteuserUserName = function() {
    return strtolower($_SERVER['REMOTE_USER'] ?? '');
};

_________________________________________________________________________


This is ldap.json configuration:


{
    "example.com": {
        "connection": {
            "server": "ldap-1.example.com ldap-2.example.com",
            "port": 636,
            "enctype": "ssl",
            "user": "cn=anonym,ou=ldap,dc=example,dc=com",
            "pass": "password",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "ou=people,ou=users,dc=example,dc=com",
            "groupbasedn": "ou=people,ou=users,dc=example,dc=com",
            "userbasedn": "ou=people,ou=users,dc=example,dc=com",
            "searchattribute": "uid",
            "usernameattribute": "uid",
            "realnameattribute": "displayName",
            "emailattribute": "mail"
        },
        "authorization": [],
        "userinfo": {
            "attributes-map": {
                "email": "mail",
                "realname": "displayName"
            }
        }
    }
}

_________________________________________________________________________ _________________________________________________________________________

Cindy.cicalese (talkcontribs)

PluggableAuthPopulateGroups removed in v7

185.116.43.6 (talkcontribs)

Why has this hook been removed? It's such a shame... Configuring things in globals seems very dirty to me.

Cindy.cicalese (talkcontribs)

Per Extension:PluggableAuth#Group_Synchronization, "In version 7.0.0 and later when you are using an authentication plugin that supports retrieval of attributes from the identity provider (currently OpenID Connect, SimpleSAMLphp, WSOAuth, and JWTAuth), it is possible to synchronize groups from the identity provider to MediaWiki groups. There are two built-in group synchronization algorithms, syncall and mapped, described below. It is also possible for an extension to provide additional custom group synchronization algorithms." This more flexible functionality replaces the earlier approach that used that hook and allows a more consistent approach to group management between the plugins.


after login: Internal error .. Argument #2 ($subject) must be of type string, array given

RobFantini (talkcontribs)

After updating the wiki we are seeing that for some users after login. We use 1.39.5 (f78a5fb) 06:10, October 10, 2023. Note some users can log in, others not. Here is the full error:

[c1f8b982694f124ffaf407db] /mediawiki/index.php?title=Special:UserLogin&returnto=Special%3ARecentChanges TypeError: preg_match(): Argument #2 ($subject) must be of type string, array given
Backtrace:
from /var/www/mediawiki/includes/parser/Sanitizer.php(1899)
#0 /var/www/mediawiki/includes/parser/Sanitizer.php(1899): preg_match()
#1 /var/www/mediawiki/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(194): Sanitizer::validateEmail()
#2 /var/www/mediawiki/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(163): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->updateUserRealNameAndEmail()
#3 /var/www/mediawiki/includes/auth/AuthManager.php(606): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->continuePrimaryAuthentication()
#4 /var/www/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(374): MediaWiki\Auth\AuthManager->continueAuthentication()
#5 /var/www/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(504): AuthManagerSpecialPage->performAuthenticationStep()
#6 /var/www/mediawiki/includes/htmlform/HTMLForm.php(729): AuthManagerSpecialPage->handleFormSubmit()
#7 /var/www/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(435): HTMLForm->trySubmit()
#8 /var/www/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(320): AuthManagerSpecialPage->trySubmit()
#9 /var/www/mediawiki/includes/specialpage/SpecialPage.php(701): LoginSignupSpecialPage->execute()
#10 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
#11 /var/www/mediawiki/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#12 /var/www/mediawiki/includes/MediaWiki.php(904): MediaWiki->performRequest()
#13 /var/www/mediawiki/includes/MediaWiki.php(562): MediaWiki->main()
#14 /var/www/mediawiki/index.php(50): MediaWiki->run()
#15 /var/www/mediawiki/index.php(46): wfIndexMain()
#16 {main}

RobFantini (talkcontribs)

Note this only happens to those who have not logged in lately.

Cindy.cicalese (talkcontribs)

What version of PluggableAuth and other related extensions are you using?

RobFantini (talkcontribs)

PluggableAuth 7.0.0 (211d5ba) 05:47, August 15, 2023

LDAPAuthentication2 2.0.1

the other Ldap extensions are 2.0.0

I'll work on getting debug set up.

Cindy.cicalese (talkcontribs)

Also, please turn on debug logging and include relevant portions of the log.

RobFantini (talkcontribs)

[LDAPProvider] Found user DN: 'uid=amy,ou=People,dc=test,dc=com'

[LDAPProvider] MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=amy,ou=People,dc=test,dc=com'

[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for localAutoCommit/0

[DBQuery] SqlBagOStuff::fetchBlobs [0s] localhost: SELECT keyname,value,exptime FROM `objectcache` WHERE keyname = 'fbcwiki:ldap-provider: user-info:amy:ou=People,dc=test,dc=com' AND (exptime >= '20231015232138')

[LDAPProvider] Ran LDAP search for '(uid=amy)' in 0.0020978450775146 seconds.

[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for localAutoCommit/0

[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::getServerId [0s] localhost: SELECT @@server_id AS id

[DBQuery] SqlBagOStuff::modifyTableSpecificBlobsForSet [0.003s] localhost: REPLACE INTO `objectcache` (keyname,value,exptime) VALUES ('fbcwiki: ldap-provider:user-info:amy:ou=People,dc=test,dc=com',.......

[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for localAutoCommit/0

[LDAPAuthentication2] LDAP login succeeded.

[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::open [0s] localhost: SET group_concat_max_len = 262144, `sql_mode` =

[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: opened new connection for local/0

[DBPerformance] Expectation (masterConns <= 0) by MediaWiki::main not met (actual: 2): [connect to localhost (fbcwiki)]

#0 /var/www/mediawiki/includes/libs/rdbms/TransactionProfiler.php(219): Wikimedia\Rdbms\TransactionProfiler->reportExpectationViolated()
#1 /var/www/mediawiki/includes/libs/rdbms/loadbalancer/LoadBalancer.php(980): Wikimedia\Rdbms\TransactionProfiler->recordConnection()
#2 /var/www/mediawiki/includes/libs/rdbms/loadbalancer/LoadBalancer.php(944): Wikimedia\Rdbms\LoadBalancer->getServerConnection()
#3 /var/www/mediawiki/includes/libs/rdbms/database/DBConnRef.php(95): Wikimedia\Rdbms\LoadBalancer->getConnectionInternal()
#4 /var/www/mediawiki/includes/libs/rdbms/database/DBConnRef.php(101): Wikimedia\Rdbms\DBConnRef->ensureConnection()
#5 /var/www/mediawiki/includes/libs/rdbms/database/DBConnRef.php(344): Wikimedia\Rdbms\DBConnRef->__call()
#6 /var/www/mediawiki/includes/user/User.php(416): Wikimedia\Rdbms\DBConnRef->selectRow()
#7 /var/www/mediawiki/includes/user/User.php(1660): User->load()
#8 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(130): User->getId()
#9 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#10 /var/www/mediawiki/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
#11 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
#12 /var/www/mediawiki/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#13 /var/www/mediawiki/includes/MediaWiki.php(904): MediaWiki->performRequest()
#14 /var/www/mediawiki/includes/MediaWiki.php(562): MediaWiki->main()
#15 /var/www/mediawiki/index.php(50): MediaWiki->run()
#16 /var/www/mediawiki/index.php(46): wfIndexMain()
#17 {main}

[DBQuery] Wikimedia\Rdbms\Database::beginIfImplied (User::load) [0s] localhost: BEGIN

[DBQuery] User::load [0s] localhost: SELECT actor_id,actor_user,actor_name FROM `actor` WHERE actor_name = 'Amy' LIMIT 1

[DBConnection] Wikimedia\Rdbms\LoadBalancer::getLocalConnection: reused a connection for local/0

RobFantini (talkcontribs)

If you want I could email or upload a more complete log.....

Osnard (talkcontribs)

Well,

TypeError: preg_match(): Argument #2 ($subject) must be of type string, array given Backtrace: from /var/www/mediawiki/includes/parser/Sanitizer.php(1899)

coming from

extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(194): Sanitizer::validateEmail()

makes me think that either the LDAP server returns an odd value for what you have configured in emailattribute. Can you please check that value, e.g. by running extensions/LDAPProvider/maintenance/ShowUserInfo.php for the affected user?

Alternatively some handler of hook IsValidEmailAddr is messing up the e-mail address. But this seems unlikely.

RobFantini (talkcontribs)
sudo -u www-data php  extensions/LDAPProvider/maintenance/ShowUserInfo.php --username amy  --domain test.com
uid => amy 
mail => 
  0 => amy@test.com  
memberof => 
  0 => cn=nextcloud,ou=groups,dc=test,dc=com 
  1 => cn=UNIX Users,ou=groups,dc=test,dc=com 
givenname => Amy 
sn => O'test
cn => Amy O'test 
dn => uid=amy,ou=People,dc=test,dc=com
RobFantini (talkcontribs)

Hello

Is there a way for me to further debug if some handler of hook IsValidEmailAddr is messing up the e-mail address?
Osnard (talkcontribs)

Well

mail => 
  0 => amy@test.com

is probably already the explanation.

It should more be

mail => amy@test.com

Unfortunately I can not tell why your LDAP server returns this value or why this only occurs for some users.

Can you check the same command with a user that hasn't got a problem?
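As an added illustration of the cause described above (example code, not PluggableAuth or LDAPProvider code): a multi-valued LDAP mail attribute arrives as a PHP array, preg_match() on PHP 8 rejects it with exactly the TypeError seen in the log, and reducing the attribute to its first string value before validation avoids that. The validateEmailLike() stand-in and the firstEmailValue() helper are hypothetical, and the two user-info arrays are constructed to mirror the ShowUserInfo.php output.

```php
<?php
// Constructed user-info arrays shaped like ShowUserInfo.php output:
// one single-valued and one multi-valued "mail" attribute.
$singleMailUser = [ 'uid' => 'rob', 'mail' => 'rob@test.com' ];
$multiMailUser  = [ 'uid' => 'amy', 'mail' => [ 'amy@test.com', 'amy.o@test.com' ] ];

/**
 * Minimal stand-in for Sanitizer::validateEmail() (hypothetical, not the
 * MediaWiki implementation). Like the real one it ends in preg_match(),
 * which on PHP 8 throws TypeError when handed an array instead of a string.
 */
function validateEmailLike( $addr ): bool {
	return (bool)preg_match( '/^[^@\s]+@[^@\s]+\.[^@\s]+$/', $addr );
}

/**
 * Hypothetical helper: reduce whatever the directory returned for the
 * configured emailattribute to one string (first value wins), or null
 * when there is no usable value at all.
 */
function firstEmailValue( $raw ): ?string {
	if ( is_array( $raw ) ) {
		$raw = reset( $raw ); // first entry of a multi-valued attribute, false if empty
	}
	return ( is_string( $raw ) && $raw !== '' ) ? $raw : null;
}

foreach ( [ $singleMailUser, $multiMailUser ] as $info ) {
	// Unnormalised call: reproduces the TypeError for the multi-valued user.
	try {
		$ok = validateEmailLike( $info['mail'] );
		echo "{$info['uid']}: raw value validates: " . var_export( $ok, true ) . "\n";
	} catch ( TypeError $e ) {
		echo "{$info['uid']}: TypeError: " . $e->getMessage() . "\n";
	}

	// Normalised call: always a string (or null), so validation runs for both users.
	$email = firstEmailValue( $info['mail'] );
	$valid = $email !== null && validateEmailLike( $email );
	echo "{$info['uid']}: normalised '" . ( $email ?? '' ) . "' validates: "
		. var_export( $valid, true ) . "\n";
}
```

Run it with `php example.php`; the raw call fails only for the user whose mail attribute is an array, and the normalised call succeeds for both.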

RobFantini (talkcontribs)

well in our ldap a person can have more than one email address.

the ones which have more than one email address do have an issue logging in to wiki. for instance I can log in, and the value returned for me from extensions/LDAPProvider/maintenance/ShowUserInfo.php is: rob@test

amy has 5 different email addresses with these as prefix:

 0 =>
 1 =>

..

 4 =>


we use OpenLDAP.

RobFantini (talkcontribs)

so the ones who can log in have just one email address, and ShowUserInfo.php returns something like

rob@test

without a 0 => prefix

RobFantini (talkcontribs)

is there a way to turn off email checking in LocalSettings.php?

Osnard (talkcontribs)
RobFantini (talkcontribs)

I got this error after untaring the file into extensions/PluggableAuth

Fatal error: Uncaught Exception: It was attempted to load LDAPAuthentication2 twice, from /var/www/mediawiki/extensions/LDAPAuthentication2/extension.json and /var/www/mediawiki/extensions/PluggableAuth/extension.json. in /var/www/mediawiki/includes/registration/ExtensionProcessor.php:772 Stack trace: #0 /var/www/mediawiki/includes/registration/ExtensionProcessor.php(280): ExtensionProcessor->extractCredits() #1 /var/www/mediawiki/includes/registration/ExtensionRegistry.php(421): ExtensionProcessor->extractInfo() #2 /var/www/mediawiki/includes/registration/ExtensionRegistry.php(276): ExtensionRegistry->readFromQueue() #3 /var/www/mediawiki/includes/Setup.php(278): ExtensionRegistry->loadFromQueue() #4 /var/www/mediawiki/includes/WebStart.php(86): require_once('...') #5 /var/www/mediawiki/index.php(44): require('...') #6 {main} thrown in /var/www/mediawiki/includes/registration/ExtensionProcessor.php on line 772

here is a directory listing:

ls -l
total 236
-rw-r--r-- 1 www-data www-data    135 Oct 18 18:34 CODE_OF_CONDUCT.md
-rw-r--r-- 1 www-data www-data   1212 Oct 18 18:34 composer.json
-rw-r--r-- 1 www-data www-data   1070 Jan 27  2023 COPYING
drwxr-xr-x 2 www-data www-data   4096 Aug 16 19:33 docs/
-rw-r--r-- 1 www-data www-data   1645 Oct 18 18:34 extension.json
-rw-r--r-- 1 www-data www-data    493 Oct 18 18:34 Gruntfile.js
drwxr-xr-x 2 www-data www-data   4096 Oct 18 18:34 i18n/
drwxr-xr-x 4 www-data www-data   4096 Aug 16 19:33 includes/
-rw-r--r-- 1 www-data www-data    241 Oct 18 18:34 package.json
-rw-r--r-- 1 www-data www-data 191732 Oct 18 18:34 package-lock.json
-rw-r--r-- 1 www-data www-data    265 Oct 18 18:34 README.mediawiki
drwxr-xr-x 2 www-data www-data   4096 Oct 18 18:34 src/
drwxr-xr-x 4 www-data www-data   4096 Jan 27  2023 tests/

Cindy.cicalese (talkcontribs)

The patch is an update to LDAPAuthentication2, not PluggableAuth. You should be untarring it into extensions/LDAPAuthentication2, not extensions/PluggableAuth.

RobFantini (talkcontribs)

Hello Cindy.

the patch fixed the issue.

thank you very much!

Cindy.cicalese (talkcontribs)

I'm glad that worked for you.
