Topic on Extension talk:LDAPAuthentication2/Flow

Authentication Problems with Active Directory - Credentials Not Associated with User on Wiki

Chattadude (talkcontribs)

Hi,

It seems that the following error is a common occurrence when someone tries to tie MediaWiki into an Active Directory domain: "The supplied credentials are not associated with any user on this wiki."


Osnard, as you know from a separate post in Extension talk:PluggableAuth, I was trying to get MediaWiki talking to a FreeIPA (Red Hat IdM) LDAP directory.

I still intend to reach out to someone with Red Hat or FreeIPA to help determine why there seem to be two "users" in the database associated with the same uid.


That said, my ultimate goal is to bind MediaWiki to an Active Directory (and use FreeIPA as a "proxy" of sorts).

In part of my troubleshooting, I decided to try to connect MediaWiki directly to AD without FreeIPA in the middle.


And that leads me to the error I'm currently getting, that "The supplied credentials are not associated with any user on this wiki."

If I enter in incorrect credentials, I confirm that there is a failure to authenticate.


I can confirm that I AM able to get correct output when I run:

php /var/www/html/extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username {my-user}


My /etc/mediawiki/ldapprovider.json file contains the following:

    "server": "10.10.10.10",
    "user": "cn=bind_user,ou=MediaWiki,ou=Applications,ou=Foo,dc=example,dc=com",
    "pass": "REDACTED",
    "port": "389",
    "enctype": "clear",
    "basedn": "dc=example,dc=com",
    "groupbasedn": "ou=Network Users,dc=example,dc=com",
    "userbasedn": "ou=Network Users,dc=example,dc=com",
    "searchattribute": "samaccountname",
    "searchstring": "USER-NAME",
    "usernameattribute": "samaccountname",
    "realnameattribute": "cn",
    "emailattribute": "mail"


My LocalSettings.php file contains:

wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );

$LDAPProviderDomainConfigs = "/etc/mediawiki/ldapprovider.json";
$LDAPAuthentication2AllowLocalLogin = false;


I have the following versions:

- Mediawiki 1.34

- PluggableAuth-REL1_34

- LDAPUserInfo-REL1_31

- LDAPAuthentication2-master-2aa5664 (I've also tried LDAPAuthentication2-REL1_31)

- LDAPProvider-master-963bd84 (I've also tried LDAPProvider-REL1_31)


I'm not sure where to go from here.

Chattadude (talkcontribs)

I have just done a "fresh install" of MediaWiki 1.34 to rule out any possible issue in the database itself.

Using the same codebase and configuration options as described above in the (new) LocalSettings.php of the new install, I am still getting the symptoms I described earlier. My user credentials are clearly working, but I keep getting the error message "The supplied credentials are not associated with any user on this wiki." when I do try to log in.


I'm completely at a loss at this point.

209.3.130.226 (talkcontribs)

Have you found a solution yet? This is where I'm at.

Chattadude (talkcontribs)

Nope, I still don't have this working. I was hoping someone else would be able to provide some guidance.

I'll keep troubleshooting, and if I get it working, will be sure to post back here. If you come up with a solution for yourself, please consider posting back here with your solution as well.

80.89.157.0 (talkcontribs)

Just enable logs with

$wgDebugLogFile = "/var/www/mediawiki/debug.log";

You could see the error there.

Kevin.murilo (talkcontribs)

I'm a little late to the party, but I had this issue a few days ago and even posted about it here: Topic:Vues871fgeqbz0p0. Here's a snip of my comment on how I solved this; my installation is now working properly.

To solve this, keep in mind the JSON fields MUST be in all lower case letters, so instead of sAMAccountname you must use samaccountname and so on for all fields used by the JSON file.
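The lower-case rule from the reply above can be checked mechanically before a login attempt. The following is an added example, not part of any post in this thread and not code from the LDAPProvider project: a small linter that flags mixed-case keys and attribute-name values in the connection settings, and also reports "enctype": "clear", under which the bind credentials travel unencrypted. The sample input is constructed, and the outer domain/"connection" layout of the file is an assumption.

```python
import json

# Keys from the ldapprovider.json on this page whose values name LDAP attributes.
ATTRIBUTE_KEYS = ("searchattribute", "usernameattribute",
                  "realnameattribute", "emailattribute")

# Constructed sample, not a real configuration. The outer
# {domain: {"connection": {...}}} layout is an assumption about the full file.
SAMPLE = """
{
  "LDAP": {
    "connection": {
      "server": "10.10.10.10",
      "port": "389",
      "enctype": "clear",
      "searchattribute": "sAMAccountName",
      "usernameattribute": "samaccountname",
      "emailAttribute": "mail"
    }
  }
}
"""

def lint_connection(conn):
    """Return a list of findings for one domain's connection settings."""
    findings = []
    # Setting names themselves must be lower case.
    for key in conn:
        if key != key.lower():
            findings.append(f"key '{key}' should be '{key.lower()}'")
    # Attribute names given as values must be lower case too.
    for key in ATTRIBUTE_KEYS:
        value = conn.get(key)
        if isinstance(value, str) and value != value.lower():
            findings.append(f"{key}: value '{value}' should be '{value.lower()}'")
    # Not a cause of the login error, but worth reporting alongside it.
    if conn.get("enctype") == "clear":
        findings.append("enctype 'clear': bind credentials are sent unencrypted")
    return findings

def lint_config(text):
    """Parse the JSON text and lint every domain's connection block."""
    config = json.loads(text)
    return {domain: lint_connection(settings.get("connection", {}))
            for domain, settings in config.items()}

if __name__ == "__main__":
    for domain, findings in lint_config(SAMPLE).items():
        for finding in findings:
            print(f"[{domain}] {finding}")
```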

Emikulic (talkcontribs)

Hello, I have had some MediaWiki servers running and am working on a fresh 1.35 install. I only noticed your note from a search. I also have RHEL IDM working w/AD we set up over a year ago with RH.

The only thing I wanted to note is that you will not get everything from AD through IDM; it's a subset of information. RH is working on expanding that. Like email address, will not be passed as it is part of IDM. Groups get passed depending on how you configure IDM.

IDM is amazing and better than all the other solutions to date, and getting better. Definitely helps move enterprises in the direction of 'single account' with all their Linux users.
