Hi,
I recently installed BlueSpice Free 3.1 and tried to get LDAP Authentication working against an Active Directory.
So far I am able to log in using the account I created at installation, but with the password from AD (Account names are the same).
However, when I try to log in with another account, the login form says (in German):
"Auto-creation of a local account failed:
Automatic account creation is not allowed"
Here is my config (relevant parts):

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );

$LDAPProviderCacheTime = "1";
$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'mydomain.com' => [
            'connection' => [
                "server" => "dc.mydomain.com",
                "user" => "binduser@mydomain.com",
                "pass" => "password",
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "DC=mydomain,DC=com",
                "enctype" => "clear",
                "port" => "389",
                "groupbasedn" => "DC=mydomain,DC=com",
                "userbasedn" => "DC=mydomain,DC=com",
                "searchattribute" => "samaccountname",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
                "searchstring" => "USER-NAME@mydomain.com",
                "usernameattribute" => "samaccountname",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ],
            "authorization" => [
                "rules" => [
                    "groups" => [
                        "required" => [ "CN=requiredgroup,OU=3,OU=2,OU=1,DC=mydomain,DC=com" ]
                    ]
                ]
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

$wgDebugLogFile = "/var/www/bluespice/debug-{$wgDBname}.log";
$wgShowExceptionDetails = true;
$wgGroupPermissions['(all)']['autocreateaccount'] = true;

$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPGroups'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

I would like to emphasize that $wgGroupPermissions['*']['autocreateaccount'] = true; is set and thus auto-account creation to group (all) should be set. However, when checking the "Special:ListGroupRights" page on my wiki, it says group (all) has no rights whatsoever. Is this a peculiarity of BlueSpice?
Also, I can't really seem to get the debug logs for the extensions working somehow (despite setting valid file paths in the wgDebugLogGroups variables), so a pointer on how to set them up to deliver the necessary information to debug this would be awesome.
Thanks for reading and your help!
~ Pi