About this board

Cindy.cicalese

Previous discussion was archived at User talk:Cindy.cicalese/Archive 1 on 2017-03-17.

Thank you

Matthews3h (talkcontribs)

Thank you very much for creating the PluggableAuth and OIDC auth extensions :)

Cindy.cicalese (talkcontribs)

Aww, you're very welcome! And thank you for your message. It means a lot to me that the extensions that I develop and maintain are useful to people.

LogOut button

Gregz83 (talkcontribs)

Greetings, thank you for your help earlier, and apologies for my ignorance.

Do you happen to know how, with or without the LDAP stack, to add a Logout button or link?

I have been searching for a few days and I feel like this is probably somewhere but I am just missing it or not understanding it if I have passed over it.

I basically want local or domain users to be able to logout on demand.

Cindy.cicalese (talkcontribs)

The location would depend upon which skin you are using, but in general, the login link should be removed and a logout link should be added once you have logged in. If you have autologin enabled, you will not see a login or a logout link. If you want to add a link in wikitext, you can add a link to the Special:UserLogout page.

Gregz83 (talkcontribs)

I am using the Timeless theme because of its automatic support for mobile view.

I don't have autologin enabled, just the ability to log in with either a domain or a local account.

I think that Special:UserLogout page will work, I just need to add a link to it. Thank you, I will try that. You are so helpful and I appreciate it.


Configure as Required ... Where??

Gregz83 (talkcontribs)

For PluggableAuth and other extensions, it says "configure as required" and shows a bunch of setting options. That's nice and all, but where do I put these settings? In LocalSettings.php? In another file? Forgive my ignorance, but it's not clear where to make these configuration changes.

Cindy.cicalese (talkcontribs)

Yes, in LocalSettings.php or a file in your environment that is included from LocalSettings.php. For example, some wiki farm environments have a hierarchy of settings files included for global settings and wiki instance settings. But, in a simple environment, that would just be LocalSettings.php.


SimpleSAMLphp (1.19.3) appear to be misconfigured

Frizzow (talkcontribs)

Hi Cindy,

I hope you are doing well.

Below is the error message I received in my wiki when I wanted to check on the Special:Version page whether the SimpleSAMLphp and PluggableAuth extensions were already available or not. I'm using SimpleSAMLphp 1.35 and PluggableAuth 1.35, and my MediaWiki version is 1.32. I will connect with Azure AD for SSO, but I haven't sent anything to the Azure admin yet about the metadata since I got this error:


Warning: require_once(/htdocs/simplesamlphplib/lib/_autoload.php): failed to open stream: No such file or directory in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203

Fatal error: require_once(): Failed opening required '/htdocs/simplesamlphplib/lib/_autoload.php' (include_path='E:\Apache24\htdocs\vendor/pear/console_getopt;E:\Apache24\htdocs\vendor/pear/mail;E:\Apache24\htdocs\vendor/pear/mail_mime;E:\Apache24\htdocs\vendor/pear/net_smtp;E:\Apache24\htdocs\vendor/pear/net_socket;E:\Apache24\htdocs\vendor/pear/pear-core-minimal/src;E:\Apache24\htdocs\vendor/pear/pear_exception;.;C:\php\pear') in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203

Other than that, I also received an error from the SimpleSAMLphp library. It says "Configuration error", and the debug information shows "SimpleSAML\Error\CriticalConfigurationError: The configuration is invalid: Setting secure cookie on plain HTTP is not allowed." FYI, I put the SimpleSAMLphp and PluggableAuth extensions in the extensions folder, while the simplesamlphplib (from simplesamlphp.org) I put in the htdocs folder.

I only added the relevant code below to LocalSettings.php:

# PluggableAuth
wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
//$wgPluggableAuth_ButtonLabelMessage = "PluggableAuth Login";
//$wgPluggableAuth_Class = 'SimpleSAMLphp';
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;

# SimpleSAMLphp
wfLoadExtension( 'SimpleSAMLphp' );
$wgSimpleSAMLphp_InstallDir = "/htdocs/simplesamlphplib";
$wgSimpleSAMLphp_AuthSourceId = "default-sp";
$wgSimpleSAMLphp_RealNameAttribute = "givenName";
$wgSimpleSAMLphp_EmailAttribute = "mail";
$wgSimpleSAMLphp_UsernameAttribute = "uid";


Appreciate your help.

Frizzow (talkcontribs)

I've changed from http to https://127.0.01/simplesamlphplib/www and it works. It says "Congratulations, you have successfully installed SimpleSAMLphp", and now I should configure the baseurl and metadata accordingly. But at the top header it shows a certificate error. Do I need to do something about it?

Also, I still get this warning error when I go to my MediaWiki page. Do I need to exchange metadata with the IdP (Azure) first and configure accordingly to be able to log on to the page, or even check the special page? Is there anything that I should be concerned about based on the error message below?

Warning: require_once(/htdocs/simplesamlphplib/lib/_autoload.php): failed to open stream: No such file or directory in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203

Fatal error: require_once(): Failed opening required '/htdocs/simplesamlphplib/lib/_autoload.php' (include_path='E:\Apache24\htdocs\vendor/pear/console_getopt;E:\Apache24\htdocs\vendor/pear/mail;E:\Apache24\htdocs\vendor/pear/mail_mime;E:\Apache24\htdocs\vendor/pear/net_smtp;E:\Apache24\htdocs\vendor/pear/net_socket;E:\Apache24\htdocs\vendor/pear/pear-core-minimal/src;E:\Apache24\htdocs\vendor/pear/pear_exception;.;C:\php\pear') in E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php on line 203

Cindy.cicalese (talkcontribs)

It looks like the problem is:


$wgSimpleSAMLphp_InstallDir = "/htdocs/simplesamlphplib";


That should be the full file system path to where the library is installed. I notice that the extension is installed at E:\Apache24\htdocs\extensions\SimpleSAMLphp. Is E:\Apache24 missing from the path?

Frizzow (talkcontribs)

Yeah! I think I've solved that one. But now it shows a different error: [81fadbf837770d39b2164025] 2021-11-11 02:43:20: Fatal exception of type "InvalidArgumentException"

Is it because I didn't set up the IdP on my end yet, or is it a different issue? Just so you know, I'm using PHP 7.3.28. Everything is fine on the SimpleSAMLphp installation page for the sanity check and PHP installation. I only don't have the LDAP extension, predis, and the memcache extension.

As for the warnings. It only shows core: frontpage: warnings_secretsalt.
Cindy.cicalese (talkcontribs)

That is not enough information to be able to figure out the source and cause of the error. You would need to look at the stack trace.

Frizzow (talkcontribs)

Internal error [57e819a89ff1f7965dc9f1f6] /index.php/Special:PluggableAuthLogin InvalidArgumentException from line 203 of E:\Apache24\htdocs\includes\session\SessionManager.php: Invalid session ID Backtrace:

#0 E:\Apache24\htdocs\includes\session\PHPSessionHandler.php(215): MediaWiki\Session\SessionManager->getSessionById(string, boolean)
#1 [internal function]: MediaWiki\Session\PHPSessionHandler->read(string)
#2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandlerPHP.php(392): session_start()
#3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(172): SimpleSAML\SessionHandlerPHP->setCookie(string, string, array)
#4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(299): SimpleSAML\Session->__construct()
#5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
#6 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
#7 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
#8 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
#9 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#10 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
#11 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#12 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
#13 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
#14 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
#15 {main}


It is the same error as in this forum: https://www.mediawiki.org/wiki/Topic:Ux3y0zkubjm5zge5

Hence, I've tried your recommendation in the topic. See Extension:SimpleSAMLphp#Known_Bugs for a solution.

I only changed 'store.type' => 'phpsession' to 'sql', as you can see from the code below, and then I received a different error, which I will paste at the bottom of the code.


    /****************************
     | DATA STORE CONFIGURATION |
     ****************************/

    /*
     * Configure the data store for SimpleSAMLphp.
     *
     * - 'phpsession': Limited datastore, which uses the PHP session.
     * - 'memcache': Key-value datastore, based on memcache.
     * - 'sql': SQL datastore, using PDO.
     * - 'redis': Key-value datastore, based on redis.
     *
     * The default datastore is 'phpsession'.
     */
    'store.type'                    => 'sql',

    /*
     * The DSN the sql datastore should connect to.
     *
     * See http://www.php.net/manual/en/pdo.drivers.php for the various
     * syntaxes.
     */
    'store.sql.dsn'                 => 'sqlite:/path/to/sqlitedatabase.sq3',

    /*
     * The username and password to use when connecting to the database.
     */
    'store.sql.username' => null,
    'store.sql.password' => null,

    /*
     * The prefix we should use on our tables.
     */
    'store.sql.prefix' => 'SimpleSAMLphp',

    /*
     * The hostname and port of the Redis datastore instance.
     */
    'store.redis.host' => 'localhost',
    'store.redis.port' => 6379,

    /*
     * The prefix we should use on our Redis datastore.
     */
    'store.redis.prefix' => 'SimpleSAMLphp',

];


[048838530ce5896198695c49] /index.php/Special:PluggableAuthLogin Exception from line 67 of E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php: Database error: could not find driver Backtrace:

#0 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store.php(52): SimpleSAML\Store\SQL->__construct()
#1 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(138): SimpleSAML\Store::getInstance()
#2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(43): SimpleSAML\SessionHandler::createSessionHandler()
#3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(332): SimpleSAML\SessionHandler::getSessionHandler()
#4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(263): SimpleSAML\Session::getSession()
#5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
#6 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
#7 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
#8 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
#9 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#10 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
#11 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#12 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
#13 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
#14 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
#15 {main}


Version MediaWiki 1.32.2 PHP 7.3.28 (apache2handler) MariaDB 10.2.33-MariaDB-log PluggableAuth= 1.35 SimpleSAMLPhp=1.35

Do I need to add the username and password to connect to the database? In our end, I believe we are not supposed to hardcoded the username/password since we have our own IT Privileged Access which requires a second factor authentication in order to provide additional security measures in the login process. But since we are on-premise, do let me know if there is a workaround. Hopefully this is not the case.

Cindy.cicalese (talkcontribs)

You need to fix the value of store.sql.dsn to point to your database.

Frizzow (talkcontribs)

Hi Cindy,

Thank you so much for your help!

I’ve fixed the value of store.sql.dsn to my database accordingly with username and password.

'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host=xxxx;port=xxxx;dbname=xxxxx',
'store.sql.username' => '[username]',
'store.sql.password' => '[pass]',

Then I received a different error, as below. FYI, the user below only has permission to SELECT, INSERT, UPDATE and DELETE in the wiki database. Normally the CREATE command can only be run by our database administrator team, which uses a different, more powerful ID. Based on my experience installing the UserAgreement extension last time, the current ID that I'm using was denied creating a TABLE, and the workaround was to ask the database admin team to create the table for us. In this case, does it mean I need to get the database administrator team's powerful ID and password to be added here, or is there a syntax error going on? By the way, I haven't configured the metadata yet because I'm waiting for the Azure team to exchange the IdP, and I believe that's one of the reasons we still see all the authentication errors below.


[08c4d38a43fb4c1b6990850d] /index.php/Special:PluggableAuthLogin PDOException from line 95 of E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php: SQLSTATE[42000]: Syntax error or access violation: 1142 CREATE command denied to user 'xxxxxxx'@'IP' for table 'SimpleSAMLphp_tableVersion' Backtrace:

#0 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(95): PDO->exec(string)
#1 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(77): SimpleSAML\Store\SQL->initTableVersionTable()
#2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store.php(52): SimpleSAML\Store\SQL->__construct()
#3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(138): SimpleSAML\Store::getInstance()
#4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(43): SimpleSAML\SessionHandler::createSessionHandler()
#5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(332): SimpleSAML\SessionHandler::getSessionHandler()
#6 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(263): SimpleSAML\Session::getSession()
#7 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
#8 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
#9 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
#10 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
#11 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#12 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
#13 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#14 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
#15 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
#16 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
#17 {main}


Thanks in advance!

Cindy.cicalese (talkcontribs)

Yes, they will need to create the table.

Frizzow (talkcontribs)

I've asked the database admin team to grant the user ID the CREATE command ability temporarily. Once they granted the permission, I re-ran the code below. (Before that, I had commented out the code so that it wouldn't show any error on the wiki page.)

'store.type' => 'sql',
'store.sql.dsn' => 'mysql:host=xxxx;port=xxxx;dbname=xxxxx',
'store.sql.username' => '[username]',
'store.sql.password' => '[pass]',

Once I re-ran or re-saved it, I tried to open the wiki page and the SimpleSAMLphp page, and it shows the error below. I've communicated with the database admin team about the error below, and they said the table was created about 10-20 minutes ago, probably when they granted CREATE TABLE access to the user ID that I use, which might be the same time that I was trying to do something in the config.php file. Based on the forum that I have read here: SQLSTATE[42S01]: Base table or view already exists: 1050 Table 'users' already exists · Issue #1116 · spatie/laravel-medialibrary · GitHub, some people suggested to DROP the table and re-run again. Do you think that would be the case? Is this supposed to be a one-time configuration where I shouldn't re-save or re-run it multiple times? I really appreciate your thoughts and recommendation.

[acb3c984ef5311d0f7784f6f] /index.php/Special:PluggableAuthLogin PDOException from line 175 of E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php: SQLSTATE[42S01]: Base table or view already exists: 1050 Table 'SimpleSAMLphp_kvstore' already exists Backtrace:

#0 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(175): PDO->exec(string)
#1 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store\SQL.php(78): SimpleSAML\Store\SQL->initKVTable()
#2 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Store.php(52): SimpleSAML\Store\SQL->__construct()
#3 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(138): SimpleSAML\Store::getInstance()
#4 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\SessionHandler.php(43): SimpleSAML\SessionHandler::createSessionHandler()
#5 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(332): SimpleSAML\SessionHandler::getSessionHandler()
#6 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Session.php(263): SimpleSAML\Session::getSession()
#7 E:\Apache24\htdocs\simplesamlphplib\lib\SimpleSAML\Auth\Simple.php(53): SimpleSAML\Session::getSessionFromRequest()
#8 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(208): SimpleSAML\Auth\Simple->__construct(string)
#9 E:\Apache24\htdocs\extensions\SimpleSAMLphp\includes\SimpleSAMLphp.php(104): SimpleSAMLphp::getSAMLClient()
#10 E:\Apache24\htdocs\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): SimpleSAMLphp->authenticate(NULL, NULL, NULL, NULL, NULL)
#11 E:\Apache24\htdocs\includes\specialpage\SpecialPage.php(569): PluggableAuthLogin->execute(NULL)
#12 E:\Apache24\htdocs\includes\specialpage\SpecialPageFactory.php(568): SpecialPage->run(NULL)
#13 E:\Apache24\htdocs\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#14 E:\Apache24\htdocs\includes\MediaWiki.php(860): MediaWiki->performRequest()
#15 E:\Apache24\htdocs\includes\MediaWiki.php(517): MediaWiki->main()
#16 E:\Apache24\htdocs\index.php(42): MediaWiki->run()
#17 {main}


Below are the database settings in LocalSettings.php, in case it has something to do with the permissions (the user is not a $wgDBadminuser, and the database type is set to "mysql" instead of "sql").

# Database settings
$wgDBtype = "mysql";
$wgDBserver = "xxxxxxx";
$wgDBname = "xxxxxx";
$wgDBuser = "xxxxxx";
$wgDBpassword = "xxxxxxxxx";

Frizzow (talkcontribs)

Hi Cindy,

Sorry for bothering you.

I have tried to drop the table, and it still shows the same error, since it recreates the table the moment I refresh the SimpleSAMLphp site. Then I revoked my CREATE command access, since I thought it may have detected my user ID attempting to create a table, and now it shows this error. The database team said that the table already exists, so I think it may be something else, like the syntax or such. Do you have anything on your mind?


SimpleSAML\Error\Error: UNHANDLEDEXCEPTION
Backtrace:
1 www\_include.php:17 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: PDOException: SQLSTATE[42000]: Syntax error or access violation: 1142 CREATE command denied to user 'user'@'IP' for table 'SimpleSAMLphp_kvstore'
Backtrace:
10 lib\SimpleSAML\Store\SQL.php:175 (PDO::exec)
9 lib\SimpleSAML\Store\SQL.php:175 (SimpleSAML\Store\SQL::initKVTable)
8 lib\SimpleSAML\Store\SQL.php:78 (SimpleSAML\Store\SQL::__construct)
7 lib\SimpleSAML\Store.php:52 (SimpleSAML\Store::getInstance)
6 lib\SimpleSAML\SessionHandler.php:138 (SimpleSAML\SessionHandler::createSessionHandler)
5 lib\SimpleSAML\SessionHandler.php:43 (SimpleSAML\SessionHandler::getSessionHandler)
4 lib\SimpleSAML\Session.php:332 (SimpleSAML\Session::getSession)
3 lib\SimpleSAML\Session.php:263 (SimpleSAML\Session::getSessionFromRequest)
2 modules\core\www\frontpage_welcome.php:5 (require)
1 lib\SimpleSAML\Module.php:266 (SimpleSAML\Module::process)
0 www\module.php:10 (N/A)

Cindy.cicalese (talkcontribs)

That sounds like a problem with the configuration of the simplesaml library. You might try asking for help in their forum to find somebody with more experience with that library.

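The three things that went wrong in this thread (a $wgSimpleSAMLphp_InstallDir that is not an absolute path, a store.sql.dsn whose PDO driver is not loaded, and a store.type of 'phpsession' that collides with MediaWiki's session handler) can all be caught before the first login attempt. The pre-flight script below is an added example written for this page; it is not code from the SimpleSAMLphp extension, the SimpleSAMLphp library or any of the posts above. The install path, DSN, account name, password and table prefix in it are placeholders, and the table probe only covers the case from the thread where the database account cannot run CREATE TABLE itself, so the two tables (named as in the errors above) must already exist.

```php
<?php
// Added example for this page; not code from the SimpleSAMLphp extension, the library, or any post above.
// Checks the failure modes seen in the thread:
//   1. $wgSimpleSAMLphp_InstallDir must be an absolute path containing lib/_autoload.php
//   2. store.type = 'sql' needs a PDO driver matching the DSN prefix ("could not find driver")
//   3. store.type = 'phpsession' fails under MediaWiki's session handler ("Invalid session ID")
//   4. the DB account may lack CREATE, so the tables must exist before the first login
// All paths, hosts and credentials below are placeholders.

declare(strict_types=1);

/** Problems with the install directory; an empty list means OK. */
function checkInstallDir(string $dir): array
{
    $problems = [];
    // Accept Windows ("E:\...") and POSIX ("/...") absolute paths. Anything else is resolved
    // relative to the web server's working directory, which produced the "No such file" warning.
    if (!preg_match('~^(?:[A-Za-z]:[\\\\/]|/)~', $dir)) {
        $problems[] = "InstallDir '$dir' is not an absolute path";
    }
    $autoload = rtrim($dir, '\\/') . DIRECTORY_SEPARATOR . 'lib' . DIRECTORY_SEPARATOR . '_autoload.php';
    if (!is_file($autoload)) {
        $problems[] = "expected autoloader not found: $autoload";
    }
    return $problems;
}

/** Problems with the data store block of SimpleSAMLphp's config.php (passed as an array). */
function checkStoreConfig(array $config): array
{
    $problems = [];
    $type = $config['store.type'] ?? 'phpsession';
    if ($type === 'phpsession') {
        // SimpleSAMLphp's own session_start() runs under MediaWiki's PHPSessionHandler, which
        // rejects the foreign session id; the thread switched to 'sql' for exactly this reason.
        $problems[] = "store.type 'phpsession' does not work alongside MediaWiki; use 'sql', 'memcache' or 'redis'";
        return $problems;
    }
    if ($type === 'sql') {
        $dsn = (string)($config['store.sql.dsn'] ?? '');
        $driver = strstr($dsn, ':', true);          // 'mysql', 'sqlite', 'pgsql', ...
        $available = PDO::getAvailableDrivers();    // requires the PDO extension itself
        if ($driver === false || $driver === '') {
            $problems[] = "store.sql.dsn '$dsn' has no driver prefix";
        } elseif (!in_array($driver, $available, true)) {
            // The "Database error: could not find driver" case: pdo_<driver> is not built in.
            $problems[] = "PDO driver '$driver' not available (loaded: " . implode(', ', $available) . ')';
        }
        if (strpos($dsn, '/path/to/') !== false) {
            $problems[] = 'store.sql.dsn still holds the placeholder path from the sample config';
        }
    }
    return $problems;
}

/**
 * Probe the two tables the SQL store creates on first use. If the account lacks CREATE
 * (the "1142 CREATE command denied" error above), a DBA has to create them beforehand.
 * Needs a live connection; a connection failure is reported instead of checked.
 */
function checkStoreTables(string $dsn, ?string $user, ?string $pass, string $prefix): array
{
    try {
        $pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        return ['could not connect to check tables: ' . $e->getMessage()];
    }
    $problems = [];
    foreach (['tableVersion', 'kvstore'] as $suffix) {
        $table = $prefix . '_' . $suffix;
        try {
            // Identifier quoted with backticks (MySQL/MariaDB and SQLite accept them).
            $pdo->query('SELECT 1 FROM `' . str_replace('`', '``', $table) . '` LIMIT 0');
        } catch (PDOException $e) {
            $problems[] = "table $table missing or unreadable; create it before the first login";
        }
    }
    return $problems;
}

// Placeholder values modelled on the thread, not a real deployment.
$installDir  = 'E:\\Apache24\\htdocs\\simplesamlphplib';
$storeConfig = [
    'store.type'         => 'sql',
    'store.sql.dsn'      => 'mysql:host=db.example.internal;port=3306;dbname=wiki',
    'store.sql.username' => 'wikiuser',
    'store.sql.password' => 'placeholder-password',
    'store.sql.prefix'   => 'SimpleSAMLphp',
];
$report = array_merge(
    checkInstallDir($installDir),
    checkStoreConfig($storeConfig),
    checkStoreTables($storeConfig['store.sql.dsn'], $storeConfig['store.sql.username'],
        $storeConfig['store.sql.password'], $storeConfig['store.sql.prefix'])
);
echo $report ? "Problems:\n - " . implode("\n - ", $report) . "\n" : "All checks passed\n";
```

Run it with the same PHP binary and user the web server uses, since both the autoloader path and the set of loaded PDO drivers can differ between the CLI and the Apache module. The table probe only proves the tables exist and are readable; it cannot tell whether the account also has INSERT, UPDATE and DELETE on them, so a login that still fails after the DBA has created the tables points back at grants.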

MediaWiki Ver 1.32: PluggableAuth and SimpleSAMLphp compatible version

Frizzow (talkcontribs)

My mediawiki ver is 1.32 and we would like to use PluggableAuth and SimpleSAMLphp with azure AD.

Currently, we have no plan to upgrade the version any time soon due to an internal decision. If we would like to stay on version 1.32 longer and would like to use the mentioned extensions for SSO, e.g. PluggableAuth and SimpleSAMLphp, can I download the latest extension version from the drop-down menu, like 1.36 (latest stable MediaWiki) or 1.35, since its status is LTS? If that's not possible, should I download the same extension version from git? I tried to find the extension version for 1.32 on git, but I can't find it because I'm not very familiar with it.

Appreciate your help.

Cindy.cicalese (talkcontribs)

You should be able to use the latest stable versions of both extensions with MediaWiki 1.32 at this point. I believe that both maintain backward compatibility at this point to at least 1.31.

A barnstar for you!

X-Savitar (talkcontribs)
The Technical Barnstar
For all the amazing work you do on CommentStreams. Thank you! X-Savitar (talk) 17:21, 12 August 2021 (UTC)
Cindy.cicalese (talkcontribs)

Awwww, thank you!!

X-Savitar (talkcontribs)

You're welcome! 🎉


Relative image links for SemanticRating extension?

Theowl84 (talkcontribs)

Hi,

today I installed the SemanticRating extension. It is very helpful for our task and easier to install than any Template. However, I immediately stumbled across a problem with the image links for the stars. Our wiki can be reached from inside and outside the local network but the SemanticRating.php $imagepath is composed as an absolute URL (which leads to unreachable images for internal accesses or external accesses). The simple fix for this problem was to remove the $GLOBALS['wgServer'] part of $imagepath so the images ended up being relative URLs like any other image reference on the wiki.

So my question is why SemanticRating has absolute image paths in the first place? As far as I'm aware of, all other intra-wiki links or image-refs use relative URLs starting with $wgScriptPath, too. I don't know if I'm missing a problem here, but if not I would suggest removing the $wgServer part of the image URLs.

Thanks, Matthias

Cindy.cicalese (talkcontribs)

There is no good reason that it uses an absolute path. Please feel free to submit a patch in gerrit to change the path.


Thanks, Cindy


AD authentication for Mediawiki

2A01:9820:2:7:0:0:3E68:2F02 (talkcontribs)

hi,


You are listed on the Extension:LDAPAuthentication2 page as author. I want to ask whether there is a solution for not using a bind account to authenticate against Active Directory. This was possible with the old extension (Extension:LDAP Authentication). I have no good feelings about adding a user and password to a JSON file and having this inside a repo for automatic deployments. Why is this needed? LDAP self-auth should also work fine.

Cindy.cicalese (talkcontribs)

@Osnard implemented this functionality and perhaps could respond here.

2A01:9820:2:7:0:0:3E68:2F02 (talkcontribs)

@Cindy.cicalese thanks for the fast response. I sent an email to @Osnard yesterday. I also find it very annoying to have a JSON file with credentials in the web server root. This makes security much more complex.


I also find it very strange that most of the extensions cannot be installed via composer. This makes automatic deployments with dependency tracking much harder than it should be.

MarkAHershberger (talkcontribs)
I also found it very strange that the most of the extensions are not able to install via composer.
I think I have deployed this with composer. See mediawiki/ldap-authentication-2 and mediawiki/ldap-provider (though, there is a missing dependency that I should fix).
I know @Osnard deploys these with composer, but Hallo Welt! uses their own repository.
I'm also found it very annoying to have an json File with credentials in the webserver root
You certainly do not have to do that. You can put the .json file wherever you want and point $LDAPProviderDomainConfigs to it.
2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talkcontribs)

@MarkAHershberger @Cindy.cicalese thx for your feedback, I hope you had a nice Easter.


@MarkAHershberger: The composer point was not only about this module. We have a list of extensions we need to use, and only a few are available via composer. It would be really good for the future if it were possible to do the complete installation and updates via composer. This would make CI pipelines much better.


@MarkAHershberger: As for the JSON file, I still do not see the need for a bind user for the extension. Other tools can do it without one.

As I wrote, we try to deploy our installation as docker images, and hard-coded credentials are a mess. I must now parse two different config file formats (LocalSettings.php and JSON) via a docker-entrypoint script to put the right credentials in via environment variables.


@Cindy.cicalese @MarkAHershberger @Osnard From my view it would be better to have the stuff in the Localsettings.php and even better don't need a bind user, or make it optional. I have no example for php but for example netbox (open source dcim tool) works without bind user.

Osnard (talkcontribs)
Cindy.cicalese (talkcontribs)
2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talkcontribs)

@Cindy.cicalese: for me as user this would be a great improvement.


@Osnard: I sent you an email some days ago about the LDAP question above: why does the extension need a bind user? Have you seen it?

2A01:9820:2:7:0:0:3E68:2F02 (talkcontribs)

@Osnard @Cindy.cicalese I still got no feedback about the initial question why it needs a bind user?

Osnard (talkcontribs)
2A01:9820:2:4:F2D5:BFFF:FE93:E234 (talkcontribs)

@Osnard I think a self-bind would make it much more secure. Then you don't need any LDAP user with global read access, and you have no credentials on your servers. I will take a look into the source code. I'm no PHP programmer, but if it is easy I will try to send a patch.

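The "self bind" the thread asks about means binding to the directory with the credentials the user just typed, so no service-account password has to live in a JSON file. The function below is an added example written for this page, not code from LDAPAuthentication2, LDAPProvider or any post above. It assumes an Active Directory reachable over LDAPS that accepts a userPrincipalName as the bind name; the host, base DN, UPN suffix and account are placeholders with no directory behind them. It also shows the two checks a self-bind must not skip: rejecting an empty password, which LDAP treats as an unauthenticated bind that many servers accept, and escaping the username before it goes into a search filter.

```php
<?php
// Added example for this page; not code from LDAPAuthentication2, LDAPProvider or any post above.
// Self-bind against Active Directory: bind as the user who is logging in, then read that user's
// own entry. No service account, so no stored bind password. Server and DN values are placeholders.

declare(strict_types=1);

/**
 * Authenticate $username/$password by binding as that user. Returns the attributes the wiki
 * needs on success, null on any failure (wrong password, locked account, unreachable server).
 */
function ldapSelfBindAuthenticate(string $uri, string $baseDn, string $upnSuffix,
                                  string $username, string $password): ?array
{
    // RFC 4513 section 5.1.2: a bind with a name and an EMPTY password is an "unauthenticated"
    // bind, which AD and other servers accept as anonymous. Without this check, an empty
    // password would "log in" any known account name.
    if ($username === '' || $password === '') {
        return null;
    }
    // The username becomes part of the bind name and of a search filter. Allow only plain
    // account names instead of trying to escape every corner of both syntaxes.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return null;
    }

    $ds = ldap_connect($uri);            // ldaps://host so the password does not travel in clear
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD referrals would stall the search
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // AD accepts user@domain (the userPrincipalName) as a bind name, so no DN lookup and
    // therefore no privileged pre-bind is needed.
    $bindName = $username . '@' . $upnSuffix;
    if (!@ldap_bind($ds, $bindName, $password)) {
        ldap_unbind($ds);
        return null;
    }

    // Now authenticated as the user: fetch only that user's entry. ldap_escape() guards the
    // filter against LDAP injection even though the regex above already restricts the input.
    $filter  = '(&(objectClass=user)(sAMAccountName='
             . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = @ldap_search($ds, $baseDn, $filter, ['displayName', 'mail', 'sAMAccountName'], 0, 1);
    $entries = $res ? ldap_get_entries($ds, $res) : false;
    ldap_unbind($ds);

    if (!$entries || $entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];                    // ldap_get_entries() lower-cases attribute names
    return [
        'username' => $e['samaccountname'][0] ?? $username,
        'realname' => $e['displayname'][0] ?? '',
        'email'    => $e['mail'][0] ?? '',
    ];
}

// Placeholder values for this example; with no reachable server the call returns null,
// which is also what a wrong password produces.
$result = ldapSelfBindAuthenticate(
    'ldaps://dc1.corp.example',
    'DC=corp,DC=example',
    'corp.example',
    'jdoe',
    'placeholder-password'
);
var_dump($result);
```

Self-bind comes with a trade-off the thread does not spell out: after the bind, the wiki can only read what that user is allowed to read in the directory. Reading the user's own entry and typically their group memberships works in AD, but anything that has to run while nobody is logged in (a scheduled group sync, for example) still needs a service account, so the practical request is to make the bind account optional rather than to remove it.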
OpenID Connect PHP 7.4

5.53.119.6 (talkcontribs)

Hi Cindy,


We want to use OpenID Connect with the latest MediaWiki release, 1.35.1. It requires PHP 7.3.19+, and when we try to authenticate we get an error: PHP Deprecated: array_key_exists(): Using array_key_exists() on objects is deprecated. Use isset() or property_exists() instead

This function is used here (line 912):


public function requestUserInfo($attribute = null) {
    $user_info_endpoint = $this->getProviderConfigValue("userinfo_endpoint");
    $schema = 'openid';
    $user_info_endpoint .= "?schema=" . $schema;

    //The accessToken has to be send in the Authorization header, so we create a new array with only this header.
    $headers = array("Authorization: Bearer {$this->accessToken}");

    $user_json = json_decode($this->fetchURL($user_info_endpoint,null,$headers));
    $this->userInfo = $user_json;

    if($attribute === null) {
        return $this->userInfo;
    } else if (array_key_exists($attribute, $this->userInfo)) {
        // $this->userInfo is a stdClass here, so this call is what PHP 7.4 reports as deprecated
        return $this->userInfo->$attribute;
    } else {
        return null;
    }
}


I tried to fix this using the property_exists() function, but it seems it doesn't work well. Could you please help with it?


Regards,

Stanislav Babaryka

stanislav.babaryka@gmail.com

Cindy.cicalese (talkcontribs)

I believe that you are using an old version of the OpenID Connect extension. The extension makes use of an OpenID Connect library. The code you refer to is in that library. It is fixed in version 0.9.0 of the library. The most recent version of the extension uses version 0.9.1 of the library. You can see this by looking for 'jumbojett/openid-connect-php' in the composer.json file of the extension. I suggest that you get the latest version of the extension, version 5.4, which includes this update.

5.53.119.6 (talkcontribs)

Hi again!

Yes, it worked well with new version, thanks!

But we have a new issue now: when a new user is created during login, it has no email in its profile. The only attribute the new user receives from Azure AD is the real name.

LocalSettings part with plugins config:


wfLoadExtension( 'PluggableAuth' );
$wgPluggableAuth_EnableLocalLogin = true;
$wgPluggableAuth_ButtonLabelMessage = "Office 365 Login";

wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['https://sts.windows.net/***************************/'] = [
    'clientID' => '*****************************',
    'clientsecret' => '****************************'
];
$wgOpenIDConnect_UseRealNameAsUserName = true;


If I define username as email, it will have "User 1" name.

Maybe I'm missing something, or you can suggest what I need to check.

Thanks in advance!


Regards,

Stas

Cindy.cicalese (talkcontribs)

I understand the bit about the email not getting set, but I'm not sure if you are saying you also have a problem using the real name as the username? It makes sense that it would use 'User 1' if you are using the email address for the name, but no email address and no preferred username is provided.

5.53.119.6 (talkcontribs)

The problem is with retrieving the email from the provider. Real name as username works correctly, but when I try to use the email as username I'm getting "User 1". Also there is no email in the "email" field in the account properties. From the Azure side all is OK; all necessary API permissions for the Azure app are granted.

Cindy.cicalese (talkcontribs)

OK, I see. Unfortunately, I'm not familiar with configuring Azure to get it to return the email address. Unless it provides it to the extension, there's nothing the extension can do to get that information. There are other folks using Azure successfully, so it seems there must be a way to configure it to return that information if it exists on the Azure end.

Cindy.cicalese (talkcontribs)

You could try adding the scope parameter to your config:


$wgOpenIDConnect_Config['https://sts.windows.net/***************************/'] = [
    'clientID' => '*****************************',
    'clientsecret' => '****************************',
    'scope' => [ 'openid', 'profile', 'email' ]
];

5.53.119.6 (talkcontribs)

Thanks! With adding Scope and some code editing it works!

Thank you for helping

Cindy.cicalese (talkcontribs)

Great! I have updated the documentation to include the scope parameter in all of the examples.

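The deprecation in the library snippet above comes from calling array_key_exists() on the stdClass that json_decode() returns. The code below is an added example written for this page, not code from the OpenID Connect extension or from the jumbojett library, and it is not the library's actual 0.9.0 fix. It decodes the UserInfo response as an array so the lookup stays valid on PHP 7.4+, keeps an object-safe branch for callers that still hold a stdClass, and adds the check OpenID Connect Core 1.0 section 5.3.2 requires of every UserInfo response: its "sub" must exactly match the "sub" of the ID token, otherwise the claims must not be used. The JSON body is constructed for this example and models the later situation in the thread where no email is returned because the "email" scope was not requested.

```php
<?php
// Added example for this page; not code from the OpenID Connect extension or the jumbojett library.
// PHP 7.4-clean attribute lookup for a UserInfo response, plus the OIDC Core 5.3.2 "sub" check.

declare(strict_types=1);

/**
 * Decode a UserInfo JSON body into an associative array and verify it belongs to the same
 * subject as the ID token. Throws on malformed JSON or a subject mismatch, so a caller cannot
 * attach another account's claims (email, name) to the user who is logging in.
 */
function decodeUserInfo(string $json, string $idTokenSub): array
{
    $info = json_decode($json, true);   // array, so array_key_exists() is fine on 7.4+
    if (!is_array($info)) {
        throw new UnexpectedValueException('UserInfo response is not a JSON object: ' . json_last_error_msg());
    }
    $sub = $info['sub'] ?? null;
    if (!is_string($sub) || !hash_equals($idTokenSub, $sub)) {
        throw new UnexpectedValueException('UserInfo "sub" does not match the ID token subject');
    }
    return $info;
}

/**
 * Return one claim or null. Works on the array form above and on a json_decode() stdClass,
 * using property_exists() instead of array_key_exists() for the object case.
 */
function userInfoAttribute($info, string $attribute)
{
    if (is_array($info)) {
        return array_key_exists($attribute, $info) ? $info[$attribute] : null;
    }
    if (is_object($info)) {
        // property_exists() also returns true for a property explicitly set to null, which
        // matches what array_key_exists() did before the deprecation.
        return property_exists($info, $attribute) ? $info->$attribute : null;
    }
    return null;
}

// Constructed sample response: "openid profile" granted, "email" scope not requested.
$sampleJson = '{"sub":"a1b2c3","name":"Example User","preferred_username":"exuser"}';

$info = decodeUserInfo($sampleJson, 'a1b2c3');
var_dump(userInfoAttribute($info, 'name'));
var_dump(userInfoAttribute($info, 'email'));   // null until the "email" scope is configured

// The same body decoded as an object still works through the object branch.
var_dump(userInfoAttribute(json_decode($sampleJson), 'preferred_username'));

// A response for a different subject is refused rather than merged into the session.
try {
    decodeUserInfo($sampleJson, 'someone-else');
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The null returned for 'email' is exactly the symptom reported later in this thread: the extension can only copy what the provider sends, which is why adding 'email' to the scope list in $wgOpenIDConnect_Config fixed it.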

OpenID Connect with Gitlab (self-hosted)

94.79.159.70 (talkcontribs)

Hi Cindy,

I want to share my configuration to use OpenID Connect with a Gitlab (self-hosted).


Gitlab

  • Login to Gitlab Admin Area
  • Applications -> New Application
    • Name: MediaWiki
    • Redirect URI: <<https wiki server>>/wiki/Special:PluggableAuthLogin
    • Trusted: yes
    • Confidential: yes
    • Scopes: openid, profile, email
  • Submit
  • Copy Application ID and Secret to LocalSettings.php


MediaWiki Configuration

In LocalSettings.php

# Extension:OpenID Connect
wfLoadExtension( 'PluggableAuth' );
# set to false to deactivate local logins
$wgPluggableAuth_EnableLocalLogin = true; #= false;

wfLoadExtension( 'OpenIDConnect' );
$wgOpenIDConnect_Config['<<https gitlab server>>'] = [
    'clientID' => '...', # Insert Gitlab Application ID here!
    'clientsecret' => '...', # Insert Gitlab Secret here!
    # docs.gitlab.com/ee/integration/openid_connect_provider.html
    # Alternative 'nickname'
    # Alternative 'name'
    'preferred_username' => 'nickname'
];
$wgPluggableAuth_ButtonLabelMessage = 'Login with your Gitlab Account';
Cindy.cicalese (talkcontribs)

Thank you very much for contributing this! Please feel free to update Extension:OpenID Connect with these instructions!


Cindy
