Topic on Talk:LDAP hub/Flow

Auto-creation of a local account failed: Automatic account creation is not allowed

3
77.87.224.101 (talkcontribs)

Hi,


I recently installed Bluespice Free 3.1 and tried to get LDAP Authentication working against an Active Directory.

So far I am able to log in using the account I created at installation, but with the password from AD (Account names are the same).


However, when I try to login with another account, the login form says (in German):

"Auto-creation of a local account failed:

Automatic account creation is not allowed"


Here is my config (relevant parts)

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;


wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );


$LDAPProviderCacheTime = "1";

$LDAPProviderDomainConfigProvider = function() {

       $config = [

               'mydomain.com' => [

                       'connection' => [

                               "server" => "dc.mydomain.com",

                               "user" => "binduser@mydomain.com",

                               "pass" => "password",

                               "options" => [

                                       "LDAP_OPT_DEREF" => 1

                               ],  

                               "basedn" => "DC=mydomain,DC=com",

                               "enctype" => "clear",

                               "port" => "389",

                               "groupbasedn" => "DC=mydomain,DC=com",

                               "userbasedn" => "DC=mydomain,DC=com",

                               "searchattribute" => "samaccountname",

                               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",

                               "searchstring" => "USER-NAME@mydomain.com",

                               "usernameattribute" => "samaccountname",

                               "realnameattribute" => "cn",

                               "emailattribute" => "mail"

                       ],

                       "authorization" => [

                               "rules" => [

                                       "groups" => [

                                               "required" => [ "CN=requiredgroup,OU=3,OU=2,OU=1,DC=mydomain,DC=com" ]

                                       ]

                               ]

                       ]

               ]

       ];

       return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};


$wgDebugLogFile = "/var/www/bluespice/debug-{$wgDBname}.log";

$wgShowExceptionDetails = true;

$wgGroupPermissions['(all)']['autocreateaccount'] = true;


$wgDebugLogGroups['PluggableAuth'] =

$wgDebugLogGroups['LDAP'] =

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =

$wgDebugLogGroups['LDAPGroups'] =

$wgDebugLogGroups['LDAPUserInfo'] =

$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

I would like to emphasize that $wgGroupPermissions['*']['autocreateaccount'] = true; is set and thus auto-account creation to group (all) should be set. However, when checking the "Special:ListGroupRights" page on my wiki, it says group (all) has no rights whatsoever. Is this a peculiarity of BlueSpice?

Also, I can't really seem to get the debug logs for the extensions working somehow (despite setting valid file paths in the wgDebugLogGroups variables, so a pointer on how to set them up to deliver necessary information to debug this would be awesome.

Thanks for reading and your help!

~ Pi

Osnard (talkcontribs)

This is probably due to the BlueSpice "role-permission-system". You might need to add

$GLOBALS['bsgPermissionConfig']['autocreateaccount'] = [ 'type' => 'global', "roles" => [ 'autocreateaccount' ] ];
$GLOBALS['bsgGroupRoles']['*']['autocreateaccount'] = true;

to your LocalSettings.php file.

77.87.224.101 (talkcontribs)

That was exactly it :)

Thank you very much!

Reply to "Auto-creation of a local account failed: Automatic account creation is not allowed"