Topic on Extension talk:LDAPProvider

LDAP Login for some user not working

P.kotrba (talkcontribs)

Hello,

I have upgraded our MediaWiki from 1.33.0 to version 1.35.6.

After the upgrade, the new version of the Active Directory Integration was installed:

Manual:Active Directory Integration


Currently I have the following problem: some users can perform an AD login, some cannot.

Access to the wiki is permitted for the members of the AD group xxx-WIKI.


ldap.json (without security information):

{
    "xxxxxxx": {
        "connection": {
            "server": "xxx-dc3.xxxxx-xxxxx.local",
            "port": "389",
            "user": "ldap_ro",
            "pass": "top-secret",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "OU=MyBusiness,DC=xxxxx-xxxxx,DC=local",
            "userbasedn": "OU=xxxxx-xxxxx,OU=MyBusiness,DC=xxxxx-xxxxx,DC=local",
            "groupbasedn": "OU=MyBusiness,DC=xxxxx-xxxxx,DC=local",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": {
            "rules": {
                "groups": {
                    "required": ["CN=xxx-WIKI,OU=Security Groups,OU=MyBusiness,DC=xxxxx-xxxxx,DC=local"]
                }
            }
        },
        "groupsync": {
            "mapping": {
                "sysop": ["CN=xxx-WIKI,OU=Security Groups,OU=MyBusiness,DC=xxxxx-xxxxx,DC=local"]
            }
        }
    }
}


Here are the results of the LDAP provider ShowUserGroups.php (I have removed the other groups from the output, for security reasons):

User for whom the LDAP login works:

Full DNs:
      CN=xxx-WIKI,OU=Security Groups,OU=MyBusiness,DC=xxxxx-xxxxx,DC=local
Short names:
       xxx-wiki

User for whom the LDAP login doesn't work:

PHP Notice:  Undefined index: memberof in /home/dokuwiki/mediawiki-1.35.6/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 17
Full DNs:
Short names:


When I run ShowUserInfo.php with the user who is not able to log in, I get cryptic characters:

objectclass =>
  0 => top
  1 => person
  2 => organizationalPerson
  3 => user
  cn => Test Hugo
  sn => Hugo
  description => Testuser
  givenname => Test
  distinguishedname => CN=Test Hugo,OU=xxx-IT,OU=xxxxx-xxxxx,OU=MyBusiness,DC=xxxxx-xxxxx,DC=local
  displayname => Test Hugo
  proxyaddresses => x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5fd3030abdaf40238f02390b8c6aa835-Test Hugo
  targetaddress => SMTP:testuser.hugo@steyrmotors365.mail.onmicrosoft.com
  mailnickname => testuser.hugo
  name => Test Hugo
  objectguid => ▒▒#▒_▒J▒?▒l▒4܍


Please help & thank you

Osnard (talkcontribs)

You have set up group based login restrictions and the user that is not in the group can not log in. That's what it is supposed to do.

You have configured the plugin to look into the "memberof" field of the user. Apparently this is not set properly.

See: PHP Notice: Undefined index: memberof in /home/dokuwiki/mediawiki-1.35.6/extensions/LDAPProvider/src/UserGroupsRequest/UserMemberOf.php on line 17

Check on your LDAP why this user is not in the proper groups.

P.kotrba (talkcontribs)

The user with the non-working login has the required AD group.

I've checked the membership again in the Active Directory.

We have an Active Directory in German. Is it possible that there are encoding problems?

When I run the following command, I get a lot of cryptic keys as a result:

dokuwiki@xxx-WIKI:~/public_html$ php extensions/LDAPProvider/maintenance/ShowUserInfo.php -d xxxxx-xxxxx -u testuser.hugo

objectclass =>
  0 => top
  1 => person
  2 => organizationalPerson
  3 => user
  cn => Test Hugo
  sn => Hugo
  description => Testuser
  givenname => Test
  displayname => Test Hugo
  proxyaddresses => x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=5fd3030abdaf40238f02390b8c6aa835-Test Hugo
  targetaddress => SMTP:testuser.hugo@steyrmotors365.mail.onmicrosoft.com
  mailnickname => testuser.hugo
  name => Test Hugo
  objectguid => ▒▒#▒_▒J▒?▒l▒4܍
  codepage => 0
  countrycode => 0
  primarygroupid => 14167
c▒▒Z▒▒▒▒#id => *▒~
  samaccountname => testuser.hugo

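An added diagnostic example for the symptoms shown in this thread (not code from the participants or from the LDAPProvider extension): it decodes the binary objectGUID and objectSid values that print as unreadable characters, and flags an entry that has no memberOf attribute together with a non-default primaryGroupID, because Active Directory does not list a user's primary group in memberOf. The entry layout (lowercase attribute names mapping to lists of bytes), the function names and the sample values are assumptions constructed for illustration.

```python
import struct
import uuid

DEFAULT_PRIMARY_GROUP_RID = 513  # "Domain Users", the AD default for user accounts

def guid_to_str(raw: bytes) -> str:
    """objectGUID is 16 raw bytes; AD stores the first three fields little-endian."""
    return str(uuid.UUID(bytes_le=raw))

def sid_to_str(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def primary_group_sid(object_sid: bytes, primary_group_id: int) -> str:
    """Primary group SID = the user's domain SID with primaryGroupID as the RID."""
    return sid_to_str(object_sid).rsplit("-", 1)[0] + "-" + str(primary_group_id)

def diagnose(entry: dict) -> dict:
    """entry maps lowercase attribute names to lists of bytes (assumed layout)."""
    member_of = [v.decode("utf-8") for v in entry.get("memberof", [])]  # may be absent
    rid = int(entry["primarygroupid"][0])
    return {
        "guid": guid_to_str(entry["objectguid"][0]),
        "sid": sid_to_str(entry["objectsid"][0]),
        "member_of": member_of,
        "primary_group_sid": primary_group_sid(entry["objectsid"][0], rid),
        # memberOf never lists the primary group, so a required group that is
        # the user's primary group is invisible to a memberOf-only check.
        "check_primary_group": rid != DEFAULT_PRIMARY_GROUP_RID,
    }

# Constructed sample entry (not data from the thread): no memberof attribute,
# non-default primaryGroupID, binary objectGUID and objectSid.
SAMPLE = {
    "samaccountname": [b"testuser.example"],
    "primarygroupid": [b"14167"],
    "objectguid": [bytes(range(16))],
    "objectsid": [bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1000, 2000, 3000, 1105)],
}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

When check_primary_group is true, resolve primary_group_sid to a group DN in the directory and compare it with the DN listed under "required" in ldap.json.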