Hello,
Following the Manual:Active_Directory_Integration documentation, I connected MediaWiki to my LDAP directory.
User login works, but I can't do the following:
- Restrict login to a group (allow only the members of a given group)
- Manage rights by group
My users are:
- wiki_admin is in the group grpwikiadmin
- wiki_utilisateur is in the group grpwikiutilisateur
- wiki_interdit has no group
My groups:
- Grpwikiadmin: I want its members to be admins
- Grpwikiutilisateur: I want its members to have basic user rights on the wiki
Grpwikiutilisateur has two members: Grpwikiadmin and wiki_utilisateur
How can I do this?
Thank you for your help
LDAP login does not work if the option "authorization" => "rules" => "groups" => "required" is present.
My domain is test.local, and my groups and users are in OU=test,DC=test,DC=local
################### ldap.json ###################
{
"test.local": {
"connection": {
"server": "192.168.1.50",
"port": "3268",
"user": "CN=svc_wiki,OU=test,DC=test,DC=local",
"pass": "MYpassword",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "DC=test,DC=local",
"userbasedn": "DC=test,DC=local",
"groupbasedn": "DC=test,DC=local",
"searchattribute": "samaccountname",
"searchstring": "USER-NAME@test.local",
"usernameattribute": "samaccountname",
"realnameattribute": "cn",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
},
"userinfo": [],
"authorization": {
"rules": {
"groups": {
"required": ["CN=grpwikiutilisateur,OU=test,DC=test,DC=local"]
}
}
}
},
"groupsync": {
"mapping": {
"engineering": "CN=grpwikiutilisateur,OU=test,DC=test,DC=local",
"bureaucrat": "CN=grpwikiadmin,OU=test,DC=test,DC=local",
"interface-admin": "CN=grpwikiadmin,OU=test,DC=test,DC=local",
"sysop": "CN=grpwikiadmin,OU=test,DC=test,DC=local"
}
}
}
}
################### localconfig.php ###################
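// Safe IP or not (for bypassing external login via AD)
// Requests judged "safe" are offered the local (non-LDAP) login further down.
$safeIPs = ['127.0.0.1', '::1', 'localhost'];
// Reverse proxies whose X-Real-IP / X-Forwarded-For headers may be believed.
// Leave this empty when Apache is reached directly: those headers are then
// written by the client itself, and honouring them would let any visitor
// claim a safe address and reach the local login.
$trustedProxies = [];

/**
 * Determine the client IP of the current request.
 *
 * REMOTE_ADDR is the only value the web server itself guarantees; the
 * forwarded headers are consulted only when REMOTE_ADDR is a trusted proxy.
 *
 * @param array<string, string> $server         usually $_SERVER
 * @param list<string>          $trustedProxies REMOTE_ADDR values allowed to forward
 * @return string|null the client IP, or null when REMOTE_ADDR is absent
 */
function wikiRequestClientIP(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if ($remote === '') {
        return null;
    }
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    foreach (['HTTP_X_REAL_IP', 'HTTP_X_FORWARDED_FOR'] as $header) {
        if (!isset($server[$header])) {
            continue;
        }
        // X-Forwarded-For reads "client, proxy1, ..."; only the last entry was
        // appended by the trusted proxy, earlier ones are client-controlled.
        $hops = array_map('trim', explode(',', $server[$header]));
        $candidate = $hops[count($hops) - 1];
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // The trusted proxy forwarded nothing usable: fall back to its own address.
    return $remote;
}

$wikiRequestIP = wikiRequestClientIP($_SERVER, $trustedProxies);
$wikiRequestSafe = $wikiRequestIP !== null && in_array($wikiRequestIP, $safeIPs, true);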
// Create Wiki-Group 'engineering' from default user group
$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];

// Make the wiki private: anonymous visitors may neither read, edit nor
// register, while accounts are still auto-created on first LDAP login.
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*'] = [
    'edit' => false,
    'read' => false,
    'createaccount' => false,
    'autocreateaccount' => true,
] + ($wgGroupPermissions['*'] ?? []);
// Administrators must not create local accounts either; LDAP is the source.
$wgGroupPermissions['sysop']['createaccount'] = false;
// A blocked user is also locked out of logging in.
$wgBlockDisablesLogin = true;
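// Load the JSON file only if it exists and parses without error

/**
 * Check that $path can be read and holds a JSON object or array.
 *
 * Read and decode failures are logged and reported as false instead of being
 * hidden behind '@', so a broken ldap.json shows up in the error log.
 *
 * @param string $path absolute path of the LDAP domain config file
 * @return bool true when the file decodes to an array
 */
function ldapJsonFileIsValid(string $path): bool
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        error_log("Could not read file: $path");
        return false;
    }
    try {
        $decoded = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    } catch (\JsonException $e) {
        error_log("Found invalid JSON in file: $path (" . $e->getMessage() . ")");
        return false;
    }
    if (!is_array($decoded)) {
        // Valid JSON, but a scalar: not a usable domain configuration.
        error_log("Found invalid JSON in file: $path");
        return false;
    }
    return true;
}

$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = is_file($ldapJsonFile)
    && is_dir("$IP/extensions/LDAPProvider")
    && ldapJsonFileIsValid($ldapJsonFile);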
//////////// Enable the LDAP extensions once the JSON config was accepted
if ($ldapConfig) {
    wfLoadExtensions([
        'PluggableAuth',
        'LDAPProvider',
        'LDAPAuthentication2',
        'LDAPAuthorization',
        'LDAPUserInfo',
        'LDAPGroups',
    ]);
    $LDAPProviderDomainConfigs = $ldapJsonFile;
    $wgPluggableAuth_ButtonLabel = "Connexion LDAP";
    // The local (non-LDAP) login form is only offered to requests that the
    // IP check above judged safe.
    if ($wikiRequestSafe) {
        $LDAPAuthentication2AllowLocalLogin = true;
    }
}
################### My configuration ###################
Mediawiki : 1.34
PHP7.3.14-1~deb10u1 (apache2handler)
LDAPAuthentication2 1.0.1 (4836429) 20 mars 2020 à 07:29
LDAPAuthorization 1.1.0 (c7d1c50) 18 mars 2020 à 22:23
LDAPGroups 1.0.2 (d8f8e90) 18 mars 2020 à 22:24
LDAPProvider 1.0.3 (ecf3c2d) 18 mars 2020 à 22:37
LDAPUserInfo 1.0.0 (ea18199) 18 mars 2020 à 22:38
PluggableAuth 5.7 (17fb1ea) 13 septembre 2019 à 10:20