Topic on Talk:LDAP hub

Authorization failing?

192.150.187.199

I cannot get authorized on the wiki, although it seems LDAP is authenticating my login account. We have our 1.23 version with the old LdapAuthentication set to private, with only the specific LDAP group configured to have login access. Here is my LocalSettings.php stanza for 1.31:


wfLoadExtension("PluggableAuth");
wfLoadExtension("LDAPProvider");
wfLoadExtension("LDAPGroups");
wfLoadExtension("LDAPAuthentication2");
wfLoadExtension("LDAPAuthorization");

$LDAPProviderDomainConfigProvider = function() {
        $config = [
                "LDAP" => [
                        "connection" => [
                                "server"            => "ldap.domain.org",
                                "port"              => "636",
                                "user"              => "cn=authaccount,dc=domain,dc=org",
                                "pass"              => "password-auth",
                                "basedn"            => "ou=People,dc=domain,dc=org",
                                "groupbasedn"       => "ou=Groups,dc=domain,dc=org",
                                "userbasedn"        => "ou=People,dc=domain,dc=org",
                                "searchattribute"   => "uid",
                                "searchstring"      => "",
                                "usernameattribute" => "uid",
                                "realnameattribute" => "cn",
                                "emailattribute"    => "Email"
                        ],
                        "groupsync" => [
                                "cn=wiki_editors,ou=Groups,dc=domain,dc=org"
                        ],
                        "userinfo" => [
                        ]
                ]
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};


This gives me a login prompt which accepts my username/password combo and then returns the error "Fatal exception of type MWException". When I check the LDAP logs, I see the following:


Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 fd=24 ACCEPT from IP=x.y.z.34:58576 (IP=0.0.0.0:636)
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 fd=24 TLS established tls_ssf=256 ssf=256
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=0 BIND dn="cn=authaccount,dc=domain,dc=org" method=128
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=0 BIND dn="cn=authaccount,dc=domain,dc=org" mech=SIMPLE ssf=0
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=0 RESULT tag=97 err=0 text=
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=1 SRCH base="ou=People,dc=domain,dc=org" scope=2 deref=0 filter="(uid=username)"
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=1 SRCH attr=* memberof
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=2 BIND anonymous mech=implicit ssf=0
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=2 BIND dn="uid=username,ou=People,dc=domain,dc=org" method=128
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=2 BIND dn="uid=username,ou=People,dc=domain,dc=org" mech=SIMPLE ssf=0
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=2 RESULT tag=97 err=0 text=
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=3 BIND anonymous mech=implicit ssf=0
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=3 BIND dn="cn=authaccount,dc=domain,dc=org" method=128
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=3 BIND dn="cn=authaccount,dc=domain,dc=org" mech=SIMPLE ssf=0
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=3 RESULT tag=97 err=0 text=
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=4 SRCH base="ou=People,dc=domain,dc=org" scope=2 deref=0 filter="(uid=username)"
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=4 SRCH attr=* memberof
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 op=5 UNBIND
Apr 16 14:47:43 pastrami slapd[4356]: conn=2275506 fd=24 closed


For the record, this is what a successful login looks like on the same LDAP server with the old 1.23 wiki and the old LdapAuthentication:


Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 fd=24 ACCEPT from IP=x.y.z.14:43293 (IP=0.0.0.0:636)
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 fd=24 TLS established tls_ssf=256 ssf=256
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=0 BIND dn="cn=authaccount,dc=domain,dc=org" method=128
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=0 BIND dn="cn=authaccount,dc=domain,dc=org" mech=SIMPLE ssf=0
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=0 RESULT tag=97 err=0 text=
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=1 SRCH base="ou=People,dc=domain,dc=org" scope=2 deref=0 filter="(uid=username)"
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=1 SRCH attr=* memberof
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=2 BIND anonymous mech=implicit ssf=0
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=2 BIND dn="uid=username,ou=People,dc=domain,dc=org" method=128
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=2 BIND dn="uid=username,ou=People,dc=domain,dc=org" mech=SIMPLE ssf=0
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=2 RESULT tag=97 err=0 text=
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=3 SRCH base="uid=username,ou=People,dc=domain,dc=org" scope=0 deref=0 filter="(objectClass=posixAccount)"
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=3 SRCH attr=dn
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=4 BIND anonymous mech=implicit ssf=0
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=4 BIND dn="cn=authaccount,dc=domain,dc=org" method=128
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=4 BIND dn="cn=authaccount,dc=domain,dc=org" mech=SIMPLE ssf=0
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=4 RESULT tag=97 err=0 text=
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=5 SRCH base="dc=domain,dc=org" scope=2 deref=0 filter="(&(member=uid=username,ou=people,dc=domain,dc=org)(objectClass=groupOfNames))"
Apr 16 09:27:45 pastrami slapd[4356]: <= bdb_equality_candidates: (member) not indexed
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=5 SEARCH RESULT tag=101 err=0 nentries=18 text=
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 op=6 UNBIND
Apr 16 09:27:45 pastrami slapd[4356]: conn=2275479 fd=24 closed


I've tried adding the following to LocalSettings.php, above the groupsync section, but when I add this the wiki refuses to load and I only get a blank screen:

                        "authorization" => {
                                "rules" => {
                                        "groups" => {
                                                "required" => [
                                                        "cn=wiki_editors,ou=Groups,dc=domain,dc=org"
                                                ],
                                                "excluded" => [
                                                ]
                                        }
                                }
                        },

192.150.187.199

Forgot to mention: RHEL 6, with Apache 2.4, PHP 7.0, MariaDB 5.5.


Osnard

The "groupsync" section seems to be configured wrong. Please check the documentation on this. Also it looks like you are not using Extension:LDAPAuthorization, so you might as well disable it.
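Two things in the original post line up with the reply above. First, the blank page after adding the "authorization" block is what a PHP parse error in LocalSettings.php looks like: PHP array literals are written with [ ], and the { } used there is not valid PHP. Second, a bare list of DNs is not the documented shape of "groupsync"; the extension expects a "mechanism" and, for "mappedgroups", a "mapping" from wiki group to LDAP group DN. The stanza below is an added example written for this page, not code from the thread or from the extensions' own documentation. It keeps the poster's DNs and attribute names and puts both sections in the shape Extension:LDAPProvider, Extension:LDAPGroups and Extension:LDAPAuthorization document. Assumptions: the listener on 636 is ldaps (the slapd log shows "TLS established", so "enctype" => "ssl" only makes that explicit in the wiki's config rather than relying on library defaults); the wiki has or wants a group named "editor"; and the grouprequest class path is the one LDAPProvider documents for searching group entries by member DN, which is the query the 1.23 log shows (op=5).

```php
<?php
// Added example (not code from the thread or the extensions' docs): the poster's
// stanza with "groupsync" and "authorization" in the documented shape.
// DNs and attribute names are the poster's; "enctype", the "editor" group and the
// grouprequest class path are assumptions stated in the lead-in.

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );

// While debugging, show the message behind "Fatal exception of type MWException"
// instead of the generic error page. Set it back to false on a production wiki:
// exception details leak paths and configuration to anonymous visitors.
$wgShowExceptionDetails = true;

$LDAPProviderDomainConfigProvider = function () {
	$config = [
		'LDAP' => [
			'connection' => [
				'server'            => 'ldap.domain.org',
				'port'              => '636',
				// Assumption: 636 is an ldaps listener. Requiring ssl here means the
				// bind for authaccount and for every logging-in user is encrypted by
				// configuration, not by whatever the client library happens to do.
				'enctype'           => 'ssl',
				'user'              => 'cn=authaccount,dc=domain,dc=org',
				'pass'              => 'password-auth',
				'basedn'            => 'ou=People,dc=domain,dc=org',
				'groupbasedn'       => 'ou=Groups,dc=domain,dc=org',
				'userbasedn'        => 'ou=People,dc=domain,dc=org',
				'searchattribute'   => 'uid',
				'searchstring'      => '',
				'usernameattribute' => 'uid',
				'realnameattribute' => 'cn',
				'emailattribute'    => 'Email',
				// Resolve groups by searching group entries for member=<user DN>, the
				// same query the 1.23 LdapAuthentication log shows at op=5. The other
				// documented option reads memberOf from the user entry, which only
				// works when the directory actually populates that attribute.
				'grouprequest'      => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory',
			],
			// LDAPAuthorization: a successful bind is not enough; the user must also be
			// a member of wiki_editors or the login is rejected. Note [ ], not { }.
			'authorization' => [
				'rules' => [
					'groups' => [
						'required' => [
							'cn=wiki_editors,ou=Groups,dc=domain,dc=org',
						],
						'excluded' => [],
					],
				],
			],
			// LDAPGroups: map wiki groups to LDAP group DNs. A bare list of DNs has no
			// "mechanism" and is not a valid value for this section.
			'groupsync' => [
				'mechanism' => 'mappedgroups',
				'mapping'   => [
					// Assumed wiki group name; members of wiki_editors land in it.
					'editor' => 'cn=wiki_editors,ou=Groups,dc=domain,dc=org',
				],
			],
			'userinfo' => [],
		],
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
```

A quick syntax check before reloading the wiki is `php -l LocalSettings.php`; a parse error shows up there instead of as a blank page. The "(member) not indexed" line in the 1.23 log is a separate, server-side point: with the grouprequest above, every login runs that equality search over the groups subtree, so an equality index on member in slapd keeps login latency from growing with the number of groups.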
