Topic on Extension talk:LDAPProvider/Flow

Summary by Wikiphpnoob

looks since the office is more making a move towards Azure/Entra for authentication, so will our wiki site. So there may be a chance I will be posing questions in those article topic sections soon. wish me luck

Wikiphpnoob (talkcontribs)

i keep trying to reach out, but i guess SME's are otherwise engaged. so i'll try again.

i completely wiped out my previous build and started over.

I'm on Windows Server 2016 ( i know its not supported), with IIS 10

Installed software

Product Version

MediaWiki 1.39.6

PHP 8.3.4 (cgi-fcgi)

MySQL 8.3.0

ICU 72.1

LDAPAuthentication2 2.0.7 (3a91dad) 08:59, 4 March 2024

LDAPAuthorization 2.0.5 (ccd20da) 08:59, 4 March 2024

LDAPGroups 2.0.5 (956a438) 19:08, 4 March 2024

LDAPProvider 2.0.5 (b7fd141) 08:59, 4 March 2024

LDAPUserInfo 2.0.4 (a5eeff0) 08:59, 4 March 2024

PluggableAuth 7.1.0 (1884a12) 06:36, 4 March 2024

I am able to log in locally. I cannot authenticate over LDAP

I attempt to log in over LDAP using my samaccountname ID - firstname.lastname and get Could not authenticate credentials against domain "ACME.ORG"

LDAPAuthentication2 log shows - 2024-04-02 18:19:06 SERVER acmewiki: Could not bind to LDAP domain with given user: firstname.lastname

PluggableAuth log shows:

2024-04-02 18:19:06 SERVER acmewiki: In execute()

2024-04-02 18:19:06 SERVER acmewiki: Getting PluggableAuth instance

2024-04-02 18:19:06 SERVER acmewiki: Plugin name: LDAPAuthentication2

2024-04-02 18:19:06 SERVER acmewiki: Authentication failure.

2024-04-02 18:19:06 SERVER acmewiki: ERROR: Could not authenticate credentials against domain "ACME.ORG"


I also get [authentication] Login failed in primary authentication by MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider


i can succesfully run showuserinfo.php, ShowUserGroups.php, CheckConnection.php. BUT CheckLogin.php shows FAILED

i can perform a simple bind using LDP.exe using the ldap bind service account and using my samaccountname ID - firstname.lastname

i have been running update.php and resetarting IIS when making changes

here are scrubbed LocalSettings and ldapprovider.json:

LocalSettings:

// Safe IP or not (for bypassing external login via AD)

$safeIPs = array(

'127.0.0.1',

'localhost',

'x.x.x.x/16');

$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }

}

$wikiRequestSafe = ( isset($wikiRequestIP ) && ( in_array($wikiRequestIP,$safeIPs) ));

// Create Wiki-Group 'users' from default user group

$wgGroupPermissions['users'] = $wgGroupPermissions['user']; (IS THIS OK?????)

// Private Wiki. External LDAP login. Default NS requires login. (ARE THESE OK???)

$wgEmailConfirmToEdit = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['sysop']['createaccount'] = false;

$wgGroupPermissions['*']['autocreateaccount'] = true;

$wgBlockDisablesLogin = true;

// Load LDAP Config from JSON

$ldapJsonFile = __DIR__ . '/ldapprovider.json';

$ldapConfig = false;

if (is_file($ldapJsonFile)) {

    $testJson = @json_decode(file_get_contents($ldapJsonFile), true);

    if (is_array($testJson)) {

        $ldapConfig = true;

    } else {

        error_log("Found invalid JSON in file: $ldapJsonFile");

    }

} else {

    error_log("LDAP config file not found: $ldapJsonFile");

}

// Activate LDAP extensions

if ( $ldapConfig ) {

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPGroups' );

wfLoadExtension( 'LDAPUserInfo' );

$LDAPProviderDomainConfigs = "$ldapJsonFile";

// Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)

$LDAPProviderDefaultDomain = array_key_first(json_decode(file_get_contents($LDAPProviderDomainConfigs), true));

# Configure PluggableAuth settings

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = true;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout = true;

$wgPluggableAuth_Config = [

"ACME Wiki Login" => [

'plugin' => 'LDAPAuthentication2',

'data' => ['domain' => 'ACME.ORG']

],

"LDAP Authorization" => [

'plugin' => 'LDAPAuthorization'

]

];

# LDAPProvider settings

$LDAPProviderCacheType = 'CACHE_NONE'; // 'CACHE_ANYTHING' when NOT debugging

$LDAPProviderCacheTime = 500;

$LDAPProviderPreSearchUsernameModifierRegistry = [

'strtolower' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();

},

'removespaces' => function () {

return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\RemoveSpaces::newInstance();

}

];

# LDAPAuthentication2 settings

$LDAPAuthentication2AllowLocalLogin = true;

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName';

if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }

}

$wgShowExceptionDetails = true;

$wgDebugToolbar = true;

$wgDebugLogGroups['PluggableAuth'] = 'C:/Windows/Temp/PLUG.log';

$wgDebugLogGroups['LDAP'] = 'C:/Windows/Temp/ldap1.log';

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 'C:/Windows/Temp/ldapprovider.log';

$wgDebugLogGroups['LDAPGroups'] = 'C:/Windows/Temp/LDAPGroups.log';

$wgDebugLogGroups['LDAPUserInfo'] = 'C:/Windows/Temp/LDAPUser.log';

$wgDebugLogGroups['LDAPAuthentication2'] = 'C:/Windows/Temp/LDAPAuthentication2.log';

$wgDebugLogGroups['LDAPAuthorization'] = 'C:/Windows/Temp/LDAP.log';

********************************

ldapprovider.json:

{

  "ACME.ORG": {

    "connection": {

      "server": "x.x.x.x",

      "port": 389,

      "use-tls": false,

      "enctype": "clear",

      "user": "CN=wiki service account,OU=ACME Managed Service Accounts,DC=ACME,DC=ORG",

      "pass": "xxx",

      "options": { "LDAP_OPT_DEREF": 1 },

      "basedn": "DC=ACME,DC=ORG",

      "groupbasedn": "DC=ACME,DC=ORG",

      "userbasedn": "DC=ACME,DC=ORG",

      "searchattribute": "samaccountname",

      "usernameattribute": "samaccountname",

      "realnameattribute": "samaccountname",

      "groupsearch": "$dn",

      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

      "presearchusernamemodifiers": [ "lowercase", "removespaces" ],

      "searchstring": "CN=USER-NAME,DC=ACME,DC=ORG",

      "nestedgroups": false

    },

    "userinfo": {

      "attributes-map": {

        "realname": "samaccountname"

      }

    },

    "authorization": {

      "rules": {

        "groups": {

          "required": [

            "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

            "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

          ]

        }

      }

    },

    "groupsync": {

      "mechanism": "mappedgroups",

      "mapping": {

        "information technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

        "human resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

      }

    }

  }

}

Wikiphpnoob (talkcontribs)
Wikiphpnoob (talkcontribs)

also seeing from $wgDebugLogFile some entries...

>checkLDAPLogin/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty [LDAPProvider] Setting LDAP_OPT_PROTOCOL_VERSION to 3 [LDAPProvider] Setting LDAP_OPT_REFERRALS to 0 [LDAPProvider] Setting LDAP_OPT_DEREF to 1 [LDAPProvider] MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=firstname.lastname,DC=ACME,DC=ORG'


which i believe at a minimum, it shows successful validation of a username using LDAP

Osnard (talkcontribs)

What do the debug logs?

Regarding the $wgGroupPermissions: If you want to have per-namespace permissions, please check out Extension:Lockdown

Wikiphpnoob (talkcontribs)

@Osnard

if there are other logs i need to set up, or have done so incorrectly, please help

I have this set up at the bottom of my LocalSettings:

$wgShowExceptionDetails = true;

$wgDebugToolbar = true;

$wgDebugLogGroups['PluggableAuth'] = 'C:/Windows/Temp/PLUG.log';

$wgDebugLogGroups['LDAP'] = 'C:/Windows/Temp/ldap1.log';

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 'C:/Windows/Temp/ldapprovider.log';

$wgDebugLogGroups['LDAPGroups'] = 'C:/Windows/Temp/LDAPGroups.log';

$wgDebugLogGroups['LDAPUserInfo'] = 'C:/Windows/Temp/LDAPUser.log';

$wgDebugLogGroups['LDAPAuthentication2'] = 'C:/Windows/Temp/LDAPAuthentication2.log';

$wgDebugLogGroups['LDAPAuthorization'] = 'C:/Windows/Temp/LDAP.log';

$wgDebugLogFile = 'C:/Windows/Temp/Debug.log';


only Debug, LDAPAuthentication2 and PLUG log files are collecting logs

LDAPAuthentication2:

2024-04-04 12:04:44 SERVER acme: Try to authenticate user: firstname.lastname

2024-04-04 12:04:44 SERVER acme: Not local login. Checking LDAP...

2024-04-04 12:04:44 SERVER acme: LDAP domain: RAARIC.ORG

2024-04-04 12:04:44 SERVER acme: Could not bind to LDAP domain with given user: firstname.lastname

PLUG

2024-04-04 12:04:44 SERVER acme: In execute()

2024-04-04 12:04:44 SERVER acme: Getting PluggableAuth instance

2024-04-04 12:04:44 SERVER acme: Plugin name: LDAPAuthentication2

2024-04-04 12:04:44 SERVER acme: Authentication failure.

2024-04-04 12:04:44 SERVER acme: ERROR: Could not authenticate credentials against domain "ACME.ORG"

Debug snippits:

[session] SessionBackend "3j82ch3sui4ve4f2ftbjsb8l31dgkhts" data dirty due to dirty(): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->continuePrimaryAuthentication/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[authentication] Login failed in primary authentication by MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider

[session] SessionBackend "3j82ch3sui4ve4f2ftbjsb8l31dgkhts" data dirty due to dirty(): AuthManagerSpecialPage->handleFormSubmit/AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty


[session] SessionBackend "3j82ch3sui4ve4f2ftbjsb8l31dgkhts" data dirty due to dirty(): AuthManagerSpecialPage->handleReturnBeforeExecute/MediaWiki\Auth\AuthManager->removeAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty[DBQuery] LCStoreDB::get [0s] 127.0.0.1: SELECT  lc_value  FROM `l10n_cache`    WHERE lc_lang = 'en' AND lc_key = 'messages:ldapauthentication2-error-authentication-failed'  LIMIT 1  [session] SessionBackend "3j82ch3sui4ve4f2ftbjsb8l31dgkhts" data dirty due to dirty(): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[LDAPProvider] Setting LDAP_OPT_PROTOCOL_VERSION to 3

[LDAPProvider] Setting LDAP_OPT_REFERRALS to 0

[LDAPProvider] Setting LDAP_OPT_DEREF to 1

[LDAPProvider] MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'CN=firstname.lastname,DC=ACME,DC=ORG'

Osnard (talkcontribs)

Are there no log messages (e.g. in C:/Windows/Temp/ldap1.log) that look like this?

ldap_bind( ...
# returns ...
Wikiphpnoob (talkcontribs)

no, there is no ldap1 log file created

Osnard (talkcontribs)

What about C:/Windows/Temp/ldapprovider.log? Is such a log message in any of the other logs you have wired?

Wikiphpnoob (talkcontribs)

negative