Cindy.cicalese

Hi Cindy, do you know if there is any progress/update on the mentioned plugin? Can we at least expect it? I guess that many users wait for it. Aschroet (talk) 09:26, 28 July 2017 (UTC)Reply

Good question! Let me look into that and get back to you.

Cindy Cindy.cicalese (talk) 14:23, 28 July 2017 (UTC)Reply

Hello toegether!

I know how to solve one of the issues at least and I have posted the way to the solution here: Topic:Tlz6fw5aasbglko8!

Would be great, if someone could integrate this fix! 2003:72:6D2A:9E00:C089:626A:E54F:136D (talk) 08:21, 30 July 2017 (UTC)Reply

Hi!

The future of Extension:LdapAuthentication is not clear. At the moment there are efforts being made to build an alternative. It will be based on Extension:PluggableAuth. A migration guide will be published under LDAP hub/Migration from extension LDAPAuthentication. Unfortunately it is not ready yet. Osnard (talk) 14:04, 4 August 2017 (UTC)Reply

I wish to move mediawiki 1.26 in 1.31 but I need Ldap (company rule)

I'm trying to install LDAP Autentication2 with LDAP Provider and PlugableAuth in 1.31

Result is a [038e54b61e1b8be5ce73ffcb] 2019-01-26 20:51:05: Fatal exception of type "Error"

Are you able to suggest help? Vbhttb (talk) 20:55, 26 January 2019 (UTC)Reply

Please post questions on Extension:LDAPAuthentication2 at Extension talk:LDAPAuthentication2. Please be sure to include version information for all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log. Cindy.cicalese (talk) 23:49, 28 January 2019 (UTC)Reply

MediaWiki message delivery (talk) 18:35, 29 March 2018 (UTC)Reply

MediaWiki message delivery (talk) 01:33, 13 April 2018 (UTC)Reply

MediaWiki message delivery (talk) 00:43, 20 April 2018 (UTC)Reply

Hi Cindy!! As the CommentStreams extension page states, latest version of the extension is supported by;

Whereas, I have Mediawiki of 1.25.2 and PHP version of 5.5.9-1. Shouldn't it work normally? But I get error of;

MediaWiki Extension:CommentStreams, undefined constant DB_REPLICA error. And when I try to save comment it gives <unknownerror> on pop up window. After a long research I found out that my Mediawiki might not be compatible to the latest version of the extension. So I downloaded the CommentStreams version 4.0. Now the DB_REPLICA error is gone but still giving me the error of <unknownerror> while I want to add comment. Could you please help me with this? Thanks in advance. Shahbibash (talk) 16:17, 20 January 2019 (UTC)Reply

Hi Cindy,
do you know why if the page title (the node) contains symbols (e.g. a single quote) VIKi puts the corresponding HTML number (that is: &#39;) instead?

For example if, in my wiki, I have the node Rickett's Hornpipe and the VIKI graph will render it as Rickett&#39;s Hornpipe

Is there a way to solve this misbehaviour?

Thank you. Silkwood (talk) 13:50, 12 February 2019 (UTC)Reply

Unfortunately, there is no longer an active maintainer for Extension:VIKI. Cindy.cicalese (talk) 16:54, 12 February 2019 (UTC)Reply

Hello Cindy,

I found you on recent changes, can you hide my IP Topic:Vk2wxxb5bxbovovq here, please.

Have a nice day! Estin Giç Giç (talk) 22:18, 7 April 2020 (UTC)Reply

Hi Cindy,

I want to share my configuration to use OpenID Connect with a Gitlab (self-hosted).

Gitlab

• Login to Gitlab Admin Area
• Applications -> New Application
  • Name: MediaWiki
  • Redirect URI: <<https wiki server>>/wiki/Special:PluggableAuthLogin
  • Trusted: yes
  • Confidential: yes
  • Scopes: openid, profile, email
• Submit
• Copy Application ID and Secret to LocalSettings.php

MediaWiki Configuration

In LocalSettings.php

# Extension:OpenID Connect
wfLoadExtension( 'PluggableAuth' );
# set to false to deactivate local logins
$wgPluggableAuth_EnableLocalLogin = true; #= false;

wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['<<https gitlab server>>'] = [
    'clientID' => '...', # Insert Gitlab Application ID here!
    'clientsecret' => '...', # Insert Gitlab Secret here!
    # docs.gitlab.com/ee/integration/openid_connect_provider.html
    # Alternative 'nickname'
    # Alternative 'name'
    'preferred_username' => 'nickname'
];
$wgPluggableAuth_ButtonLabelMessage = 'Login with your Gitlab Account'; 94.79.159.70 (talk) 15:46, 20 November 2020 (UTC)Reply

Thank you very much for contributing this! Please feel free to update Extension:OpenID Connect with these instructions!

Cindy Cindy.cicalese (talk) 16:14, 20 November 2020 (UTC)Reply

Hi Cindy,

We want to use OpenID connect with last MediaWiki release - 1.35.1. It requires PHP 7.3.19+ and when we try to authenticate we get an error: php deprecated: array_key_exists(): Using array_key_exists() on objects is deprecated. Use isset() or property_exists() instead

This function is using here (912 line):

public function requestUserInfo($attribute = null) {

        $user_info_endpoint = $this->getProviderConfigValue("userinfo_endpoint");

        $schema = 'openid';

        $user_info_endpoint .= "?schema=" . $schema;

        //The accessToken has to be send in the Authorization header, so we create a new array with only this header.

        $headers = array("Authorization: Bearer {$this->accessToken}");

        $user_json = json_decode($this->fetchURL($user_info_endpoint,null,$headers));

        $this->userInfo = $user_json;

        if($attribute === null) {

            return $this->userInfo;

        } else if (array_key_exists($attribute, $this->userInfo)) {

            return $this->userInfo->$attribute;

        } else {

            return null;

        }

    }

I tried to fix this using property_exists() function, but seems like it don't working well. Could you please help with it?

Regrads,

Stanislav Babaryka

stanislav.babaryka@gmail.com 5.53.119.6 (talk) 15:02, 20 January 2021 (UTC)Reply

I believe that you are using an old version of the OpenID Connect extension. The extension makes use of an OpenID Connect library. The code you refer to is in that library. It is fixed in verion 0.9.0 of the library. The most recent version of the extension uses version 0.9.1 of the library. You can see this by looking for 'jumbojett/openid-connect-php' in the composer.json file of the extension. I suggest that you get the latest version of the extension, version 5.4, which includes this update. Cindy.cicalese (talk) 15:59, 23 January 2021 (UTC)Reply

Hi again!

Yes, it worked well with new version, thanks!

But we have new issue now - when new user created during login it haven't email in it profile. Only attribute that new user receives from azure AD is realname.

LocalSettings part with plugins config:

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableLocalLogin = true;

$wgPluggableAuth_ButtonLabelMessage = "Office 365 Login";

wfLoadExtension( 'OpenIDConnect' );

$wgOpenIDConnect_Config['h ttps://sts.windows.net/***************************/'] = [

        'clientID' => '*****************************',

        'clientsecret' => '****************************'

    ];

$wgOpenIDConnect_UseRealNameAsUserName = true;

If I define username as email, it will have "User 1" name.

Maybe I missing something or you can suggest what I need to check.

Thanks in advance!

Regards,

Stas 5.53.119.6 (talk) 13:39, 26 January 2021 (UTC)Reply

I understand the bit about the email not getting set, but I'm not sure if you are saying you also have a problem using the real name as the username? It makes sense that it would use 'User 1' if you are using the email address for the name, but no email address and no preferred username is provided. Cindy.cicalese (talk) 13:50, 26 January 2021 (UTC)Reply

Problem is with retrieving email from provider. Real name as username works correctly, but when i try to use email as username i'm getting "User 1". Also there is no email in "email" field in account properties. From Azure side all is ok, all necessary API permissions for Azure App are granted. 5.53.119.6 (talk) 13:57, 26 January 2021 (UTC)Reply

OK, I see. Unfortunately, I'm not familiar with configuring Azure to get it to return the email address. Unless it provides it to the extension, there's nothing the extension can do to get that information. There are other folks using Azure successfully, so it seems there must be a way to configure it to return that information if it exists on the Azure end. Cindy.cicalese (talk) 14:02, 26 January 2021 (UTC)Reply

You could try adding the scope parameter to your config:

$wgOpenIDConnect_Config['h ttps://sts.windows.net/***************************/'] = [

        'clientID' => '*****************************',

        'clientsecret' => '****************************'

      'scope' => [ 'openid', 'profile', 'email' ]

    ]; Cindy.cicalese (talk) 15:01, 26 January 2021 (UTC)Reply

Thanks! With adding Scope and some code editing it works!

Thank you for helping 5.53.119.6 (talk) 11:09, 28 January 2021 (UTC)Reply

Great! I have updated the documentation to include the scope parameter in all of the examples. Cindy.cicalese (talk) 13:58, 28 January 2021 (UTC)Reply

hi,

you are listed on the Extension:LDAPAuthentication2 Page as Author. I want to ask is there a solution for not using a bind account to authenticate against active directory? This was possible with the old extension (Extension:LDAP Authentication). I have no good feelings adding a user an password to json file and have this inside an repo for automatic deployments. Why is this needed? LDAP Selfauth should work also fine. 2A01:9820:2:7:0:0:3E68:2F02 (talk) 10:36, 31 March 2021 (UTC)Reply

@Osnard implemented this functionality and perhaps could respond here. Cindy.cicalese (talk) 12:32, 31 March 2021 (UTC)Reply

@Cindy.cicalese thx for the fast response. I have send an email to @Osnard yesterday. I'm also found it very annoying to have an json File with credentials in the webserver root. This makes security much more complex.

I also found it very strange that the most of the extensions are not able to install via composer. This makes automatic deployments with dependency tracking much harder as it should be. 2A01:9820:2:7:0:0:3E68:2F02 (talk) 07:18, 1 April 2021 (UTC)Reply

I also found it very strange that the most of the extensions are not able to install via composer.

I think I have deployed this with composer. See mediawiki/ldap-authentication-2 and mediawiki/ldap-provider (though, there is a missing dependency that I should fix).

I know @Osnard deploys these with composer, but Hallo Welt! uses their own repository.

I'm also found it very annoying to have an json File with credentials in the webserver root

You certainly do not have to do that. You can put the .json file wherever you want and point $LDAPProviderDomainConfigs to it. ☠MarkAHershberger☢(talk)☣ 15:09, 2 April 2021 (UTC)Reply

@MarkAHershberger @Cindy.cicalese thx for your feedback, I hope you had a nice Easter.

@MarkAHershberger: The composer stuff was not only for this module We have a list of extension we need to use, only a few are available via composer. It would be really god for the future if it where possible to do the complete installation and updates via composer. This would make CI pipelines much better.

@MarkAHershberger: For the json file, I still see not the need why we need a bind user for the extension. Other tools can do it without.

As I wrote we try to deploy our installation as docker images. And hard coded credentials are a mess. I muss now parse two different

config file formats ( Localsettings.php and json) via docker-entrypoint script to put the right credentials in via environment variables.

@Cindy.cicalese @MarkAHershberger @Osnard From my view it would be better to have the stuff in the Localsettings.php and even better don't need a bind user, or make it optional. I have no example for php but for example netbox (open source dcim tool) works without bind user. 2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talk) 08:59, 6 April 2021 (UTC)Reply

LDAP extensions can be installed/updated via composer, but one would need to add a special package-registry. See https://github.com/hallowelt/mediawiki/blob/3.1.x/_bluespice/build/bluespice-ldap/composer.json#L2-L5

AFAIK, MWStake decided to not model inter-extension-dependencies on composer-level, but rather on the extension-manifest Osnard (talk) 09:39, 6 April 2021 (UTC)Reply

It would be good to get the stalled RFC about extension management with composer moving again: https://phabricator.wikimedia.org/T250406. Cindy.cicalese (talk) 13:09, 6 April 2021 (UTC)Reply

@Cindy.cicalese: for me as user this would be a great improvement.

@Osnard: I send you an email some day's before about the ldap question above, why do the extension need a bind user? Have you seen it? 2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talk) 14:29, 6 April 2021 (UTC)Reply

@Osnard @Cindy.cicalese I still got no feedback about the initial question why it needs a bind user? 2A01:9820:2:7:0:0:3E68:2F02 (talk) 08:54, 12 April 2021 (UTC)Reply

Well, I don't think there is a particular reason. Anonymous binds or binds as the user that logs in is just an issue in many cases. Usually you need a privileged proxy user account that has permissions to run all required LDAP searches anyways. Please feel free to provide a patch. The respective code can be found here: https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/acf7b41f09ba0058ee54a11f3a5e24fb7f220dcb/src/Client.php#L174-L199 Osnard (talk) 15:21, 12 April 2021 (UTC)Reply

@Osnard I think a self bind would make it much more secure. So you don't need any ldap user with global read access. And you have no credentials on your servers. I will take a look into the source code. I'm no php programmer but if it is easy I will try to send an patch. 2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talk) 13:48, 16 April 2021 (UTC)Reply

Hi,

today I installed the SemanticRating extension. It is very helpful for our task and easier to install than any Template. However, I immediately stumbled across a problem with the image links for the stars. Our wiki can be reached from inside and outside the local network but the SemanticRating.php $imagepath is composed as an absolute URL (which leads to unreachable images for internal accesses or external accesses). The simple fix for this problem was to remove the $GLOBALS['wgServer'] part of $imagepath so the images ended up being relative URLs like any other image reference on the wiki.

So my question is why SemanticRating has absolute image paths in the first place? As far as I'm aware of, all other intra-wiki links or image-refs use relative URLs starting with $wgScriptPath, too. I don't know if I'm missing a problem here, but if not I would suggest removing the $wgServer part of the image URLs.

Thanks, Matthias Theowl84 (talk) 18:53, 18 April 2021 (UTC)Reply

There is no good reason that it uses an absolute path. Please feel free to submit a patch in gerrit to change the path.

Thanks, Cindy Cindy.cicalese (talk) 21:17, 18 April 2021 (UTC)Reply

My mediawiki ver is 1.32 and we would like to use PluggableAuth and SimpleSAMLphp with azure AD.

Currently, We have no plan to upgrade the ver in anytime soon due to internal decision. If we would like to stay on 1.32 ver more longer and would like to use the mentioned extension for SSO ex: PluggableAuth and SimpleSAMLphp. Can i download the latest extension version from the drop down menu like 1.36(latest stable MediaWiki) or 1.35 since the status is LTS? if it's not possible, should i download the same extension ver from git? I tried to find the extension ver for 1.32 from git but i can’t find it because i’m not very familiar with it.

Appreciate your helps Frizzow (talk) 06:16, 23 September 2021 (UTC)Reply

You should be able to use the latest stable versions of both extensions with MediaWiki 1.32 at this point. I believe that both maintain backward compatibility at this point to at least 1.31. Cindy.cicalese (talk) 12:21, 23 September 2021 (UTC)Reply

Hi Cindy,

I hope you are doing well.

Below are the error message i’ve received in my wiki when i wanted to check on special version page whether simplesamlphp and pluggableauth extension already available or not. I’m using simplesamlphp 1.35 and pluggableauth 1.35 and my mediawiki ver is 1.32. I will connect with Azure AD for SSO but i haven’t sent anything to Azure admin yet on the metadata since i got this error below:

Warning: require_once(/htdocs/simplesamlphplib/lib/_autoload.php): failed to open stream: No such file or directory in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203

Fatal error: require_once(): Failed opening required '/htdocs/simplesamlphplib/lib/_autoload.php' (include_path='E:\Apache24\htdocs\vendor/pear/console_getopt;E:\Apache24\htdocs\vendor/pear/mail;E:\Apache24\htdocs\vendor/pear/mail_mime;E:\Apache24\htdocs\vendor/pear/net_smtp;E:\Apache24\htdocs\vendor/pear/net_socket;E:\Apache24\htdocs\vendor/pear/pear-core-minimal/src;E:\Apache24\htdocs\vendor/pear/pear_exception;.;C:\php\pear') in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203

Other than that, i also received error at simplesamlphp library. It says Configuration error. And the debug information shows as “SimpleSAML\Error\CriticalConfigurationError: The configuration is invalid: Setting secure cookie on plain HTTP is not allowed.” Fyi, I put SimpleSamlPhp and pluggableauth extensions in extensions folder while the simplesamlphplib (from simplesamlphp.org), i put in htdocs folder.

I only added relevant code below in localsettings.php

1. PluggableAuth

wfLoadExtension( 'PluggableAuth' ); $wgPluggableAuth_EnableAutoLogin = true; $wgPluggableAuth_EnableLocalLogin = false; $wgPluggableAuth_EnableLocalProperties = false; //$wgPluggableAuth_ButtonLabelMessage = "PluggableAuth Login"; //$wgPluggableAuth_Class = 'SimpleSAMLphp'; $wgGroupPermissions['*']['createaccount'] = true; $wgGroupPermissions['*']['autocreateaccount'] = true;

1. SimpleSAMLphp

wfLoadExtension( 'SimpleSAMLphp' ); $wgSimpleSAMLphp_InstallDir = "/htdocs/simplesamlphplib"; $wgSimpleSAMLphp_AuthSourceId = "default-sp"; $wgSimpleSAMLphp_RealNameAttribute = "givenName"; $wgSimpleSAMLphp_EmailAttribute = "mail"; $wgSimpleSAMLphp_UsernameAttribute = "uid";

Appreciate your help. Frizzow (talk) 07:19, 10 November 2021 (UTC)Reply

I’ve changed from http to https://127.0.01/simplesamlphplib/www and it works. It says congratulations, you have successfully installed SimpleSamlphp. And now i shoud configure the baseurl and metadata accordingly. But at the top header it shows certificate error. Do i need to do something about it?

Also, i still get this warning error when I go to my mediawiki page. Do i need to exchange metadata to idp(azure) first and configure accordingly to be able to logon to the page or even check on special page? Is there anything that i should be concerned of based on error message below:

Warning: require_once(/htdocs/simplesamlphplib/lib/_autoload.php): failed to open stream: No such file or directory in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203

Fatal error: require_once(): Failed opening required '/htdocs/simplesamlphplib/lib/_autoload.php' (include_path='E:\Apache24\htdocs\vendor/pear/console_getopt;E:\Apache24\htdocs\vendor/pear/mail;E:\Apache24\htdocs\vendor/pear/mail_mime;E:\Apache24\htdocs\vendor/pear/net_smtp;E:\Apache24\htdocs\vendor/pear/net_socket;E:\Apache24\htdocs\vendor/pear/pear-core-minimal/src;E:\Apache24\htdocs\vendor/pear/pear_exception;.;C:\php\pear') in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203 Frizzow (talk) 08:03, 10 November 2021 (UTC)Reply

It looks like the problem is:

$wgSimpleSAMLphp_InstallDir = "/htdocs/simplesamlphplib";

That should be the full file system path to where the library is installed. I notice that the extension is installed at E:\Apache24\htdocs\extensions\SimpleSAMLphp. Is E:\Apache24 missing from the path? Cindy.cicalese (talk) 13:23, 10 November 2021 (UTC)Reply

Yeah! I think i’ve solved that one. But now it shows different error:

[81fadbf837770d39b2164025] 2021-11-11 02:43:20: Fatal exception of type "InvalidArgumentException"

Is it because i didn’t set up the idp on my end yet or it’s a different issue? Just so u know, i’m using php 7.3.28. Everything is fine from the simplesamplphp installation page on the sanity check and php installation. I only don’t have LDAP Extension, predis, And memcache extension.

As for the warnings. It only shows core: frontpage: warnings_secretsalt. Frizzow (talk) 03:06, 11 November 2021 (UTC)Reply

That is not enough information to be able to figure out the source and cause of the error. You would need to look at the stack trace. Cindy.cicalese (talk) 15:17, 11 November 2021 (UTC)Reply

Internal error

Jump to navigationJump to search

[57e819a89ff1f7965dc9f1f6] /index.php/Special:PluggableAuthLogin InvalidArgumentException from line 203 of E:\Apache24\htdocs\includes\session\SessionManager.php: Invalid session ID

Backtrace:

1. 0 E:\Apache24\htdocs\includes\session\PHPSessionHandler.php(215): MediaWiki\Session\SessionManager->getSessionById(string, boolean)
2. 1 [internal function]: MediaWiki\Session\PHPSessionHandler->read(string)
3. 2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandlerPHP.php(392): session_start()
4. 3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(172): SimpleSAML\SessionHandlerPHP->setCookie(string, string, array)
5. 4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(299): SimpleSAML\Session->__construct()
6. 5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
7. 6 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
8. 7 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
9. 8 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
10. 9 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
11. 10 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
12. 11 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
13. 12 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
14. 13 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
15. 14 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
16. 15 {main}

It is the same error as in this forum: https://www.mediawiki.org/wiki/Topic:Ux3y0zkubjm5zge5

Hence, I've tried your recommendation in the topic. See Extension:SimpleSAMLphp#Known_Bugs for a solution.

I only change 'store.type' => 'phpsession', to 'sql' as you can see from code below and then I received a different error which I will paste at the bottom of the code.

/****************************

| DATA STORE CONFIGURATION |

****************************/

/*

* Configure the data store for SimpleSAMLphp.

*

* - 'phpsession': Limited datastore, which uses the PHP session.

* - 'memcache': Key-value datastore, based on memcache.

* - 'sql': SQL datastore, using PDO.

* - 'redis': Key-value datastore, based on redis.

*

* The default datastore is 'phpsession'.

*/

'store.type' => 'sql',

/*

* The DSN the sql datastore should connect to.

*

* See http://www.php.net/manual/en/pdo.drivers.php for the various

* syntaxes.

*/

'store.sql.dsn' => 'sqlite:/path/to/sqlitedatabase.sq3',

/*

* The username and password to use when connecting to the database.

*/

'store.sql.username' => null,

'store.sql.password' => null,

/*

* The prefix we should use on our tables.

*/

'store.sql.prefix' => 'SimpleSAMLphp',

/*

* The hostname and port of the Redis datastore instance.

*/

'store.redis.host' => 'localhost',

'store.redis.port' => 6379,

/*

* The prefix we should use on our Redis datastore.

*/

'store.redis.prefix' => 'SimpleSAMLphp',

];

[048838530ce5896198695c49] /index.php/Special:PluggableAuthLogin Exception from line 67 of E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php: Database error: could not find driver

Backtrace:

1. 0 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store.php(52): SimpleSAML\Store\SQL->__construct()
2. 1 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(138): SimpleSAML\Store::getInstance()
3. 2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(43): SimpleSAML\SessionHandler::createSessionHandler()
4. 3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(332): SimpleSAML\SessionHandler::getSessionHandler()
5. 4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(263): SimpleSAML\Session::getSession()
6. 5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
7. 6 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
8. 7 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
9. 8 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
10. 9 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
11. 10 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
12. 11 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
13. 12 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
14. 13 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
15. 14 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
16. 15 {main}

Version

MediaWiki

1.32.2

PHP

7.3.28 (apache2handler)

MariaDB

10.2.33-MariaDB-log

PluggableAuth= 1.35

SimpleSAMLPhp=1.35

Do I need to add the username and password to connect to the database?

In our end, I believe we are not supposed to hardcoded the username/password since we have our own IT Privileged Access which requires a second factor authentication in order to provide additional security measures in the login process. But since we are on-premise, do let me know if there is a workaround. Hopefully this is not the case. Frizzow (talk) 03:18, 12 November 2021 (UTC)Reply

You need to fix the value of store.sql.dsn to point to your database. Cindy.cicalese (talk) 12:33, 12 November 2021 (UTC)Reply

Hi Cindy,

Thank you so much for your help!

I’ve fixed the value of store.sql.dsn to my database accordingly with username and password.

'store.type' => 'sql',

'store.sql.dsn' => 'mysql:host=xxxx;port=xxxx;dbname=xxxxx',

'store.sql.username' => '[username]',

'store.sql.password' => '[pass]',

Then I received a different error as below. FYI, the user permission below is only able to SELECT, INSERT, UPDATE and DELETE in wiki database. Normally for CREATE command can only be done by our database administrator team which use a different id that is more powerful. Based on my experience installing the useragreement extension last time, the current id that I'm using has been denied to create a TABLE and the workaround was to ask the database admin team to create a table for us. In this case, does it mean I need to get the database administrator team powerful id and password to be added here or is there any syntax error going on? Btw, I haven't configured the metadata yet because i’m waiting for the azure team to exchange the idp and I believe that’s one of the reason we still see all the authentication error below.

[08c4d38a43fb4c1b6990850d] /index.php/Special:PluggableAuthLogin PDOException from line 95 of E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php: SQLSTATE[42000]: Syntax error or access violation: 1142 CREATE command denied to user 'xxxxxxx'@'IP' for table 'SimpleSAMLphp_tableVersion'

Backtrace:

1. 0 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(95): PDO->exec(string)
2. 1 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(77): SimpleSAML\Store\SQL->initTableVersionTable()
3. 2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store.php(52): SimpleSAML\Store\SQL->__construct()
4. 3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(138): SimpleSAML\Store::getInstance()
5. 4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(43): SimpleSAML\SessionHandler::createSessionHandler()
6. 5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(332): SimpleSAML\SessionHandler::getSessionHandler()
7. 6 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(263): SimpleSAML\Session::getSession()
8. 7 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
9. 8 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
10. 9 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
11. 10 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
12. 11 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
13. 12 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
14. 13 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
15. 14 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
16. 15 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
17. 16 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
18. 17 {main}

Thanks in advance! Frizzow (talk) 09:10, 15 November 2021 (UTC)Reply

Yes, they will need to create the table. Cindy.cicalese (talk) 13:48, 15 November 2021 (UTC)Reply

I've asked the database admin team to grant the user id a CREATE command ability temporary . Once they granted the permission, I re-run the code below. (Before that, I commented out the code so that it won't show any error in the wiki page.)

'store.type' => 'sql',

'store.sql.dsn' => 'mysql:host=xxxx;port=xxxx;dbname=xxxxx',

'store.sql.username' => '[username]',

'store.sql.password' => '[pass]',

Once I re-run or resaved, I try to run the wiki page and the SimpleSAMLPhp page, it shows below error. I've communicated with the database admin team on the error below and they said the table has been created about 10-20 minutes ago, probably when they granted a CREATE table access to the user id that I used which might be the same time that I was trying to do something on the config.php file. Based on the forum that I have read here: SQLSTATE[42S01]: Base table or view already exists: 1050 Table 'users' already exists · Issue #1116 · spatie/laravel-medialibrary · GitHub there are people that suggested to DROP the table and re-run again. Do you think that would be the case? Is this supposed to be a one-time configuration where I shouldn't re-saved or re-run it multiple times. I really appreciate your thoughts and recommendation.

[acb3c984ef5311d0f7784f6f] /index.php/Special:PluggableAuthLogin PDOException from line 175 of E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php: SQLSTATE[42S01]: Base table or view already exists: 1050 Table 'SimpleSAMLphp_kvstore' already exists

Backtrace:

1. 0 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(175): PDO->exec(string)
2. 1 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(78): SimpleSAML\Store\SQL->initKVTable()
3. 2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store.php(52): SimpleSAML\Store\SQL->__construct()
4. 3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(138): SimpleSAML\Store::getInstance()
5. 4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(43): SimpleSAML\SessionHandler::createSessionHandler()
6. 5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(332): SimpleSAML\SessionHandler::getSessionHandler()
7. 6 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(263): SimpleSAML\Session::getSession()
8. 7 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
9. 8 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
10. 9 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
11. 10 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
12. 11 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
13. 12 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
14. 13 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
15. 14 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
16. 15 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
17. 16 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
18. 17 {main}

Below are database settings in Localsettings.php in case it has something to do with the permission which is not a $wgDBadminuser and the database type is being set as "mysql" instead of "sql".

1. 1. Database settings

$wgDBtype = "mysql";

$wgDBserver = "xxxxxxx";

$wgDBname = "xxxxxx";

$wgDBuser = "xxxxxx";

$wgDBpassword = "xxxxxxxxx"; Frizzow (talk) 09:51, 16 November 2021 (UTC)Reply

Hi Cindy,

Sorry for bothering you.

I have tried to drop the table and it still shows the same error since it’s recreating the table the moment i refresh the simplesaml site. Then i have revoked my Create command access since i thought it may detected my user id to attempt in creating a table and apparently it shows this error, the database team said that the table is already existed, i think it may be because something else like the syntax or such, do u have anything on your mind? :

SimpleSAML\Error\Error: UNHANDLEDEXCEPTION

Backtrace:

1 www\_include.php:17 (SimpleSAML_exception_handler)

0 [builtin] (N/A)

Caused by: PDOException: SQLSTATE[42000]: Syntax error or access violation: 1142 CREATE command denied to user 'user'@'IP' for table 'SimpleSAMLphp_kvstore'

Backtrace:

10 lib\SimpleSAML\Store\SQL.php:175 (PDO::exec)

9 lib\SimpleSAML\Store\SQL.php:175 (SimpleSAML\Store\SQL::initKVTable)

8 lib\SimpleSAML\Store\SQL.php:78 (SimpleSAML\Store\SQL::__construct)

7 lib\SimpleSAML\Store.php:52 (SimpleSAML\Store::getInstance)

6 lib\SimpleSAML\SessionHandler.php:138 (SimpleSAML\SessionHandler::createSessionHandler)

5 lib\SimpleSAML\SessionHandler.php:43 (SimpleSAML\SessionHandler::getSessionHandler)

4 lib\SimpleSAML\Session.php:332 (SimpleSAML\Session::getSession)

3 lib\SimpleSAML\Session.php:263 (SimpleSAML\Session::getSessionFromRequest)

2 modules\core\www\frontpage_welcome.php:5 (require)

1 lib\SimpleSAML\Module.php:266 (SimpleSAML\Module::process)

0 www\module.php:10 (N/A) Frizzow (talk) 03:14, 19 November 2021 (UTC)Reply

That sounds like a problem with the configuration of the simplesaml library. You might try asking for help in their forum to find somebody with more experience with that library. Cindy.cicalese (talk) 14:19, 19 November 2021 (UTC)Reply

For PluggableAuth and other extensions, it says configure as required, and shows a bunch of setting options. That's nice and all, but where do I put these settings? in LocalSettings? in another file? Forgive my ignorance but its not clear where to make these configuration changes. Gregzme17 (talk) 15:07, 2 March 2022 (UTC)Reply

Yes, in LocalSettings.php or a file in your environment that is included from LocalSettings.php. For example, some wiki farm environments have a hierarchy of settings files included for global settings and wiki instance settings. But, in a simple environment, that would just be LocalSettings.php. Cindy.cicalese (talk) 15:10, 2 March 2022 (UTC)Reply

Greetings, thank you for your help earlier, and apologies for my ignorance.

Do you happen to know how with or without the LDAP stack to add a Logout button or link?

I have been searching for a few days and I feel like this is probably somewhere but I am just missing it or not understanding it if I have passed over it.

I basically want local or domain users to be able to logout on demand. Gregzme17 (talk) 14:59, 10 March 2022 (UTC)Reply

The location would depend upon which skin you are using, but in general, the login link should be removed and a a logout link should be added once you have logged in. If you have autologin enabled, you will not see a login or a logout link. If you want to add a link in wikitext, you can add a link to the Special:UserLogout page. Cindy.cicalese (talk) 15:15, 10 March 2022 (UTC)Reply

I am using the Timeless theme because of its automatic support for mobile view.

I don't have autologin enabled, just the ability to login with either domain or local account,

I think that Special:UserLogout page will work, I just need to add a link to it. Thank you, I will try that. You are so helpful and I appreciate it. Gregzme17 (talk) 15:41, 10 March 2022 (UTC)Reply

Thank you very much for creating the PluggableAuth and OIDC auth extensions :) Matthews3h (talk) 11:09, 10 April 2022 (UTC)Reply

Aww, you're very welcome! And thank you for your message. It means a lot to me that the extensions that I develop and maintain are useful to people. Cindy.cicalese (talk) 16:48, 10 April 2022 (UTC)Reply

Hi Cindy,

I have a question about your code in PluggableAuth. I do not understand why you make the concatenation 'PluggableAuth' . $plugin in initConfig() in PluggableAuthFactory.php. Because if I add the name of the plugin with $wgPluggableAuth_Config, e.g. LDAPAuthentication2, then I would expect to search for LDAPAuthentication2 and not for PluggableAuthLDAPAuthentication2 in the config. What is the reason behind that? I stumbled about that because my setting where not working.

Cheers,

Martin 2003:CF:3F45:F800:B7B5:5EDD:ABA6:1EEF (talk) 16:31, 30 June 2022 (UTC)Reply

In your plugin, you need to set at attribute in extension.json to declare the plugin. It is named by both PluggableAuth as the top level key and then the name of the plugin as the second level key. For example, see https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/OpenIDConnect/+/refs/heads/master/extension.json#60. The way the attribute code in MediaWiki works is that the two keys are concatenated to find the attribute value. Cindy.cicalese (talk) 16:58, 30 June 2022 (UTC)Reply

Thank you for the fast reply. Your answer helped me a lot but I have now the problem to figure out which version of LDAPAuthentication2 fits to which version of PluggableAuth. In LDAPAuthentication2, extension.json says that the extension PluggableAuth is required in version * which seems to be wrong and not helpful. Do you have a suggestion which versions work together? 213.168.81.98 (talk) 09:57, 1 July 2022 (UTC)Reply

Unfortunately, LDAPAuthentication2 is not yet compatible with PluggableAuth 6.0. Please see the compatibility matrix at Extension:PluggableAuth#Installation. Cindy.cicalese (talk) 20:17, 2 July 2022 (UTC)Reply

Hello Cindy.cicalese

I need your help please !

i implement a SSO in my MW 1.39 against Azure AD

all thing work fine whene i click the login button i am redirect to microsoft interface to use email to authentificate, But whene i click on mail i get this message :

"Désolé, nous rencontrons des problèmes pour vous connecter.

AADSTS900971: No reply address provided."

i configure my redirect URI in Azure AD like this :

https://myserever/index.php/Special:PluggableAuthLogin

NB : NO SSL certificate installed on my MW server

the log show no error and it indicate that OpenIDConnect use Redirect URL

http://myserever/index.php?title=Sp%C3%A9cial:PluggableAuthLogin

[OpenIDConnect] Redirect URL: http://myserver/index.php?title=Sp%C3%A9cial:PluggableAuthLogin

[DBQuery] JobQueueDB::doGetSiblingQueuesWithJobs [0.001s] localhost: SELECT  DISTINCT job_cmd  FROM .....

which the right Redirect URI should i put  ? does i miss configuration of a plugin in my MW OR in AZURE AD side ?

I need your help please thanks Raoufgui (talk) 21:39, 15 June 2023 (UTC)Reply

I'm wondering whether the form of the redirect URL might be the problem. If you check the Known Issues, you can see:

• Wikis that use URLs of the form https://example.org/w/index.php?title=Page_title (i.e. having the page title provided as a query parameter) will not be redirected correctly to complete the authentication flow. Instead, URLs must be of the form https://example.org/w/index.php/Page_title, which can be accomplished by using short URLs or by setting $wgArticlePath appropriately. Cindy.cicalese (talk) 22:02, 15 June 2023 (UTC)Reply

HI @Cindy.cicalese

Thank you very much for reply

i tried to configure shot URL on MW but not succeed

i put this configuration in my virtualhost  :

DocumentRoot /app/httpd/www/wiki-test/current

DirectoryIndex index.php

AllowOverride ALL

RewriteEngine On

RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]

RewriteRule ^/*$ %{DOCUMENT_ROOT}/index.php [L]

i put this configuration in LocalSettings.php

$wgScriptPath = "";

$wgScriptExtension = ".php";

$wgArticlePath = "/wiki/$1";

$wgUsePathInfo = true;

I see any change, my MW still show page in this format "http://myserer/ndex.php?title=Page_tile" on the navigator

but the log show that OpenIDConnect use ,now, Redirect URL

http://signxpapp006.srv.sigma.host/wiki/Sp%C3%A9cial:PluggableAuthLogin"

[OpenIDConnect] Redirect URL: http://signxpapp006.srv.sigma.host/wiki/Sp%C3%A9cial:PluggableAuthLogin

[session] SessionBackend.......

before (in my previous comment )it was

http://myserever/index.php?title=Sp%C3%A9cial:PluggableAuthLogin

but i still have the problème AADSTS900971: No reply address provided."

i update the the reply URl on Azure AD side by the new one but i have the same problem

whereis the problem please ?

Thanks very much Raoufgui (talk) 14:17, 16 June 2023 (UTC)Reply

There is some additional guidance at Extension:OpenID Connect#Microsoft Entra ID as well as some new configuration parameters that might be useful at Extension:OpenID Connect#$wgPluggableAuth Config. Cindy.cicalese (talk) 01:43, 12 January 2025 (UTC)Reply

Hello

Both OpenID Connect and PluggableAuth are well configured on MW

I also correctly configure the Redirect URI and i don't have the problem of No reply address provided"

after i click on microsoft interface to login with my email i get message indicate "Erreur fatale durant l’authentification de l’utilisateur"

when i chek a log message i found a time out in curl commande

[OpenIDConnect] Jumbojett\OpenIDConnectClientException: Curl error: (28) Connection timed out after 60000 milliseconds in /MW-path-install/extensions/OpenIDConnect/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php:1495

what is the probleme exactly ? does it a problem of network flow between My server and azure AD ?

Thanks Raoufgui (talk) 16:26, 19 June 2023 (UTC)Reply

Yes, it appears to be a network configuration error. Cindy.cicalese (talk) 16:37, 19 June 2023 (UTC)Reply

Thank you very much Raoufgui (talk) 16:48, 19 June 2023 (UTC)Reply

Hello

@Cindy.cicalese first i woulk like to thank you very much for your support, finally i can implement SSO with AD Azure using OpenIDConnect and PluggableAuth_Config.

Now after login i have permission error

You do not have permission to read this page, for the following reason:

The action you have requested is limited to users in one of the groups: Administrators, app_wiki_usr

Acutally i have the groupe "app_wiki_usr" on my MW and it has a "READ" permission

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- should I create the same groupe on Azure AD and add users to IT ?

2- for mapping group do you confirm that I should add on $wgPluggableAuth_Config ONYLY this lines bellow  ?

'groupsyncs' => [

     [

       'type' => 'mapped',

       'map' => [

         'app_wiki_usr' => [ 'groups' => 'app_wiki_usr' ],

       ]

     ]

   ];

Have a nice day Raoufgui (talk) 10:17, 20 June 2023 (UTC)Reply

I'm so glad you've gotten it working. If there was anything that you had to do that was accurately represented in the instructions on the extension wiki page, please update it.

The answer to your question depends on where you want you system administrator to manage the user permissions: in the wiki or in Azure AD. Either would work. If you want to administer the permissions in the wiki, a user with bureaucrat permissions would do so on page Special:UserRights. If you want to administer the permissions in Azure AD, you would add the code you indicate above or similar. What I do not know is what attribute name the group information will be provided in by Azure AD. 'groups' is a popular choice. You will need to make sure whatever attribute name is provided in Azure AD matches what is in the config snippet above. Cindy.cicalese (talk) 12:38, 20 June 2023 (UTC)Reply

Hello @Cindy.cicalese

Yes i will update pages that need to be updated.

excuse me i have some confusion from what you said

for me permission will be administrated from Azure AD Side

the group created on Azure Ad by Ad administrator is named "DSI - Wiki - USER", it contains all user allowed to connect to MW

in MW we have a group named "app_wiki_usr"

$wgGroupPermissions['app_wiki_usr']['read'] = true;

1- what do you mean please by attribute name does it the Objecttype and how to get it  ?

2- should i have the same name of group in MW and Azure AD ?

3-second configure the mapping , here what should i put at this line  ?

' (which group AD or MW)' => [ 'attribute name of AD group "DSI - Wiki - USER"' => '(which group AD or MW)' ],

Thanks Raoufgui (talk) 13:44, 20 June 2023 (UTC)Reply

1) When the groups are synchronized between Azure AD and MediaWiki, the MediaWiki code will request the attributes provided by Azure AD. What is in the response depends upon how Azure AD is configured. The group information will be in the structure that is returned as the response to that request. The attribute name that is used to index into the resulting data structure is what you will need. If you don't know what is in that structure, you could add some debugging to https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/PluggableAuth/+/refs/heads/master/includes/Group/GroupProcessorRunner.php#51 to show what is returned in pluginAttributes.

2) It does not matter whether those names are the same.

3) <name of MW group> => [ <name of AD attribute> => <name of AD group> ]

<name of MW group> is the name you want the group to have on the MW side

<name of AD attribute> is the attribute name referred to in 1) above

<name of AD group> is the name of the group in AD that you want to have mapped to the MW group Cindy.cicalese (talk) 18:15, 20 June 2023 (UTC)Reply

Thanks a lot it work now Raoufgui (talk) 15:12, 22 June 2023 (UTC)Reply

Great! Cindy.cicalese (talk) 15:14, 22 June 2023 (UTC)Reply

@RakingTheLeaves

perhaps i'm being premature in tagging you here without putting the above to the test.... but perhaps also, this is worth a read through? Wikiphpnoob (talk) 21:06, 19 April 2024 (UTC)Reply

Hi Cindy,

I hope you are doing well. I am trying to set up OpenIDConnect with PluggableAuth to use Azure AD. However, I'm facing an issue where, upon attempting to log in to Mediawiki, I am not directed to Azure for authentication. Instead, I receive the message "The supplied credentials could not be authenticated." I'm not sure what I am missing in this setup. I have already ensured that the tenant ID, Client Secret, and Client ID are all correctly set and Files that I configured:

• composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"

• composer.json In root directory of MediawikiNEW added/got added this line

"jumbojett/openid-connect-php": "^0.9.10"

• Below is my LocalSettings.php: FrankKufer (talk) 18:57, 25 August 2023 (UTC)Reply

<?php

error_reporting( E_ALL );

ini_set( 'display_errors', 1 );

# Protect against web entry

if ( !defined( 'MEDIAWIKI' ) ) {

exit;

}

$wgSitename = "My Website Name";

$wgMetaNamespace = "My_Website_Name";

$wgScriptPath = "/mediawikiNEW";

$wgServer = "";

$wgResourceBasePath = $wgScriptPath;

$wgLogos = [

'1x' => "$wgResourceBasePath/resources/assets/change-your-logo.svg",

'icon' => "$wgResourceBasePath/resources/assets/change-your-logo-icon.svg",

];

$wgEnableEmail = true;

$wgEnableUserEmail = true; # UPO

$wgEmergencyContact = "";

$wgPasswordSender = "";

$wgEnotifUserTalk = false; # UPO

$wgEnotifWatchlist = false; # UPO

$wgEmailAuthentication = true;

## Database settings

$wgDBtype = "mysql";

$wgDBserver = "localhost";

$wgDBname = "myDatabse";

$wgDBuser = "mediaUser";

$wgDBpassword = "Password";

# MySQL specific settings

$wgDBprefix = "";

# MySQL table options to use during installation or update

$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table

# This has no effect unless $wgSharedDB is also set.

$wgSharedTables[] = "actor";

## Shared memory settings

$wgMainCacheType = CACHE_NONE;

/* $wgMainCacheType = CACHE_ACCEL;

$wgSessionCacheType = CACHE_DB; */

$wgMemCachedServers = [];

$wgEnableUploads = true;

$wgUseImageMagick = true;

$wgImageMagickConvertCommand = "/usr/bin/convert";

$wgUseInstantCommons = false;

$wgPingback = true;

$wgLanguageCode = "en";

# Time zone

$wgLocaltimezone = "America/New_York";

$wgSecretKey = "SercretKey";

# Changing this will log out all existing sessions.

$wgAuthenticationTokenVersion = "1";

# Site upgrade key. Must be set to a string (default provided) to turn on the

# web installer while LocalSettings.php is in place

$wgUpgradeKey = "UpgradeKey";

$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright

$wgRightsUrl = "";

$wgRightsText = "";

$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.

$wgDiff3 = "/usr/bin/diff3";

# The following permissions were set based on your choice in the installer

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['read'] = false;

## Default skin: you can change the default skin. Use the internal symbolic

## names, e.g. 'vector' or 'monobook':

$wgDefaultSkin = "vector";

# Enabled skins.

# The following skins were automatically enabled:

wfLoadSkin( 'MinervaNeue' );

wfLoadSkin( 'MonoBook' );

wfLoadSkin( 'Timeless' );

wfLoadSkin( 'Vector' );

# visual editor

wfLoadExtension( 'VisualEditor' );

$wgDefaultUserOptions['visualeditor-editor'] = "visualeditor";

$wgHiddenPrefs[] = 'visualeditor-enable';

# create page

wfLoadExtension( 'CreatePageUw' );

$wgCreatePageUwUseVE = true;

### Azure directory extensions or config

$wgGroupPermissions['*']['createaccount'] = true;

$wgGroupPermissions['*']['autocreateaccount'] = true;

#PluggableAuth

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;           # if this set to true allows local login without azure auth

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout =true;       

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

# OpenIDConnect config

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [

"My Login" => [

'plugin' => 'OpenIDConnect',

'data' => [

'providerURL' => '',

'clientID' => 'ID',

'clientsecret' => 'secret'

],

'scope' => [ 'openid', 'profile', 'email' ]

]

];

$wgOpenIDConnect_UseRealNameAsUserName = true;

# ShortURL Config

wfLoadExtension( 'ShortUrl' );

/* $wgShortUrlTemplate = '/mediawikiNEW/wiki/$1'; */

$wgArticlePath = "/mediawikiNEW/$1"; FrankKufer (talk) 18:59, 25 August 2023 (UTC)Reply

• composer.local.json-sample In root directory of MediawikiNEW added this line "extensions/OpenIDConnect/composer.json"

You should rename this file to composer.local.json

• composer.json In root directory of MediawikiNEW added/got added this line

You should not edit this file. Adding the line above to composer.local.json shoudl be sufficient. Then, you would need to run "composer update" or "composer install" from the root MediaWiki directory.

Please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log. Cindy.cicalese (talk) 19:49, 25 August 2023 (UTC)Reply

Hello Cindy,

I followed your instructions and ran composer. However, I am still not able to use Azure AD.

When I add below block I get this error Fatal exception of type "TypeErro" when clicking on log in button

$wgPluggableAuth_Config[] = [

   'plugin' => 'OpenIDConnect',

   'data' => [

        'providerURL' => 'https://login.microsoftonline.com/id/v2.0/',

        'clientID' => 'id',

        'clientsecret' => 'secret'

    ]

];

The debug on browser shows these exceptions:

• [rdbms] MWExceptionHandler::rollbackPrimaryChanges [0s] localhost: ROLLBACK
• [rdbms] MWExceptionHandler::rollbackPrimaryChanges: acknowledged server-side transaction loss on localhost
• [exception] [1d11fafe16b669e17bba17df] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given
• [MessageCache] MessageCache using store SqlBagOStuff

NOTES:

1- In maintenance folder I ran php update.php

2- Ran composer update after changing the composer.local.json-sample to composer.local.json

then added "extensions/OpenIDConnect/composer.json"

3- Added to MediaWiki\Extension\PluggableAuth\PluggableAuth path the below line

"PluggableAuth": {

    "OpenIDConnect": {

        "class": "MediaWiki\\Extension\\OpenIDConnect\\OpenIDConnect",

        "services": [

           "MainConfig",

           "AuthManager",

           "OpenIDConnectStore"

        ]

    }

 }

4- Rest of LocalSettings.php config :

#PluggableAuth

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableAutoLogin = false;

$wgPluggableAuth_EnableLocalLogin = false;

$wgPluggableAuth_EnableLocalProperties = false;

$wgPluggableAuth_EnableFastLogout =false;

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect';

#AAD

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[].......................................

$wgOpenIDConnect_UseRealNameAsUserName = true;

5- Short URL is configured as well.

Please help/let me know if I am missing anything.

Thanks! FrankKufer (talk) 18:55, 7 November 2023 (UTC)Reply

Which versions of the PluggableAuth and OpenIDConnect extensions are you using?

In 2), hopefully you added the line before you ran composer update.

I'm not sure what 3) refers to above, but it should not be necessary.

I need more information about where the exception is happening, including at least the start of the stack trace. Please refer to How to debug to see how to enable more debugging information.

You should be able to remove the following config lines:

$wgPluggableAuth_ButtonLabelMessage = 'Login';

$wgPluggableAuth_Class = 'OpenIDConnect'; Cindy.cicalese (talk) 19:13, 7 November 2023 (UTC)Reply

1) OpenIDConnect 7.0.1 and PluggableAuth is 7.0.0 and mediawiki is 1.40.0.

2) yes I added the line then ran composer.

Sure here is the stack trace when I added $wgShowExceptionDetails = true;

[4a9b3e88ee46f7baf2a4dbfb] /mediawikinew/index.php?title=Special:UserLogin&returnto=Main+Page TypeError: method_exists(): Argument #1 ($object_or_class) must be of type object|string, array given

Backtrace:

from /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88)

#0 /var/www/mediawikinew/extensions/PluggableAuth/includes/PrimaryAuthenticationProvider.php(88): method_exists()

#1 /var/www/mediawikinew/includes/auth/AuthManager.php(2272): MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider->getAuthenticationRequests()

#2 /var/www/mediawikinew/includes/auth/AuthManager.php(2250): MediaWiki\Auth\AuthManager->getAuthenticationRequestsInternal()

#3 /var/www/mediawikinew/includes/specialpage/AuthManagerSpecialPage.php(277): MediaWiki\Auth\AuthManager->getAuthenticationRequests()

#4 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(147): AuthManagerSpecialPage->loadAuth()

#5 /var/www/mediawikinew/includes/specialpage/LoginSignupSpecialPage.php(238): LoginSignupSpecialPage->load()

#6 /var/www/mediawikinew/includes/specialpage/SpecialPage.php(701): LoginSignupSpecialPage->execute()

#7 /var/www/mediawikinew/includes/specialpage/SpecialPageFactory.php(1475): SpecialPage->run()

#8 /var/www/mediawikinew/includes/MediaWiki.php(327): MediaWiki\SpecialPage\SpecialPageFactory->executePath()

#9 /var/www/mediawikinew/includes/MediaWiki.php(923): MediaWiki->performRequest()

#10 /var/www/mediawikinew/includes/MediaWiki.php(576): MediaWiki->main()

#11 /var/www/mediawikinew/index.php(50): MediaWiki->run()

#12 /var/www/mediawikinew/index.php(46): wfIndexMain()

#13 {main} FrankKufer (talk) 19:51, 7 November 2023 (UTC)Reply

What is item 3) above? That sounds like it could be interfering. It isn't clear to me where you have made that change or why. It should not be necessary. Cindy.cicalese (talk) 20:59, 7 November 2023 (UTC)Reply

Great news! The issue has been resolved.

Item 3 was the problem. I reverted the changes to their default settings, and that resolved the issue.

Thank you so much for your help. I appreciate it. FrankKufer (talk) 18:46, 8 November 2023 (UTC)Reply

Great! Cindy.cicalese (talk) 18:51, 8 November 2023 (UTC)Reply

Hello

I implement SSO on my MW using PluggableAuth en OpenID connect and i configure the group mapping with Azure AD

Now i would like to create a Local user accout on my MW and add it to this mapped group (the accout dont exist on Azure side it will be created only on MW side)

Does it feasible plesae ? Does this user will be able to connect localy using login/pwd and have the same rights of mapped group  ?

Thanks Raoufgui (talk) 11:29, 31 August 2023 (UTC)Reply

Yes, this should be working. If you "enable local login" in PluggableAuth, such a user can authenticate directly against the wiki, rather than against Azure AD. In case of a local authentication no group sync will be applied at all, so the manually assigned groups will not be lost. Osnard (talk) 05:59, 5 September 2023 (UTC)Reply

Hi Cindy,

I just posted a queston on the MediaWiki Support Desk, but then realized, that this maybe is a better place for the question. Could you please have a look?

Regards, Zoltan Vajdaz (talk) 19:23, 11 October 2023 (UTC)Reply

Hi Cindy, I have an issue setting up ShortUrl using $wgArticlePath. Following the documentation I was able to create the short url but I get 404 error. Please let me know if there is a fix for this.

Below are my configurations:

My Folder name and Url is set to "mediawikinew"

In my LocalSettings.php File I have set

$wgScriptPath = "/mediawikinew";

$wgArticlePath = "/mediawikinew/$1";

$wgUsePathInfo = true;

My Nginx for mediawiki conf is set to this

server{

listen 80;

listen [::]:80;

server_name mediwikinew;

root /var/www/mediawikinew;

index index.php;

error_log /var/log/nginx/mediawikinew.error;

access_log /var/log/nginx/mediawikinew.access;

location / {

        try_files $uri $uri/ /index.php;

        #try_files $uri $uri/ @mediawikinew;

}

location ~ /.well-known {

       allow all;

}

location ~ /\.ht {

      deny all;

}

location /mediawikinew/ {

                #rewrite ^/mediawikinew/(?<pagename>.*)$ /mediawikinew/index.php;

                rewrite ^/mediawikinew/([^\?]*) /mediawikinew/index.php?title=$1&$args last;

       }

location = / {

                return 301 /mediawikinew/Main_Page;

        }

location ~ ^/mediawikinew/(index|load|api|thumb|opensearch_desc|rest|img_auth)\.php$ {

                include /etc/nginx/fastcgi_params;

                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

                #fastcgi_param SCRIPT_FILENAME $document_root/index.php;

                fastcgi_pass unix:/run/php/php8.1-fpm.sock;

                include snippets/fastcgi-php.conf;

        }

location /mediawikinew/images/deleted {

                # Deny access to deleted images folder

                deny all;

        }

location /mediawikinew/images {

                # Separate location for images/ so .php execution won't apply

        }

location ~ ^/mediawikinew/resources/(assets|lib|src) {

                try_files $uri =404;

                add_header Cache-Control "public";

                expires 7d;

        }

location ~ ^/mediawikinew/(skins|extensions)/.+\.(css|js|gif|jpg|jpeg|png|svg|wasm|ttf|woff|woff2)$ {

                try_files $uri =404;

                add_header Cache-Control "public";

                expires 7d;

        }

location = /favicon.ico {

                alias /mediawikinew/images/6/64/Favicon.ico;

                add_header Cache-Control "public";

                expires 7d;

        }

location ~ ^/mediawikinew/(COPYING|CREDITS)$ {

                default_type text/plain;

        }

location /mediawikinew/rest.php/ {

                try_files $uri $uri/ /mediawikinew/rest.php?$query_string;

        }

} FrankKufer (talk) 15:30, 3 November 2023 (UTC)Reply

This topic is resolved. FrankKufer (talk) 14:45, 7 November 2023 (UTC)Reply

We are using Microsoft Azure Entra ID but getting Fatal Authentication  Error at mediawiki end.  We have followed the steps given at Extension:OpenID Connect documentation.

We have done following configuration at mediawiki LocalSettings.php  :-

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'OpenIDConnect' );

$wgPluggableAuth_Config[] = [

    'plugin' => 'OpenIDConnect',

    'data' => [

        'providerURL' => 'https://login.microsoftonline.com/XXXXXXXXXX

        'clientID' => 'XXXXXXXXXXXXXXXXX',

        'clientsecret' => 'XXXXXXXXXXXXXXXXXXX'

    ]

];

$wgOpenIDConnect_UseRealNameAsUserName = true;

Please help us to solve this issue as it is very urgent.

Thanks

Extension:OpenID Connect - MediaWiki 49.43.224.61 (talk) 15:23, 12 December 2023 (UTC)Reply

When reporting an error, please be sure to include version information for MediaWiki and all relevant extensions as well as configuration information. Also, please turn on debug logging as described at Manual:How to debug#Logging and include the relevant portions of the debug log. Cindy.cicalese (talk) 15:26, 12 December 2023 (UTC)Reply

Hello Cindy! It looks like the link http://www.linkedin.com/pub/cynthia-cicalese/9/60b/91a mentioned here at your MediaWiki user page doesn't work. Just wanted you to know. :-) Have a great day, and happy holidays! Tommy Kronkvist (talk) 10:45, 23 December 2023 (UTC)Reply

Thank you! Fixed! Cindy.cicalese (talk) 13:32, 23 December 2023 (UTC)Reply

Hi, It would be great if the issue of missing appid could be resolved in this plugin to make it easier to use. thanks Ashley please take a look at; https://github.com/jumbojett/OpenID-Connect-PHP/issues/190#issuecomment-2272600124 202.27.76.251 (talk) 04:45, 7 August 2024 (UTC)Reply

I've replied on that thread. Cindy.cicalese (talk) 01:42, 12 January 2025 (UTC)Reply

Hi Cindy - before I dive in I wanted to thank you for writing the OpenID Connect (and PluggableAuth) extension.

I'm looking for some help debugging an issue with OIDC. Like the title, I'm experiencing a redirect loop after my SSO provider redirects to Special:PluggableAuthLogin. My SSO provider and Special:PluggableAuthLogin redirect back and forth to each other infinitely.

It looks like my SSO provider (Keycloak) is sending the correct query parameters back to PluggableAuthLogin.

I'm running: MW 1.39.10; PluggableAuth 7.1.0 (db07c04); OpenID Connect 8.0.3 (0cd85ca)

Here is a debug log too: Topic:Yg0wtew7lklqijwy HadleySo (talk) 21:45, 13 November 2024 (UTC)Reply

Solved it - there was a issue in the web server config for Manual:Short_URL. A few other Special pages were not working either. HadleySo (talk) 19:52, 17 November 2024 (UTC)Reply

Sorry for the delayed response. I'm glad you were able to resolve the issue! And, thank you for the thank you :-) Cindy.cicalese (talk) 04:02, 11 January 2025 (UTC)Reply