Hi,
I'm having issues authenticating against my AD server from Special:UserLogin page. I tried running the "CheckLogin.php" with the account which returned a "FAILED". Utilizing the same account I'm able to login to the Active Directory server locally, and from the mediawiki server, perform an ldapsearch w/ bind successfully. The end goal is for any user that exist in Active directory to be able to authenticate and log into the wiki.
I've been at this for 2-3 weeks now, unfortunately...
Below is the version numbers for all relevant components.
Here is my LocalSettings.php:
# Degbugging!
4
5 error_reporting( E_ALL );
6 ini_set( 'display_errors', 1 );
7 $wgShowExceptionDetails = true;
8 $wgDebugToolbar = true;
9 $wgShowErrors = true;
10 $wgShowError = true;
11 $wgShowDebug = true;
12 $wgDebugLogFile = '/tmp/debug.log';
13
14 $wgDebugLogGroups = array(
15 'PluggableAuth' => '/tmp/pa.log',
16 'LDAP' => '/tmp/LDAP.log',
17 'LDAPProvider' => '/tmp/LDAPProvider.log',
18 'LDAPAuthentication2' => '/tmp/LDAPAuthentication2.log',
19 'LDAPAuthorization' => '/tmp/LDAPAuthorization.log',
20 'LDAPUserInfo' => '/tmp/LDAPUser.log',
21 'LDAPGroups' => '/tmp/LDAPGroups.log',
22 'MediaWiki\\Extension\\LDAPProvider\\Client' => '/tmp/ldapprovider_client.log'
23 );
462 ##################################################################
463 # LDAP JSON FILE #
464 ##################################################################
465
466 $safeIPs = array('127.0.0.1','localhost');
467 $ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');
468 foreach ($ipsVars as $ipsVar) {
469 if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar];
470 break; }
471 }
472 $wikiRequestSafe = ( isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));
473
474 // Create Wiki-Group 'engineering' from default user group
475 $wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];
476
477 // Private Wiki. External LDAP Login. Default NS requires login.
478 $wgEmailConfirmToEdit = false;
479 $wgGroupPermissions['*']['edit'] = false;
480 $wgGroupPermissions['*']['read'] = false;
481 $wgGroupPermissions['*']['createaccount'] = false;
482 $wgGroupPermissions['sysop']['createaccount'] = false;
483 $wgGroupPermissions['*']['autocreateaccount'] = true;
484 $wgBlockDisablesLogin = true;
485
486 $ldapConfig = false;
487 $ldapJsonFile = "/var/www/ldapprovider.json";
488 if (is_file($ldapJsonFile) && is_dir("/var/www/mediawiki/w/extensions/LDAPProvider")) {
489 $testJson = @json_decode(file_get_contents($ldapJsonFile), true);
490 if (is_array($testJson)) {
491 $ldapConfig = true;
492
493 } else {
494 error_log("Found invalid JSON in file: /var/www/ldapprovider.json");
495 }
496 }
497
498 if ($ldapConfig) {
499
500 wfLoadExtension('LDAPProvider');
501 wfLoadExtension('LDAPAuthentication2');
502 #wfLoadExtension('LDAPAuthorization');
503 #wfLoadExtension('LDAPUserInfo');
504 #wfLoadExtension('LDAPGroups');
505 wfLoadExtension('PluggableAuth');
$LDAPProviderDomainConfigs = $ldapJsonFile;
509
510 $wgLDAPDebug = 3;//for debugging LDAP
511
512 $wgLDAPProvider["CacheType"] = "CACHE_NONE";
513 $wgLDAPProvider["CacheTime"] = 3600;
514
515 // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldapprovider.json)
516 $LDAPProviderDefaultDomain = array_key_first(json_decode(file_get_contents($LDAPProviderDomainConfigs), true));
517
518 $wgPluggableAuth_EnableAutoLogin = false;
519 $wgPluggableAuth_EnableLocalLogin = false; # required to show the username and password field on login page
520 $wgPluggableAuth_EnableFastLogout = true;
521
522
523 $wgPluggableAuth_Config = array(
524 array(
525 "plugin" => "LDAPAuthentication2",
526 "buttonLabelMessage" => "Domain Login",
527 "data" => ["domain" => $LDAPProviderDefaultDomain]
528 ),
529 #array("plugin" => "LDAPAuthorization"),
530 );
531
532 if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = false; }
533 }
534
# LDAPAuthentication2
608
609 // Whether or not to display a "local" psuedo-domain in the domain selector on "Special:Login", thus allowing to authenticate against the local user database. (defaults to false if not specified)
610 $LDAPAuthentication2AllowLocalLogin = true;
611
612 // Use this function for normalizing username for LDAP, for example 'strtolower'. (defaults to "")
613 $LDAPAuthentication2UsernameNormalizer = "";
614
615 # Auth_remoteuser
616 // Set the name for mapping into the local wiki user database. If the value is `null`, the extension defaults to using the enviornment variables `REMOTE_USER` and `REDIRECT_REMOTE_USER`
617
618 $wgAuthRemoteuserUserName = null; //default
619
620 #$wgAuthRemoteuserUserName = [
621 # $_SERVER[ 'REMOTE_USER' ],
622 # $_SERVER[ 'REDIRECT_REMOTE_USER' ]
623 #];
624
625 $wgAuthRemoteuserUserNameReplaceFilter = null; //default
626
627
628
629
630 # PluggableAuth Extension Configuration
631
632 // Should user login occur automatically when a user visits the wiki?
633 $wgPluggableAuth_EnableAutoLogin = true;
634
635 // Should user also be presented with username/password fields on the login page to allow local password-based login to the wiki
636 $wgPluggableAuth_EnableLocalLogin = true;
Here is my ldapprovider.json located at /var/www/:
{
"test.local": {
"connection": {
"server": "{IP_ADDRESS_HERE}",
"port": "389",
"user": "CN=XXXXX,CN=Users,DC=test,DC=local",
"pass": "XXXXXXX",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=test,dc=local",
"userbasedn": "dc=test,dc=local",
"groupbasedn": "dc=test,dc=local",
"searchattributes": {
"realname": "cn",
"username": "samaccountname"
},
"grouprequest": {
"groupAttribute": "member",
"isMemberCritical": true
},
"userinfo": [],
"authorization": [],
"groupsync": {
"mapping": {
"bureaucrat": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],
"interface-admin": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],
"sysop": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"]
}
}
}
}
}