Manual talk:Active Directory Integration

Hello, dear support!

I am trying to connect my instance of MW to our AD exactly as explained in this page, to which I am adding this topic. I spent a lot of time, reading such discussions on the subject, but cannot get it working.

Here, to save your time, I am attaching my ldap.json and LocalSettings.php (sure, with dummy data replaced sensitive information).

The symptoms:

1. I still see both username and password fields on the login page, but without the standard button "Log in", only with the LDAP log in button, which is.. strange
2. On clicking the LDAP login button I see error message: Could not authenticate credentials against domain "mydomainname.com"
3. php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain ldap.service  --username ldap.user returns only this: Full DNs:     Short names:
4. php extensions/LDAPProvider/maintenance/CheckConnection.php --config /path/to/ldap.json --domain ldap.service "(samaccountname=*)" returns tons of information, related to our LDAP server (DNs)
5. php extensions/LDAPProvider/maintenance/CheckLogin.php --domain ldap.service  --username ldap.user when then I enter correct password it said FAILD, but if I just hit Enter on the password prompt it says OK
6. php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain ldap.service  --username ldap.user returns nothing

ldapsearch returns correct output on test connection.

We restarted Apache after adding PHP modules, we did update.php after applying this new LDAP extensions, as advised in the topic.

Please, help!

ldap.json:

{

  "ldap.service": {

   "connection": {

     "server": "01.myldapservice.com",

     "port": "389",

     "use-tls": "false",

     "user": "CN=ldap.user,OU=IT,DC=myldapservice,DC=com",

     "pass": "passwordtoprotectmygreatldapnetwork",

     "enctype": "clear",

     "options": {

       "LDAP_OPT_DEREF": 1

     },

     "basedn": "DC=myldapservice,DC=com",

     "userbasedn": "DC=myldapservice,DC=com",

     "groupbasedn": "DC=myldapservice,DC=com",

     "searchattribute": "samaccountname",

     "usernameattribute": "samaccountname",

     "realnameattribute": "cn",

     "searchstring": "samaccountname",

     "emailattribute": "mail",

     "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

     "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

   },

   "userinfo": [],

   "authorization": [],

   "groupsync": {

     "mechanism": "mappedgroups",

     "mapping": {

       "developer": "CN=WIKI - Сообщество,OU=Группы доступа Wiki,OU=IT,DC=myldapservice,DC=com"

     }

   }

  }

}

The system and plugins information:

Installed software

Entry point URLs

Installed extensions

LocalSettings.php:

<?php

//error_reporting( -1 ); // Debug

//ini_set( 'display_errors', 1 ); / Debug

# Protect against web entry

if ( !defined( 'MEDIAWIKI' ) ) {

exit;

}

## Uncomment this to disable output compression

# $wgDisableOutputCompression = true;

$wgSitename = "Wiki name";

$wgMetaNamespace = "wiki_name";

$wgScriptPath = "";

## The protocol and server name to use in fully-qualified URLs

$wgServer = "https://myserver.com";

## The URL path to static resources (images, scripts, etc.)

$wgResourceBasePath = $wgScriptPath;

## The URL paths to the logo. Make sure you change this from the default,

## or else you'll overwrite your logo when you upgrade!

$wgLogos = [

'1x' => "$wgResourceBasePath/resources/assets/logo.png",

'icon' => "$wgResourceBasePath/resources/assets/logo.png",

];

$wgDebugLogFile = "$wgResourceBasePath/logs/mw.log";

## UPO means: this is also a user preference option

$wgEnableEmail = false;

$wgEnableUserEmail = true; # UPO

$wgEmergencyContact = "";

$wgPasswordSender = "";

$wgEnotifUserTalk = false; # UPO

$wgEnotifWatchlist = false; # UPO

$wgEmailAuthentication = true;

## Database settings

$wgDBtype = "mysql";

$wgDBserver = "localhost";

$wgDBname = "dbname";

$wgDBuser = "dbuser";

$wgDBpassword = "thestrongestpasswordinthewordforthedatabaseandmediawikionecouldeverguess";

# MySQL specific settings

$wgDBprefix = "wiki_";

# MySQL table options to use during installation or update

$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table

# This has no effect unless $wgSharedDB is also set.

$wgSharedTables[] = "actor";

## Shared memory settings

$wgMainCacheType = CACHE_NONE;

$wgMemCachedServers = [];

## To enable image uploads, make sure the 'images' directory

## is writable, then set this to true:

$wgEnableUploads = true;

#$wgUseImageMagick = true;

#$wgImageMagickConvertCommand = "/usr/bin/convert";

$wgUseInstantCommons = false;

$wgPingback = false;

# Site language code, should be one of the list in ./includes/languages/data/Names.php

$wgLanguageCode = "gb";

# CSS path

$wgCSSPath = '';

$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {

  $out->addScriptFile( '/js/jquery.js' );

};

$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {

  $out->addScriptFile( '/js/bpmn-navigated-viewer.development.js' );

};

#$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {

#    $out->addScriptFile( '/js/bpmn-viewer.development.js' );

#};

$wgHooks['MimeMagicInit'][] = static function ( MimeAnalyzer $mime ) {

$mime->addExtraTypes( 'application/xml bpmn' );

};

$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {

  $out->addStyle( '/css/fontawesome/css/fontawesome.css' );

};

$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {

  $out->addStyle( '/css/fontawesome/css/solid.css' );

};

$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {

  $out->addStyle( '/css/fontawesome/css/regular.css' );

};

// Adding help to the footer

$wgHooks['SkinAddFooterLinks'][] = function ( Skin $skin, string $key, array &$footerlinks ) {

if ( $key === 'places' ) {

  $footerlinks['helper-page'] = $skin->footerLink( 'Help-link-text', 'Help-Link' );

  $footerlinks['glossary-page'] = $skin->footerLink( 'Glossary-link-text', 'Glossary-Link' );

};

};

$wgUploadDirectory = 'uploads';

$wgUploadPath = 'uploads';

$wgFileExtensions[] = 'bpmn';

# Time zone

$wgLocaltimezone = "UTC";

## Set $wgCacheDirectory to a writable directory on the web server

## to make your wiki go slightly faster. The directory should not

## be publicly accessible from the web.

#$wgCacheDirectory = "$IP/cache";

$wgSecretKey = "mysecretkeyforthisgreatwikiofalltimes";

# Changing this will log out all existing sessions.

$wgAuthenticationTokenVersion = "1";

# Site upgrade key. Must be set to a string (default provided) to turn on the

# web installer while LocalSettings.php is in place

$wgUpgradeKey = "myupgradekeyforthiswiki";

## For attaching licensing metadata to pages, and displaying an

## appropriate copyright notice / icon. GNU Free Documentation

## License and Creative Commons licenses are supported so far.

$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright

$wgRightsUrl = "";

$wgRightsText = "";

$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.

$wgDiff3 = "/usr/bin/diff3";

# The following permissions were set based on your choice in the installer

$wgAddGroups['sysop'] = ['bureaucrat', 'sysop'];

$wgRemoveGroups['sysop'] = ['bureaucrat', 'sysop'];

## Default skin: you can change the default skin. Use the internal symbolic

## names, e.g. 'vector' or 'monobook':

$wgDefaultSkin = "Medik";

$wgMedikColor = "#347291";

# Enabled skins.

# The following skins were automatically enabled:

wfLoadSkin( 'Medik' );

// DEBUG //

$wgShowExceptionDetails = true;

$wgDebugToolbar = true;

$wgShowDebug = true;

$wgDevelopmentWarnings = true;

// <ActiveDirectorty integration> //

// Safe IP or not (for bypassing external login via AD)

$safeIPs = array('127.0.0.1','localhost');

$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }

}

$wikiRequestSafe = ( isset($wikiRequestIP ) && ( in_array($wikiRequestIP,$safeIPs) ));

// Create Wiki-Group 'engineering' from default user group

$wgGroupPermissions['developer'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['sysop']['createaccount'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "/path/to/ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {

$testJson = @json_decode(file_get_contents($ldapJsonFile),true);

if (is_array($testJson)) {

  $ldapConfig = true;

} else {

  error_log("Found invalid JSON in file: /path/to/ldap.json");

}

}

// Activate Extension

if ( $ldapConfig ) {

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPUserInfo' );

wfLoadExtension( 'LDAPGroups' );

wfLoadExtension( 'LDAPProvider' );

$LDAPProviderDomainConfigs = $ldapJsonFile;

$wgPluggableAuth_Config['Enter, using LDAP service'] = [

  'plugin' => 'LDAPAuthentication2',

  'data' => [

    'domain' => 'ldap.service'

  ]

];

$wgPluggableAuth_Class = "MediaWiki\\Extension\\LDAPAuthentication2\\PluggableAuth";

//  $wgPluggableAuth_Config = array(

//    array('plugin' => 'LDAPAuthentication2'),

//    array('plugin' => 'LDAPAuthorization'),

////    array('plugin' => 'LDAPUserInfo'),

////    array('plugin' => 'LDAPGroups'),

////    array('plugin' => 'LDAPProvider')

//  );

// Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)

$LDAPProviderDefaultDomain = "ldap.service";

if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }

}

// </ActiveDirectorty integration> //

$wgUserMergeProtectedGroups = [];

$wgGroupPermissions['sysop']['usermerge'] = true;

$wgGroupPermissions['sysop']['usermerge'] = true;

$wgGroupPermissions['sysop']['deletelogentry'] = true;

$wgGroupPermissions['sysop']['deleterevision'] = true;

# Enabled extensions. Most of the extensions are enabled by adding

# wfLoadExtension( 'ExtensionName' );

# to LocalSettings.php. Check specific extension documentation for more details.

# The following extensions were automatically enabled:

wfLoadExtension( 'CategoryTree' );

wfLoadExtension( 'Cite' );

wfLoadExtension( 'CiteThisPage' );

wfLoadExtension( 'CodeEditor' );

wfLoadExtension( 'CSS' );

wfLoadExtension( 'Gadgets' );

wfLoadExtension( 'ImageMap' );

wfLoadExtension( 'InputBox' );

wfLoadExtension( 'Interwiki' );

wfLoadExtension( 'Math' );

wfLoadExtension( 'MultimediaViewer' );

wfLoadExtension( 'Nuke' );

wfLoadExtension( 'OATHAuth' );

wfLoadExtension( 'PageImages' );

wfLoadExtension( 'ParserFunctions' );

wfLoadExtension( 'PdfHandler' );

wfLoadExtension( 'Poem' );

wfLoadExtension( 'Renameuser' );

wfLoadExtension( 'ReplaceText' );

wfLoadExtension( 'Scribunto' );

wfLoadExtension( 'SecureLinkFixer' );

wfLoadExtension( 'SyntaxHighlight_GeSHi' );

wfLoadExtension( 'TemplateData' );

wfLoadExtension( 'TextExtracts' );

wfLoadExtension( 'UserMerge' );

wfLoadExtension( 'VisualEditor' );

wfLoadExtension( 'WikiEditor' );

# End of automatically generated settings.

# Add more configuration options below.

$wgShowExceptionDetails = true;

Solved.

Hi, how did you solved?

Hi Arsenii Gorkin,

I'm getting the same exact error as you had. In the CheckLogin.php, if I entered my password it returns Failed. But if I just press enter, it returns OK. ShowUserInfo.php was giving correct results.

Can you please tell us on how you solve the issue on your side? Thank you very much

@Arsenii Gorkin

Hi Arsenii Gorkin,

I'm getting the same exact error as you had. In the CheckLogin.php, if I entered my password it returns Failed. But if I just press enter, it returns OK. ShowUserInfo.php was giving correct results.

Can you please tell us on how you solve the issue on your side? Thank you very much

Hi, i want that just one group of active directory be able to authenticate or read in the wiki.

By the configuration, it allows every user of the domain.

Hello,

Im trying to setup ldap on Mediawiki 1.39.4, all plugins also downloaded for 1.39 version. LDAP is hosted in docker with OpenLDAP, Mediawiki is hosted on xampp with MySQL database. I think i configured everything how it should be by reading Active Directory Integration manual. When im clicking on log in im getting "The data provided cannot be used for credential checks."

Below is my ldap.json (ip and password changed for posting this):

{

    "ldap.computingforgeeks.com": {

        "connection": {

            "server": "ldap://ip:389",

            "port": "389",

            "use-tls": "true",

            "user": "cn=admin,dc=computingforgeeks,dc=com",

            "pass": "password",

            "enctype": "clear",

            "options": {

                "LDAP_OPT_DEREF": 1

            },

            "basedn": "dc=computingforgeeks,dc=com",

            "userbasedn": "ou=users,dc=computingforgeeks,dc=com",

            "groupbasedn": "ou=groups,dc=computingforgeeks,dc=com",

            "searchattribute": "sAMAccountName",

            "usernameattribute": "sAMAccountName",

            "realnameattribute": "cn",

            "emailattribute": "mail",

            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

        },

        "userinfo": [],

        "authorization": [],

        "groupsync": {

            "mapping": {

                "engineering": "CN=employees,OU=Groups,DC=computingforgeeks,DC=com",

                "employer": "CN=employer,OU=Groups,DC=computingforgeeks,DC=com"

        }

        }

    }

}

Below is LocalSettings.php:

# End of automatically generated settings.

# Add more configuration options below.

// Safe IP or not (for bypassing external login via AD)

$safeIPs = array('127.0.0.1','localhost');

$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }

}

$wikiRequestSafe = ( isset($wikiRequestIP ) && ( in_array($wikiRequestIP,$safeIPs) ));

// Create Wiki-Group 'engineering' from default user group

$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = true;

$wgGroupPermissions['*']['read'] = true;

$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['sysop']['createaccount'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "$IP/ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {

  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);

  if (is_array($testJson)) {

    $ldapConfig = true;

  } else {

    error_log("Found invalid JSON in file: $IP/ldap.json");

  }

}

// Activate Extension

if ( $ldapConfig ) {

  wfLoadExtension( 'PluggableAuth' );

  wfLoadExtension( 'LDAPProvider' );

  wfLoadExtension( 'LDAPAuthentication2' );

  wfLoadExtension( 'LDAPUserInfo' );

  wfLoadExtension( 'LDAPGroups' );

  $LDAPProviderDomainConfigs = $ldapJsonFile;

  $wgPluggableAuth_ButtonLabel = "Log In";

  // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)

  $LDAPProviderDefaultDomain = "ldap.computingforgeeks.com";

  if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = false; }

}

I also checked ldap connection using python script and everything works in it. On mediawiki im getting error. Do you have any ideas what could help? Also i have deleted LDAPAuthorization plugin for a while and it changed nothing.

Hello,

I am currently setting up a wiki and would like to connect the AD. Im using MediaWiki Version 1.39.3, LDAP Stack Version 1.39, PHP 7.4.3 nts and IIS Webserver. I have done every step as described in the instructions, but when I try to log in with an AD user I get the following error message: "The username or password is incorrect. Please try again". My ldap.json seems to be correct, I can run "CheckUserLogin" and "ShowUserInfo" successfully.

Can someone help me in this case? has anyone ever had the problem before?

I also installed MediaWiki 1.35.10 with the LDAP Stack Version 1.35, but here i also get an error message, here you can see:

Notice: Undefined index: sAMAccountName in C:\inetpub\wwwroot\mediawiki135\extensions\LDAPAuthentication2\src\PluggableAuth.php on line 203

276a8d50710e0d16830c7f12] /mediawiki135/index.php?title=Spezial:PluggableAuthLogin TypeError from line 57 of C:\inetpub\wwwroot\mediawiki135\includes\user\UserFactory.php: Argument 1 passed to MediaWiki\User\UserFactory::newFromName() must be of the type string, null given, called in C:\inetpub\wwwroot\mediawiki135\extensions\LDAPAuthentication2\src\PluggableAuth.php on line 68

Backtrace:

#0 C:\inetpub\wwwroot\mediawiki135\extensions\LDAPAuthentication2\src\PluggableAuth.php(68): MediaWiki\User\UserFactory->newFromName()

#1 C:\inetpub\wwwroot\mediawiki135\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()

#2 C:\inetpub\wwwroot\mediawiki135\includes\specialpage\SpecialPage.php(600): PluggableAuthLogin->execute()

#3 C:\inetpub\wwwroot\mediawiki135\includes\specialpage\SpecialPageFactory.php(635): SpecialPage->run()

#4 C:\inetpub\wwwroot\mediawiki135\includes\MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#5 C:\inetpub\wwwroot\mediawiki135\includes\MediaWiki.php(947): MediaWiki->performRequest()

#6 C:\inetpub\wwwroot\mediawiki135\includes\MediaWiki.php(547): MediaWiki->main()

#7 C:\inetpub\wwwroot\mediawiki135\index.php(53): MediaWiki->run()

#8 C:\inetpub\wwwroot\mediawiki135\index.php(46): wfIndexMain()

#9 {main}

I don't know what else I can try, can someone help me?

Thanks in Advance!

Hello,

I've installed Mediawiki 1.39.2, xamp 8.2.0 and extensions 1.39 over Microsoft Windows. I want to integrate to Active Directory.

After running update.php (which ran apparently ok), mediawiki doesn't let me login in, even with administrator user. It shows always this message:

"Las credenciales proporcionadas no se han podido autentificar."

I tested CheckLogin.php and ShowUserInfo.php. Both ran ok.

D:\xampp\php>php d:\xampp\htdocs\mediawiki\extensions\LDAPProvider\maintenance\CheckLogin.php --domain domino.local --username wikisoludepa

Password:XXXXXXXXX

OK

D:\xampp\php>php d:\xampp\htdocs\mediawiki\extensions\LDAPProvider\maintenance\ShowUserInfo.php --domain dominio.local --username marisolb

cn => marisolb

................

dn => CN=marisolb,CN=Users,DC=dominio,DC=local

I don't see error at the output of update.php.

I enabled debug and this is the output of trying to login. Can someone please help me to find the problem?

Thanks in advance.

.....................................................................................

[authentication] Login failed in primary authentication because no provider accepted

..................................................................................

[authevents] Login attempt

......................................................

[DBQuery] MediaWiki::preOutputCommit [0s] localhost: COMMIT

MediaWiki::preOutputCommit: primary transaction round committed

MediaWiki::preOutputCommit: pre-send deferred updates completed

MediaWiki::preOutputCommit: session changes committed

[DBReplication] Wikimedia\Rdbms\LBFactory::shutdown: finished ChronologyProtector shutdown

[DBReplication] LBFactory shutdown completed

.................................................................................

OutputPage::sendCacheControl: no caching **

[DBQuery] MediaWiki::restInPeace [0.002s] localhost: COMMIT

...................................................................

[DBReplication] LBFactory shutdown completed

Request ended normally

[session] Saving all sessions on shutdown

[resourceloader] Failed to find echo-badge-count (es)

[resourceloader] Failed to find templatedata-doc-subpage (es)

The instructions do no longer work since PuggableAuth v6.0. The variable wgPluggableAuth_ButtonLabel is no longer supported, instead wgPluggableAuth_Config is mandatory required.

As as documentation of PluggableAuth mentions that other plugins need to be compatible with the new version I have downloaded the old MediaWiki V1.35 compatible version 5.7 which is deprecated but still works.

The Auth_remoteuser extension is not mentioned in this article, but appears to be required for AD authentication to work.

I've setup AD integration according to this manual in my private wiki, but after perform php maintenance/update.php and restart httpd on the new browser window in incognito mode at the wiki.company.com/index.php/Special:UserLogin I see only

The supplied credentials are not associated with any user on this wiki. without option to type user or password.

My current configration:

ldap.json:

{
    "company.local": {
        "connection": {
            "server": "dc.company.local",
            "port": "389",
            "user": "CN=mediawiki,CN=Users,DC=company,DC=local",
            "pass": "P@ssw0rd",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=company,dc=local",
            "userbasedn": "dc=company,dc=local",
            "groupbasedn": "dc=company,dc=local",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mapping": {
                "admins": "CN=Domain Admins,CN=Users,DC=company,DC=local"
            }
        }
    }
}

LocalSettings.php:

[...]
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
 if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = (isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));
$wgGroupPermissions['sysop'] = $wgGroupPermissions['user'];
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);
  if (is_array($testJson)) {
    $ldapConfig = true;
  } else {
    error_log("Found invalid JSON in file: $IP/ldap.json");
  }
}
if ( $ldapConfig ) {
  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  wfLoadExtension( 'LDAPAuthorization' );
  wfLoadExtension( 'LDAPUserInfo' );
  wfLoadExtension( 'LDAPGroups' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Log In";
  $LDAPProviderDefaultDomain = "company.local";
  if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
  $LDAPAuthentication2AllowLocalLogin = true;
}

(pretty much the same as example in manual)

I've ensured network connection (firewall, dns resolution).

I've enabled in debug LocalSettings.php by adding $wgDebugLogFile = "$IP/debug.log";

Entering login page creates almost 4k lines of code so I share it via pastebin: https://phabricator.wikimedia.org/P28279

What I check else?

Environment: PHP 7.4.6, Mediawiki 1.37.2, LDAP extensions stack: REL1_35

If I execute php extensions/LDAPProvider/maintenance/ShowUserInfo.php -d company.local -u mediawiki I see output about AD's mediawiki bind user.

ldap_domains table in database is created but it's empty

I've updated LDAP extensions to 1_37 and now works.

$LDAPProviderDomainConfigProvider = function() {

        $config = [

                'DOMAIN' => [

                        'connection' => [

                                "server" => "AD-SERVER",

                                "port" => "3268",

                                "enctype" => "tls",

                                "user" => "CN=user,OU=stuff",

                                "pass" => "password123",

                                "options" => [

                                        "LDAP_OPT_DEREF" => 1,

                                        "LDAP_OPT_REFERRALS" => 0,

                                        "LDAP_OPT_X_TLS_CRLCHECK" => 0,

                                        "LDAP_OPT_X_TLS_REQUIRE_CERT" => 0

                                ],

                                "basedn" => "DC=DOMAIN,DC=TLD",

                                "groupbasedn" => "...",

                                "userbasedn" => "...",

                                "searchattribute" => "cn",

                                "usernameattribute" => "cn",

                                "realnameattribute" => "mail",

                                "emailattribute" => "mail",

                                "presearchusernamemodifiers" => [ "spacestounderscores", "lowercase" ]

                        ],

                        "userinfo" => [],

                        "authorization" => [],

                        "groupsync" => [

                                "mapping" => [

                                        "user" => "GROUP-ALL-USERS-ARE-IN"

                                ]

                        ]

                ]

        ];

        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

It will automatically be used by LDAPAuthentication2