Topic on Extension talk:LDAPAuthentication2/Flow

SSO not working using LDAPAuthentication2

Testergt1302 (talkcontribs)

Hi,

We had MW 1.35 in Prod and SSO was working when using the extension LDAPAuthentication. But when we upgraded to MW 1.39, we were advised to use the extension LDAPAuthentication2 with LDAPProvider & PluggableAuth. But SSO is not working with this form-based solution.

Please let us know how we can achieve SSO with this form-based approach?


Thanks,

GT

Osnard (talkcontribs)
Testergt1302 (talkcontribs)

Ok, we are currently using this one only. If the user ID is present in the wiki DB, the extension allows the user to access the wiki. But I noticed that a new user account is being created in the wiki DB only with the user name. The email ID and other things are not added to the user table. For existing users I can see the email ID and other details since that was done by the LDAP extension.

Not sure if this will be a problem in the future if we plan to move to another SSO method like SAML.

Osnard (talkcontribs)

If you use Auth_remoteuser for SSO, you can use the extensions LDAPProvider, LDAPGroups and LDAPUserInfo in addition, to do the synchronization of "realname", "e-mail" and "group assignments" after the SSO has happened.

If you switch to Extension:SimpleSAMLphp or Extension:OpenIDConnect, all those things will be implicitly handled in the SSO process.

Testergt1302 (talkcontribs)

We had some challenges on the networking and AD side while configuring the SAML SSO; this may take some time to set up. Meanwhile we have to use Auth_remoteuser.

By the way, I tried installing the extensions LDAPProvider, LDAPGroups and LDAPUserInfo in the wiki. But I'm not sure if it is able to do the synchronization. Is there any special setting/variable to do the sync in the backend?

Osnard (talkcontribs)
Testergt1302 (talkcontribs)

Hi Osnard,

I think I have done this. I can see these lines in the logs:

"wiki: Set 'realname' with raw value <My Full Name>"

But there is another problem here. Now I am not able to upload while editing a page. There is an upload dialog which we use to upload files directly while editing a page, inserting them into the page. This was easier than going to the upload page, uploading the file there, then editing the page to embed it.

Now if I try to upload from the edit page, it shows: You don't have permission to upload this file.

Tried to allow upload for all by setting: $wgGroupPermissions['*']['upload'] = true;

but then it says: You must be logged in to upload file.

Does this mean that I am still not logged in? Then how can I access our private wiki, edit pages and do all the other things there?

I don't understand this behavior.

Can you please help here?

Thanks- GT

Osnard (talkcontribs)

Can you please check the following things:

  1. Are session cookies included in the Upload-API call? Use the "network" panel in the browser development tools (F12) to check this.
  2. Is Kerberos authentication enabled in the context of the api.php entrypoint? Look into the LDAP-related logs when the API endpoint gets called.
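The two checks above can be done by hand in the browser's network panel, but a HAR export of the same traffic (the "Save all as HAR" option in the network panel) can be inspected programmatically. The following script is an added example, not part of this thread or of any of the extensions mentioned: it finds every api.php request whose action is "upload" and reports whether it carried a MediaWiki session cookie (assumed here to use the default "<prefix>_session" name) and whether it carried a Kerberos "Authorization: Negotiate" header. The HAR data at the bottom is constructed for the demonstration.

```python
"""Inspect a browser HAR export for api.php upload calls and report whether
each one carried a MediaWiki session cookie and/or a Kerberos Negotiate header.
Added example; the HAR below is constructed, not captured from a real wiki."""
import json
from urllib.parse import urlparse, parse_qs


def _header(headers, name):
    """Return the value of the first header called `name` (case-insensitive), or None."""
    for h in headers:
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return None


def _is_upload_request(request):
    """True if the request targets api.php with action=upload (query string or POST body)."""
    parsed = urlparse(request.get("url", ""))
    if not parsed.path.endswith("api.php"):
        return False
    if parse_qs(parsed.query).get("action") == ["upload"]:
        return True
    for p in request.get("postData", {}).get("params", []):
        if p.get("name") == "action" and p.get("value") == "upload":
            return True
    return False


def session_cookie_present(request, suffix="_session"):
    """True if any cookie name in the Cookie header ends with `suffix`.
    MediaWiki's session cookie is $wgCookiePrefix + '_session' by default (assumption)."""
    cookie = _header(request.get("headers", []), "Cookie") or ""
    names = [part.strip().split("=", 1)[0] for part in cookie.split(";") if part.strip()]
    return any(n.endswith(suffix) for n in names)


def negotiate_present(request):
    """True if the request carries an Authorization header using the Negotiate (Kerberos/SPNEGO) scheme."""
    auth = _header(request.get("headers", []), "Authorization") or ""
    return auth.startswith("Negotiate ")


def audit_har(har):
    """Return one finding per api.php upload request in the HAR export."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if not _is_upload_request(req):
            continue
        findings.append({
            "url": req["url"],
            "session_cookie": session_cookie_present(req),
            "negotiate": negotiate_present(req),
            "status": entry.get("response", {}).get("status"),
        })
    return findings


# Constructed sample: one upload call with the session cookie, one without any
# credentials, and one unrelated page request that the audit must ignore.
SAMPLE_HAR = json.loads("""{
  "log": {"entries": [
    {"request": {"method": "POST", "url": "https://wiki.example.invalid/w/api.php",
                 "headers": [{"name": "Cookie", "value": "wiki_session=abc123; wikiUserID=5"}],
                 "postData": {"mimeType": "multipart/form-data",
                              "params": [{"name": "action", "value": "upload"}]}},
     "response": {"status": 200}},
    {"request": {"method": "POST", "url": "https://wiki.example.invalid/w/api.php?action=upload&format=json",
                 "headers": [{"name": "Content-Type", "value": "multipart/form-data"}]},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://wiki.example.invalid/w/index.php?title=Main_Page",
                 "headers": [{"name": "Authorization", "value": "Negotiate YIIB..."}]},
     "response": {"status": 200}}
  ]}
}""")


if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR):
        print(f)
```

An upload call that shows neither the session cookie nor a Negotiate header is the case the thread's symptom points at: the page view is authenticated, but the API call behind the upload dialog arrives at api.php as an anonymous request, which is exactly when MediaWiki answers "You must be logged in to upload".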