Hello, dear support!
I am trying to connect my instance of MW to our AD exactly as explained on this page, to which I am adding this topic. I have spent a lot of time reading discussions on the subject, but cannot get it working.
Here, to save your time, I am attaching my ldap.json and LocalSettings.php (with sensitive information replaced by dummy data, of course).
The symptoms:
- I still see both the username and password fields on the login page, but without the standard "Log in" button, only with the LDAP login button, which is strange
- On clicking the LDAP login button I see the error message: Could not authenticate credentials against domain "mydomainname.com"
- php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain ldap.service --username ldap.user returns only this: Full DNs: Short names:
- php extensions/LDAPProvider/maintenance/CheckConnection.php --config /path/to/ldap.json --domain ldap.service "(samaccountname=*)" returns tons of information, related to our LDAP server (DNs)
- php extensions/LDAPProvider/maintenance/CheckLogin.php --domain ldap.service --username ldap.user: when I then enter the correct password it says FAILD, but if I just hit Enter on the password prompt it says OK
- php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain ldap.service --username ldap.user returns nothing
ldapsearch returns correct output on test connection.
We restarted Apache after adding the PHP modules, and we ran update.php after applying these new LDAP extensions, as advised in the topic.
Please, help!
ldap.json:
{
    "ldap.service": {
        "connection": {
            "server": "01.myldapservice.com",
            "port": "389",
            "use-tls": "false",
            "user": "CN=ldap.user,OU=IT,DC=myldapservice,DC=com",
            "pass": "passwordtoprotectmygreatldapnetwork",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "DC=myldapservice,DC=com",
            "userbasedn": "DC=myldapservice,DC=com",
            "groupbasedn": "DC=myldapservice,DC=com",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "searchstring": "samaccountname",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "developer": "CN=WIKI - Сообщество,OU=Группы доступа Wiki,OU=IT,DC=myldapservice,DC=com"
            }
        }
    }
}
The system and plugins information:

Installed software

| Product | Version |
|---|---|
| MediaWiki | 1.39.3 (1a4ca63) 12:21, 12 August 2023 |
| PHP | 8.2.10 (fpm-fcgi) |
| MySQL | 8.0.34-0ubuntu0.22.04.1 |
| ICU | 70.1 |
| Lua | 5.1.5 |
| Pygments | 2.11.2 |

Entry point URLs

| Entry point | URL |
|---|---|
| Article path | /index.php?title=$1 |
| Script path | / |
| index.php | /index.php |
| api.php | /api.php |
| rest.php | /rest.php |

Installed extensions

Special pages

| Extension | Version |
|---|---|
| CiteThisPage | – |
| Interwiki | 3.2 |
| Nuke | – |
| Renameuser | – |
| Replace Text | 1.7 |
| UserMerge | 1.10.1 (a6fd7d8) 05:50, 1 August 2023 |

Editors

| Extension | Version |
|---|---|
| CodeEditor | – |
| VisualEditor | 0.1.2 |
| WikiEditor | 0.5.3 |

Parser hooks

| Extension | Version |
|---|---|
| CategoryTree | – |
| Cite | – |
| CSS | 3.5.0 (035e731) 03:47, 4 December 2022 |
| ImageMap | – |
| InputBox | 0.3.0 |
| Math | 3.0.0 |
| ParserFunctions | 1.6.0 |
| Poem | – |
| Scribunto | – |
| SyntaxHighlight | 2.0 |
| TemplateData | 0.1.2 |

Media handlers

| Extension | Version |
|---|---|
| PDF Handler | – |

API

| Extension | Version |
|---|---|
| PageImages | – |

Other

| Extension | Version |
|---|---|
| Gadgets | – |
| LDAPAuthentication2 | 2.0.2 (b83f5d1) 07:23, 4 September 2023 |
| LDAPAuthorization | 2.0.1 (fbb1c3b) 07:23, 4 September 2023 |
| LDAPGroups | 2.0.1 (1f945ca) 07:23, 4 September 2023 |
| LDAPProvider | 2.0.1 (dc89b2f) 07:23, 4 September 2023 |
| LDAPUserInfo | 2.0.0 (01a4b9e) 10:03, 14 June 2023 |
| MultimediaViewer | – |
| OATHAuth | 0.5.0 |
| PluggableAuth | 7.0.0 (1cbf448) 05:33, 29 August 2023 |
| SecureLinkFixer | – |
| TextExtracts | – |
LocalSettings.php:
<?php
//error_reporting( -1 ); // Debug
//ini_set( 'display_errors', 1 ); // Debug
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
    exit;
}
## Uncomment this to disable output compression
# $wgDisableOutputCompression = true;
$wgSitename = "Wiki name";
$wgMetaNamespace = "wiki_name";
$wgScriptPath = "";
## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://myserver.com";
## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;
## The URL paths to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogos = [
    '1x' => "$wgResourceBasePath/resources/assets/logo.png",
    'icon' => "$wgResourceBasePath/resources/assets/logo.png",
];
$wgDebugLogFile = "$wgResourceBasePath/logs/mw.log";
## UPO means: this is also a user preference option
$wgEnableEmail = false;
$wgEnableUserEmail = true; # UPO
$wgEmergencyContact = "";
$wgPasswordSender = "";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;
## Database settings
$wgDBtype = "mysql";
$wgDBserver = "localhost";
$wgDBname = "dbname";
$wgDBuser = "dbuser";
$wgDBpassword = "thestrongestpasswordinthewordforthedatabaseandmediawikionecouldeverguess";
# MySQL specific settings
$wgDBprefix = "wiki_";
# MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
# Shared database table
# This has no effect unless $wgSharedDB is also set.
$wgSharedTables[] = "actor";
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = [];
## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = true;
#$wgUseImageMagick = true;
#$wgImageMagickConvertCommand = "/usr/bin/convert";
$wgUseInstantCommons = false;
$wgPingback = false;
# Site language code, should be one of the list in ./includes/languages/data/Names.php
$wgLanguageCode = "gb";
# CSS path
$wgCSSPath = '';
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
    $out->addScriptFile( '/js/jquery.js' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
    $out->addScriptFile( '/js/bpmn-navigated-viewer.development.js' );
};
#$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
#    $out->addScriptFile( '/js/bpmn-viewer.development.js' );
#};
$wgHooks['MimeMagicInit'][] = static function ( MimeAnalyzer $mime ) {
    $mime->addExtraTypes( 'application/xml bpmn' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
    $out->addStyle( '/css/fontawesome/css/fontawesome.css' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
    $out->addStyle( '/css/fontawesome/css/solid.css' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
    $out->addStyle( '/css/fontawesome/css/regular.css' );
};
// Adding help to the footer
$wgHooks['SkinAddFooterLinks'][] = function ( Skin $skin, string $key, array &$footerlinks ) {
    if ( $key === 'places' ) {
        $footerlinks['helper-page'] = $skin->footerLink( 'Help-link-text', 'Help-Link' );
        $footerlinks['glossary-page'] = $skin->footerLink( 'Glossary-link-text', 'Glossary-Link' );
    }
};
$wgUploadDirectory = 'uploads';
$wgUploadPath = 'uploads';
$wgFileExtensions[] = 'bpmn';
# Time zone
$wgLocaltimezone = "UTC";
## Set $wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publicly accessible from the web.
#$wgCacheDirectory = "$IP/cache";
$wgSecretKey = "mysecretkeyforthisgreatwikiofalltimes";
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";
# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
$wgUpgradeKey = "myupgradekeyforthiswiki";
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";
# The following permissions were set based on your choice in the installer
$wgAddGroups['sysop'] = ['bureaucrat', 'sysop'];
$wgRemoveGroups['sysop'] = ['bureaucrat', 'sysop'];
## Default skin: you can change the default skin. Use the internal symbolic
## names, e.g. 'vector' or 'monobook':
$wgDefaultSkin = "Medik";
$wgMedikColor = "#347291";
# Enabled skins.
# The following skins were automatically enabled:
wfLoadSkin( 'Medik' );
// DEBUG //
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgShowDebug = true;
$wgDevelopmentWarnings = true;
// <ActiveDirectory integration> //
// Safe IP or not (for bypassing external login via AD)
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = ( isset($wikiRequestIP ) && ( in_array($wikiRequestIP,$safeIPs) ));
// Create Wiki-Group 'engineering' from default user group
$wgGroupPermissions['developer'] = $wgGroupPermissions['user'];
// Private Wiki. External LDAP login. Default NS requires login.
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
// Load LDAP Config from JSON
$ldapJsonFile = "/path/to/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
    $testJson = @json_decode(file_get_contents($ldapJsonFile),true);
    if (is_array($testJson)) {
        $ldapConfig = true;
    } else {
        error_log("Found invalid JSON in file: /path/to/ldap.json");
    }
}
// Activate Extension
if ( $ldapConfig ) {
    wfLoadExtension( 'PluggableAuth' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPAuthorization' );
    wfLoadExtension( 'LDAPUserInfo' );
    wfLoadExtension( 'LDAPGroups' );
    wfLoadExtension( 'LDAPProvider' );
    $LDAPProviderDomainConfigs = $ldapJsonFile;
    $wgPluggableAuth_Config['Enter, using LDAP service'] = [
        'plugin' => 'LDAPAuthentication2',
        'data' => [
            'domain' => 'ldap.service'
        ]
    ];
    $wgPluggableAuth_Class = "MediaWiki\\Extension\\LDAPAuthentication2\\PluggableAuth";
    // $wgPluggableAuth_Config = array(
    //     array('plugin' => 'LDAPAuthentication2'),
    //     array('plugin' => 'LDAPAuthorization'),
    ////     array('plugin' => 'LDAPUserInfo'),
    ////     array('plugin' => 'LDAPGroups'),
    ////     array('plugin' => 'LDAPProvider')
    // );
    // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)
    $LDAPProviderDefaultDomain = "ldap.service";
    if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
}
// </ActiveDirectory integration> //
$wgUserMergeProtectedGroups = [];
$wgGroupPermissions['sysop']['usermerge'] = true;
$wgGroupPermissions['sysop']['deletelogentry'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;
# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtension( 'ExtensionName' );
# to LocalSettings.php. Check specific extension documentation for more details.
# The following extensions were automatically enabled:
wfLoadExtension( 'CategoryTree' );
wfLoadExtension( 'Cite' );
wfLoadExtension( 'CiteThisPage' );
wfLoadExtension( 'CodeEditor' );
wfLoadExtension( 'CSS' );
wfLoadExtension( 'Gadgets' );
wfLoadExtension( 'ImageMap' );
wfLoadExtension( 'InputBox' );
wfLoadExtension( 'Interwiki' );
wfLoadExtension( 'Math' );
wfLoadExtension( 'MultimediaViewer' );
wfLoadExtension( 'Nuke' );
wfLoadExtension( 'OATHAuth' );
wfLoadExtension( 'PageImages' );
wfLoadExtension( 'ParserFunctions' );
wfLoadExtension( 'PdfHandler' );
wfLoadExtension( 'Poem' );
wfLoadExtension( 'Renameuser' );
wfLoadExtension( 'ReplaceText' );
wfLoadExtension( 'Scribunto' );
wfLoadExtension( 'SecureLinkFixer' );
wfLoadExtension( 'SyntaxHighlight_GeSHi' );
wfLoadExtension( 'TemplateData' );
wfLoadExtension( 'TextExtracts' );
wfLoadExtension( 'UserMerge' );
wfLoadExtension( 'VisualEditor' );
wfLoadExtension( 'WikiEditor' );
# End of automatically generated settings.
# Add more configuration options below.
$wgShowExceptionDetails = true;
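Two details in the post above deserve a closer look from a defender's side. First, CheckLogin.php reporting OK when the password prompt is left empty but FAILD with the real password is the signature of an unauthenticated simple bind (RFC 4513 section 5.1.2): a bind request carrying a DN and an empty password is treated by many directories, Active Directory included by default, as anonymous and answered with success, even though no credential was checked. A client that does not refuse empty passwords before calling the bind can therefore log anyone in. Second, the "safe IP" block in LocalSettings.php reads HTTP_X_FORWARDED_FOR before REMOTE_ADDR; those headers are set by the client unless a trusted reverse proxy overwrites them, so the local-login bypass can be triggered by anyone who sends the header. The script below is an added example written for this page; it is not code from the original post nor from the LDAPProvider or PluggableAuth extensions. It uses only PHP's built-in ldap_* functions, and the host, DNs, account names and proxy address in it are constructed placeholders. The three pure helpers (credentialsUsable, userFilter, requestIsLocal) run offline; checkLogin needs a reachable directory.

```php
<?php
// Added example (not from the original post or the MediaWiki LDAP extensions):
// the checks a defender wants in front of any ldap_bind(), plus a proxy-aware
// "is this request local?" decision. All host/DN/account values are constructed.
declare(strict_types=1);

/** Refuse credentials that would degrade into an anonymous or unauthenticated bind. */
function credentialsUsable(string $username, string $password): bool
{
    // An empty or whitespace-only password becomes an unauthenticated bind
    // (RFC 4513 s.5.1.2), which the server may answer with success. Never send it.
    if (trim($password) === '') {
        return false;
    }
    // An empty bind DN/username is an anonymous bind; refuse that as well.
    return trim($username) !== '';
}

/** Build the user-lookup filter with the account name escaped for the filter grammar. */
function userFilter(string $searchAttribute, string $username): string
{
    // ldap_escape() neutralises ( ) * \ and NUL so a crafted name cannot widen the filter.
    $safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    return sprintf('(&(objectClass=user)(%s=%s))', $searchAttribute, $safe);
}

/**
 * Decide whether a request originates from the server itself.
 * X-Forwarded-For is only honoured when the TCP peer is one of $trustedProxies;
 * otherwise the header is client-controlled and is ignored.
 */
function requestIsLocal(array $server, array $trustedProxies, array $localIps = ['127.0.0.1', '::1']): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The proxy appends the real client as the last hop it added; take the first entry
        // only if the proxy is known to overwrite (not append to) the header.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $peer = $hops[0];
    }
    return in_array($peer, $localIps, true);
}

/**
 * Authenticate $username/$password against the directory (two-step bind):
 * bind as the service account to find the user's DN, then bind as the user.
 * Returns true only when a non-empty password binds successfully.
 */
function checkLogin(string $host, string $baseDn, string $searchAttribute,
                    string $serviceDn, string $servicePass,
                    string $username, string $password, bool $useLdaps = true): bool
{
    if (!credentialsUsable($serviceDn, $servicePass) || !credentialsUsable($username, $password)) {
        return false;
    }
    // Prefer LDAPS on 636; a plain ldap:// connection is only continued after StartTLS succeeds,
    // so the bind password never crosses the wire in cleartext (unlike "enctype": "clear" on 389).
    $conn = ldap_connect($useLdaps ? "ldaps://{$host}:636" : "ldap://{$host}:389");
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD emits referrals; chasing them breaks searches
    if (!$useLdaps && !@ldap_start_tls($conn)) {
        return false; // refuse to continue without encryption
    }
    if (!@ldap_bind($conn, $serviceDn, $servicePass)) {
        return false;
    }
    $result = @ldap_search($conn, $baseDn, userFilter($searchAttribute, $username), ['dn']);
    $entries = $result === false ? false : ldap_get_entries($conn, $result);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false; // unknown or ambiguous account
    }
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok;
}

// Offline demonstration with constructed values.
var_dump(credentialsUsable('ldap.user', ''));
var_dump(credentialsUsable('ldap.user', 'correct horse battery'));
echo userFilter('samaccountname', 'ldap.user)(objectClass=*'), PHP_EOL;
var_dump(requestIsLocal(['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], ['10.0.0.2']));
var_dump(requestIsLocal(['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'], ['10.0.0.2']));
```

The first requestIsLocal() call mirrors the situation the post's loop would get wrong: a remote peer presenting a forged X-Forwarded-For of 127.0.0.1 is not trusted because 203.0.113.7 is not a known proxy, whereas the same header from the trusted proxy 10.0.0.2 is. When running checkLogin() against a real directory, the service account should be a read-only account whose password is kept out of the web root, and the JSON config should use an encrypted transport rather than a cleartext bind on port 389.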