Hi Osnard,
I've got a similar problem when upgrading from mediawiki 1.31 to 1.35 and migrating to LDAPProvider at the same time.
Situation:
LDAP Group:
dn: cn=wiki,ou=groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: wiki
memberUid: user1
memberUid: user2
To match group membership, the following query works.
ldapsearch -x "(&(objectClass=*)(memberUid=user1))" dn -LLL -b ou=groups,dc=example,dc=com
LDAP user:
dn: uid=t.test, ou=users, dc=example, dc=com
objectClass: top
objectClass: posixUser
uid: t.test
displayname: Thorsten Test
cn: Thorsten Test
mail: t.test@example.com
I migrated from Extension:LdapAuthentication to LDAP Stack:
From old config:
require_once 'extensions/LdapAuthentication/LdapAuthentication.php';
require_once 'includes/AuthPlugin.php';
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = "/var/log/mediawiki/mediawiki-ldap.log" ;
$wgLDAPDomainNames = array( 'LDAP' );
$wgLDAPServerNames = array( 'example.com' => 'localhost' );
$wgLDAPNameMapperServerName = "localhost";
$wgLDAPNameMapperBaseDN = "dc=example,dc=com";
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( 'example.com' => 'clear');
$wgLDAPSearchAttributes = array( 'example.com' => 'displayname' );
$wgLDAPBaseDNs = array( 'example.com' => 'dc=example,dc=com' );
# To pull e-mail address from LDAP
$wgLDAPPreferences = array( 'example.com' => array( 'email' => 'mail') );
# Group based restriction
$wgLDAPGroupUseFullDN = array( "example.com" => false );
$wgLDAPGroupObjectclass = array( "example.com" => "posixgroup" );
$wgLDAPGroupAttribute = array( "example.com" => "memberuid" );
$wgLDAPGroupSearchNestedGroups = array( "example.com" => false );
$wgLDAPGroupNameAttribute = array( "example.com" => "cn" );
$wgLDAPRequiredGroups = array( "example.com" => array("cn=wiki,ou=groups,dc=example,dc=com"));
$wgLDAPLowerCaseUsername = array( 'example.com' => false );
$wgLDAPGroupUseRetrievedUsername = array( "example.com" => true );
$wgLDAPDisableAutoCreate = array( "example.com" => false );
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgLDAPUseLDAPGroups = array( 'example.com' => true );
To new config:
wfLoadExtensions( [
'PluggableAuth',
'Auth_remoteuser',
'LDAPProvider',
'LDAPAuthentication2',
'LDAPAuthorization',
'LDAPUserInfo',
'LDAPGroups'
] );
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgAuthRemoteuserUserName = function() {
$user = '';
if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
$user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
}
return $user;
};
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
"server" => "localhost",
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "dc=example,dc=com",
"groupbasedn" => "ou=groups,dc=example,dc=com",
"userbasedn" => "ou=users,dc=example,dc=com",
"searchattribute" => "uid",
"searchstring" => "uid=USER-NAME,ou=users,dc=example,dc=com",
"usernameattribute" => "cn",
"realnameattribute" => "cn",
"emailattribute" => "mail",
"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
"groupobjectclass" => "posixGroup",
"groupattribute" => "memberUid",
],
'authorization' => [
'rules' => [
'groups' => [
'required' => [ "cn=wiki,ou=groups,dc=example,dc=com" ]
]
]
],
'userinfo' => [
'attributes-map' => [
'email' => 'mail',
'realname' => 'cn'
]
],
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
#####Error logging######
##PHP Error ###
error_reporting( -1 );
ini_set( 'display_errors', 1 );
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;
##Debug log to file ###
$wgDebugLogFile = '/var/log/mediawiki/debuglogfile.log';
$wgDebugComments = true;
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/var/log/mediawiki/LDAPProvider.log';
$wgGroupPermissions['*']['autocreateaccount'] = true;
The user's wiki username is their full name, i.e. the attribute displayname or cn. The old setup offered the possibility to log in via LDAP uid or via full name. If it's not possible to have both, I'd prefer login by uid.
As you can see, the MediaWiki usernameattribute is cn, which is firstname lastname.
So I need to verify the groups by uid and then bind to the LDAP user with attribute cn.
As the problem seemed to be the same as Sebastian's, I changed UserGroupRequest/Configurable.php from $userDN to $username as suggested.
Since then the ShowUserGroup.php maintenance script works as expected and returns all groups the user is part of. Many thanks @Sebastian19276!
Sadly the login still does not work.
When I login via browser, the following error is shown:
The user Thorsten Test is not authenticated.
The LDAP log shows the following:
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_connect( $hostname = 'ldap://localhost:389', $port = 389 );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # __METHOD__ returns Resource id #36
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns 1
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: Setting LDAP_OPT_REFERRALS to 0
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns 1
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: Setting LDAP_OPT_DEREF to 1
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns 1
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_bind( $linkID, $bindRDN = '', $bindPassword = 'XXXX' );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns 1
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=t.test,ou=users,dc=example,dc=com'
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_bind( $linkID, $bindRDN = 'uid=t.test,ou=users,dc=example,dc=com', $bindPassword = 'XXXX' );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns 1
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_search( $linkID, $baseDN = 'ou=users,dc=example,dc=com', $filter = '(uid=t.test)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns Resource id #54
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_get_entries( $linkID, $resultID );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns: array (
'count' => 1,
0 =>
array (
'uid' =>
array (
'count' => 1,
0 => 't.test',
),
0 => 'uid',
'uidnumber' =>
array (
'count' => 1,
0 => '0',
),
1 => 'uidnumber',
'mail' =>
array (
'count' => 1,
0 => 't.test@example.com',
),
2 => 'mail',
'homedirectory' =>
array (
'count' => 1,
0 => '/t.test',
),
3 => 'homedirectory',
'givenname' =>
array (
'count' => 1,
0 => 'Thorsten',
),
4 => 'givenname',
'gidnumber' =>
array (
'count' => 1,
0 => '0',
),
5 => 'gidnumber',
'displayname' =>
array (
'count' => 1,
0 => 'Thorsten Test',
),
6 => 'displayname',
'sn' =>
array (
'count' => 1,
0 => 'Test',
),
7 => 'sn',
'cn' =>
array (
'count' => 1,
0 => 'Thorsten Test',
),
8 => 'cn',
'objectclass' =>
array (
'count' => 3,
0 => 'inetOrgPerson',
1 => 'posixAccount',
2 => 'top',
),
9 => 'objectclass',
'userpassword' =>
array (
'count' => 1,
0 => '{SSHA}xxxxx',
),
10 => 'userpassword',
'employeetype' =>
array (
'count' => 1,
0 => 'aktiv',
),
11 => 'employeetype',
'count' => 12,
'dn' => 'uid=t.test,ou=users,dc=example,dc=com',
),
)
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: Ran LDAP search for '(uid=t.test)' in 0.00060606002807617 seconds.
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
'base' => 'dc=example,dc=com',
'filter' => '(uid=Thorsten Test)',
'attributes' =>
array (
0 => '*',
1 => 'memberof',
),
)
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_search( $linkID, $baseDN = 'dc=example,dc=com', $filter = '(uid=Thorsten Test)', $attributes = [ '*', 'memberof' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns Resource id #66
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_count_entries( $linkiID, $result = 'Resource id #66' );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns 0
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: Could not get user DN!
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_search( $linkID, $baseDN = 'ou=groups,dc=example,dc=com', $filter = '(&(objectclass=posixGroup)(memberUid=Thorsten Test))', $attributes = [ 'dn' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns Resource id #72
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: ldap_get_entries( $linkID, $resultID );
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: # returns: array (
'count' => 0,
)
2020-11-10 14:57:36 xxxxx.xxxxx.xx wiki: Ran LDAP search for '(&(objectclass=posixGroup)(memberUid=Thorsten Test))' in 0.00049185752868652 seconds.
Somehow it first runs an ldap_search with uid=t.test but later with uid=Thorsten Test.
Can you please help me to figure out what to do to make it work?
Cheers
Dominik
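The post's log shows the order of operations that matters here: the user DN is found by uid (t.test), but the later group search puts the cn ("Thorsten Test") into memberUid, which can never match a posixGroup whose members are listed by uid. The following is an added example, not code from this thread or from the LDAPProvider extension; it models that two-step lookup against a constructed in-memory directory (entries copied from the LDIF in the post, with t.test added to the group's memberUid so the worked case has a member to find) so it runs offline. It keeps the uid for both the DN lookup and the group check and uses cn only as the resulting wiki username. The RFC 4515 filter escaping is standard practice for any value that comes from REMOTE_USER, not a fix to the extension:

```python
# Added example, not code from the thread or from the LDAPProvider extension.
# Models the lookup order visible in the log (find DN by uid, check posixGroup
# membership by uid, then map to cn as the wiki username) against a constructed
# in-memory directory so it runs offline.
from typing import Dict, List, Optional

# Constructed directory built from the LDIF in the post. Attribute names are
# lower-cased, as LDAP treats them case-insensitively (ldap_get_entries() does
# the same). t.test is added to memberUid so the worked case finds a group.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=wiki,ou=groups,dc=example,dc=com": {
        "objectclass": ["top", "posixGroup"],
        "cn": ["wiki"],
        "memberuid": ["user1", "user2", "t.test"],
    },
    "uid=t.test,ou=users,dc=example,dc=com": {
        "objectclass": ["top", "posixAccount", "inetOrgPerson"],
        "uid": ["t.test"],
        "cn": ["Thorsten Test"],
        "displayname": ["Thorsten Test"],
        "mail": ["t.test@example.com"],
    },
}

USER_BASE = "ou=users,dc=example,dc=com"
GROUP_BASE = "ou=groups,dc=example,dc=com"
REQUIRED_GROUP = "cn=wiki,ou=groups,dc=example,dc=com"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a search filter, so a
    login name taken from REMOTE_USER cannot change the filter's structure."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def user_filter(login: str) -> str:
    """Filter string for the DN lookup, as the first search in the log does."""
    return "(uid=%s)" % escape_filter_value(login)


def group_filter(uid: str) -> str:
    """Filter string for the group check; the value must be the uid."""
    return "(&(objectClass=posixGroup)(memberUid=%s))" % escape_filter_value(uid)


def equality_search(base_dn: str, attr: str, value: str) -> List[str]:
    """In-memory stand-in for ldap_search() with one equality assertion:
    DNs under base_dn whose attribute holds value (case-insensitive)."""
    hits = []
    for dn, entry in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if value.lower() in (v.lower() for v in entry.get(attr.lower(), [])):
            hits.append(dn)
    return hits


def groups_of(member_value: str) -> List[str]:
    """posixGroup DNs whose memberUid contains member_value. Passing the cn
    ('Thorsten Test') instead of the uid returns nothing, which is exactly the
    'count' => 0 result the log shows for that search."""
    return [
        dn for dn in equality_search(GROUP_BASE, "memberuid", member_value)
        if "posixgroup" in (c.lower() for c in DIRECTORY[dn]["objectclass"])
    ]


def resolve_login(login: str) -> Optional[dict]:
    """Map a login name (uid) to the wiki account: find the user DN by uid,
    check group membership with that same uid, then take cn as wiki username."""
    dns = equality_search(USER_BASE, "uid", login)
    if len(dns) != 1:
        return None  # unknown or ambiguous login: refuse rather than guess
    dn = dns[0]
    entry = DIRECTORY[dn]
    groups = groups_of(entry["uid"][0])  # membership is keyed by uid, not cn
    return {
        "dn": dn,
        "wiki_username": entry["cn"][0],
        "email": entry["mail"][0],
        "groups": groups,
        "authorized": REQUIRED_GROUP.lower() in (g.lower() for g in groups),
    }


if __name__ == "__main__":
    print(user_filter("t.test"), "->", resolve_login("t.test"))
    print(group_filter("Thorsten Test"), "->", groups_of("Thorsten Test"))
```

Running it prints the authorized account for t.test and an empty group list for "Thorsten Test", reproducing the difference between the post's working ldapsearch (memberUid=user1, a uid) and the failing search in the log (memberUid=Thorsten Test, a cn). Refusing an ambiguous uid lookup (`len(dns) != 1`) is deliberate: binding to "whichever entry came first" is how an attribute that is not unique turns into an account mix-up.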