Extension talk:PluggableAuth

About this board

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log.

Start a new topic

Problem moving to JSON

3 comments • 20:31, 26 July 2024 16 hours ago

3

139.180.62.190 (talkcontribs)

I have had LDAP configured and working for many years, using older versions of the plugins where the config was in the LocalSettings.php file. I'm finding this is now broken with the current MediaWiki update and am trying to update the extensions for PluggableAuth and the LDAPStack. I actually tried this once before and gave up, but that appears no longer to be an option.

I am working from the manual and have created the JSON file, which I believe is correct. At this point I am getting an error when loading the site that indicates the following:

[42210a3c72f542b606307239] / TypeError: PluggableAuthHooks::doBeforeInitialize(): Argument #6 ($mw) must be of type MediaWiki, MediaWiki\Actions\ActionEntryPoint given, called in c:\pathto\mediawiki\includes\HookContainer\HookContainer.php on line 159

Backtrace:

from c:\pathto\mediawiki\extensions\PluggableAuth\includes\PluggableAuthHooks.php(113)

#0 c:\pathto\mediawiki\includes\HookContainer\HookContainer.php(159): PluggableAuthHooks::doBeforeInitialize(MediaWiki\Title\Title, NULL, MediaWiki\Output\OutputPage, MediaWiki\User\User, MediaWiki\Request\WebRequest, MediaWiki\Actions\ActionEntryPoint)

#1 c:\pathto\mediawiki\includes\HookContainer\HookRunner.php(937): MediaWiki\HookContainer\HookContainer->run(string, array)

#2 c:\pathto\mediawiki\includes\actions\ActionEntryPoint.php(384): MediaWiki\HookContainer\HookRunner->onBeforeInitialize(MediaWiki\Title\Title, NULL, MediaWiki\Output\OutputPage, MediaWiki\User\User, MediaWiki\Request\WebRequest, MediaWiki\Actions\ActionEntryPoint)

#3 c:\pathto\mediawiki\includes\actions\ActionEntryPoint.php(145): MediaWiki\Actions\ActionEntryPoint->performRequest()

#4 c:\pathto\mediawiki\includes\MediaWikiEntryPoint.php(199): MediaWiki\Actions\ActionEntryPoint->execute()

#5 c:\pathto\mediawiki\index.php(58): MediaWiki\MediaWikiEntryPoint->run()

#6 {main}

As you can infer, I am on Windows and IIS. Happy to provide any other info about the config if needed. Would genuinely appreciate any help.

Reply 14:50, 24 July 2024 2 days ago

Magicwrite (talkcontribs)

Hello,

In my case I got this same error message & stack just after upgrade MediaWiki from 1.41.2 to 1.42.1 (there are few minutes).

I downloaded latest version of PluggableAuth: Extension:PluggableAuth for my current MediaWiki version (1.42).

Remove previous extension install dir. : $MW_HOME/extensions/PluggableAuth

And extract archive in this extension directory: $MW_HOME/extensions/

And now it is work again perfectly.

I hope this solution can you help you.

Regards,

Reply 13:21, 26 July 2024 1 day ago

139.180.62.190 (talkcontribs)

Thank you very much for replying. I am also updating to 1.42.1. I was downloading updates from MediaWiki plugin page and I was able to determine that there was a different version on the linked page for direct downloads. After downloading from there and getting version 7.1.0, the error went away and I was able to login.

Reply 20:31, 26 July 2024 16 hours ago

Reply to "Problem moving to JSON"

How to show a domain selector for multi domian login , while with only one login button?

One comment • 06:26, 16 July 2024 11 days ago

1

Qyingy (talkcontribs)

I have multi domian for login ,but when I use $wgPluggableAuth_Config like this, I have two login button with the name as "Login1" and "Login2" for differrent domain login.

I want to show only one login button, to login with different domain which contain local domain.

$wgPluggableAuth_Config['Login1'] = [

'plugin' => 'LDAPAuthentication2',

'data' => [

'domain' => 'LDAP0'

]

];

$wgPluggableAuth_Config['Login2'] = [

'plugin' => 'LDAPAuthentication2',

'data' => [

'domain' => 'LDAP1'

],

];

LDAPAuthentication2	2.0.9 (1ca14ce)	GPL-2.0
LDAPProvider	2.0.7 (5f0b37f)	GPL-2.0+
LoginNotify	0.1	MIT
PluggableAuth	7.1.0 (4111a57)

Reply 06:26, 16 July 2024 11 days ago

Reply to "How to show a domain selector for multi domian login , while with only one login button?"

New Extension:AuthRemoteUser

One comment • 10:28, 2 July 2024 25 days ago

1

Oetterer (talkcontribs)

Hey

I created a new extension, using PluggableAuth. It aims to reproduce Extension:Auth remoteuser in its first incarnation: have one page in your wiki that checks for REMOTE_USER and uses it to authenticate. Unfortunately, I have only basic knowledge of remote authentication and mediawiki's authentication process. I basically just copied from here and there, so maybe someone with a bit more knowledge can have a look at the source code and check, if there is no major foo bar in it.</nowiki>

What the extension does:

it registers with pluggable auth (via callback)
creates a new unlisted special page (source code is a verbatim copy of PluggableAuth's PluggableAuthLogin.php
the authentication method in the child class of MediaWiki\Extension\PluggableAuth\PluggableAuth checks, if it is colled from the extension's special page
if not, it redirects to it (via header())
if so, it reads $_SERVER['REMOTE_USER'] and uses the username of the principal for authentication
optional: does a domain match

Help and feedback is appreciated. Thanks in advance.

Reply Edited 10:28, 2 July 2024 25 days ago

Reply to "New Extension:AuthRemoteUser"

how to define "groupsyncs" for wgPluggableAuth_Config OpenIDConnect

8 comments • 01:31, 14 May 2024 2 months ago

8

RakingTheLeaves (talkcontribs)

MediaWiki 1.41.0 (62e7aef)

OpenID Connect 7.0.2 (c515880)

PluggableAuth 7.0.0 (2d86d50)

PHP 8.2.17 (apache2handler)

ICU 72.1

PostgreSQL 16.0

I'm unclear on the correct way to reference field in the access_token from the OIDC payload and assign them to the default roles in mediaWiki using groupsyncs. I have the following defined in LocalSettings.php. below that I have the access_token example pulled from the jwt. Logging in works great. But auto-assigning users that have thefieldwithrole to a group doesn't seem to be working.

Any insight into what I might be doing wrong?

$wgPluggableAuth_Config[] = [

'plugin' => 'OpenIDConnect',

'data' => [

.......

],

'groupsyncs' => [

[

'type' => 'mapped',

'map' => [

'users' => [ 'thefieldwithrole' => 'roleA' ],

'sysop' => [ 'thefieldwithrole' => 'roleB' ]

]

];

Example Access_Token pulled from jwt payload:

{

"thefieldwithrole" : "roleA",

"aud" : "omitted",

"authorization_details": [],

"client_id" : "theclientid",

"client_key" : "theclientkey",

"Email" : "someemailaddress",

"exp" : 1234567890

"first_name" : "first",

"iss" : "omitted",

"jti" : "xf8i7vW",

"last_name" : "last",

"login" : "12345678",

"Organization" : "theorg",

"samaccountname" : "12345678",

"scope" : "openid profile",

"sub" : "12345678",

"subject" : "12345678",

"uid" : "12345678",

"userid" : "12345678",

"userId" : "12345678",

}

Reply Edited 13:37, 3 April 2024 3 months ago

Wikiphpnoob (talkcontribs)

@RakingTheLeaves

hello, i'm in the process of trying to figure this out. i'm using azure ad and openid connect.

have you had any success figuring things out?

Reply 21:17, 15 April 2024 3 months ago

RakingTheLeaves (talkcontribs)

Apologies for the delay... I haven't been focused on this much this week. But, no... I haven't quite figured it out (yet). It "seems" like the code isn't seeing the "thefieldwithrole" from the access_token of the OIDC token payload.

Without any other guidance to go by, my current thinking is to try putting my authZ info into the authorization_details[] section of the payload in accordance with the intent of the RFC... maybe the extension author is expecting to find the information there... unsure. If that doesn't work, may slog through the extension code to see if I can figure it out.... just getting to the point where I can't delay the project much longer and may try something else.

https://datatracker.ietf.org/doc/html/rfc9396

"This specification introduces a new parameter authorization_details that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON [RFC8259] data structures.¶"

Reply 14:15, 19 April 2024 3 months ago

RakingTheLeaves (talkcontribs)

I will post here if I get it going.

Reply 14:19, 19 April 2024 3 months ago

Wikiphpnoob (talkcontribs)

@RakingTheLeaves

your response is greatly appreciated.

i have managed to get passed authentication. but i'm finding it difficult for my log in to pull group memberships from the local azure ad/entra. and likewise, if i find anything, i'll share it.

thanks

Reply 15:10, 19 April 2024 3 months ago

Wikiphpnoob (talkcontribs)

OK, i was able to get groupsync working between azure ad and wiki

i think something to consider is how azure ad is configured as well. on top of the claim for user info when the wiki app is registered in the azure portal, a groups claim needs to be added.

a rough instruction is :

Azure Active Directory > App registrations > the wiki app > Token configuration(might be under Manage) > is there a group claim?

if not, click Add optional claim > ID for id tokens > Group > ...hopefully you can follow from there. i think its better to use group id than samaccountname

then when configuring PluggableAuth_Confiig...

'groupsyncs' => [

[

'type' => 'mapped',

'map' => [

'information_technology' => ['groups' => 'azure ad group id'] ]

]

'groups' is needed, though i cannot remember why. I found this explanation using ChatGPT ", the groups claim in a token can contain the IDs of the Azure AD groups to which the user belongs"

hopefully that helps some? good luck

Reply 22:17, 19 April 2024 3 months ago

165.225.60.203 (talkcontribs)

I tried following your solution, but it seems to still not be working for me.

Reply 01:29, 14 May 2024 2 months ago

165.225.60.203 (talkcontribs)

"The only difference is I am using the SimpleSAMLphp plugin: The following does not work. Any suggestions on what I am doing wrong?

$wgPluggableAuth_Config["Log in without Password (SSO)"] = [

"plugin" => "SimpleSAMLphp",

"data" => [

"authSourceId" => "default-sp",

"usernameAttribute" => "email",

"realNameAttribute" => "displayname",

"emailAttribute" => "email",

"groupAttributeName" => "....schemas.microsoft.com/ws/2008/06/identity/claims/role" ],

'groupsyncs' => [

[

'type' => 'mapped',

'map' => [

'sysops' => [ 'groups' => 'Admin' ],

'bureaucrat' => [ 'groups' => 'User_draft_edit' ],

'suppress' => [ 'groups' => 'User_draft_read' ]

]

];"

Reply 01:31, 14 May 2024 2 months ago

Reply to "how to define "groupsyncs" for wgPluggableAuth_Config OpenIDConnect"

Trigger group sync for all users?

One comment • 16:25, 10 May 2024 2 months ago

1

Dan-Dalpiaz (talkcontribs)

Hi,

I'm using the PluggableAuth extension in combination with the OpenIDConnect extension. When a user logs in, the groups returned by the provider (Entra in my case) will re-sync the user's groups in MediaWiki via the "syncall" configuration option for PluggableAuth.

I was wondering, is there a way to trigger a group sync besides having the user log in? Some of our users don't login in that frequently, so the groups listed in MediaWiki for the user become out-of-sync with the provider groups. This isn't necessarily an authorization problem, since a user who lost or gained a group that would revoke or permit access should have that access updated upon the next login. However, the groups listed in MediaWiki make it appear as though someone might have access who shouldn't (or vice versa).

Thanks!

Dan

Reply 16:25, 10 May 2024 2 months ago

Reply to "Trigger group sync for all users?"

Could not authenticate credentials against domain "test.local"

3 comments • 12:59, 26 April 2024 3 months ago

3

Ksmith197 (talkcontribs)

Hi,

I'm having issues authenticating against my AD server from Special:UserLogin page. I tried running the "CheckLogin.php" with the account which returned a "FAILED". Utilizing the same account I'm able to login to the Active Directory server locally, and from the mediawiki server, perform an ldapsearch w/ bind successfully. The end goal is for any user that exist in Active directory to be able to authenticate and log into the wiki.

I've been at this for 2-3 weeks now, unfortunately...

Below is the version numbers for all relevant components.

Product	Version
MediaWiki	1.39.6
PHP	7.4.33 (fpm-fcgi)
MariaDB	11.3.2-MariaDB-1:11.3.2+maria~ubu2204
ICU	67.1
Lua	5.1.5
Pygments	2.7.1

LDAPAuthentication2	2.0.5 (f303c55) 02:27, 27 November 2023	GPL-2.0	Allows authentication against a LDAP resource	Cindy Cicalese, Mark A. Hershberger and Hallo Welt! GmbH
LDAPProvider	2.0.3 (740f097) 07:27, 19 December 2023	GPL-2.0+	Provides a common infrastructure to connect to an LDAP resource and run queries against it	Cindy Cicalese, Mark A. Hershberger and Hallo Welt! GmbH

PluggableAuth	7.0.0 (b1ca368) 10:23, 8 January 2024	MIT	Provides framework for pluggable authentication and authorization	Cindy Cicalese

Here is my LocalSettings.php:

# Degbugging!

4

5 error_reporting( E_ALL );

6 ini_set( 'display_errors', 1 );

7 $wgShowExceptionDetails = true;

8 $wgDebugToolbar = true;

9 $wgShowErrors = true;

10 $wgShowError = true;

11 $wgShowDebug = true;

12 $wgDebugLogFile = '/tmp/debug.log';

13

14 $wgDebugLogGroups = array(

15 'PluggableAuth' => '/tmp/pa.log',

16 'LDAP' => '/tmp/LDAP.log',

17 'LDAPProvider' => '/tmp/LDAPProvider.log',

18 'LDAPAuthentication2' => '/tmp/LDAPAuthentication2.log',

19 'LDAPAuthorization' => '/tmp/LDAPAuthorization.log',

20 'LDAPUserInfo' => '/tmp/LDAPUser.log',

21 'LDAPGroups' => '/tmp/LDAPGroups.log',

22 'MediaWiki\\Extension\\LDAPProvider\\Client' => '/tmp/ldapprovider_client.log'

23 );

462 ##################################################################

463 # LDAP JSON FILE #

464 ##################################################################

465

466 $safeIPs = array('127.0.0.1','localhost');

467 $ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

468 foreach ($ipsVars as $ipsVar) {

469 if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar];

470 break; }

471 }

472 $wikiRequestSafe = ( isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));

473

474 // Create Wiki-Group 'engineering' from default user group

475 $wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

476

477 // Private Wiki. External LDAP Login. Default NS requires login.

478 $wgEmailConfirmToEdit = false;

479 $wgGroupPermissions['*']['edit'] = false;

480 $wgGroupPermissions['*']['read'] = false;

481 $wgGroupPermissions['*']['createaccount'] = false;

482 $wgGroupPermissions['sysop']['createaccount'] = false;

483 $wgGroupPermissions['*']['autocreateaccount'] = true;

484 $wgBlockDisablesLogin = true;

485

486 $ldapConfig = false;

487 $ldapJsonFile = "/var/www/ldapprovider.json";

488 if (is_file($ldapJsonFile) && is_dir("/var/www/mediawiki/w/extensions/LDAPProvider")) {

489 $testJson = @json_decode(file_get_contents($ldapJsonFile), true);

490 if (is_array($testJson)) {

491 $ldapConfig = true;

492

493 } else {

494 error_log("Found invalid JSON in file: /var/www/ldapprovider.json");

495 }

496 }

497

498 if ($ldapConfig) {

499

500 wfLoadExtension('LDAPProvider');

501 wfLoadExtension('LDAPAuthentication2');

502 #wfLoadExtension('LDAPAuthorization');

503 #wfLoadExtension('LDAPUserInfo');

504 #wfLoadExtension('LDAPGroups');

505 wfLoadExtension('PluggableAuth');

$LDAPProviderDomainConfigs = $ldapJsonFile;

509

510 $wgLDAPDebug = 3;//for debugging LDAP

511

512 $wgLDAPProvider["CacheType"] = "CACHE_NONE";

513 $wgLDAPProvider["CacheTime"] = 3600;

514

515 // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldapprovider.json)

516 $LDAPProviderDefaultDomain = array_key_first(json_decode(file_get_contents($LDAPProviderDomainConfigs), true));

517

518 $wgPluggableAuth_EnableAutoLogin = false;

519 $wgPluggableAuth_EnableLocalLogin = false; # required to show the username and password field on login page

520 $wgPluggableAuth_EnableFastLogout = true;

521

522

523 $wgPluggableAuth_Config = array(

524 array(

525 "plugin" => "LDAPAuthentication2",

526 "buttonLabelMessage" => "Domain Login",

527 "data" => ["domain" => $LDAPProviderDefaultDomain]

528 ),

529 #array("plugin" => "LDAPAuthorization"),

530 );

531

532 if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = false; }

533 }

534

# LDAPAuthentication2

608

609 // Whether or not to display a "local" psuedo-domain in the domain selector on "Special:Login", thus allowing to authenticate against the local user database. (defaults to false if not specified)

610 $LDAPAuthentication2AllowLocalLogin = true;

611

612 // Use this function for normalizing username for LDAP, for example 'strtolower'. (defaults to "")

613 $LDAPAuthentication2UsernameNormalizer = "";

614

615 # Auth_remoteuser

616 // Set the name for mapping into the local wiki user database. If the value is `null`, the extension defaults to using the enviornment variables `REMOTE_USER` and `REDIRECT_REMOTE_USER`

617

618 $wgAuthRemoteuserUserName = null; //default

619

620 #$wgAuthRemoteuserUserName = [

621 # $_SERVER[ 'REMOTE_USER' ],

622 # $_SERVER[ 'REDIRECT_REMOTE_USER' ]

623 #];

624

625 $wgAuthRemoteuserUserNameReplaceFilter = null; //default

626

627

628

629

630 # PluggableAuth Extension Configuration

631

632 // Should user login occur automatically when a user visits the wiki?

633 $wgPluggableAuth_EnableAutoLogin = true;

634

635 // Should user also be presented with username/password fields on the login page to allow local password-based login to the wiki

636 $wgPluggableAuth_EnableLocalLogin = true;

Here is my ldapprovider.json located at /var/www/:

{

"test.local": {

"connection": {

"server": "{IP_ADDRESS_HERE}",

"port": "389",

"user": "CN=XXXXX,CN=Users,DC=test,DC=local",

"pass": "XXXXXXX",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=test,dc=local",

"userbasedn": "dc=test,dc=local",

"groupbasedn": "dc=test,dc=local",

"searchattributes": {

"realname": "cn",

"username": "samaccountname"

},

"grouprequest": {

"groupAttribute": "member",

"isMemberCritical": true

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

"bureaucrat": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],

"interface-admin": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"],

"sysop": ["CN=Domain Admins,CN=Users,DC=test,DC=local", "CN=Adminstrators,CN=Users,DN=test,DN=local"]

}

Reply 18:47, 25 April 2024 3 months ago

Cindy.cicalese (talkcontribs)

Your best bet for getting help is to post at Extension talk:LDAPAuthentication2. Include debug logs from Manual:How to debug.

Reply 21:51, 25 April 2024 3 months ago

Ksmith197 (talkcontribs)

Okay! thank you!

Reply 12:59, 26 April 2024 3 months ago

Reply to "Could not authenticate credentials against domain "test.local""

Could not authenticate credentials against domain "LDAP"

One comment • 14:32, 8 April 2024 3 months ago

1

Summary by Wikiphpnoob

moving from using LDAP to using OpenID Connect

Wikiphpnoob (talkcontribs)

hello, hoping someone can shine a light for me. the site said dont take this job on as a newb and i of course totally ignored that suggestion.

i have MediaWiki 1.41.0, PHP 8.3.3 on Windows Server 2016 ( i know, its old), with IIS 10

I have extensions:

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPGroups');

wfLoadExtension( 'LDAPUserInfo');

wfLoadExtension( 'PluggableAuth' );

when using good accounts to authenticate, getting "Could not authenticate credentials against domain "LDAP"

see below, do i have too much configured? not enough? any suggestion at all would be cool. thanks to any who responds

***LOCALSETTINGS BELOW:***

# Safe IP or not (for bypassing external login via AD)

$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range

$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {

$wikiRequestIP = $_SERVER[$ipsVar];

break;

}

$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON

$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";

$ldapConfig = false;

if (is_file($ldapJsonFile)) {

$testJson = @json_decode(file_get_contents($ldapJsonFile), true);

if (is_array($testJson)) {

$LDAPProviderDomainConfigs = $testJson;

$ldapConfig = true;

} else {

error_log("Found invalid JSON in file: $ldapJsonFile");

}

# Activate extensions

if ($ldapConfig) {

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPGroups');

wfLoadExtension( 'LDAPUserInfo');

wfLoadExtension( 'PluggableAuth' );

$LDAPProviderDomainConfigs = $ldapJsonFile;

$LDAPProviderPreSearchUsernameModifierRegistry = [

'lowercase' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();

}

];

$wgLDAPProvider['CacheType'] = 'CACHE_NONE';

$wgLDAPProvider['CacheTime'] = 3600;

# LDAPAuthentication2 configuration

$LDAPAuthentication2AllowLocalLogin = true;

$LDAPAuthentication2UsernameNormalizer = 'lowercase';

$wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName';

# Configure PluggableAuth settings

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout = true;

$wgPluggableAuth_Config = [

"RAA Wiki Login" => [

'plugin' => 'LDAPAuthentication2',

'data' => ['domain' => 'LDAP']

]

];

$LDAPGroupsSyncMechanismRegistry = [

'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'

];

}

***LDAPPROVIDER.JSON BELOW***

"LDAP": {

"connection": {

"server": "ldap-server",

"port": 389,

"enctype": "clear",

"user": "cn=mediawiki,ou=service accounts,dc=acme,dc=org",

"pass": "pass",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=acme,dc=org",

"userbasedn": "ou=users,dc=acme,dc=org",

"groupbasedn": "ou=groups,dc=acme,dc=org",

"usersearch": "samaccountname",

"groupsearch": "$dn",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "lowercase" ],

"searchstring": "(samaccountname=%{username})"

},

"authorization": {

"rules": {

"groups": {

"required": [

"CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

]

}

},

"groupsync": {

"mechanism": "mappedgroups",

"mapping": {

"information_technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"human_resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

}

},

"userinfo": {

"realname": "samaccountname"

}

**********************************************

help me obi wan kenobi, youre my only hope

16:44, 19 March 2024 4 months ago

Trying to do a LDAP Login

2 comments • 14:18, 1 March 2024 4 months ago

2

GregANICO (talkcontribs)

Hi Everyone, I am wondering if anybody has ran into this issue when trying to login via ldap. I get this error after putting in my domain username and password.

ZeDJRu4hcahAMcLvtSppyAAAAMI] /mediawiki-1.39.5/index.php?title=Special:PluggableAuthLogin MediaWiki\Extension\LDAPProvider\DomainConfigProvider\ConfigException: ⧼ldapprovider-domain-config-invalid⧽

Thanks in advance,

Greg

18:21, 29 February 2024 4 months ago

GregANICO (talkcontribs)

Here is the backtrace:

Backtrace:

from /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(51)

#0 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(70): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct()

#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance()

#2 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/DomainConfigFactory.php(101): call_user_func_array()

#3 /var/www/html/mediawiki-1.39.5/extensions/LDAPProvider/src/ClientFactory.php(62): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()

#4 /var/www/html/mediawiki-1.39.5/extensions/LDAPAuthentication2/src/PluggableAuth.php(254): MediaWiki\Extension\LDAPProvider\ClientFactory->getForDomain()

#5 /var/www/html/mediawiki-1.39.5/extensions/LDAPAuthentication2/src/PluggableAuth.php(123): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin()

#6 /var/www/html/mediawiki-1.39.5/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()

#7 /var/www/html/mediawiki-1.39.5/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()

#8 /var/www/html/mediawiki-1.39.5/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()

#9 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#10 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(904): MediaWiki->performRequest()

#11 /var/www/html/mediawiki-1.39.5/includes/MediaWiki.php(562): MediaWiki->main()

#12 /var/www/html/mediawiki-1.39.5/index.php(52): MediaWiki->run()

#13 /var/www/html/mediawiki-1.39.5/index.php(48): wfIndexMain()

#14 {main}

18:24, 29 February 2024 4 months ago

Modify the login buttons to show even longer button texts (solution presented)

5 comments • 22:28, 25 January 2024 6 months ago

5

Wikinaut (talkcontribs)

It makes the buttons (here the standard Login-button and the Extension:OpenIDConnect-Login-button) to display all texts on the buttons, even if the texts are longer:

In LocalSettings.php add:

# https://www.mediawiki.org/w/index.php?title=Topic:Xx8ol75kyh1qejp8
# How to modify the Login-Page
$GLOBALS['wgHooks']['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
        $style = <<<EOT
            <style type="text/css">
                    button#wpLoginAttempt {
                            white-space: normal;
                            word-wrap: break-word;
                            height: auto !important;
                    }

                    button#mw-input-pluggableauthlogin0 {
                            background-color: salmon !important;
                            border-color: salmon !important;
                            white-space: normal;
                            word-wrap: break-word;
                            height: auto !important;
                    }
            </style>
EOT;

        $out->addHeadItem( 'change-login-button', $style );
        return true;
};

Was discussed here: https://www.mediawiki.org/wiki/Topic:Xx8ol75kyh1qejp8

Reply Edited 20:28, 24 January 2024 6 months ago

Cindy.cicalese (talkcontribs)

Thank you for your contribution. Please feel free to add it to the extension wiki page as a tip.

Reply 17:54, 25 January 2024 6 months ago

Wikinaut (talkcontribs)

This is quite difficult for me because of the translation tags, otherwise I would have added it there.

Reply 19:36, 25 January 2024 6 months ago

Cindy.cicalese (talkcontribs)

You can ignore the translation tags. Somebody else will come along after you and add them.

Reply 22:13, 25 January 2024 6 months ago

Wikinaut (talkcontribs)

merci! I expected that but wanted to wait, thanks. Done.

Reply Edited 22:28, 25 January 2024 6 months ago

Reply to "Modify the login buttons to show even longer button texts (solution presented)"

MW 1.39.6 TypeError

7 comments • 20:04, 4 January 2024 6 months ago

7

DeEliteOne (talkcontribs)

I'm trying to update from MW 1.39.5 to 1.39.6 and am getting the following internal error when trying to log in:

index.php/Special:PluggableAuthLogin TypeError: Argument 1 passed to Jumbojett\OpenIDConnectClient::addScope() must be of the type array, string given, called in /var/www/html/extensions/OpenIDConnect/includes/OpenIDConnect.php on line 199
Backtrace:
from /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php(556)
# 0 /var/www/html/extensions/OpenIDConnect/includes/OpenIDConnect.php(199): Jumbojett\OpenIDConnectClient->addScope()
# 1 /var/www/html/extensions/PluggableAuth/includes/PluggableAuthLogin.php(101): MediaWiki\Extension\OpenIDConnect\OpenIDConnect->authenticate()
# 2 /var/www/html/includes/specialpage/SpecialPage.php(701): MediaWiki\Extension\PluggableAuth\PluggableAuthLogin->execute()
# 3 /var/www/html/includes/specialpage/SpecialPageFactory.php(1428): SpecialPage->run()
# 4 /var/www/html/includes/MediaWiki.php(316): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
# 5 /var/www/html/includes/MediaWiki.php(904): MediaWiki->performRequest()
# 6 /var/www/html/includes/MediaWiki.php(562): MediaWiki->main()
# 7 /var/www/html/index.php(50): MediaWiki->run()
# 8 /var/www/html/index.php(46): wfIndexMain()
# 9 {main}

Here is what I believe to be the relevant config from LocalSettings.php:

wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_Config[] = [
      'plugin' => 'OpenIDConnect',
      'buttonLabelMessage' => 'Example',
      'data' => [
          'providerURL' => 'https://example.com/auth/realms/example',
          'clientID' => getenv('OIDC_CLIENTID'),
          'clientsecret' => getenv('OIDC_CLIENTSECRET')
      ]
];
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableAutoLogin = true;

wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_MigrateUsersByUserName = true;

wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigProvider = function()
{
   $config =
   [
       "LDAP" =>
       [
           "connection" =>
           [
               "server" => "example.com",
               "basedn" => "ou=people,dc=example,dc=com",
               "userbasedn" => "ou=people,ou=system,dc=example,dc=com",
               "searchattribute" => "uid",
               "searchstring" => "USER-NAME",
               "usernameattribute" => "uid",
               "realnameattribute" => "displayName",
               "emailattribute" => "mail",
               "groupbasedn" => "cn=example,ou=secgroups,ou=system,dc=example,dc=com",
               "groupobjectclass" => "groupOfNames",
               "groupattribute" => "member",
               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
           ],
           "authorization" =>
           [
               "rules" =>
               [
                   "groups" =>
                   [
                       "required" => [ "cn=example,ou=secgroups,ou=system,dc=example,dc=com" ]
                   ]
               ]
           ],
       ]
   ];
   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

wfLoadExtension( 'LDAPAuthorization' );

Is there anything I should be changing before trying to update?

Reply 17:39, 4 January 2024 6 months ago

Cindy.cicalese (talkcontribs)

It looks like you are using a newer version of the jumbojett/openid-connect-php library than is supported. The OpenID Connect composer.json file specifies version 0.9.10, which looks to be compatible. A newer commit adds an array typehint to the addScope() function, causing the error. Did you edit the OpenID Connect composer.json file?

Reply 19:15, 4 January 2024 6 months ago

DeEliteOne (talkcontribs)

No, I haven't edited the file, and my live copy of the file is using version 0.9.10. Full contents:

{
       "name": "mediawiki/openidconnect",
       "type": "mediawiki-extension",
       "description": "Provides authentication using OpenID Connect in conjunction with PluggableAuth",
       "license": "MIT",
       "authors": [
               {
                       "name": "Cindy Cicalese",
                       "email": "cicalese@mitre.org"
               }
       ],
       "require": {
               "jumbojett/openid-connect-php": "0.9.10",
               "composer/installers": "~1.0|~2"
       },
       "require-dev": {
               "mediawiki/mediawiki-codesniffer": "39.0.0",
               "mediawiki/minus-x": "1.1.1",
               "php-parallel-lint/php-console-highlighter": "1.0.0",
               "php-parallel-lint/php-parallel-lint": "1.3.2"
       },
       "scripts": {
               "test": [
                       "parallel-lint . --exclude vendor --exclude node_modules",
                       "@phpcs",
                       "minus-x check ."
               ],
               "fix": [
                       "minus-x fix .",
                       "phpcbf"
               ],
               "phpcs": "phpcs -sp --cache"
       },
       "extra": {
               "installer-name": "OpenIDConnect"
       },
       "config": {
               "allow-plugins": {
                       "composer/installers": true
               }
       }
}

Reply 19:41, 4 January 2024 6 months ago

DeEliteOne (talkcontribs)

Nevermind - the deployment is containerized, and I missed that it was pulling the latest release of jumbojett/openid-connect-php in the Dockerfile, overriding individual composer.json files. I'm not exactly sure why it was set up this way (inherited code), but locking the release to v0.9.10 worked. Thanks so much!

Reply 19:53, 4 January 2024 6 months ago

Cindy.cicalese (talkcontribs)

That's very strange. When you look at vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php and search for addScope do you see https://github.com/jumbojett/OpenID-Connect-PHP/blob/master/src/OpenIDConnectClient.php#L556 (which I suspect, based on the stack trace, which is the master branch) or https://github.com/jumbojett/OpenID-Connect-PHP/blob/45aac47b525f0483dd4db3324bb1f1cab4666061/src/OpenIDConnectClient.php#L587 (whose line number do not match the stack trace, but it is version 0.9.10). The manifest on packagist agrees with the git hashes for the versions (https://packagist.org/packages/jumbojett/openid-connect-php#v0.9.10).

Reply 20:02, 4 January 2024 6 months ago

Cindy.cicalese (talkcontribs)

Ah, our messages crossed. I'm so glad you figured it out!

Reply 20:03, 4 January 2024 6 months ago

Cindy.cicalese (talkcontribs)

And now I know I'll need to change the code if I bump the version to the new 1.0.0 release! Thanks!

Reply 20:04, 4 January 2024 6 months ago

Reply to "MW 1.39.6 TypeError"