Talk:LDAP hub


Lucazeo (talkcontribs)

https://www.mediawiki.org/wiki/Talk:LDAP_hub

I installed and configured:

LDAPAuthentication2

LDAPAuthorization

LDAPGroups

LDAPProvider

LDAPUserInfo

PluggableAuth

I can successfully run the following scripts under extensions/LDAPProvider/maintenance/:

ShowUserInfo.php, ShowUserGroups.php, CheckLogin.php.

But when I try to login I get:

Could not authenticate credentials against domain "mydomain"

So I enabled debug log with:

$wgDebugLogGroups['PluggableAuth'] =

$wgDebugLogGroups['LDAP'] =

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =

$wgDebugLogGroups['LDAPGroups'] =

$wgDebugLogGroups['LDAPUserInfo'] =

$wgDebugLogGroups['LDAPAuthentication2'] =

$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

But I get no log. Nothing... /tmp/ can be written by anyone. What can I investigate?

Osnard (talkcontribs)
Lucazeo (talkcontribs)

I did:

$wgDebugLogFile = "/tmp/debug-ldap.log";

But it is populated only by maintenance jobs.

Osnard (talkcontribs)

This is probably a file system permission issue. The CLI user that runs maintenance/runJobs.php has permissions to write this file, but the webserver doesn't.

Alternatively the LDAP extensions are just not invoked in the CLI call. Is there some bailout statement checking for PHP_SAPI?
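To make the permission diagnosis above testable, here is an added Python check (mine, not part of the thread or of the LDAP extensions): given a log path and the uid and group ids the web server runs as (assumed values, for instance 33 for www-data on Debian), it reports whether that identity could append to the file, or create it when it does not exist yet. It evaluates the classic mode bits only; ACLs, SELinux and AppArmor are outside its view.

```python
"""Added example: can the web server identity write the MediaWiki debug log?

A maintenance script run from your shell creates /tmp/debug-ldap.log owned by
your user with mode 0644; the PHP process behind Apache/nginx runs as another
uid, gets EACCES on every request, and the file only ever fills from CLI runs.
Only the plain mode bits are modelled here (no ACLs, SELinux or AppArmor).
"""
import os
import stat
import tempfile


def can_write(path: str, uid: int, gids) -> bool:
    """True if a process with `uid` / `gids` could open `path` for append.

    If the file does not exist yet, the parent directory decides instead,
    because the first write has to create the file there.
    """
    if uid == 0:                      # root ignores mode bits
        return True
    target = path if os.path.exists(path) else (os.path.dirname(path) or ".")
    st = os.stat(target)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def diagnose(path: str, web_uid: int, web_gids) -> str:
    """One-line verdict that can be pasted into a ticket."""
    exists = os.path.exists(path)
    if can_write(path, web_uid, web_gids):
        return f"OK: uid {web_uid} can {'append to' if exists else 'create'} {path}"
    if exists:
        st = os.stat(path)
        return (f"PROBLEM: {path} exists, owned by uid {st.st_uid} with mode "
                f"{stat.S_IMODE(st.st_mode):04o}; uid {web_uid} cannot append. "
                f"Fix: chown it to the web server user, or log to a directory "
                f"that user owns, e.g. /var/log/mediawiki/")
    return f"PROBLEM: uid {web_uid} cannot create {path} in its directory"


if __name__ == "__main__":
    # Constructed demo: a log created by the CLI user (us), then checked for a
    # hypothetical web server uid 33 (www-data on Debian) that is not us.
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "debug-ldap.log")
        open(log, "w").close()
        os.chmod(log, 0o644)
        print(diagnose(log, os.getuid(), [os.getgid()]))
        print(diagnose(log, 33, [33]))
```

Run it as the same user that ran the maintenance script and pass the uid of the web server's PHP worker; a PROBLEM line for the web uid with an OK line for yourself is exactly the "only maintenance jobs write the log" symptom.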

Reply to "I don't have logs"

login screen: no place to put user name and password

Summary by Cindy.cicalese

LDAPAuthentication2 version 2.0.0 is compatible with PluggableAuth 7.0.0.

RobFantini (talkcontribs)

After upgrading 1.37 to 1.39, the login screen does not have data entry boxes for name, password and domain.

We authenticate to an OpenLDAP server.

I ran these tests from command line and they work okay:

php /var/www/git-v139/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php --username rob --domain redacted.com

php /var/www/git-v139/mediawiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php --username rob --domain redacted.com

also CheckLogin.php worked. I was prompted for a password and OK was returned.


If I set the following, there are places to do a local login with:

$wgPluggableAuth_EnableLocalLogin = true;


any suggestions to fix this?

in the mean time I'll continue to look around for the solution.

Luciferindcok (talkcontribs)

@RobFantini did you get a fix for this? I am facing the same issue.

RobFantini (talkcontribs)

I have not been able to fix this.


Do you happen to know where I could file a bug report?

194.50.65.12 (talkcontribs)

I have the same problem. After upgrading from 1.35 to 1.39.1, mediawiki does not display the login box. Ldap seems to work, according to the maintenance php script.

Cindy.cicalese (talkcontribs)

When you upgraded MediaWiki to version 1.39, did you upgrade PluggableAuth and the LDAP extensions as well? If so, what versions are you using? Note that LDAPAuthentication2 is not yet compatible with version 6.x of PluggableAuth. You will need to stick with version 5.7 of PluggableAuth for now.

RobFantini (talkcontribs)
Cindy.cicalese (talkcontribs)

Yes, the release branch has the most recent version of PluggableAuth. The issue is that LDAPAuthentication2 is not yet compatible with the most recent version of PluggableAuth. However, a new version of LDAPAuthentication2 should hopefully be available soon.

RobFantini (talkcontribs)
Cindy.cicalese (talkcontribs)

Yes, LDAPAuthentication2 version 2.0.0 is compatible with PluggableAuth 7.0.0.

FYI: Branch REL1_35 works with 1.39

TaylanKammer (talkcontribs)

As others here, I'm facing the issue that LDAP authentication doesn't work with the current versions of PluggableAuth and LDAPAuthentication2, giving the following error message:

The supplied credentials could not be authenticated.

But I realized that rolling back to version REL1_35 for PluggableAuth actually works fine on MediaWiki 1.39.

Note that other extensions should not be rolled back. In particular, LDAPProvider must be updated to REL1_39, or you'll face another error while logging in.

For LDAPAuthentication2 and LDAPUserInfo, either version seems to be working fine, so it's probably best to use the newer REL1_39.

Osnard (talkcontribs)

We are currently working on a MW 1.39 and PluggableAuth 6.0 compatible version of the LDAP-Stack extensions. Please stay tuned.


Could not authenticate credentials against domain xxxx

Ctorrestesam (talkcontribs)

Hi, I think I'm getting pretty close.

I'm not getting errors on the login page except for "Could not authenticate credentials against domain XXXX".


When I run php CheckLogin.php --domain XXXX --username ctorres

I get an "OK".


php ShowUserGroups.php --domain XXXX --username ctorres

I get Full DN: (blank) and Short names: (blank).


php ShowUserInfo.php --domain XXXX --username ctorres

brings back all my info from AD, so that's OK I guess.


Here's my LocalSettings.php.


  wfLoadExtension( 'PluggableAuth' );

  wfLoadExtension( 'LDAPProvider' );

  wfLoadExtension( 'LDAPAuthentication2' );

  wfLoadExtension( 'LDAPAuthorization' );

  wfLoadExtension( 'LDAPUserInfo' );

  wfLoadExtension( 'LDAPGroups' );

$LDAPAuthorizationAutoAuthRemoteUserStringParser = "XXXX\username";

// Create Wiki-Group 'marketing' from default user group

$wgGroupPermissions['marketing'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['sysop']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = "var/www/ldap.json";

$ldapConfig = false;

if (is_file($ldapJsonFile) && is_dir("$var/www/docs.XXXX.net/extensions/LDAPProvider")) {

  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);

  if (is_array($testJson)) {

    $ldapConfig = true;

  } else {

    error_log("Found invalid JSON in file: $IP/ldap.json");

  }

}

// Activate Extension

if ( $ldapConfig ) {

  wfLoadExtension( 'PluggableAuth' );

  wfLoadExtension( 'LDAPProvider' );

  wfLoadExtension( 'LDAPAuthentication2' );

  wfLoadExtension( 'LDAPAuthorization' );

  wfLoadExtension( 'LDAPUserInfo' );

  wfLoadExtension( 'LDAPGroups' );

  $WikiToLDAPMigrationInProgress = false;

  $LDAPProviderDomainConfigs = "$etc/mediawiki/ldapprovider.json";

  $wgPluggableAuth_ButtonLabel = "Log In";

$LDAPAuthentication2AllowLocalLogin = true;

  // Force LDAPGroups to sync by choosing a domain ( e.g. first JSON object in ldap.json )

  $LDAPProviderDefaultDomain = "dc.XXXX.net";

  if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }

}

$wgShowExceptionDetails = true;

$wgShowSQLErrors = true;

$wgShowDBErrorBacktrace = true;

$wgDebugLogGroups['PluggableAuth'] =  '/var/log/mediawiki/PluggableAuth.log';

$wgDebugLogGroups['LDAP'] = '/var/log/mediawiki/LDAPGen.log';

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = '/var/log/mediawiki/LDAPProviderClient.log';

$wgDebugLogGroups['LDAPGroups'] = '/var/log/mediawiki/LDAPGroups.log';

$wgDebugLogGroups['LDAPUserInfo'] ='/var/log/mediawiki/LDAPUserInfo.log';

$wgDebugLogGroups['LDAPAuthorization'] = '/var/log/mediawiki/LDAP.log';

$wgDebugLogGroups['LDAPAuthentication2'] = '/var/log/mediawiki/LDAPAuthentication2.log';

$LDAPProviderCacheType = CACHE_NONE;

$LDAPAuthorizationAutoAuthRemoteUserStringParserRegistry = "username@XXXX.net";

$wgShowExceptionDetails = true;

$wgShowDBErrorBacktrace = true;

##SQL Error ###

$wgDebugDumpSql = true;

#LDAP binding

$LDAPProviderDomainConfigProvider = function() {

        $config = [

                "XXX.net" => [

                        "connection" => [

                                "server" => "XXX.net",

                                "user" => "ctorres@XXXX.net",

                                "pass" => "XXXX",

                                "options" => [

                                        "LDAP_OPT_DEREF" => 1

                                ],

                                "basedn" => "dc=XXXX,dc=net",

                                "groupbasedn" => "dc=XXXX,dc=net",

                                "userbasedn" => "dc=XXXX,dc=net",

                                "searchattribute" => "samaccountname",

                                "searchstring" => "USER-NAME@XXXX.net",

                                "usernameattribute" => "samaccountname",

                                "realnameattribute" => "cn",

                                "emailattribute" => "mail"

                        ]

                ]

        ];

        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};


Here's my ldap.json:


{

        "XXXX": {

                "connection": {

                        "server": "dc.XXXX.net",

                        "port": "389",

                        "user": "ctorres@XXXX.net",

                        "pass": "XXX",

                        "enctype": "ssl",

                        "options": {

                                "LDAP_OPT_DEREF": 1

                        },

                        "basedn": "ou=XXXX Argentina,dc=XXXX,dc=net",

                        "userbasedn": "ou=XXXX Argentina,dc=XXXX,dc=net",

                        "groupbasedn": "ou=XXXX Argentina,dc=XXXX,dc=net",

                        "searchattribute": "samaccountname",

                        "usernameattribute": "samaccountname",

                        "realnameattribute": "cn",

                        "emailattribute": "mail",

                        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

                        "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

                },

                "userinfo": [],

                "authorization": [],

                #"groupsync": {

                        #"mapping": {

                                # "marketing": "CN=EngineeringCoreTeam,OU=XXXX.net,DC=XXXX,DC=local",

                                # "Comercial": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

                                # "logistica": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

                                # "sistemas": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local"

                        }

                }

        }

}

Osnard (talkcontribs)

This config looks like it has many redundancies. You only need either ldap.json or $LDAPProviderDomainConfigProvider. Not both.

Also it looks like you enable several extensions multiple times.

Could you please enable the debug log and share its contents?

Ctorrestesam (talkcontribs)

Hey Osnard, yeah, sorry for that, I'm a first timer with PHP/Linux/MediaWiki so I'm trying my best hahaha.

Yeah, I corrected it and I'm only calling ldap.json, and when I run the tests CheckLogin.php, ShowUserInfo.php and ShowUserGroups.php all is OK.


And for the logs, I only receive two logs.


The first log is LDAPGen.log:


2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'ctorres@XXXX.net', $bindPassword = 'XXXX' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'ctorres@XXXX.net', $bindPassword = 'XXXX' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns false

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: ldap_error( $linkID );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns Invalid credentials

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: ldap_errno( $linkID );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns 49

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns false

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_error( $linkID );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns Invalid credentials

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_errno( $linkID );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns 49

XXXX@mediawiki-prod-std:/var/log/mediawiki$


and the second log is LDAPProvider.log


XXXX@mediawiki-prod-std:/var/log/mediawiki$ cat LDAPProviderClient.log

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'ctorres@XXXX.net'

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'ctorres@XXXX.net'

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_DEREF to 1

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_DEREF to 1

XXXX@mediawiki-prod-std:/var/log/mediawiki$

Osnard (talkcontribs)

The value in "connection/user" should be a valid user DN rather than a <user>@<domain>. Also you may want to try to remove the "connection/searchstring" entry.

Ctorrestesam (talkcontribs)

Now the output I get on the page is:


[70d4cfa798867676a180850d] /index.php/Especial:PluggableAuthLogin MWException: Could not bind to LDAP: (49) Invalid credentials

Backtrace:

from /var/www/docs.XXXX.net/extensions/LDAPProvider/src/Client.php(195)

#0 /var/www/docs.XXXX.net/extensions/LDAPProvider/src/Client.php(118): MediaWiki\Extension\LDAPProvider\Client->establishBinding()

#1 /var/www/docs.XXXX.net/extensions/LDAPProvider/src/Client.php(355): MediaWiki\Extension\LDAPProvider\Client->init()

#2 /var/www/docs.XXXX.net/extensions/LDAPAuthentication2/src/PluggableAuth.php(184): MediaWiki\Extension\LDAPProvider\Client->canBindAs()

#3 /var/www/docs.XXXX.net/extensions/LDAPAuthentication2/src/PluggableAuth.php(55): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin()

#4 /var/www/docs.XXXX.net/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()

#5 /var/www/docs.XXXX.net/includes/specialpage/SpecialPage.php(646): PluggableAuthLogin->execute()

#6 /var/www/docs.XXXX.net/includes/specialpage/SpecialPageFactory.php(1386): SpecialPage->run()

#7 /var/www/docs.XXXX.net/includes/MediaWiki.php(309): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#8 /var/www/docs.XXXX.net/includes/MediaWiki.php(913): MediaWiki->performRequest()

#9 /var/www/docs.XXXX.net/includes/MediaWiki.php(546): MediaWiki->main()

#10 /var/www/docs.XXXX.net/index.php(53): MediaWiki->run()

#11 /var/www/docs.XXXX.net/index.php(46): wfIndexMain()

#12 {main}


Fixed in ldap.json:


{

        "XXXX.net": {

                "connection": {

                        "server": "dc.XXXX.net",

                //      "port": "389",

                        "user": "cn=torres,dc=XXXX,dc=net",

                        "pass": "XXXX",

                //      "enctype": "ssl",

                        "options": {

                                "LDAP_OPT_DEREF": 1

                        },

                        "basedn": "dc=XXXX,dc=net",

                        "userbasedn": "dc=XXXX,dc=net",

                        "groupbasedn": "dc=XXXX,dc=net",

                        "searchattribute": "samaccountname",

                        "usernameattribute": "samaccountname",

                        "realnameattribute": "cn",

                        "emailattribute": "mail",

                        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

                        "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]

                },

                "userinfo": [],

                "authorization": [],

                #"groupsync": {

                        #"mapping": {

                                # "marketing": "CN=EngineeringCoreTeam,OU=XXXX.net,DC=XXXX,DC=local",

                                # "Comercial": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

                                # "logistica": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local",

                                # "sistemas": "CN=Mediawiki Admins,OU=XXXX.net,DC=XXXX,DC=local"

                        }

                }

        }

}


The logs pretty much remain the same.


LDAPProviderClient.log =


2022-03-29 15:33:32 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'ctorres@XXXX.net'

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'ctorres@XXXX.net'

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: Setting LDAP_OPT_DEREF to 1

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_REFERRALS to 0

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: Setting LDAP_OPT_DEREF to 1


LDAPGen.log =

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'ctorres@XXXX.net', $bindPassword = 'XXXX' );

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'ctorres@XXXX.net', $bindPassword = 'XXXX' );

2022-03-29 15:33:49 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:26:56 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns false

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: ldap_error( $linkID );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns Invalid credentials

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: ldap_errno( $linkID );

2022-03-29 18:27:01 mediawiki-prod-std my_wiki: # returns 49

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_connect( $uri = 'ldap://dc.XXXX.net:389' );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # __METHOD__ returns a link id

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns true

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns false

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_error( $linkID );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns Invalid credentials

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_errno( $linkID );

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns 49

Osnard (talkcontribs)

Be careful, you may have leaked a password accidentally. Be sure to change it, if it is used anywhere else.

Osnard (talkcontribs)

This is odd.

First binding seems to work

2022-03-29 15:33:32 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );
2022-03-29 15:33:32 mediawiki-prod-std my_wiki: # returns true

But then a second one fails

2022-03-29 18:27:08 mediawiki-prod-std my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=ctorres,dc=XXXX,dc=net', $bindPassword = 'XXXX' );
2022-03-29 18:27:08 mediawiki-prod-std my_wiki: # returns false

There are a couple of hours in between and probably some changes to the config. Can you please give more details and make more clear which logs belong to which config?
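To read an LDAPGen.log like the ones above without eyeballing timestamps, here is an added Python parser (mine, not part of the LDAP extensions) that pairs each ldap_bind( ... ) line with its "# returns" result and with the ldap_error/ldap_errno lines that follow a failure, tags the first bind after each ldap_connect as the service-account bind (connection/user) and any later one as the end-user bind, and notes whether the bind identity is a DN, a user@domain name or a bare account name. The sample log lines are constructed to mirror the format above (host and domain names are made up); the parser keeps only the bind identity and never the $bindPassword field.

```python
"""Added example: summarise ldap_bind outcomes from a MediaWiki LDAPGen.log."""
import re

LINE_PREFIX = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \S+: "
CALL_RE = re.compile(LINE_PREFIX + r"(?P<func>ldap_\w+)\((?P<args>.*)\);\s*$")
RESULT_RE = re.compile(LINE_PREFIX + r"# (?:__METHOD__ )?returns(?: (?P<val>.*))?$")
BIND_DN_RE = re.compile(r"\$bindRDN = '(?P<dn>[^']*)'")


def identity_form(identity: str) -> str:
    """Classify what was handed to ldap_bind as the bind identity."""
    if "=" in identity:
        return "dn"        # cn=...,dc=...
    if "@" in identity:
        return "upn"       # user@domain: AD accepts it, but it is not a DN
    return "bare"          # plain account name


def parse_bind_attempts(log_text: str) -> list:
    attempts = []
    pending = None          # last ldap_* call still waiting for its "# returns"
    current = None          # bind attempt that following ldap_error/errno describe
    binds_in_session = 0    # reset on every ldap_connect
    for line in log_text.splitlines():
        call = CALL_RE.match(line)
        if call:
            pending = call.group("func")
            if pending == "ldap_connect":
                binds_in_session = 0
            elif pending == "ldap_bind":
                binds_in_session += 1
                found = BIND_DN_RE.search(call.group("args"))
                identity = found.group("dn") if found else ""
                current = {
                    "ts": call.group("ts"),
                    "role": "service" if binds_in_session == 1 else "user",
                    "identity": identity,
                    "identity_form": identity_form(identity),
                    "ok": None, "error": None, "errno": None,
                }
                attempts.append(current)
            continue
        result = RESULT_RE.match(line)
        if not result:
            continue
        value = (result.group("val") or "").strip()   # "# returns" alone = empty
        if current is not None:
            if pending == "ldap_bind":
                current["ok"] = value.lower() in ("true", "1")
            elif pending == "ldap_error":
                current["error"] = value
            elif pending == "ldap_errno":
                current["errno"] = int(value) if value.isdigit() else None
        pending = None
    return attempts


def report(attempts) -> list:
    """One line per bind, with the hint from the thread above when the
    service account was bound with something other than a DN."""
    lines = []
    for a in attempts:
        status = "ok  " if a["ok"] else "FAIL"
        line = f"{a['ts']} {status} {a['role']:7} {a['identity_form']:4} {a['identity']}"
        if not a["ok"] and a["errno"] is not None:
            line += f"  errno={a['errno']} {a['error']}"
        if a["role"] == "service" and a["identity_form"] != "dn":
            line += "  <- connection/user should be the bind account's full DN"
        lines.append(line)
    return lines


# Constructed sample in the format of the LDAPGen.log excerpts above.
SAMPLE_LOG = """\
2022-03-29 15:33:32 wikihost my_wiki: ldap_connect( $uri = 'ldap://dc.example.net:389' );
2022-03-29 15:33:32 wikihost my_wiki: # __METHOD__ returns a link id
2022-03-29 15:33:32 wikihost my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2022-03-29 15:33:32 wikihost my_wiki: # returns true
2022-03-29 15:33:32 wikihost my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=svc-wiki,ou=service,dc=example,dc=net', $bindPassword = 'hunter2' );
2022-03-29 15:33:32 wikihost my_wiki: # returns true
2022-03-29 15:33:32 wikihost my_wiki: ldap_bind( $linkID, $bindRDN = 'jdoe@example.net', $bindPassword = 'correct horse' );
2022-03-29 15:33:32 wikihost my_wiki: # returns true
2022-03-29 18:26:56 wikihost my_wiki: ldap_connect( $uri = 'ldap://dc.example.net:389' );
2022-03-29 18:26:56 wikihost my_wiki: # __METHOD__ returns a link id
2022-03-29 18:26:56 wikihost my_wiki: ldap_bind( $linkID, $bindRDN = 'cn=svc-wiki,ou=service,dc=example,dc=net', $bindPassword = 'hunter2' );
2022-03-29 18:27:01 wikihost my_wiki: # returns false
2022-03-29 18:27:01 wikihost my_wiki: ldap_error( $linkID );
2022-03-29 18:27:01 wikihost my_wiki: # returns Invalid credentials
2022-03-29 18:27:01 wikihost my_wiki: ldap_errno( $linkID );
2022-03-29 18:27:01 wikihost my_wiki: # returns 49
"""

if __name__ == "__main__":
    for line in report(parse_bind_attempts(SAMPLE_LOG)):
        print(line)
```

Feed it the real file (`parse_bind_attempts(open("/var/log/mediawiki/LDAPGen.log").read())`) and the FAIL lines show immediately which bind broke and when, so the log can be matched to the config that was live at that time; a service bind that fails with errno 49 means the connection/user and connection/pass pair is wrong, before any end-user credential is involved.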


v1.35 LDAP Stack Setup against AD

Emikulic (talkcontribs)

I just finished migrating a 1.26 setup to 1.35. The migration had a few issues but that was not over the top. The LDAP Stack for form's based Auth (Authentication & Authorization) was another issue. I just want to say it required a very large amount of work to figure out.

I suppose it is all the open source and low cost/resources to develop and document the software which I get after being a Prod Mgr for many years at Cisco.

In all, it took me about 2-3 weeks. Hopefully it all gets better. I think greater clarity in log/debug messages when there are errors can be a big help. Documentation helps as well as there are settings spread all over mediawiki doc and talk pages which hold helpful (if this , do that) settings, where each extension could have a single large page of all possible settings which would be a tremendous help.

This is a good technology and works well.

Thank you.

-Ernie

(VMware/CentOS 8/Selinux/Firewalld/TLS/MariaDB 10.3/Apache 2.4.37 Virtual Hosts/Remi php 7.3/AD Ldap/AD CA/Mediawiki 1.35 + LDAP Stack)

Osnard (talkcontribs)

Thanks for your feedback, much appreciated.

I am happy about any contribution for the code or the documentation. If you don't mind, could you please share the setup that finally worked for you on LDAP_hub/Migration_from_extension_LDAPAuthentication. It might help others.

Emikulic (talkcontribs)

Ok sure, I'll post something or maybe make a UT video of it.

Osnard (talkcontribs)

Awesome! Thanks.

Emikulic (talkcontribs)

Added a great deal of config example I used. Should help some folks. Of course the system TLS setup, SELinux, Firewall is all '''other''' settings they will need to figure out. I may add a little more to this later but this was the core of things.

LDAP hub/Migration from extension LDAPAuthentication#Example 3

200.169.33.133 (talkcontribs)

Friend, can you help me here?

Raphael Orleans (talkcontribs)

I'm trying to understand the step-by-step process to set up this authentication.


Could not authenticate credentials against domain

Summary by MountainGoat92

Got it to run with the exact same ldapprovider file from this site Manual:Active Directory Integration.

I think it is mandatory to have the empty userinfo and authorization parts...

MountainGoat92 (talkcontribs)

Hello,

I am running a MediaWiki 1.35 with the following extensions:

LDAPProvider, PluggableAuth, LDAPAuthentication2

My goal is that users can manually log in to mediawiki with their used username and password from active directory.

The users are already created in mediawiki.


When running php extensions/LDAPProvider/maintenance/ShowUserInfo.php I receive the information from Active Directory.

When running php extensions/LDAPProvider/maintenance/CheckLogin.php it is just failing.


The debug log says the following at the end:

2021-08-24 09:57:14 mediawiki wiki: Ran LDAP search for '(samaccountname=mic-sma)' in 0.002122163772583 seconds.

2021-08-24 09:57:26 mediawiki wiki: ldap_connect( $hostname = 'ldap://192.168.73.250:389', $port = 389 );

2021-08-24 09:57:26 mediawiki wiki: # __METHOD__ returns Resource id #763

2021-08-24 09:57:26 mediawiki wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2021-08-24 09:57:26 mediawiki wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2021-08-24 09:57:26 mediawiki wiki: # returns 1

2021-08-24 09:57:26 mediawiki wiki: Setting LDAP_OPT_REFERRALS to 0

2021-08-24 09:57:26 mediawiki wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2021-08-24 09:57:26 mediawiki wiki: # returns 1

2021-08-24 09:57:26 mediawiki wiki: Setting LDAP_OPT_DEREF to 1

2021-08-24 09:57:26 mediawiki wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2021-08-24 09:57:26 mediawiki wiki: # returns 1

2021-08-24 09:57:26 mediawiki wiki: ldap_bind( $linkID, $bindRDN = 'wikisync', $bindPassword = 'XXXX' );

2021-08-24 09:57:26 mediawiki wiki: # returns 1

2021-08-24 09:57:26 mediawiki wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'samaccountname=mic-sma,dc=xxx,dc=xxx'

2021-08-24 09:57:26 mediawiki wiki: ldap_bind( $linkID, $bindRDN = 'samaccountname=mic-sma,dc=xxx,dc=xxx', $bindPassword = 'XXXX' );

2021-08-24 09:57:26 mediawiki wiki: # returns


Can someone help me?

Best regards,

Manuel

Osnard (talkcontribs)

'samaccountname=mic-sma,dc=micado,dc=local' does not look like a proper user DN. Maybe remove the "searchstring" setting from the config.

MountainGoat92 (talkcontribs)

Hello @Osnard,

I removed the searchstring, but now I am getting the error "Could not fetch required user info to complete login" when trying to log in via the domain in MediaWiki.

When I try to enter a wrong password, I get the notification "Could not authenticate credentials against domain micado.local".


Running ShowUserInfo.php still shows the user information from the Active Directory.


Running CheckLogin.php now says "ok", so I guess we are one step closer :)

My config file looks pretty simple, like this (I did substitute user, pass, OU and DC here):

{

   "micado.local":

       {

           "connection":

           {

               "server": "192.168.73.250",

               "user": "user",

               "pass": "pass",

               "basedn": "dc=domain,dc=local",

               "userbasedn": "dc=domain,dc=local",

               "searchattribute": "samaccountname"

               }

       }

}


The log file after trying to log in via the web form:


2021-09-02 08:59:26 mediawiki wiki: In execute()

2021-09-02 08:59:26 mediawiki wiki: Getting PluggableAuth singleton

2021-09-02 08:59:26 mediawiki wiki: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2021-09-02 08:59:27 mediawiki wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2021-09-02 08:59:27 mediawiki wiki: Setting LDAP_OPT_REFERRALS to 0

2021-09-02 08:59:27 mediawiki wiki: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (

  'base' => 'ou=benutzer,ou=companyname,dc=domain,dc=local',

  'filter' => '(samaccountname=mic-sma)',

  'attributes' =>

  array (

   0 => '*',

   1 => 'memberof',

  ),

)

2021-09-02 08:59:27 mediawiki wiki: Found user DN: 'CN=mic-sma,OU=BEN_IT,OU=BENUTZER,OU=companyname,DC=domain,DC=local'

2021-09-02 08:59:27 mediawiki wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=mic-sma,OU=BEN_IT,OU=BENUTZER,OU=companyname,DC=domain,DC=local'

2021-09-02 08:59:27 mediawiki wiki: Ran LDAP search for '(samaccountname=mic-sma)' in 0.0013182163238525 seconds.

2021-09-02 08:59:27 mediawiki wiki: Authentication failure.

2021-09-02 08:59:27 mediawiki wiki: ERROR: Could not fetch required user info to complete login


I can't explain the error. I can run the PHP CheckLogin with the same user and it works... so I don't think it is a problem with the user settings?


Best regards,

Manuel
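The two bind paths visible in Manuel's logs, written out as an added Python example (this is not code from the LDAP extensions or from anyone in this thread). With a `searchstring`, USER-NAME is substituted into the template and the result is used as the bind name as it is, so a template such as `samaccountname=USER-NAME,dc=domain,dc=local` yields a name that is not the DN of any entry and the bind fails, which is what the empty `# returns` after the second `ldap_bind` shows. Without it, the user is looked up under `userbasedn` by `searchattribute` and the entry's real DN is bound. The directory entries, passwords and both config dictionaries are constructed for the example; the DN shape is copied from the "Found user DN" log line.

```python
"""Model how the bind DN for a web login is derived with and without the
`searchstring` setting, over a constructed directory.  Entries, passwords and
the two configs below are invented for the example."""

# Constructed directory: DN -> attributes (lower-cased names) plus the bind
# password the server would check.  Modelled on the DN in the log above.
DIRECTORY = {
    "CN=mic-sma,OU=BEN_IT,OU=BENUTZER,OU=companyname,DC=domain,DC=local": {
        "samaccountname": "mic-sma",
        "userpassword": "example-pw-1",
    },
    "CN=other,OU=BEN_IT,OU=BENUTZER,OU=companyname,DC=domain,DC=local": {
        "samaccountname": "other",
        "userpassword": "example-pw-2",
    },
}

# The two domain configs under discussion (hypothetical values).
CONFIG_WITH_SEARCHSTRING = {
    "searchstring": "samaccountname=USER-NAME,dc=domain,dc=local",
    "userbasedn": "dc=domain,dc=local",
    "searchattribute": "samaccountname",
}
CONFIG_SEARCH_ONLY = {
    "userbasedn": "dc=domain,dc=local",
    "searchattribute": "samaccountname",
}


def search_user_dn(directory, user_base_dn, search_attribute, username):
    """The getUserDN step in the log: search under userbasedn for
    (searchattribute=username) and return the matching entry's real DN."""
    base = user_base_dn.lower()
    for dn, attrs in directory.items():
        if (dn.lower().endswith(base)
                and attrs.get(search_attribute.lower(), "").lower() == username.lower()):
            return dn
    return None


def template_user_dn(search_string, username):
    """The searchstring setting: USER-NAME is substituted and the result is used
    as the bind name as-is, with no lookup of whether such an entry exists."""
    return search_string.replace("USER-NAME", username)


def bind(directory, bind_dn, password):
    """Simple bind: succeeds only for an existing DN with the right password.
    An unknown DN gets the same invalidCredentials answer as a wrong password."""
    for dn, attrs in directory.items():
        if dn.lower() == bind_dn.lower():
            return attrs["userpassword"] == password
    return False


def login(directory, config, username, password):
    """Return (bind DN used, bind succeeded) for a domain config."""
    if "searchstring" in config:
        dn = template_user_dn(config["searchstring"], username)
    else:
        dn = search_user_dn(directory, config["userbasedn"],
                            config["searchattribute"], username)
        if dn is None:
            return None, False
    return dn, bind(directory, dn, password)


if __name__ == "__main__":
    for label, cfg in [("with searchstring", CONFIG_WITH_SEARCHSTRING),
                       ("searchattribute only", CONFIG_SEARCH_ONLY)]:
        print(label, "->", login(DIRECTORY, cfg, "mic-sma", "example-pw-1"))
```

The model stops at the bind. The later "Could not fetch required user info" error belongs to the user-info step after a successful bind, which this example does not cover.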

LDAP auto account creation not working

2001:7C0:3100:10:0:0:0:1C4 (talkcontribs)

I installed the LDAP stack on my MediaWiki (version 1.35.1) and connected LDAP to my Active Directory following the linked guide Manual:Active Directory Integration.

When trying to log in, the LDAP stack successfully authenticates the user from the AD. However, I get the following error message:

"Die angegebenen Anmeldeinformationen sind mit keinem Benutzer auf diesem Wiki verknüpft." which is the German equivalent of "Credentials are not associated with any user on this wiki."

I therefore suspected that the automatic account creation does not work. But my LocalSettings.php contains $wgGroupPermissions['*']['autocreateaccount'] = true;.


LocalSettings.php:

```
#
#
# LDAP Settings
#
#
// Safe IP or not (for bypassing external login via AD)
// Note: HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP are supplied by the client unless a
// trusted reverse proxy overwrites them, so a "safe" decision based on them only
// holds behind such a proxy.
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
    #console_log($ipsVar . " ".$_SERVER[$ipsVar]);
    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = (isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));

// Create Wiki-Group 'engineering' from default user group
$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Private Wiki. External LDAP login. Default NS requires login.
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false; // initialised so the check below never reads an undefined variable
#$ldapConfig = true;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
    $testJson = @json_decode(file_get_contents($ldapJsonFile),true);
    if (is_array($testJson)) {
        $ldapConfig = true;
    } else {
        error_log("Found invalid JSON in file: $IP/ldap.json");
    }
}

// Activate Extension
if ( $ldapConfig ) {
    wfLoadExtension( 'PluggableAuth' );
    wfLoadExtension( 'LDAPProvider' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPAuthorization' );
    wfLoadExtension( 'LDAPUserInfo' );
    wfLoadExtension( 'LDAPGroups' );
    wfLoadExtension( 'Auth_remoteuser' );
    wfLoadExtension( 'LDAPSyncAll' );

    $LDAPProviderDomainConfigs = $ldapJsonFile;
    #$wgPluggableAuth_ButtonLabel = "Log In";
    $wgPluggableAuth_ButtonLabel = "Mit LDAP anmelden";
    #$wgPluggableAuth_EnableLocalLogin = true;
    #$LDAPAuthentication2AllowLocalLogin = true;
    #
    #
    #
    #
    #console_log("WikiRequestSafe:" . " " . $wikiRequestIP . " safe: " . implode("|",$safeIPs) . " ipsvars: " . implode("|",$ipsVars));
    // Local (non-LDAP) login is only offered to requests from a "safe" address
    if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
}
```




PluggableAuth Log:

2021-05-26 17:16:19 wiki-test my_wiki: In execute()

2021-05-26 17:16:19 wiki-test my_wiki: Getting PluggableAuth singleton

2021-05-26 17:16:19 wiki-test my_wiki: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2021-05-26 17:16:19 wiki-test my_wiki: Authenticated new user:

2021-05-26 17:16:20 wiki-test my_wiki: User is authorized.


LDAP Log:

2021-05-26 17:24:40 wiki-test my_wiki: ldap_connect( $hostname = 'ldap://MyActiveDirectory:389', $port = 389 );

2021-05-26 17:24:40 wiki-test my_wiki: # __METHOD__ returns Resource id #31

2021-05-26 17:24:40 wiki-test my_wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_bind( $linkID, $bindRDN = 'CN=myldapuser,cn=users,dc=MyActiveDirectory', $bindPassword = 'XXXX' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_search( $linkID, $baseDN = 'cn=users,dc=MyActiveDirectory', $filter = '(samaccountname=test.user)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2021-05-26 17:24:40 wiki-test my_wiki: # returns Resource id #46

2021-05-26 17:24:40 wiki-test my_wiki: ldap_count_entries( $linkiID, $result = 'Resource id #46' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_get_entries( $linkID, $resultID );

2021-05-26 17:24:40 wiki-test my_wiki: # returns: array (

  'count' => 1,

  0 =>

  array (

    'objectclass' =>

    array (

      'count' => 4,

      0 => 'top',

      1 => 'person',

      2 => 'organizationalPerson',

      3 => 'user',

    ),

    0 => 'objectclass',

    'cn' =>

    array (

      'count' => 1,

      0 => 'test.user',

    ),

    1 => 'cn',

    'sn' =>

    array (

      'count' => 1,

      0 => 'user',

    ),

    2 => 'sn',

    'givenname' =>

    array (

      'count' => 1,

      0 => 'test',

    ),

    3 => 'givenname',

    'distinguishedname' =>

    array (

      'count' => 1,

      0 => 'CN=test.user,CN=Users,dc=MyActiveDirectory',

    ),

    4 => 'distinguishedname',

    'instancetype' =>

    array (

      'count' => 1,

      0 => '4',

    ),

    5 => 'instancetype',

    'whencreated' =>

    array (

      'count' => 1,

      0 => '20201106163057.0Z',

    ),

    6 => 'whencreated',

    'whenchanged' =>

    array (

      'count' => 1,

      0 => '20210524142647.0Z',

    ),

    7 => 'whenchanged',

    'displayname' =>

    array (

      'count' => 1,

      0 => 'test.user',

    ),

    8 => 'displayname',

    'usncreated' =>

    array (

      'count' => 1,

      0 => '98434',

    ),

    9 => 'usncreated',

    'memberof' =>

    array (

      'count' => 1,

      0 => 'CN=mydomain-test,OU=Groups,OU=User,dc=MyActiveDirectory',

    ),

    10 => 'memberof',

    'usnchanged' =>

    array (

      'count' => 1,

      0 => '2560462',

    ),

    11 => 'usnchanged',

    'name' =>

    array (

      'count' => 1,

      0 => 'test.user',

    ),

    12 => 'name',

    'objectguid' =>

    array (

      'count' => 1,

      0 => '±ÆÓ¿Hh±J¢jÊ(B4¦ð',

    ),

    13 => 'objectguid',

    'useraccountcontrol' =>

    array (

      'count' => 1,

      0 => '512',

    ),

    14 => 'useraccountcontrol',

    'badpwdcount' =>

    array (

      'count' => 1,

      0 => '0',

    ),

    15 => 'badpwdcount',

    'codepage' =>

    array (

      'count' => 1,

      0 => '0',

    ),

    16 => 'codepage',

    'countrycode' =>

    array (

      'count' => 1,

      0 => '0',

    ),

    17 => 'countrycode',

    'homedirectory' =>

    array (

      'count' => 1,

      0 => '\\\\cifs\\users\\test.user',

    ),

    18 => 'homedirectory',

    'homedrive' =>

    array (

      'count' => 1,

      0 => 'M:',

    ),

    19 => 'homedrive',

    'badpasswordtime' =>

    array (

      'count' => 1,

      0 => '132665098264743610',

    ),

    20 => 'badpasswordtime',

    'lastlogoff' =>

    array (

      'count' => 1,

      0 => '0',

    ),

    21 => 'lastlogoff',

    'lastlogon' =>

    array (

      'count' => 1,

      0 => '132665098371930786',

    ),

    22 => 'lastlogon',

    'logonhours' =>

    array (

      'count' => 1,

      0 => 'ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ',

    ),

    23 => 'logonhours',

    'pwdlastset' =>

    array (

      'count' => 1,

      0 => '132535516035944362',

    ),

    24 => 'pwdlastset',

    'primarygroupid' =>

    array (

      'count' => 1,

      0 => '513',

    ),

    25 => 'primarygroupid',

    'profilepath' =>

    array (

      'count' => 1,

      0 => '\\\\cifs\\profiles\\test.user',

    ),

    26 => 'profilepath',

    'objectsid' =>

    array (

      'count' => 1,

      0 => '��' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '' . "\0" . '��' . "\0" . '' . "\0" . '' . "\0" . 'üâîxc��LY±S…0�' . "\0" . '' . "\0" . '',

    ),

    27 => 'objectsid',

    'accountexpires' =>

    array (

      'count' => 1,

      0 => '0',

    ),

    28 => 'accountexpires',

    'logoncount' =>

    array (

      'count' => 1,

      0 => '22',

    ),

    29 => 'logoncount',

    'samaccountname' =>

    array (

      'count' => 1,

      0 => 'test.user',

    ),

    30 => 'samaccountname',

    'samaccounttype' =>

    array (

      'count' => 1,

      0 => '805306368',

    ),

    31 => 'samaccounttype',

    'userprincipalname' =>

    array (

      'count' => 1,

      0 => 'test.user@mydomain.mydomain.de',

    ),

    32 => 'userprincipalname',

    'lockouttime' =>

    array (

      'count' => 1,

      0 => '0',

    ),

    33 => 'lockouttime',

    'objectcategory' =>

    array (

      'count' => 1,

      0 => 'CN=Person,CN=Schema,CN=Configuration,dc=MyActiveDirectory',

    ),

    34 => 'objectcategory',

    'dscorepropagationdata' =>

    array (

      'count' => 3,

      0 => '20210111164144.0Z',

      1 => '20201228231658.0Z',

      2 => '16010101000000.0Z',

    ),

    35 => 'dscorepropagationdata',

    'lastlogontimestamp' =>

    array (

      'count' => 1,

      0 => '132663400070044244',

    ),

    36 => 'lastlogontimestamp',

    'uid' =>

    array (

      'count' => 1,

      0 => 'test.user',

    ),

    37 => 'uid',

    'mssfu30name' =>

    array (

      'count' => 1,

      0 => 'test.user',

    ),

    38 => 'mssfu30name',

    'mssfu30nisdomain' =>

    array (

      'count' => 1,

      0 => 'mydomain',

    ),

    39 => 'mssfu30nisdomain',

    'uidnumber' =>

    array (

      'count' => 1,

      0 => '10006',

    ),

    40 => 'uidnumber',

    'gidnumber' =>

    array (

      'count' => 1,

      0 => '10000',

    ),

    41 => 'gidnumber',

    'unixhomedirectory' =>

    array (

      'count' => 1,

      0 => '/users/test.user',

    ),

    42 => 'unixhomedirectory',

    'loginshell' =>

    array (

      'count' => 1,

      0 => '/bin/bash',

    ),

    43 => 'loginshell',

    'count' => 44,

    'dn' => 'CN=test.user,CN=Users,dc=MyActiveDirectory',

  ),

)

2021-05-26 17:24:40 wiki-test my_wiki: ldap_bind( $linkID, $bindRDN = 'CN=test.user,CN=Users,dc=MyActiveDirectory', $bindPassword = 'XXXX' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_bind( $linkID, $bindRDN = 'CN=myldapuser,cn=users,dc=MyActiveDirectory', $bindPassword = 'XXXX' );

2021-05-26 17:24:40 wiki-test my_wiki: # returns 1

2021-05-26 17:24:40 wiki-test my_wiki: ldap_search( $linkID, $baseDN = 'cn=users,cd=mydomain,dc=mydomain,dc=de', $filter = '(samaccountname=test.user)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2021-05-26 17:24:40 wiki-test my_wiki: # returns Resource id #59

2021-05-26 17:24:40 wiki-test my_wiki: ldap_get_entries( $linkID, $resultID );

2021-05-26 17:24:40 wiki-test my_wiki: # returns: array (

  'count' => 0,

)

2021-05-26 17:24:40 wiki-test my_wiki: ldap_search( $linkID, $baseDN = 'cn=users,cd=mydomain,dc=mydomain,dc=de', $filter = '(samaccountname=)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2021-05-26 17:24:40 wiki-test my_wiki: # returns Resource id #75

2021-05-26 17:24:40 wiki-test my_wiki: ldap_get_entries( $linkID, $resultID );

2021-05-26 17:24:40 wiki-test my_wiki: # returns: array (

  'count' => 0,

)

Osnard (talkcontribs)

First, there are two strange entries in the logs:

  1. samaccountname=test.user --> 0 results
  2. samaccountname=<empty> --> 0 results

Looks like something is wrong with the DNs:

$baseDN = 'cn=users,dc=MyActiveDirectory',          $filter = '(samaccountname=test.user)'
$baseDN = 'cn=users,cd=mydomain,dc=mydomain,dc=de', $filter = '(samaccountname=test.user)'

No idea where this could come from. Do you have any?

Regarding the error message: I'd think Extension:LDAPAuthentication2 probably returns an empty string.

Maybe you want to debug here: https://github.com/wikimedia/mediawiki-extensions-LDAPAuthentication2/blob/1.0.2/src/PluggableAuth.php#L178


Do the regular PHP logs show anything? Like a "Notice" or "Warning" that something is not set?

134.60.112.70 (talkcontribs)

Thank you for the response.

The PHP logs do indeed show notices for samaccountname, cn and memberof not being set. This would mean that the LDAP connection does not work as intended. However, I am confused, since the initial login is working and the above-mentioned error message is only displayed if correct credentials are used. In other cases the error message says: <<Could not authenticate credentials against domain "myActiveDirectory">>

You mentioned there might be something wrong with the DNs. To be honest, I'm quite new to LDAP. But I have successfully used these baseDNs for multiple other applications like Nextcloud. So I don't know what would be wrong with these, but am open to information on what attribute might be missing. I also checked in my Active Directory and samaccountname is definitely set for the users, including the test user. So if the logs show "samaccountname=test.user --> 0 results" there must be something wrong with the query, right?


PHP Error Log:

2021-05-26 17:24:40 wiki-test my_wiki: [9d3354b584a8768e190b4853] /wiki/Spezial:PluggableAuthLogin   ErrorException from line 178 of /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: samaccountname

#0 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(178): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(48): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin(string, string, string, NULL, NULL, NULL)

#2 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)

#3 /var/www/mediawiki/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#4 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#5 /var/www/mediawiki/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#6 /var/www/mediawiki/includes/MediaWiki.php(940): MediaWiki->performRequest()

#7 /var/www/mediawiki/includes/MediaWiki.php(543): MediaWiki->main()

#8 /var/www/mediawiki/index.php(53): MediaWiki->run()

#9 /var/www/mediawiki/index.php(46): wfIndexMain()

#10 {main}

2021-05-26 17:24:40 wiki-test my_wiki: [9d3354b584a8768e190b4853] /wiki/Spezial:PluggableAuthLogin   ErrorException from line 179 of /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php: PHP Notice: Undefined index: cn

#0 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(179): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/www/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(48): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin(string, NULL, string, NULL, NULL, NULL)

#2 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, NULL, NULL, NULL, NULL)

#3 /var/www/mediawiki/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#4 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#5 /var/www/mediawiki/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#6 /var/www/mediawiki/includes/MediaWiki.php(940): MediaWiki->performRequest()

#7 /var/www/mediawiki/includes/MediaWiki.php(543): MediaWiki->main()

#8 /var/www/mediawiki/index.php(53): MediaWiki->run()

#9 /var/www/mediawiki/index.php(46): wfIndexMain()

#10 {main}

2021-05-26 17:24:40 wiki-test my_wiki: [9d3354b584a8768e190b4853] /wiki/Spezial:PluggableAuthLogin   ErrorException from line 17 of /var/www/mediawiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php: PHP Notice: Undefined index: memberof

#0 /var/www/mediawiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php(17): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/www/mediawiki/extensions/LDAPProvider/src/Client.php(361): MediaWiki\Extension\LDAPProvider\UserGroupsRequest\UserMemberOf->getUserGroups(string)

#2 /var/www/mediawiki/includes/libs/objectcache/BagOStuff.php(149): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}(integer)

#3 /var/www/mediawiki/extensions/LDAPProvider/src/Client.php(362): BagOStuff->getWithSetCallback(string, integer, Closure)

#4 /var/www/mediawiki/extensions/LDAPAuthorization/src/RequirementsChecker.php(69): MediaWiki\Extension\LDAPProvider\Client->getUserGroups(string)

#5 /var/www/mediawiki/extensions/LDAPAuthorization/src/RequirementsChecker.php(47): MediaWiki\Extension\LDAPAuthorization\RequirementsChecker->makeGroupRequirements(NULL, array)

#6 /var/www/mediawiki/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(82): MediaWiki\Extension\LDAPAuthorization\RequirementsChecker->allSatisfiedBy(NULL)

#7 /var/www/mediawiki/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(70): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->process()

#8 /var/www/mediawiki/includes/HookContainer/HookContainer.php(320): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback(User, boolean)

#9 /var/www/mediawiki/includes/HookContainer/HookContainer.php(131): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)

#10 /var/www/mediawiki/includes/Hooks.php(137): MediaWiki\HookContainer\HookContainer->run(string, array, array)

#11 /var/www/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(53): Hooks::run(string, array)

#12 /var/www/mediawiki/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)

#13 /var/www/mediawiki/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)

#14 /var/www/mediawiki/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)

#15 /var/www/mediawiki/includes/MediaWiki.php(940): MediaWiki->performRequest()

#16 /var/www/mediawiki/includes/MediaWiki.php(543): MediaWiki->main()

#17 /var/www/mediawiki/index.php(53): MediaWiki->run()

#18 /var/www/mediawiki/index.php(46): wfIndexMain()

#19 {main}

2001:7C0:3100:10:0:0:0:8C (talkcontribs)

Correction: The LDAP query does indeed return the correct attributes for the LDAP user. But still the PHP error says that cn and samaccountname are undefined.

Osnard (talkcontribs)

/CheckLogin.php and /ShowUserGroups.php

Summary by Guilherme bangemann

edit /var/www/wiki/extensions/LDAPProvider/src/UserGroupsRequest/GroupMember.php

LINE 31:

```
$groups = $this->ldapClient->search(
    "(objectClass=*)",
    // "(&(objectclass=group)(member=$userDN))",
    $baseDN, [ $dn ]
);
```

CHANGE "(&(objectclass=group)(member=$userDN))", TO "(objectClass=*)",.
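What that filter change does to the authorization rule, shown as an added Python example that is neither part of this thread nor of the LDAPProvider code. A small evaluator for LDAP search filters is run over a constructed directory (invented entries in an OpenLDAP-style tree whose groups are `groupOfNames`; that class is an assumption, since the thread never shows the group entries) with three filters side by side: the shipped `(&(objectclass=group)(member=...))`, the summary's `(objectClass=*)`, and a `groupOfNames` variant. The `required` DN and `groupbasedn` are taken from the posted config; `authorized()` is the example's own reading of the `required` rule, namely that every listed DN must appear in the user's group list.

```python
"""Evaluate LDAP search filters against a constructed directory to see what
the group-request filter in the summary does to LDAPAuthorization's
"required" groups rule.  All entries below are invented for the example."""

# Constructed OpenLDAP-style tree (not the real solis.coop.br directory).
# Attribute names are lower-cased, as ldap_get_entries() returns them.
DIRECTORY = [
    {"dn": "ou=users,dc=solis,dc=coop,dc=br",
     "attrs": {"objectclass": ["organizationalUnit"], "ou": ["users"]}},
    {"dn": "ou=groups,dc=solis,dc=coop,dc=br",
     "attrs": {"objectclass": ["organizationalUnit"], "ou": ["groups"]}},
    {"dn": "uid=alice,ou=users,dc=solis,dc=coop,dc=br",
     "attrs": {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]}},
    {"dn": "uid=bob,ou=users,dc=solis,dc=coop,dc=br",
     "attrs": {"objectclass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]}},
    {"dn": "cn=wiki-editors,ou=groups,dc=solis,dc=coop,dc=br",
     "attrs": {"objectclass": ["groupOfNames"], "cn": ["wiki-editors"],
               "member": ["uid=alice,ou=users,dc=solis,dc=coop,dc=br"]}},
]
GROUP_BASE_DN = "dc=solis,dc=coop,dc=br"   # groupbasedn from the posted config

# {user_dn} is substituted per login, as $userDN is in GroupMember.php.
FILTER_SHIPPED = "(&(objectclass=group)(member={user_dn}))"   # AD class name; no such class here
FILTER_SUMMARY = "(objectClass=*)"                             # the summary's replacement
FILTER_GROUPOFNAMES = "(&(objectClass=groupOfNames)(member={user_dn}))"  # assumed real group class


def _split_top_level(s):
    """Split '(a)(b)' into ['(a)', '(b)'] by tracking parenthesis depth."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry, filt):
    """Evaluate a subset of RFC 4515 filters: (attr=value), (attr=*), &, |, !.
    Attribute names and values are compared case-insensitively."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [matches(entry, sub) for sub in _split_top_level(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")   # first '=' only: the value may itself be a DN
    values = [v.lower() for v in entry["attrs"].get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def group_dns(directory, base_dn, filt):
    """The DNs the group request returns: every entry under base_dn that the
    filter matches (the search("...", $baseDN, [ $dn ]) call in the summary)."""
    base = base_dn.lower()
    return [e["dn"] for e in directory
            if e["dn"].lower().endswith(base) and matches(e, filt)]


def authorized(directory, user_dn, filter_template, base_dn, required):
    """The example's reading of the 'required' rule: every DN listed in
    `required` must be in the user's group list."""
    groups = {g.lower() for g in
              group_dns(directory, base_dn, filter_template.format(user_dn=user_dn))}
    return all(r.lower() in groups for r in required)


if __name__ == "__main__":
    alice = "uid=alice,ou=users,dc=solis,dc=coop,dc=br"
    bob = "uid=bob,ou=users,dc=solis,dc=coop,dc=br"
    required = ["ou=users,dc=solis,dc=coop,dc=br"]    # from the posted config
    for name, flt in [("shipped", FILTER_SHIPPED), ("summary", FILTER_SUMMARY),
                      ("groupOfNames", FILTER_GROUPOFNAMES)]:
        print(name, "alice's groups:", group_dns(DIRECTORY, GROUP_BASE_DN, flt.format(user_dn=alice)))
        print(name, "authorized alice/bob:",
              authorized(DIRECTORY, alice, flt, GROUP_BASE_DN, required),
              authorized(DIRECTORY, bob, flt, GROUP_BASE_DN, required))
```

Running it shows the trade-off: the shipped AD-style filter returns no groups in a tree without `objectclass=group`, so the `required` rule can never pass; `(objectClass=*)` returns the DN of every entry under `groupbasedn`, so the rule passes for every authenticated user, including `bob`, who is in no group; a filter naming the directory's real group class returns the actual membership and keeps the rule meaningful.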

Guilherme bangemann (talkcontribs)

I'm getting an error on CheckLogin.php and "null" on ShowUserGroups.php:


Command Line


user@userpc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain solis --username guilherme_bangemann

objectclass =>

  0 => sambaSamAccount

  1 => shadowAccount

  2 => posixAccount

  3 => inetOrgPerson

  4 => organizationalPerson

  5 => person

  sambadomainname => SOLIS

  displayname => Guilherme Keunecke Bangemann

  sambahomedrive => U:

  sambakickofftime => 1893463200

  sambaprimarygroupsid => S-1-5-21-2804338137-552302570-2244938293-513

  sambaacctflags => [XU         ]

  sambasid => S-1-5-21-2804338137-552302570-2244938293-21792

  shadowwarning => 10

  shadowinactive => 10

  shadowmin => 1

  shadowmax => 365

  homedirectory => /home/guilherme

  loginshell => /bin/bash

  gidnumber => 10001

  cn => Guilherme Keunecke Bangemann

  uidnumber => 10396

  sn => Bangemann

  givenname => Guilherme Keunecke

  departmentnumber => Setor de Infraestrutura

  uid => guilherme_bangemann

  mail => guilherme_bangemann@solis.com.br

  sambantpassword => A7C1B218F8E637AA62F59D31F76DFBCD

  sambapwdlastset => 1559650352

  shadowlastchange => 18051

  userpassword => {CRYPT}$1$wn6dubOY$obSU01DXY2wolpTXxXLEq1

  dn => uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

user@userpc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain solis --username guilherme_bangemann

Full DNs:

Short names:

user@userpc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/CheckLogin.php --domain solis --username guilherme_bangemann

Password:userpassword

FAILED



LocalSettings.php


```
wfLoadExtensions( [
    'PluggableAuth',
    'LDAPProvider',
    'LDAPAuthentication2',
    'LDAPAuthorization',
    'LDAPUserInfo',
    'LDAPGroups'
] );

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        "solis" => [
            "connection" => [
                "port" => 389,
                "enctype" => "clear",
                "server" => "ldapslave.solis.com.br",
                "user"   => "uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br",
                "pass"   => "userpassword",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn"            => "dc=solis,dc=coop,dc=br",
                "groupbasedn"       => "dc=solis,dc=coop,dc=br",
                "userbasedn"        => "dc=solis,dc=coop,dc=br",
                "searchattribute"   => "uid",
                "searchstring"      => "solis\\USER-NAME",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute"    => "mail",
                "grouprequest"      => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "groupsync" => [
                "mechanism" => "allgroups",
            ],
            "userinfo" => [
                "attributes-map" => [
                    "realname" => "cn"
                ]
            ],
            "authorization" => [
                "rules" => [
                    "groups" => [
                        "required" => [ "ou=users,dc=solis,dc=coop,dc=br" ]
                    ]
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgPluggableAuth_ButtonLabel = null;
$wgPluggableAuth_ExtraLoginFields = [];
```



Guilherme bangemann (talkcontribs)

Please @Osnard could you help me with this problem?

When I try to login in my wiki, I get the message: Could not authenticate credentials against domain "solis"


cat debugLDAP-wiki.log


IP: 127.0.0.1

Start command line script extensions/LDAPProvider/maintenance/CheckLogin.php

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: APCBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "127.0.0.1",

    "UserAgent": false,

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

IP: 127.0.0.1

Start command line script extensions/LDAPProvider/maintenance/ShowUserGroups.php

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: APCBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "127.0.0.1",

    "UserAgent": false,

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[error] [15122d2a2917e2206b29694d] [no req]   ErrorException from line 19 of /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php: PHP Notice: Undefined index: memberof

#0 /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php(19): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/lib/wiki/extensions/LDAPProvider/src/Client.php(346): MediaWiki\Extension\LDAPProvider\UserGroupsRequest\UserMemberOf->getUserGroups(string)

#2 /var/lib/wiki/includes/libs/objectcache/BagOStuff.php(159): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}()

#3 /var/lib/wiki/extensions/LDAPProvider/src/Client.php(347): BagOStuff->getWithSetCallback(string, integer, Closure)

#4 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(48): MediaWiki\Extension\LDAPProvider\Client->getUserGroups(string)

#5 /var/lib/wiki/maintenance/doMaintenance.php(94): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->execute()

#6 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(71): require_once(string)

#7 {main}

[error] [15122d2a2917e2206b29694d] [no req]   ErrorException from line 59 of /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php: PHP Warning: Invalid argument supplied for foreach()

#0 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(59): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(50): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->showValue(MediaWiki\Extension\LDAPProvider\GroupList)

#2 /var/lib/wiki/maintenance/doMaintenance.php(94): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->execute()

#3 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(71): require_once(string)

#4 {main}

[error] [15122d2a2917e2206b29694d] [no req]   ErrorException from line 52 of /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php: PHP Warning: Invalid argument supplied for foreach()

#0 /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php(52): MWExceptionHandler::handleError(integer, string, string, integer, array)

#1 /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php(32): MediaWiki\Extension\LDAPProvider\GroupList->makeShortNames()

#2 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(64): MediaWiki\Extension\LDAPProvider\GroupList->getShortNames()

#3 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(50): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->showValue(MediaWiki\Extension\LDAPProvider\GroupList)

#4 /var/lib/wiki/maintenance/doMaintenance.php(94): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserGroups->execute()

#5 /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php(71): require_once(string)

#6 {main}

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.

IP: 127.0.0.1

Start command line script extensions/LDAPProvider/maintenance/ShowUserInfo.php

[caches] cluster: APCBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: APCBagOStuff, session: APCBagOStuff

[caches] LocalisationCache: using store LCStoreDB

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.

[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {

    "IPAddress": "127.0.0.1",

    "UserAgent": false,

    "ChronologyProtection": false,

    "ChronologyPositionIndex": 0

}

[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: connected to database 0 at 'localhost'.

[DBConnection] Wikimedia\Rdbms\{closure}: closing connection to database 'localhost'.



cat LDAP.log


2019-09-17 17:50:01 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-17 17:50:01 guilherme-pc wiki: # __METHOD__ returns Resource id #198

2019-09-17 17:50:01 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-17 17:50:01 guilherme-pc wiki: # returns 1

2019-09-17 17:50:01 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-17 17:50:01 guilherme-pc wiki: # returns 1

2019-09-17 17:50:01 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-17 17:50:01 guilherme-pc wiki: # returns 1

2019-09-17 17:50:01 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-17 17:50:02 guilherme-pc wiki: # returns 1

2019-09-17 17:50:02 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'solis\guilherme_bangemann', $bindPassword = 'XXXX' );

2019-09-17 17:50:02 guilherme-pc wiki: # returns

2019-09-17 17:50:07 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-17 17:50:07 guilherme-pc wiki: # __METHOD__ returns Resource id #198

2019-09-17 17:50:07 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-17 17:50:07 guilherme-pc wiki: # returns 1

2019-09-17 17:50:07 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-17 17:50:07 guilherme-pc wiki: # returns Resource id #216

2019-09-17 17:50:07 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-17 17:50:07 guilherme-pc wiki: # returns: array (

  'count' => 1,

  0 =>

  array (

    'objectclass' =>

    array (

      'count' => 6,

      0 => 'sambaSamAccount',

      1 => 'shadowAccount',

      2 => 'posixAccount',

      3 => 'inetOrgPerson',

      4 => 'organizationalPerson',

      5 => 'person',

    ),

    0 => 'objectclass',

    'sambadomainname' =>

    array (

      'count' => 1,

      0 => 'SOLIS',

    ),

    1 => 'sambadomainname',

    'displayname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    2 => 'displayname',

    'sambahomedrive' =>

    array (

      'count' => 1,

      0 => 'U:',

    ),

    3 => 'sambahomedrive',

    'sambakickofftime' =>

    array (

      'count' => 1,

      0 => '1893463200',

    ),

    4 => 'sambakickofftime',

    'sambaprimarygroupsid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-513',

    ),

    5 => 'sambaprimarygroupsid',

    'sambaacctflags' =>

    array (

      'count' => 1,

      0 => '[XU         ]',

    ),

    6 => 'sambaacctflags',

    'sambasid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-21792',

    ),

    7 => 'sambasid',

    'shadowwarning' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    8 => 'shadowwarning',

    'shadowinactive' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    9 => 'shadowinactive',

    'shadowmin' =>

    array (

      'count' => 1,

      0 => '1',

    ),

    10 => 'shadowmin',

    'shadowmax' =>

    array (

      'count' => 1,

      0 => '365',

    ),

    11 => 'shadowmax',

    'homedirectory' =>

    array (

      'count' => 1,

      0 => '/home/guilherme',

    ),

    12 => 'homedirectory',

    'loginshell' =>

    array (

      'count' => 1,

      0 => '/bin/bash',

    ),

    13 => 'loginshell',

    'gidnumber' =>

    array (

      'count' => 1,

      0 => '10001',

    ),

    14 => 'gidnumber',

    'cn' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    15 => 'cn',

    'uidnumber' =>

    array (

      'count' => 1,

      0 => '10396',

    ),

    16 => 'uidnumber',

    'sn' =>

    array (

      'count' => 1,

      0 => 'Bangemann',

    ),

    17 => 'sn',

    'givenname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke',

    ),

    18 => 'givenname',

    'departmentnumber' =>

    array (

      'count' => 1,

      0 => 'Setor de Infraestrutura',

    ),

    19 => 'departmentnumber',

    'uid' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann',

    ),

    20 => 'uid',

    'mail' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann@solis.com.br',

    ),

    21 => 'mail',

    'sambantpassword' =>

    array (

      'count' => 1,

      0 => 'A7C1B218F8E637AA62F59D31F76DFBCD',

    ),

    22 => 'sambantpassword',

    'sambapwdlastset' =>

    array (

      'count' => 1,

      0 => '1559650352',

    ),

    23 => 'sambapwdlastset',

    'shadowlastchange' =>

    array (

      'count' => 1,

      0 => '18051',

    ),

    24 => 'shadowlastchange',

    'userpassword' =>

    array (

      'count' => 1,

      0 => '{CRYPT}$1$wn6dubOY$obSU01DXY2wolpTXxXLEq1',

    ),

    25 => 'userpassword',

    'count' => 26,

    'dn' => 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br',

  ),

)

2019-09-17 17:50:12 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-17 17:50:12 guilherme-pc wiki: # __METHOD__ returns Resource id #198

2019-09-17 17:50:12 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-17 17:50:12 guilherme-pc wiki: # returns 1

2019-09-17 17:50:12 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-17 17:50:12 guilherme-pc wiki: # returns Resource id #214

2019-09-17 17:50:12 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-17 17:50:12 guilherme-pc wiki: # returns: array (

  'count' => 1,

  0 =>

  array (

    'objectclass' =>

    array (

      'count' => 6,

      0 => 'sambaSamAccount',

      1 => 'shadowAccount',

      2 => 'posixAccount',

      3 => 'inetOrgPerson',

      4 => 'organizationalPerson',

      5 => 'person',

    ),

    0 => 'objectclass',

    'sambadomainname' =>

    array (

      'count' => 1,

      0 => 'SOLIS',

    ),

    1 => 'sambadomainname',

    'displayname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    2 => 'displayname',

    'sambahomedrive' =>

    array (

      'count' => 1,

      0 => 'U:',

    ),

    3 => 'sambahomedrive',

    'sambakickofftime' =>

    array (

      'count' => 1,

      0 => '1893463200',

    ),

    4 => 'sambakickofftime',

    'sambaprimarygroupsid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-513',

    ),

    5 => 'sambaprimarygroupsid',

    'sambaacctflags' =>

    array (

      'count' => 1,

      0 => '[XU         ]',

    ),

    6 => 'sambaacctflags',

    'sambasid' =>

    array (

      'count' => 1,

      0 => 'S-1-5-21-2804338137-552302570-2244938293-21792',

    ),

    7 => 'sambasid',

    'shadowwarning' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    8 => 'shadowwarning',

    'shadowinactive' =>

    array (

      'count' => 1,

      0 => '10',

    ),

    9 => 'shadowinactive',

    'shadowmin' =>

    array (

      'count' => 1,

      0 => '1',

    ),

    10 => 'shadowmin',

    'shadowmax' =>

    array (

      'count' => 1,

      0 => '365',

    ),

    11 => 'shadowmax',

    'homedirectory' =>

    array (

      'count' => 1,

      0 => '/home/guilherme',

    ),

    12 => 'homedirectory',

    'loginshell' =>

    array (

      'count' => 1,

      0 => '/bin/bash',

    ),

    13 => 'loginshell',

    'gidnumber' =>

    array (

      'count' => 1,

      0 => '10001',

    ),

    14 => 'gidnumber',

    'cn' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke Bangemann',

    ),

    15 => 'cn',

    'uidnumber' =>

    array (

      'count' => 1,

      0 => '10396',

    ),

    16 => 'uidnumber',

    'sn' =>

    array (

      'count' => 1,

      0 => 'Bangemann',

    ),

    17 => 'sn',

    'givenname' =>

    array (

      'count' => 1,

      0 => 'Guilherme Keunecke',

    ),

    18 => 'givenname',

    'departmentnumber' =>

    array (

      'count' => 1,

      0 => 'Setor de Infraestrutura',

    ),

    19 => 'departmentnumber',

    'uid' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann',

    ),

    20 => 'uid',

    'mail' =>

    array (

      'count' => 1,

      0 => 'guilherme_bangemann@solis.com.br',

    ),

    21 => 'mail',

    'sambantpassword' =>

    array (

      'count' => 1,

      0 => 'A7C1B218F8E637AA62F59D31F76DFBCD',

    ),

    22 => 'sambantpassword',

    'sambapwdlastset' =>

    array (

      'count' => 1,

      0 => '1559650352',

    ),

    23 => 'sambapwdlastset',

    'shadowlastchange' =>

    array (

      'count' => 1,

      0 => '18051',

    ),

    24 => 'shadowlastchange',

    'userpassword' =>

    array (

      'count' => 1,

      0 => '{CRYPT}$1$wn6dubOY$obSU01DXY2wolpTXxXLEq1',

    ),

    25 => 'userpassword',

    'count' => 26,

    'dn' => 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br',

  ),

)



cat LDAPProvider.log


2019-09-17 17:50:01 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-17 17:50:01 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-17 17:50:01 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-17 17:50:02 guilherme-pc wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'solis\guilherme_bangemann'

2019-09-17 17:50:07 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-17 17:50:07 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-17 17:50:07 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-17 17:50:07 guilherme-pc wiki: Ran LDAP search for '(uid=guilherme_bangemann)' in 0.0060989856719971 seconds.

2019-09-17 17:50:12 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-17 17:50:12 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-17 17:50:12 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-17 17:50:12 guilherme-pc wiki: Ran LDAP search for '(uid=guilherme_bangemann)' in 0.0033810138702393 seconds.



cat PluggableAuth.log


2019-09-17 17:50:41 guilherme-pc wiki: In execute()

2019-09-17 17:50:41 guilherme-pc wiki: Getting PluggableAuth singleton

2019-09-17 17:50:41 guilherme-pc wiki: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2019-09-17 17:50:41 guilherme-pc wiki: Authentication failure.

2019-09-17 17:50:41 guilherme-pc wiki: ERROR: Could not authenticate credentials against domain "solis"



Guilherme bangemann (talkcontribs)

## LOGS

$wgDebugLogFile = "/var/log/wiki/debugLDAP-{$wgDBname}.log";

$wgDebugLogGroups['PluggableAuth'] = "/var/log/wiki/PluggableAuth.log";

$wgDebugLogGroups['LDAP'] = "/var/log/wiki/LDAP.log";

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "/var/log/wiki/LDAPProvider.log";

$wgDebugLogGroups['LDAPGroups'] = "/var/log/wiki/LDAPGroups.log";

$wgDebugLogGroups['LDAPUserInfo'] = "/var/log/wiki/LDAPUserInfo.log";

$wgDebugLogGroups['LDAPAuthorization'] = "/var/log/wiki/LDAPAuthorization.log";

Osnard (talkcontribs)

I can see two things here:

  1. The search string "searchstring" => "solis\\USER-NAME", looks odd. This should probably be "searchstring" => "uid=USER-NAME,ou=users,dc=solis,dc=coop,dc=br",. Please also try to unset "searchstring" completely.
  2. You have configured "GroupMember" as "grouprequest", yet I can see from the logs that "UserMemberOf" is used. Therefore no user groups are being returned. I cannot explain this behavior, but it is probably not connected to the "authentication" issue. It would only be an issue when it comes to "authorization" (after "authentication").
Guilherme bangemann (talkcontribs)
  1. "searchstring" => uid=USER-NAME,ou=users,dc=solis,dc=coop,dc=br OK -- I'll try to unset it completely to see the 'return'.
  2. Yes, I see that now. And thank you! I'll put the logs here. Another question... So is the problem in Authorization and Authentication?
Guilherme bangemann (talkcontribs)

Question:

- Why is it authenticating a new user if the user already exists? I'll look at the Authentication and Authorization configuration page.


BASH


guilherme_bangemann@guilherme-pc:/var/www/wiki$ sudo php extensions/LDAPProvider/maintenance/CheckLogin.php -d solis -u guilherme_bangemann

Password:********

OK



WIKI


When I try to log in on the site:

User guilherme_bangemann not autorized



LDAP.log


2019-09-19 12:04:21 guilherme-pc wiki: ldap_connect( $hostname = 'ldap://ldapslave.solis.com.br:389', $port = 389 );

2019-09-19 12:04:21 guilherme-pc wiki: # __METHOD__ returns Resource id #21

2019-09-19 12:04:21 guilherme-pc wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_bind( $linkID, $bindRDN = 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br', $bindPassword = 'XXXX' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-19 12:04:21 guilherme-pc wiki: # returns Resource id #42

2019-09-19 12:04:21 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-19 12:04:21 guilherme-pc wiki: # returns: array ( ... )


2019-09-19 12:04:21 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(uid=guilherme_bangemann)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-19 12:04:21 guilherme-pc wiki: # returns Resource id #55

2019-09-19 12:04:21 guilherme-pc wiki: ldap_count_entries( $linkiID, $result = 'Resource id #55' );

2019-09-19 12:04:21 guilherme-pc wiki: # returns 1

2019-09-19 12:04:21 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-19 12:04:21 guilherme-pc wiki: # returns: array ( ... )


2019-09-19 12:04:21 guilherme-pc wiki: ldap_search( $linkID, $baseDN = 'dc=solis,dc=coop,dc=br', $filter = '(&(objectclass=group)(member=uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br))', $attributes = [ 'dn' ], $attrsonly = , $sizelimit = , $timelimit = , $deref =  );

2019-09-19 12:04:21 guilherme-pc wiki: # returns Resource id #63

2019-09-19 12:04:21 guilherme-pc wiki: ldap_get_entries( $linkID, $resultID );

2019-09-19 12:04:21 guilherme-pc wiki: # returns: array (

  'count' => 0,

)



LDAPProvider.log


2019-09-19 12:04:21 guilherme-pc wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2019-09-19 12:04:21 guilherme-pc wiki: Setting LDAP_OPT_REFERRALS to 0

2019-09-19 12:04:21 guilherme-pc wiki: Setting LDAP_OPT_DEREF to 1

2019-09-19 12:04:21 guilherme-pc wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br'

2019-09-19 12:04:21 guilherme-pc wiki: Ran LDAP search for '(uid=guilherme_bangemann)' in 0.0050511360168457 seconds.

2019-09-19 12:04:21 guilherme-pc wiki: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (

  'base' => 'dc=solis,dc=coop,dc=br',

  'filter' => '(uid=guilherme_bangemann)',

  'attributes' =>

  array (

    0 => '*',

    1 => 'memberof',

  ),

)

2019-09-19 12:04:21 guilherme-pc wiki: Found user DN: 'uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br'

2019-09-19 12:04:21 guilherme-pc wiki: Ran LDAP search for '(&(objectclass=group)(member=uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br))' in 0.0033600330352783 seconds.



PluggableAuth.log


2019-09-19 12:04:21 guilherme-pc wiki: In execute()

2019-09-19 12:04:21 guilherme-pc wiki: Getting PluggableAuth singleton

2019-09-19 12:04:21 guilherme-pc wiki: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2019-09-19 12:04:21 guilherme-pc wiki: Authenticated new user: guilherme_bangemann

2019-09-19 12:04:21 guilherme-pc wiki: Authorization failure.




Osnard (talkcontribs)

So, as CheckLogin.php returns OK, we can assume that authentication works. Also the error message on the form-based authentication is "User guilherme_bangemann not authorized". So the reason must be in the authorization part.

From your config I can see that you restrict login capability to users from LDAP group "ou=users,dc=solis,dc=coop,dc=br" (actually, this does not look like a usual group DN). Is this group listed when you execute ShowUserGroups.php for that particular user?

Guilherme bangemann (talkcontribs)

When I execute ShowUserGroups.php for this user "guilherme_bangemann", it returns nothing (null).

php extensions/LDAPProvider/maintenance/ShowUserGroups.php -d solis -u guilherme_bangemann

Full DNs:

Short names:


LocalSettings.php


...

"grouprequest"      => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"

                        ],

                        "groupsync" => [

                                "mechanism" => "mappedgroups",

                                "mapping" => [

                                        "users" => "ou=users,dc=solis,dc=coop,dc=br",

                                        "mailaliases" => "ou=mailaliases,dc=solis,dc=coop,dc=br",

                                        "groups" => "ou=groups,dc=solis,dc=coop,dc=br"

                                ] ...

... "authorization" => [

                                "rules" => [

                                        "attributes" => [

                                        ],

                                        "groups" => [

                                                "required" => [ "ou=users" ]

                                        ] ...


$wgSyncMechanismRegistry = "mappedgroups";

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = false;

$wgAutoAuthRemoteUserStringParser = "domain-backslash-username"; //"username-at-domain";

Guilherme bangemann (talkcontribs)

When I execute this command ldapsearch -b dc=solis,dc=coop,dc=br -W -h ldapslave.solis.com.br -D uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br it returns all LDAP users, and I saw that there are other groups, like mailaliases and groups


# guilherme_bangemann, users, solis.coop.br

dn: uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

objectClass: sambaSamAccount

objectClass: shadowAccount

objectClass: posixAccount

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

sambaDomainName: SOLIS

displayName: Guilherme Keunecke Bangemann

sambaHomeDrive: U:

sambaKickoffTime: **********

sambaPrimaryGroupSID: ***********

sambaAcctFlags: [**         ]

sambaSID: **********

shadowWarning: 10

shadowInactive: 10

shadowMin: 1

shadowMax: 365

homeDirectory: /home/guilherme

loginShell: /bin/bash

gidNumber: ******

cn: Guilherme Keunecke Bangemann

uidNumber: ******

sn: Bangemann

givenName: Guilherme Keunecke

departmentNumber: Setor de Infraestrutura

uid: guilherme_bangemann

mail: guilherme_bangemann@solis.com.br

sambaNTPassword: ******************************

sambaPwdLastSet: *************

shadowLastChange: ******

userPassword:: *********************************************************



Osnard (talkcontribs)

If ShowUserGroups.php returns nothing, it is clear that authorization fails, as you have set a required group. You will probably need to configure a different grouprequest. At the moment you have MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory. Please try

  • MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory
  • MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory

and test each with ShowUserGroups.php.

Guilherme bangemann (talkcontribs)

MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory

Returns the same thing as when I use GroupMember.


MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory

sudo php extensions/LDAPProvider/maintenance/ShowUserGroups.php -d solis -u guilherme_bangemann

PHP Notice:  Undefined index: memberof in /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 19

Notice: Undefined index: memberof in /var/lib/wiki/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 19

Full DNs:

PHP Warning:  Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php on line 59

Warning: Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php on line 59

Short names:

PHP Warning:  Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php on line 52

Warning: Invalid argument supplied for foreach() in /var/lib/wiki/extensions/LDAPProvider/src/GroupList.php on line 52



Maybe "groupsync" => [ or "authorization" => [ ?? Or is this OK in my config?

Osnard (talkcontribs)

Okay, obviously MemberOf is not the right choice. So it should be GroupMember or GroupUniqueMember. Can you please give me an example of a "group" object in your LDAP? Full DN and attributes?

BTW: In authorization.rules.groups.required you should use a full group DN. The value "ou=users" is probably wrong. It should probably be "ou=users,dc=solis,dc=coop,dc=br".

Guilherme bangemann (talkcontribs)

FULL DN and attributes examples:


# felipe_dahmer, users, solis.coop.br

dn: uid=felipe_dahmer,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Felipe Augusto Dahmer

uid: felipe_dahmer

cn: Felipe Augusto Dahmer

mail: felipe_dahmer@solis.com.br

sn: Dahmer


# janete, users, solis.coop.br

dn: uid=janete,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Janete Becker

uid: janete

cn: Janete Becker

mail: janete@solis.com.br

sn: Becker


# solis-pml, mailaliases, solis.coop.br

dn: cn=solis-pml,ou=mailaliases,dc=solis,dc=coop,dc=br

objectClass: nisMailAlias

cn: solis-pml


# alerta-ucpel, mailaliases, solis.coop.br

dn: cn=alerta-ucpel,ou=mailaliases,dc=solis,dc=coop,dc=br

cn: alerta-ucpel


# guilherme_bangemann, users, solis.coop.br

dn: uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Guilherme Keunecke Bangemann

cn: Guilherme Keunecke Bangemann

sn: Bangemann

uid: guilherme_bangemann

mail: guilherme_bangemann@solis.com.br


# sandroroberto, users, solis.coop.br

dn: uid=sandroroberto,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Sandro Roberto Thome

cn: Sandro Roberto Thome

sn: Thome

uid: sandroroberto

mail: sandroroberto@solis.com.br


# newsletter, users, solis.coop.br

dn: uid=newsletter,ou=users,dc=solis,dc=coop,dc=br

sambaDomainName: SOLIS

displayName: Newsletter Solis

uid: newsletter

cn: Newsletter Solis

mail: newsletter@solis.com.br

sn: Solis



ALL ATTRIBUTES to filter:


# guilherme_bangemann, users, solis.coop.br

dn: uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

objectClass:

sambaDomainName:

displayName:

sambaHomeDrive:

sambaKickoffTime:

sambaPrimaryGroupSID:

sambaAcctFlags:

sambaSID:

shadowWarning:

shadowInactive:

shadowMin:

shadowMax:

homeDirectory:

loginShell:

gidNumber:

cn:

uidNumber:

sn:

givenName:

departmentNumber:

uid:

mail:

sambaNTPassword:

sambaPwdLastSet:

shadowLastChange:

userPassword::

Guilherme bangemann (talkcontribs)

OK, I changed the code here: sudo vim www/wiki/extensions/LDAPProvider/src/UserGroupsRequest/GroupMember.php


LINE 31:

```
$groups = $this->ldapClient->search(
        "(objectClass=*)",
        // "(&(objectclass=group)(member=$userDN))",
        $baseDN, [ $dn ]
);
```

I just put "(objectClass=*)",

and commented "(&(objectclass=group)(member=$userDN))",


It RETURNED the FULL DNs of ALL members and ALL their short names... How can I filter this to return just my DN and my short name?:

guilherme_bangemann@guilherme-pc:/var/www/wiki$ sudo php /var/www/wiki/extensions/LDAPProvider/maintenance/ShowUserGroups.php -d solis -u guilherme_bangemann

Full DNs:

dc=solis,dc=coop,dc=br

ou=users,dc=solis,dc=coop,dc=br

ou=groups,dc=solis,dc=coop,dc=br

ou=computers,dc=solis,dc=coop,dc=br

uid=niumar,ou=users,dc=solis,dc=coop,dc=br

cn=solis,ou=groups,dc=solis,dc=coop,dc=br

uid=taffarel,ou=users,dc=solis,dc=coop,dc=br

uid=guilherme_bangemann,ou=users,dc=solis,dc=coop,dc=br

uid=sandroroberto,ou=users,dc=solis,dc=coop,dc=br

uid=newsletter,ou=users,dc=solis,dc=coop,dc=br

Short names:

solis

users

groups

computers

...

lucas_horn

felipe_dahmer

janete

solis-pml

alerta-ucpel

guilherme_bangemann

sandroroberto

...

newsletter

Osnard (talkcontribs)

Okay, so this change made it work? If so, we can assume this to be a bug and put a configuration option into the extension.

Guilherme bangemann (talkcontribs)

It's working. I tried with 2 members of the group users. I'll try with other groups and then I'll return here.

About the "bug", it may be a bug, but I can't be sure. It would be good to put a configuration option into the extension; this would help others.


Thank you @Osnard. When I'm sure, I'll close the ticket.. OK? :D


Osnard (talkcontribs)
Guilherme bangemann (talkcontribs)

Ok! Thank You!

I think it's ok from now.. Thank you @Osnard for your attention. Any problem I'll re-open this ticket.


edit /var/www/wiki/extensions/LDAPProvider/src/UserGroupsRequest/GroupMember.php

LINE 31:

```
$groups = $this->ldapClient->search(
        "(objectClass=*)",
        // "(&(objectclass=group)(member=$userDN))",
        $baseDN, [ $dn ]
);
```

CHANGE "(&(objectclass=group)(member=$userDN))", TO "(objectClass=*)",.

Osnard (talkcontribs)

This change looks strange. This basically means that you query _all_ LDAP objects (users, groups, etc.) and not just group objects that are assigned to a certain user. Are you sure this search delivers the required information?
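As an added illustration of the group-lookup discussion above (example code written for this page, not LDAPProvider's own; `search`, `matches`, `isAuthorized` and the in-memory directory are hypothetical helpers), the following PHP runs the filters from the thread over a constructed copy of the directory layout the logs show. The `(&(objectclass=group)(member=...))` filter is the one quoted from GroupMember.php; the posixGroup/memberUid filter is an assumption about how `cn=solis,ou=groups,...` might be defined, which the thread never confirms. It makes Osnard's concern concrete: with `(objectClass=*)` every object under the base DN is reported as a group of every user, so a `required` group such as `ou=users,dc=solis,dc=coop,dc=br` is "held" by any account that can bind, and the authorization rule no longer excludes anyone.

```php
<?php
declare(strict_types=1);

// Constructed directory (not the page's data): attribute names are lower-case,
// as ldap_get_entries() returns them. The posixGroup entry is an assumption.
function sampleDirectory(): array {
    $base = 'dc=solis,dc=coop,dc=br';
    return [
        $base                                    => ['objectclass' => ['dcObject']],
        "ou=users,$base"                         => ['objectclass' => ['organizationalUnit']],
        "ou=groups,$base"                        => ['objectclass' => ['organizationalUnit']],
        "uid=guilherme_bangemann,ou=users,$base" => ['objectclass' => ['posixAccount'], 'uid' => ['guilherme_bangemann']],
        "uid=newsletter,ou=users,$base"          => ['objectclass' => ['posixAccount'], 'uid' => ['newsletter']],
        "cn=solis,ou=groups,$base"               => ['objectclass' => ['posixGroup'], 'memberuid' => ['guilherme_bangemann']],
    ];
}

// Split "(a=b)(c=d)" into its top-level components, honouring nested parentheses.
function splitComponents(string $s): array {
    $parts = []; $depth = 0; $start = 0;
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '(') {
            if ($depth === 0) { $start = $i; }
            $depth++;
        } elseif ($s[$i] === ')' && --$depth === 0) {
            $parts[] = substr($s, $start, $i - $start + 1);
        }
    }
    return $parts;
}

// Minimal evaluator for the filter shapes used on this page:
// (attr=value), (attr=*) and (&(f1)(f2)...). Comparisons are case-insensitive.
function matches(array $entry, string $filter): bool {
    $filter = trim($filter);
    if ($filter === '' || $filter[0] !== '(' || substr($filter, -1) !== ')') {
        throw new InvalidArgumentException("unsupported filter: $filter");
    }
    $inner = substr($filter, 1, -1);
    if ($inner !== '' && $inner[0] === '&') {
        foreach (splitComponents(substr($inner, 1)) as $component) {
            if (!matches($entry, $component)) { return false; }
        }
        return true;
    }
    if (strpos($inner, '=') === false) {
        throw new InvalidArgumentException("unsupported filter: $filter");
    }
    [$attr, $value] = explode('=', $inner, 2);
    $values = $entry[strtolower($attr)] ?? [];
    if ($value === '*') { return $values !== []; }   // presence test
    foreach ($values as $v) {
        if (strcasecmp($v, $value) === 0) { return true; }
    }
    return false;
}

// DNs under $baseDN whose entry matches $filter (the DNs ldap_search would hand back).
function search(array $directory, string $baseDN, string $filter): array {
    $hits = [];
    foreach ($directory as $dn => $entry) {
        $underBase = strcasecmp(substr($dn, -strlen($baseDN)), $baseDN) === 0;
        if ($underBase && matches($entry, $filter)) { $hits[] = $dn; }
    }
    return $hits;
}

// The filter GroupMember.php uses, as quoted in the thread.
function groupMemberFilter(string $userDN): string {
    return "(&(objectclass=group)(member=$userDN))";
}

// Assumed alternative for posixGroup entries, which list members by uid rather than DN.
function posixGroupFilter(string $uid): string {
    return "(&(objectClass=posixGroup)(memberUid=$uid))";
}

// The "required" rule from the page: the user must hold at least one of the listed group DNs.
function isAuthorized(array $userGroups, array $requiredGroups): bool {
    foreach ($requiredGroups as $required) {
        foreach ($userGroups as $held) {
            if (strcasecmp($held, $required) === 0) { return true; }
        }
    }
    return false;
}

$dir      = sampleDirectory();
$base     = 'dc=solis,dc=coop,dc=br';
$required = ['ou=users,dc=solis,dc=coop,dc=br'];   // the page's configured required group
foreach (['guilherme_bangemann', 'newsletter'] as $uid) {
    $userDN = "uid=$uid,ou=users,$base";
    $byGroupMember = search($dir, $base, groupMemberFilter($userDN)); // no entry here carries objectclass=group
    $byEverything  = search($dir, $base, '(objectClass=*)');          // the patched filter: every object under the base
    $byPosixGroup  = search($dir, $base, posixGroupFilter($uid));      // only groups that actually list this uid
    printf("%-20s GroupMember:%s  objectClass=*:%s  posixGroup:%s\n", $uid,
        isAuthorized($byGroupMember, $required) ? 'allowed' : 'denied',
        isAuthorized($byEverything, $required) ? 'allowed' : 'denied',
        isAuthorized($byPosixGroup, ["cn=solis,ou=groups,$base"]) ? 'allowed' : 'denied');
}
```

Run it with `php` on the command line. The middle column is the one to watch: under `(objectClass=*)` the result is the same for `guilherme_bangemann` and for `newsletter`, because the list of "groups" is simply the whole subtree. The last column shows what a membership-bearing filter gives when the required group is a real group DN rather than an OU, which is the direction of the fix Osnard suggests.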


Is password reset supported?

Goibhniu (talkcontribs)

I'm migrating from LDAP Authentication to LDAPAuthentication2 and I can't find any details on how to enable the password reset feature. I wonder if there is such an option with the new stack. Any pointers would be greatly appreciated.

Osnard (talkcontribs)

There is no "password reset" in the new stack, sorry. In general the new extensions are read-only. No writing to the LDAP server is possible. What do you need this for? Users should be able to reset their password in a different place than the wiki anyway.

Goibhniu (talkcontribs)

Thanks Osnard, that's good to know. I hoped I could provide the same functionality as the old LDAP Authentication extension, but I'll be able to find another solution.

Osnard (talkcontribs)

Please feel free to contribute to the LDAP Stack extensions. It'd be great to have the functionality improved. What exactly is the use case?

Goibhniu (talkcontribs)

User groups don't work with LDAP hub

185.200.202.174 (talkcontribs)

Hello,

Following the Manual:Active_Directory_Integration documentation, I connected MediaWiki to my LDAP.

User login works, but I can't do the following:

- Restrict access by group (to allow only a group of people)

- Manage rights by group

My users are:

- wiki_admin is in the group grpwikiadmin

- wiki_utilisateur is in the group grpwikiutilisateur

- wiki_interdit has no group

My groups:

- Grpwikiadmin: I want them to be admins

- Grpwikiutilisateur: I want basic user rights on the wiki

Grpwikiutilisateur has the members Grpwikiadmin and wiki_utilisateur.

How do I do it?

Thank you for your help.

LDAP login doesn't work if the option "authorization" => "rules" => "groups" => "required" is present.

My domain is test.local, and my groups and users are in OU=test,DC=test,DC=local.

################### ldap.json ###################

```
{
    "test.local": {
        "connection": {
            "server": "192.168.1.50",
            "port": "3268",
            "user": "CN=svc_wiki,OU=test,DC=test,DC=local",
            "pass": "MYpassword",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "DC=test,DC=local",
            "userbasedn": "DC=test,DC=local",
            "groupbasedn": "DC=test,DC=local",
            "searchattribute": "samaccountname",
            "searchstring": "USER-NAME@test.local",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": {
            "rules": {
                "groups": {
                    "required": ["CN=grpwikiutilisateur,OU=test,DC=test,DC=local"]
                }
            }
        },
        "groupsync": {
            "mapping": {
                "engineering": "CN=grpwikiutilisateur,OU=test,DC=test,DC=local",
                "bureaucrat": "CN=grpwikiadmin,OU=test,DC=test,DC=local",
                "interface-admin": "CN=grpwikiadmin,OU=test,DC=test,DC=local",
                "sysop": "CN=grpwikiadmin,OU=test,DC=test,DC=local"
            }
        }
    }
}
```

################### localconfig.php ###################

```
// Safe IP or not (for bypassing external login via AD)
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = (isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));

// Create Wiki-Group 'engineering' from default user group
$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Make the wiki private
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;

// Load the JSON file if it exists and parses without error
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
    $testJson = @json_decode(file_get_contents($ldapJsonFile),true);
    if (is_array($testJson)) {
        $ldapConfig = true;
    } else {
        error_log("Found invalid JSON in file: $IP/ldap.json");
    }
}

//////////// Enable the extensions
if ( $ldapConfig ) {
    wfLoadExtension( 'PluggableAuth' );
    wfLoadExtension( 'LDAPProvider' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPAuthorization' );
    wfLoadExtension( 'LDAPUserInfo' );
    wfLoadExtension( 'LDAPGroups' );
    $LDAPProviderDomainConfigs = $ldapJsonFile;
    $wgPluggableAuth_ButtonLabel = "Connexion LDAP";
    if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
}
```

################### My configuration ###################

MediaWiki: 1.34

PHP 7.3.14-1~deb10u1 (apache2handler)

LDAPAuthentication2 1.0.1 (4836429) 20 mars 2020 à 07:29

LDAPAuthorization 1.1.0 (c7d1c50) 18 mars 2020 à 22:23

LDAPGroups 1.0.2 (d8f8e90) 18 mars 2020 à 22:24

LDAPProvider 1.0.3 (ecf3c2d) 18 mars 2020 à 22:37

LDAPUserInfo 1.0.0 (ea18199) 18 mars 2020 à 22:38

PluggableAuth 5.7 (17fb1ea) 13 septembre 2019 à 10:20
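The safe-IP gate in the localconfig.php above consults HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP before REMOTE_ADDR, and a client sets those headers itself unless a reverse proxy overwrites them. The following is an added example, not code from this thread, that honours a forwarded address only when the direct peer is a proxy you operate; the function names, `$trustedProxies` and the sample addresses are assumptions.

```php
<?php
// Added example (not the localconfig.php from this thread). The posted gate reads
// HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP before REMOTE_ADDR, but a client sets
// those headers itself unless a reverse proxy overwrites them, so a remote client
// could present 127.0.0.1 and be granted local (non-LDAP) login. This version
// trusts a forwarded address only when the direct peer is a proxy we operate.

// Constructed values: loopback addresses, and a hypothetical reverse proxy.
$safeIPs = [ '127.0.0.1', '::1' ];
$trustedProxies = [ '10.0.0.5' ];

/**
 * Client address to evaluate. Assumes the trusted proxy always appends the peer
 * it saw to X-Forwarded-For, so the last entry is the one the proxy vouches for.
 */
function ldapExampleClientIp( array $server, array $trustedProxies ): ?string {
	$remote = $server['REMOTE_ADDR'] ?? null;
	if ( $remote === null || filter_var( $remote, FILTER_VALIDATE_IP ) === false ) {
		return null;
	}
	if ( !in_array( $remote, $trustedProxies, true ) ) {
		// Direct connection: any forwarded header is client-controlled, ignore it.
		return $remote;
	}
	$hops = array_map( 'trim', explode( ',', $server['HTTP_X_FORWARDED_FOR'] ?? '' ) );
	$last = end( $hops );
	if ( $last !== false && filter_var( $last, FILTER_VALIDATE_IP ) !== false ) {
		return $last;
	}
	return $remote;
}

function ldapExampleRequestIsSafe( array $server, array $safeIPs, array $trustedProxies ): bool {
	$ip = ldapExampleClientIp( $server, $trustedProxies );
	return $ip !== null && in_array( $ip, $safeIPs, true );
}

// Same gate as the posted config, now not fooled by a spoofed header.
$wikiRequestSafe = ldapExampleRequestIsSafe( $_SERVER, $safeIPs, $trustedProxies );
if ( $wikiRequestSafe ) {
	$LDAPAuthentication2AllowLocalLogin = true;
}
```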

Osnard (talkcontribs)

Can you please provide the output of LDAPProvider/maintenance/ShowUserGroups.php?

185.200.202.174 (talkcontribs)

Hello,


php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain test.local --username wiki_admin

  samaccountname => wiki_admin

  samaccounttype => 805306368

  userprincipalname => wiki_admin@test.local

  objectcategory => CN=Person,CN=Schema,CN=Configuration,DC=test,DC=local

  dscorepropagationdata => 16010101000000.0Z

  lastlogontimestamp => 132302933033589595

  mail => wiki_admin@domain.test

  dn => CN=wiki_admin,OU=test,DC=test,DC=local


php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain test.local --username wiki_admin

Full DNs:

PHP Warning:  Invalid argument supplied for foreach() in /var/www/html/wikidsi/extensions/LDAPProvider/maintenance/ShowUserGroups.php on line 60

Short names:

PHP Warning:  Invalid argument supplied for foreach() in /var/www/html/wikidsi/extensions/LDAPProvider/src/GroupList.php on line 52


I have errors but I can't find any information about them

Osnard (talkcontribs)

Please try to configure a different "groupsrequest". E.g. MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory

185.200.202.174 (talkcontribs)

Hello, I created a group named "Factory", and it works!

root@wiki:/var/www/html/wikidsi# php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain test.local --username wiki_admin

Full DNs:

       CN=factory,OU=test,DC=test,DC=local

       CN=grpwikiadmin,OU=test,DC=test,DC=local

Short names:

       factory

       grpwikiadmin


I don't understand this function. Is my error the group name in "UserGroupsRequest\\GroupMember::"?

185.200.202.174 (talkcontribs)

Hello,

everything is working!!!! :-D (access rights and groups)

My mistakes were:

- grouprequest: you had to put GroupMember::factory

- the mechanism was missing


My ldap.json:

{
    "test.local": {
        "connection": {
            "server": "192.168.1.50",
            "port": "3268",
            "user": "CN=svc_wiki,OU=test,DC=test,DC=local",
            "pass": "Not24get",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "DC=test,DC=local",
            "userbasedn": "DC=test,DC=local",
            "groupbasedn": "DC=test,DC=local",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": [ "CN=grpwikiutilisateur,OU=test,DC=test,DC=local", "CN=grpwikiadmin,OU=test,DC=test,DC=local" ]
                }
            }
        },
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "engineering": "CN=grpwikiutilisateur,OU=test,DC=test,DC=local",
                "bureaucrat": "CN=grpwikiadmin,OU=test,DC=test,DC=local",
                "sysop": "CN=grpwikiadmin,OU=test,DC=test,DC=local"
            }
        },
        "userinfo": {
            "email": "mail",
            "realname": "cn",
            "properties.gender": "gender"
        }
    }
}
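The `is_array()` test in the localconfig.php earlier in this thread only proves that ldap.json parses; the two mistakes named above (a missing groupsync "mechanism", and doubt about the grouprequest factory) pass it silently. The following is an added example, not code from this thread or from the LDAP extensions, that checks those keys before the extensions are loaded; the key names are those of ldap.json, the factory and mechanism names are the ones LDAPProvider and LDAPGroups ship, and the function name and messages are this example's own.

```php
<?php
// Added example, not code from this thread or from the LDAP extensions: check an
// ldap.json domain config before wfLoadExtension(), so a missing groupsync
// "mechanism" or a mistyped grouprequest factory is reported at startup instead
// of surfacing later as an empty group list. Key names are those of ldap.json;
// the function name and messages are this example's own.

function ldapExampleValidateDomains( array $config ): array {
	$errors = [];
	// Group-request factories shipped with LDAPProvider (both appear in this thread).
	$knownFactories = [
		'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory',
		'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory',
	];
	$knownMechanisms = [ 'mappedgroups', 'allgroups' ];
	foreach ( $config as $domain => $dc ) {
		$factory = $dc['connection']['grouprequest'] ?? null;
		if ( $factory !== null && !in_array( $factory, $knownFactories, true ) ) {
			$errors[] = "$domain: grouprequest '$factory' is not a known factory";
		}
		if ( isset( $dc['groupsync'] ) ) {
			$mechanism = $dc['groupsync']['mechanism'] ?? '';
			if ( !in_array( $mechanism, $knownMechanisms, true ) ) {
				$errors[] = "$domain: groupsync.mechanism must be one of "
					. implode( ', ', $knownMechanisms );
			} elseif ( $mechanism === 'mappedgroups' && empty( $dc['groupsync']['mapping'] ) ) {
				$errors[] = "$domain: groupsync.mapping is required for mappedgroups";
			}
		}
	}
	return $errors;
}

// Replacement for the is_array() test in the posted localconfig.php ($IP is set by MediaWiki).
$ldapConfig = false;
$ldapJsonFile = "$IP/ldap.json";
if ( is_file( $ldapJsonFile ) ) {
	$decoded = json_decode( file_get_contents( $ldapJsonFile ), true );
	$problems = is_array( $decoded )
		? ldapExampleValidateDomains( $decoded )
		: [ 'ldap.json is not valid JSON: ' . json_last_error_msg() ];
	if ( $problems === [] ) {
		$ldapConfig = true;   // only now is it safe to load the LDAP extensions
	} else {
		error_log( 'LDAP config rejected: ' . implode( '; ', $problems ) );
	}
}
```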

Reply to "User group don't work with LDAPhub"