Extension talk:LDAPAuthorization/Archive 2/Flow export

Older comments at Extension talk:LDAP Authorization

How do you configure these settings?

I am trying to use the PHP array method. Do I add something like the following to LocalSettings.php:


"rules.group.required" => [ "cn=relevant_group,ou=groups,dc=example,dc=com"]


or is it more like


"rules" => [

"group.required" => "cn=relevant_group,ou=groups,dc=example,dc=com",

"attributes" = { (insert proper attributes stanza here) },

],

<rest of LocalSettings.php LDAPProvider configuration> 192.150.187.199 (talk) 23:47, 15 April 2019 (UTC)

Ok, I found the mediawiki.ldap.json-sample file in the LDAPProvider extension which has a very simple example of how to use this module. I don't understand why this info can't be found on a mediawiki.org page, but at least it exists somewhere.... 192.150.187.199 (talk) 23:32, 22 April 2019 (UTC)
Try something like
'authorization' => [
	'rules' => [
		'groups' => [
			'required' => [
				"CN=wiki,OU=groups,DC=company,DC=local"
			],
			'excluded' => [
				"CN=nowiki,OU=groups,DC=company,DC=local"
			]
		]
	]
],
Osnard (talk) 06:25, 10 May 2019 (UTC)
So did you get it to work then? Not having any luck with required by group? If so could you post what you did?
Thanks Awatkins1966 (talk) 11:13, 10 July 2019 (UTC)

authorization by group not working (User XXXX not authorized)

Battling with these extensions and have got Authorization to work, but when I try to restrict by group it fail. Looking at function makeGroupRequirements the ldapUserGroups has no values.

   $ldapUserGroups = $this->ldapClient->getUserGroups( $username );

$username equals "andrew" and looking at debug output the memberof has been read.


[MediaWiki\Extension\LDAPProvider\Client] MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'dc=dcs,dc=bbk,dc=ac,dc=uk',
  'filter' => '(samaccountname=andrew)',
  'attributes' =>
  array (
    0 => '*',
    1 => 'memberof',
  ),
)
....
   10 => 'usncreated',
   'memberof' =>
   array (
     'count' => 7,
     0 => 'CN=xxx1,DC=dcs,DC=bbk,DC=ac,DC=uk',
     1 => 'CN=xxx2,DC=dcs,DC=bbk,DC=ac,DC=uk',
     2 => 'CN=xxx3,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',
     3 => 'CN=xxx4,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',
     4 => 'CN=xxx5,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',
     5 => 'CN=xxx6,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',
     6 => 'CN=xxx7,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',
   ),
   11 => 'memberof',
   'usnchanged' =>
   array (
     'count' => 1,

Any ideas? Awatkins1966 (talk) 10:51, 10 July 2019 (UTC)

Maybe you need to set <code>"MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"</code> in your domain config under "connection/grouprequest". See Extension:LDAPProvider#Domain_config_settings

Osnard (talk) 12:25, 18 July 2019 (UTC)
@Osnard GREAT!!! That worked. Awatkins1966 (talk) 15:07, 19 July 2019 (UTC)
I have this problem with OpenLDAP and "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory" - The group I want to search is a 'groupOfNames'
Without the authorization plugin enabled I can log in.
The config in a json file:
{
  "LDAP": {
    "connection": {
      "server": "XXX",
      "user": "cn=docswiki_ro,ou=serviceaccounts,dc=XXX",
      "pass": "",
      "basedn": "XXX",
      "groupbasedn": "ou=roles,ou=groups,dc=XXX",
      "userbasedn": "ou=volunteers,dc=XXX",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=volunteers,dc=XXX",
      "usernameattribute": "uid",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": [
            "cn=rol_webadmin,ou=roles,ou=groups,dc=XXX"
          ]
        }
      }
    }
  }
} 213.124.137.250 (talk) 20:56, 6 October 2019 (UTC)
You may need to "hack" that code line until I can introduce a proper configuration variable: https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/5c4546b8cb1f9890c3063f0bf073793e66563c01/src/UserGroupsRequest/GroupMember.php#L31
Alternatively you can implement a `UserGroupsRequest` class yourself and contribute it. Osnard (talk) 08:44, 7 October 2019 (UTC)
I think I see the problem. I'm using an objectclass 'groupofnames' (in openldap) but the code you added only checks for a 'group.' When I have time I'll change that in the code and see if it works. 87.251.43.211 (talk) 08:35, 8 October 2019 (UTC)
Confirmed, I changed it into groupOfNames and now my account authorizes but my test account doesn't; as expected. 213.124.137.250 (talk) 14:05, 8 October 2019 (UTC)
Thanks for confirming this. I have added this topic to https://phabricator.wikimedia.org/T214146 Osnard (talk) 12:03, 14 October 2019 (UTC)
It's working?? Guilherme bangemann (talk) 17:54, 14 October 2019 (UTC)
I have this problem, too. But it only occurs in private wikis. What can I do to solve this?
I use MediaWiki 1.39.3
PHP Version 8.1.2
MariaDB 10.6.12 Ablum010777 (talk) 07:44, 18 April 2023 (UTC)
Which LDAP extension versions are you using? Osnard (talk) 12:05, 18 April 2023 (UTC)
I'm using
PluggableAuth 5.7
LDAPAuthentication2 1.0.3
LDAPProvider 1.0.5
LDAPUserInfo 1.0.0
LDAPAuthorization 1.1.0
I cannot use PluggableAuth 6.X since it doesn't work with LDAPAuthentication2 or LDAPAuthorization yet. Ablum010777 (talk) 12:24, 18 April 2023 (UTC)
The change has been merged quite a while ago. You can now set the groupobjectclass to groupOfNames in connection. Osnard (talk) 12:57, 20 April 2023 (UTC)

LDAP Auth working but not SSO

Hi all

CentOS 7.5

MediaWiki = 1.31.0

PHP Version 7.2.10

LDAPAuth = 1.0 (Extension:LDAPAuthorization)

Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_auth_kerb/5.4 PHP/7.2.10

I am having a problem with SSO on mediawiki in that i get the following message

  • [LDAPAuthorization] Could not check login requirements for AFINLAY
  • [LDAPAuthorization] Unsupported format!
  • [session] Can't login remote user 'AFINLAY' automatically. Blocked this user when applying filter to ''.


In LocalSettings.php

wfLoadExtension( 'LDAPAuthorization' );

any idea what is going on ?


Cheers

Alistair Alistair4267 (talk) 12:49, 19 July 2019 (UTC)

Greetings @ Everyone.
Having the same issue.
Windows server
Apache 2.4.33
Oracle Webgate Current 11.1.2.2.0
PHP 7.3.3
All LDAP hub extensions installed..
Any help appreciated.. R2spotuser (talk) 15:03, 21 July 2019 (UTC)
So Auth_remoteuser is installed and properly configured also? Osnard (talk) 14:46, 25 July 2019 (UTC)
Sorry, has been a stupid question. Of course it is.
This looks like the "remote user" is not provided in the format "username@domain" or "domain\\username". Can you tell which format $_SERVER['REMOTE_USER'] has? Osnard (talk) 14:50, 25 July 2019 (UTC)
thanks for responding.. is there a particular plugin to look in for this?

R2spotuser (talk) 03:14, 28 July 2019 (UTC)
No, just add something like <code>error_log( var_export( $_SERVER['REMOTE_USER'], true ) );</code> in your <code>LocalSettings.php</code> file, reload the wiki site in your browser and have a look at the PHP error log.
Btw.: I have added an example configuration here: LDAP hub/Migration from extension LDAPAuthentication. Maybe it is of help for you. Osnard (talk) 06:47, 30 July 2019 (UTC)
Thanks Osnard.. I used your example. Here is what i am getting in the log..
[LDAPAuthorization] Could not check login requirements for cn=xxxx,ou=xxx,ou=xxx,cn=xxx,dc=xxx,dc=xxx
[LDAPAuthorization] Unsupported format!
[session] Can't login remote user 'cn=xxxxx,ou=xxxxxr,ou=xxxx,cn=users,dc=xxx,dc=xxx' automatically. Blocked this user when applying filter to ''.
[session] Session "7u0tfujhb8qpcsfbk41f32377990jlp4" requested without UserID cookie
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff. R2spotuser (talk) 06:36, 2 August 2019 (UTC)
So it looks like the value of $_SERVER['REMOTE_USER'] was 'cn=xxxxx,ou=xxxx,ou=xxx,cn=xxx,dc=xxx,dc=xxx'. While this is technically a possible username it is probably not what you want. Given this username LDAPAuthorization probably fails to fetch the required information from the LDAP.
For Auth_remoteuser try something like this (UNTESTED):
$wgAuthRemoteuserUserName = function() {
	$user = '';
	if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
		// preg_replace() needs a delimited pattern; this pulls the CN value out of the full DN
		$user = strtolower( preg_replace( '/^cn=(.*?),ou=xxx,ou=xxx,cn=xxx,dc=xx,dc=xxx$/i', '$1', $_SERVER[ 'REMOTE_USER' ] ) );
	}
	return $user;
};
Osnard (talk) 07:45, 2 August 2019 (UTC)
thanks again... So I have a older production version of mediawiki using webgate where $_SERVER['XXX_REMOTE_USER'] will pull USERNAME as the name (notice the xxx).. if i substitute that in this one i get .. if i use this format (where i am getting the user name $_SERVER['XXX_REMOTE_USER'] ) do i need to change anything in the other plugins to match?
Here is what i get when i use $_SERVER['XXX_REMOTE_USER'] in the AuthRemoteUserSessionProvider file when i change
# Set default remote user name source if no other is specified.
if ( !isset( $params[ 'remoteUserNames' ] ) ) {
$params[ 'remoteUserNames' ] = [
getenv( 'XXX_REMOTE_USER' ),
getenv( 'REDIRECT_XXX_REMOTE_USER' )
OUTPUT:
[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff
[caches] LocalisationCache: using store LCStoreCDB
[LDAPAuthorization] Could not check login requirements for XXXXXXX
[LDAPAuthorization] Unsupported format!
[session] Can't login remote user 'XXXXXX' automatically. Blocked this user when applying filter to ''.
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection. R2spotuser (talk) 03:52, 3 August 2019 (UTC)
Addition.. when i click login on the page i now get this
[06c7b3ea463a5a76xxx745d5] /mw9/index.php?title=Special:UserLogin&returnto=Main+Page ArgumentCountError from line 39 of D:\Apache24\htdocs\mw9\includes\auth\PasswordDomainAuthenticationRequest.php: Too few arguments to function MediaWiki\Auth\PasswordDomainAuthenticationRequest::__construct(), 0 passed in D:\Apache24\htdocs\mw9\extensions\LdapAuth\src\Auth\PrimaryAuthenticationProvider.php on line 62 and exactly 1 expected
Backtrace:
#0 D:\Apache24\htdocs\mw9\extensions\LdapAuth\src\Auth\PrimaryAuthenticationProvider.php(62): MediaWiki\Auth\PasswordDomainAuthenticationRequest->__construct()
#1 D:\Apache24\htdocs\mw9\includes\auth\AuthManager.php(2100): Shanept\LdapAuth\Auth\PrimaryAuthenticationProvider->getAuthenticationRequests(string, array)
#2 D:\Apache24\htdocs\mw9\includes\auth\AuthManager.php(2078): MediaWiki\Auth\AuthManager->getAuthenticationRequestsInternal(string, array, array, User)
#3 D:\Apache24\htdocs\mw9\includes\specialpage\AuthManagerSpecialPage.php(256): MediaWiki\Auth\AuthManager->getAuthenticationRequests(string, User)
#4 D:\Apache24\htdocs\mw9\includes\specialpage\LoginSignupSpecialPage.php(141): AuthManagerSpecialPage->loadAuth(NULL)
#5 D:\Apache24\htdocs\mw9\includes\specialpage\LoginSignupSpecialPage.php(229): LoginSignupSpecialPage->load(NULL)
#6 D:\Apache24\htdocs\mw9\includes\specialpage\SpecialPage.php(569): LoginSignupSpecialPage->execute(NULL)
#7 D:\Apache24\htdocs\mw9\includes\specialpage\SpecialPageFactory.php(558): SpecialPage->run(NULL)
#8 D:\Apache24\htdocs\mw9\includes\MediaWiki.php(288): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#9 D:\Apache24\htdocs\mw9\includes\MediaWiki.php(865): MediaWiki->performRequest()
#10 D:\Apache24\htdocs\mw9\includes\MediaWiki.php(515): MediaWiki->main()
#11 D:\Apache24\htdocs\mw9\index.php(42): MediaWiki->run()
#12 {main} R2spotuser (talk) 04:06, 3 August 2019 (UTC)
You seem to be using Extension:LdapAuth, which is not part of the LDAP_Stack. Please have a look at LDAP_hub and especially LDAP_hub/Migration_from_extension_LDAPAuthentication Osnard (talk) 12:14, 5 August 2019 (UTC)
Good Afternoon Osnard and thanks for all the help. You are correct. LdapAuth was previously installed on the wiki and i turned it on to do some testing and forgot to disable it.. I have disabled it.
but now $_SERVER['REMOTE_USER'] doesnt appear to pull any info.
Here is what i get now.
[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff
[caches] LocalisationCache: using store LCStoreCDB
[session] Can't login remote user '' automatically. Given remote user name is not of type string or empty.
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection. R2spotuser (talk) 18:54, 5 August 2019 (UTC)
Can you please share your complete configuration of the LDAP_Stack that you have set up? Please do not forget to strip sensitive data, like usernames, passwords, company/domain names. Osnard (talk) 05:46, 6 August 2019 (UTC)
here you go
# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtensions('ExtensionName');
# to LocalSettings.php. Check specific extension documentation for more details.
# The following extensions were automatically enabled:
wfLoadExtension( 'Auth_remoteuser' );
####wfLoadExtension( 'LdapAuth' );
#require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
#require_once "$IP/extensions/LdapAuthentication/LdapAutoAuthentication.php";
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPUserInfo' );
#wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'Nuke' );
wfLoadExtension( 'PdfHandler' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'Renameuser' );
wfLoadExtension( 'WikiEditor' );
$wgLdapAuthDomainNames = '(xxx.xxx)';
$wgLdapAuthServers = 'ldap.xxx.xxx';
$wgLdapAuthBindDN = "cn=username,ou=xxx,ou=xxxx,dc=xxx,dc=xxx";
$wgLdapAuthBindPass = 'xxxxxxxx';
$wgLdapAuthSearchTree = true;
#$wgLDAPSearchStrings = array('xxx' => 'DOMAIN\\USER-NAME',);
$wgLdapAuthSearchFilter = '(&(objectClass=user)(displayName=%1$s))';
$wgLdapAuthEncryptionType = 'clear';
$LdapGroupsIniFile = "d:\Apache24\htdocs\mw9\Configfiles\groups.ini";
##LDAP SETTINGS#####
$LDAPProviderDomainConfigs = "$IP/configfiles/ldapprovider.json";
##$LDAPProviderDomainConfigs = "\\MediaWiki\\Extension\\LDAPProvider\\src\\DomainConfigProvider\\LocalJSONFile::newInstance";
$wgLDAPEncryptionType = array("xxx.xxx" => "clear");
$wgLDAPUseLDAPGroups = array(
  'xxx.xxx' => true,
);
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain\\username';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgAuthRemoteuserUserName = function() {
	$user = '';
	if( isset( $_SERVER['REMOTE_USER'] ) ) {
		$user = strtolower( $_SERVER['REMOTE_USER'] );
	}
	return $user;
};
error_log( var_export( $_SERVER['REMOTE_USER'], true ) );
$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'xxx.xxx' => [
			'connection' => [
				"server" => "ldap.xxx.xxx",
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "dc=xxx,dc=xxx",
				"groupbasedn" => "OU=Groups,OU=xxxx,OU=Accounts,DC=xxx,DC=xxx",
				"userbasedn" => "cn=xxxx,ou=groups,ou=xxxx,ou=accounts,dc=xxx,dc=xxx",
				"searchattribute" => "uid",
				"usernameattribute" => "uid",
				"realnameattribute" => "fullname",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			'authorization' => [
				'rules' => [
					'groups' => [
						'required' => [
							'cn=xxxxx,ou=groups,ou=xxxx,ou=accounts,dc=xxx,dc=xxx'
						]
					]
				]
			],
			'userinfo' => [
				'attributes-map' => [
					'email' => 'mail',
					'realname' => 'fullname'
				]
			]
		]
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
#####Error logging######
#error_log( var_export( $_SERVER['REMOTE_USER'], true ) )
## PHP Error ###
error_reporting( -1 );
ini_set( 'display_errors', 1 );
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;
## SQL Error ###
$wgDebugDumpSql = true;
## Debug log to file ###
$wgLDAPDebug = 3;
$wgDebugLogFile = 'd:\Apache24\htdocs\mw9\logfile.txt';
$wgDebugComments = true;
R2spotuser (talk) 16:38, 6 August 2019 (UTC)
I have cleaned up the config a little bit and changed/added some things:
wfLoadExtension( 'Auth_remoteuser' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPUserInfo' );
#wfLoadExtension( 'LDAPGroups' );
##LDAP SETTINGS#####
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain-backslash-username';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
$wgAuthRemoteuserUserName = function() {
	$user = '';
	if( isset( $_SERVER['REMOTE_USER'] ) ) {
		$user = strtolower( $_SERVER['REMOTE_USER'] );
	}
	return $user;
};
error_log( var_export( $_SERVER['REMOTE_USER'], true ) ); //Should be "xxx.xxx\\SomeUser"
$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'xxx.xxx' => [
			'connection' => [
				"server" => "ldap.xxx.xxx",
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "dc=xxx,dc=xxx",
				"groupbasedn" => "OU=Groups,OU=xxxxx,OU=Accounts,DC=xxx,DC=xxx",
				"userbasedn" => "cn=xxxx,ou=groups,ou=xxxx,ou=accounts,dc=xxx,dc=xxx",
				"searchattribute" => "uid",
				"usernameattribute" => "uid",
				"realnameattribute" => "fullname",
				"emailattribute" => "mail",
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
			],
			'authorization' => [
				'rules' => [
					'groups' => [
						'required' => [
							'cn=xxxx,ou=groups,ou=xxxx,ou=accounts,dc=xxx,dc=xxx'
						]
					]
				]
			],
			'userinfo' => [
				'attributes-map' => [
					'email' => 'mail',
					'realname' => 'fullname'
				]
			]
		]
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
#####Error logging######
##PHP Error ###
error_reporting( -1 );
ini_set( 'display_errors', 1 );
$wgShowExceptionDetails = true;
$wgShowDBErrorBacktrace = true;
##SQL Error ###
$wgDebugDumpSql = true;
##Debug log to file ###
$wgDebugLogFile = 'd:\Apache24\htdocs\mw9\logfile.txt';
$wgDebugComments = true;
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPGroups'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';
Especially important is $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain-backslash-username';.
Could you please give it a try? Osnard (talk) 06:31, 7 August 2019 (UTC)
Greetings and thanks again for helping..
I tried the above and changed xxx to match info.. I am getting a HTTP500 error. did some troubleshooting and believe the error is coming from
$wgAuthRemoteuserUserName = function() {
$user = '';''
if( isset( $_SERVER['REMOTE_USER'] ) ) {
$user = strtolower( $_SERVER['REMOTE_USER'] );
}
return $user;
};
when i remove the " after the $user ";" line i get passed the error and the wiki page loads... but i get this from log
AUTHENTICATEDSTATE:
[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff
[caches] LocalisationCache: using store LCStoreCDB
[session] Can't login remote user ' ' automatically. Blocked this user when applying filter to ''.
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {
    "IPAddress": "server",
    "UserAgent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; Touch; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0)",
    "ChronologyProtection": false,
    "ChronologyPositionIndex": 0,
    "ChronologyClientId": null
} R2spotuser (talk) 05:43, 8 August 2019 (UTC)
Ah, I can see, my "clean-up" had an error in it: It needs to be $user = ''; instead of $user = '';'' (as in the example above).
Can you please add an error_log( $_SERVER['REMOTE_USER'] ); to your configuration and share the result? Osnard (talk) 09:30, 8 August 2019 (UTC)
when i use $user = '';''
get http error 500. no logs generated

R2spotuser (talk) 14:18, 8 August 2019 (UTC)
Sorry, just the other way round of course: $user = ''; instead of $user = '';'' Osnard (talk) 14:37, 12 August 2019 (UTC)
I did that and the wiki loads but doesn't log me in.. I am able to click login and it takes me to the login page asking for username and password and shows "log in with PluggableAuth". From the logs, ( $_SERVER['REMOTE_USER'] ) is no longer pulling an account. There are also some additional logs
[caches] cluster: EmptyBagOStuff, WAN: mediawiki-main-default, stash: db-replicated, message: SqlBagOStuff, session: SqlBagOStuff
[caches] LocalisationCache: using store LCStoreCDB
[session] Can't login remote user '' automatically. Given remote user name is not of type string or empty.
[DBConnection] Wikimedia\Rdbms\LoadBalancer::openConnection: calling initLB() before first connection.
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff.
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: using request info {
    "IPAddress": "server",
    "UserAgent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0)",
    "ChronologyProtection": false,
    "ChronologyPositionIndex": 0,
    "ChronologyClientId": null
***Provider log:
my_wiki_9:Setting LDAP_OPT_PROTOCOL_VERSION to 3
my_wiki_9:Cannot set option to LDAP connection!
my_wiki_9:Setting LDAP_OPT_REFERRALS to 0
my_wiki_9: Setting LDAP_OPT_DEREF to 1
my_wiki_9: Cannot set option to LDAP connection!
***Ldap log
my_wiki_9: ldap_connect( $hostname = 'ldap://ldap.xxx.xxx:389', $port = 389 );
my_wiki_9: # __METHOD__ returns
my_wiki_9: ldap_set_option( $linkID, $option = 17, $newval = 3 );
my_wiki_9: # returns
my_wiki_9: ldap_set_option( $linkID, $option = 8, $newval = 0 );
my_wiki_9: # returns
my_wiki_9: ldap_set_option( $linkID, $option = 2, $newval = 1 );
my_wiki_9: # returns
R2spotuser (talk) 17:19, 12 August 2019 (UTC)
Okay, there seem to be two issues:
  1. $_SERVER['REMOTE_USER'] must be set to have SSO working (at least when you are using Apache mod_auth_kerb). This must be configured within the webserver, not within the wiki application.
  2. It looks like Extension:LDAPProvider can not connect to the LDAP server. Maybe your LDAP does not allow anonymous bind. You will probably need to set connection.user and connection.pass. Please have a look at Extension:LDAPProvider#Dynamic_PHP_array Osnard (talk) 06:33, 13 August 2019 (UTC)
Hello..
I have tried different configurations and can not get $_SERVER['REMOTE_USER'] to return DOMAIN\\USER-NAME. I started a new wiki and am using extension Auth-remoteuser and am able to get all domain users to log in using SSO. For this instance $_SERVER['AAA_REMOTE_USER'] is returning "username" (as in lastname+first initial). Is there a way to use this with the LDAP hub extensions? Where would I need to modify to use this?
wfLoadExtension( 'Auth_remoteuser' );
require_once "$IP/extensions/WikiEditor/WikiEditor.php";
# End of automatically generated settings.
# Add more configuration options below.
#############################################################################################################################
// If account creation by anonymous users is forbidden, then allow
// it to be created automatically (by the extension).
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgAuthRemoteuserAuthz = true;
//User's mail domain to append to the user name to make their email address */
$wgAuthRemoteuserDomain = "xxx.xxx";
$wgAuthRemoteuserMailDomain = "xxx.xxx.xxx";
$wgAuthRemoteuserName = $_SERVER["AAA_REMOTE_USER"];
wfLoadExtension( 'UserMerge' );
// By default nobody can use this function, enable for bureaucrat?
$wgGroupPermissions['Bureaucrat']['usermerge'] = true;
$wgGroupPermissions['Administrators']['usermerge'] = true;
$wgGroupPermissions['Administrator']['usermerge'] = true;
# Allow all users to be merged (by default, the 'sysop' group is unmergeable)
$wgUserMergeProtectedGroups = array();
// optional: default is array( 'sysop' )
$wgUserMergeProtectedGroups = array( 'ALL' );
## Added to use TeX 10/11/2018
$wgUseTeX = true; 
## Added to solve Thumbnail image issue 10/23/17
$wgMaxShellMemory = 524288;
$wgMaxShellFileSize = 307200;
# Enables use of WikiEditor by default but still allows users to disable it in preferences
$wgDefaultUserOptions['usebetatoolbar'] = 1;
# Enables link and table wizards by default but still allows users to disable them in preferences
$wgDefaultUserOptions['usebetatoolbar-cgd'] = 1;
# Displays the Preview and Changes tabs
$wgDefaultUserOptions['wikieditor-preview'] = 1;
# Displays the Publish and Cancel buttons on the top right side
$wgDefaultUserOptions['wikieditor-publish'] = 1;
###########################################################################3
## remove login and logout buttons for all users
function StripLogin(&$personal_urls, &$wgTitle) {  
         unset( $personal_urls["login"] );
         unset( $personal_urls["logout"] );
         unset( $personal_urls['anonlogin'] );
         return true;
}
$wgHooks['PersonalUrls'][] = 'StripLogin';
## If account creation by anonymous users is forbidden, then allow
## it to be created automatically (by the extension).
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgAuthRemoteuserAuthz = true;
###########################################################################
# PHP Error ###
#error_reporting( -1 );
#ini_set( 'display_errors', 1 );
#$wgShowExceptionDetails = true;
#$wgShowDBErrorBacktrace = true;
## SQL Error ###
#$wgDebugDumpSql = true;
## Debug log to file ###
#$wgLDAPDebug = 3;
#$wgDebugLogFile = 'd:\Apache24\htdocs\mw\logfile.txt';
#$wgDebugComments = true;
R2spotuser (talk) 03:01, 20 August 2019 (UTC)
Okay, assuming that $_SERVER['REMOTE_USER'] has the value 'someuser' instead of 'someuser@somedomain' or 'somedomain\\someuser', you can still use the LDAP Stack extensions. The only thing you need to do is to set something like
$wgAuthRemoteuserUserName = function() {
	$user = '';
	if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
		$user = strtolower( $_SERVER[ 'REMOTE_USER' ] ) . '@somedomain';
	}
	return $user;
};
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
As you can see, the value of $_SERVER['REMOTE_USER'] is manually suffixed with '@somedomain'. And $LDAPAuthorizationAutoAuthRemoteUserStringParser is set to 'username-at-domain'. This allows LDAP Stack extensions to extract the domain from the username and load the proper domain configuration. Make sure that you have configured the domain 'somedomain' properly.
Another important thing is, that the LDAP extensions need to be able to resolve the local wiki username into a proper LDAP User DN. This is required to fetch user info (like "e-mail", or group memberships). If the value of $_SERVER['REMOTE_USER'] is not a LDAP user's CN, you might need to set up connection.searchstring and connection.searchstring in the domain config, so the LDAP stack extensions can find the user entry in the LDAP. Osnard (talk) 08:06, 20 August 2019 (UTC)
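Osnard's reply above describes the mechanism: the value the web server hands over in $_SERVER['REMOTE_USER'] is suffixed with '@somedomain', and the 'username-at-domain' string parser then splits it into username and domain to pick the domain config. As an added example (not code from this thread or from the LDAP Stack extensions), here is one way to write that $wgAuthRemoteuserUserName callback so it maps all three shapes reported in this thread (a bare account name, "DOMAIN\user", and a full DN such as "cn=user,ou=...,dc=...") onto "user@somedomain", and returns '' for anything it cannot map, so Auth_remoteuser refuses the automatic login instead of passing an unparseable string on. The header key 'REMOTE_USER', the domain 'somedomain', the DN layout and the helper name normalizeRemoteUser are assumptions to adapt to the local environment.

```php
<?php
// Added example for LocalSettings.php (not from the thread or the extensions).
// Normalizes the web server's remote-user value into "user@domain", the shape that
// $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain' expects.
// The header key, the domain and the DN layout below are placeholders.

/**
 * Return "user@domain" for the shapes we understand, or '' if the input cannot be
 * mapped safely. Returning '' makes Auth_remoteuser block the automatic login.
 */
function normalizeRemoteUser( string $raw, string $domain ): string {
	$raw = trim( $raw );
	if ( $raw === '' ) {
		return '';
	}

	if ( stripos( $raw, 'cn=' ) === 0 ) {
		// Full DN such as "cn=SomeUser,ou=staff,dc=example,dc=org": keep the CN value only.
		// A CN containing an escaped comma ("cn=Smith\, John") fails the character
		// check below and is rejected rather than mangled.
		if ( !preg_match( '/^cn=([^,]+),/i', $raw, $m ) ) {
			return '';
		}
		$raw = $m[1];
	} elseif ( preg_match( '/^[a-z]+=/i', $raw ) ) {
		// Some other DN shape (uid=..., ou=...) we do not know how to map.
		return '';
	} elseif ( ( $pos = strrpos( $raw, '\\' ) ) !== false ) {
		// "somedomain\SomeUser": keep the part after the backslash.
		$raw = substr( $raw, $pos + 1 );
	} elseif ( ( $pos = strpos( $raw, '@' ) ) !== false ) {
		// "SomeUser@somedomain": strip the suffix, the configured domain is re-added below.
		$raw = substr( $raw, 0, $pos );
	}

	// Only accept characters that belong in an account name; anything else is rejected
	// so that odd header values never reach the LDAP lookup as a username.
	if ( !preg_match( '/^[a-z0-9._-]+$/i', $raw ) ) {
		return '';
	}

	return strtolower( $raw ) . '@' . $domain;
}

$wgAuthRemoteuserUserName = function () {
	$header = 'REMOTE_USER'; // placeholder: the key your web server actually sets
	if ( !isset( $_SERVER[$header] ) || !is_string( $_SERVER[$header] ) ) {
		return '';
	}
	return normalizeRemoteUser( $_SERVER[$header], 'somedomain' ); // placeholder domain
};

// The parser must match the shape produced above.
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';

// Constructed sample inputs for checking the mapping from a scratch script before
// putting the callback into LocalSettings.php (not needed in the live config):
$samples = [
	'SomeUser',
	'somedomain\\SomeUser',
	'SomeUser@somedomain',
	'cn=SomeUser,ou=staff,dc=example,dc=org',
	'ou=staff,dc=example,dc=org',
];
foreach ( $samples as $sample ) {
	echo str_pad( $sample, 42 ) . ' => ' . var_export( normalizeRemoteUser( $sample, 'somedomain' ), true ) . "\n";
}
```

Defining a helper function in LocalSettings.php works the same way as the StripLogin hook earlier in this thread. The domain suffix still has to match a configured domain in $LDAPProviderDomainConfigProvider, and the LDAP side still needs connection.searchattribute/searchstring set so that the bare account name can be resolved to the user's DN, as Osnard notes above.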
Greetings Osnard,
Still no luck. I have tried several on several test wikis and am unable to get LDAP working properly in 1.33.. using webgates, I am able to get user names in 2 formats from the header: username as in (lastname + firstinitial) or dn as in (cn? ou? dc?). I tried using the sample config file and modified it to match the environment with no luck. Using tools I have verified the account I am using is able to bind to AD and pull info..
when i test using the files in the maintenance folder i am able to pull user info as well as group info.
I tried..
$wgAuthRemoteuserUserName = function() {
$user = '';
if( isset( $_SERVER[ 'BBB_REMOTE_USER' ] ) ) {
$user = strtolower( $_SERVER[ 'BBB_REMOTE_USER' ] ) . '@xxx.xxx';
}
return $user;
};
###############################################################################################################################################
##### LDAPAuthorization #####
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = false;
###############################################################################################################################################################################
### PluggableAuth ###
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_EnableLocalLogin = false;
error_log( var_export( $_SERVER['REMOTE_USER'], true ) ); //Should be "xxx.xxx\\SomeUser"
$LDAPProviderDomainConfigProvider = function() {
$config = [
'xxx' => [
'connection' => [
"server" => "ldap.xxx.xxx",
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "ou=xxx,ou=accounts,dc=xxx,dc=xxx",
"user" => "cn=fdsa_xxxwiki,ou=service accounts,ou=administrators,dc=xxx,dc=xxx",
      "pass" => "xxxxxxxxxx",
      "groupbasedn" => "ou=groups,ou=xxx,ou=accounts,dc=xxx,dc=xxx",
"userbasedn" => "CN=xxxWiki,OU=Groups,OU=xxx,OU=Accounts,DC=xxx,DC=xxx",
"searchattribute" => "samaccountname",
"searchstring" => "xxx.xxx\\USER-NAME",
## "searchstring" => "USER-NAME@xxx.xxx"
"usernameattribute" => "samaccountname",
"realnameattribute" => "displayname",
"emailattribute" => "mail",
## "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory"
## "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
],
'authorization' => [
'rules' => [
'groups' => [
'required' => [
'CN=xxxWiki,OU=Groups,OU=xxx,OU=Accounts,DC=xxx,DC=xxx'
]
]
]
],
'groupsync' => [
                  ''
  ],
 
'userinfo' => [
''
],
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
logs:
2019-08-30 06:44:41 xxx my_wiki5: Could not check login requirements for username
2019-08-30 06:44:41 xxx my_wiki5: Unsupported format!
2019-08-30 06:45:28 xxx my_wiki5: Could not check login requirements for cn=username,ou=xxx,ou=accounts,cn=users,dc=xxx,dc=xxx
2019-08-30 06:45:28 xxx my_wiki5: Unsupported format!

R2spotuser (talk) 15:08, 6 September 2019 (UTC)
Okay. So it looks like $_SERVER['BBB_REMOTE_USER'] can either have the value username or cn=username,ou=xxx,ou=xxx,cn=users,dc=xxx,dc=xxx, right? Btw., the key BBB_REMOTE_USER looks very strange.
It looks like transforming the username using $wgAuthRemoteuserUserName does not work as expected (didn't test it for myself, though). Can you try using $_SERVER[ 'REMOTE_USER' ] = strtolower( $_SERVER[ 'REMOTE_USER' ] ) . '@xxx.xxx'; directly in your LocalSettings.php instead? Osnard (talk) 14:55, 20 April 2020 (UTC)
Correct. BBB_Remote_User returns the straight username and Remote_user returns the DN.
BBB_remote_user was created to return the straight user name for older versions of MediaWiki where Auth_remoteuser was used (on LDAP) and for other applications.
Removed the $wgAuthRemoteuserUserName.
Added (both with the $wgAuthRemoteuserUserName present and removed):
$_SERVER[ 'BBB_REMOTE_USER' ] = strtolower( $_SERVER[ 'BBB_REMOTE_USER' ] ) . '@xxx.xxx';
2020-04-21 01:37:19 server my_wiki: Could not check login requirements for username@xxx.xxx
2020-04-21 01:37:19 server my_wiki: Unsupported format!
[session] SessionManager using store SqlBagOStuff
[session] Can't login remote user 'username@xxx.xxx' automatically. Blocked this user when applying filter to ''.
[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::open [0.001s] localhost: SET group_concat_max_len = 262144, sql_mode = ''
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: request info {
    "IPAddress": "server",
    "UserAgent": "Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36 Edge\/18.17763",
    "ChronologyProtection": false,
    "ChronologyPositionIndex": 0,
    "ChronologyClientId": false
} R2spotuser (talk) 01:47, 21 April 2020 (UTC)
Are you sure that $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain'; is still set in your config?
Alternatively you could try $_SERVER[ 'BBB_REMOTE_USER' ] = 'xxx.xxx\\' . strtolower( $_SERVER[ 'BBB_REMOTE_USER' ] ); Osnard (talk) 15:59, 21 April 2020 (UTC)
With $_SERVER[ 'BBB_REMOTE_USER' ] = 'xxx.xxx\\' . strtolower( $_SERVER[ 'BBB_REMOTE_USER' ] );
[localisation] LocalisationCache: using store LCStoreDB
[session] SessionManager using store SqlBagOStuff
[session] Can't login remote user 'xxx.xxx\usernamer' automatically. Blocked this user when applying filter to ''.
[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::open [0.001s] localhost: SET group_concat_max_len = 262144, sql_mode = ''
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: request info {
    "IPAddress": "server",
    "UserAgent": "Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; Touch; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; Tablet PC 2.0; InfoPath.3; wbx 1.0.0)",
    "ChronologyProtection": false,
    "ChronologyPositionIndex": 0,
    "ChronologyClientId": false
Logs
2020-04-23 03:45:09 SERVER my_wiki: Could not check login requirements for xxx.xxx\username
2020-04-23 03:45:09 SERVER my_wiki: Unsupported format!
2020-04-23 03:45:09 SERVER my_wiki: Could not check login requirements for xxx.xxx\username
2020-04-23 03:45:09 SERVER my_wiki: Unsupported format!
Will this be more straightforward?
I spoke with the LDAP admins and they created wiki_remote_user, which returns user@domain.

R2spotuser (talk) 03:22, 23 April 2020 (UTC)
Using username-at-domain looks good. The error ldap_connect(): Could not create session handle: Local error in D:\Apache24\htdocs\mw\extensions\LDAPProvider\src\PlatformFunctionWrapper.php on line 244 indicates that you may have an issue with your PHP LDAP setup. This is not related to the extension code. PHP just can't connect to the LDAP server on the given hostname/port. Osnard (talk) 09:51, 23 April 2020 (UTC)
Hi Osnard, and thanks for your patience and support. I was able to get it working using $_SERVER[ 'BBB_REMOTE_USER' ] = 'xxx.xxx\\' . strtolower( $_SERVER[ 'BBB_REMOTE_USER' ] ); and $wgAuthRemoteuserUserNameReplaceFilter = [ '^xxx\\' => '' ]. Seems the issue was with the format user@domain vs domain/user.
Users who are part of the authorized group get accounts created when they visit the wiki and are added to a default group I created.
How do I tell if LDAPUserInfo is working? While in the wiki, I check preferences and the email is not populated. The extension also isn't generating any logs. Can you point me in the right direction? $wgDebugLogGroups['LDAPUserInfo'] = 'D:\wiki\LDAPuser.log';

R2spotuser (talk) 20:25, 29 April 2020 (UTC)
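The exchange above turns on the shape of the string the web server hands over (bare username, username@domain, domain\username, or a full DN) and on which of those the configured parser accepts. The following is an added example, not code from LDAPAuthorization or Auth_remoteuser: it models a parser that accepts only user@domain (the 'username-at-domain' setting mentioned above), shows that the other shapes produce the same "Unsupported format" outcome, and normalises any of the observed shapes into user@domain before a parser sees it. The helper names and the sample values are constructed for this example.

```python
"""Remote-user string formats from this thread, modelled in Python.

Added example, not code from LDAPAuthorization or Auth_remoteuser.
Helper names and sample values are constructed.
"""
import re
from typing import Callable, NamedTuple, Optional


class RemoteUser(NamedTuple):
    username: str
    domain: Optional[str]


class UnsupportedFormat(ValueError):
    """The string does not have the shape the selected parser accepts."""


_NAME = r"[^@\\,=]+"  # one component: no '@', '\', ',' or '='


def parse_username_at_domain(value: str) -> RemoteUser:
    """Accept only 'user@domain', the shape the 'username-at-domain'
    parser setting from the thread expects; anything else is rejected."""
    m = re.fullmatch(rf"({_NAME})@({_NAME})", value)
    if not m:
        raise UnsupportedFormat(value)
    return RemoteUser(m.group(1).lower(), m.group(2).lower())


def parse_domain_backslash_username(value: str) -> RemoteUser:
    """Accept only 'DOMAIN\\user' (hypothetical helper name)."""
    m = re.fullmatch(rf"({_NAME})\\({_NAME})", value)
    if not m:
        raise UnsupportedFormat(value)
    return RemoteUser(m.group(2).lower(), m.group(1).lower())


def parse_dn(value: str) -> RemoteUser:
    """Accept an LDAP DN such as 'cn=user,ou=x,dc=example,dc=com'
    (hypothetical helper): the first RDN gives the user name and the
    'dc=' components joined with '.' give the domain."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", value):   # split on unescaped commas
        if "=" not in rdn:
            raise UnsupportedFormat(value)
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    first_attr, first_val = pairs[0]
    if first_attr not in ("cn", "uid") or not first_val:
        raise UnsupportedFormat(value)
    dcs = [val for attr, val in pairs if attr == "dc"]
    if not dcs:
        raise UnsupportedFormat(value)
    return RemoteUser(first_val.lower(), ".".join(dcs).lower())


def accepted_by(parser: Callable[[str], RemoteUser], value: str) -> bool:
    """True if `parser` accepts `value`; handy for comparing parser modes."""
    try:
        parser(value)
        return True
    except UnsupportedFormat:
        return False


def normalise(value: str, default_domain: Optional[str] = None) -> str:
    """Turn any of the observed shapes into 'user@domain'.

    Only feed this a variable the web server's auth module set itself
    (REMOTE_USER and friends); a header copied from the client request
    would let the client pick the identity.
    """
    value = value.strip()
    if "=" in value:                       # DN (checked first: DNs may contain '\')
        user = parse_dn(value)
    elif "\\" in value:                    # DOMAIN\user
        user = parse_domain_backslash_username(value)
    elif "@" in value:                     # user@domain
        user = parse_username_at_domain(value)
    elif value and default_domain:         # bare user name, domain supplied by config
        user = RemoteUser(value.lower(), default_domain.lower())
    else:
        raise UnsupportedFormat(value)
    return f"{user.username}@{user.domain}"
```

Running `normalise` on the three values that appear in the logs above ("username", "xxx.xxx\username" and the cn=username,... DN) yields "username@xxx.xxx" for each, which is the only shape `parse_username_at_domain` accepts.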
Good to hear! First of all use LDAPProvider/maintenance/ShowUserInfo.php to check if the fields configured in "userinfo.attributes-map" of the domain config are available. Also make sure the LDAPUserInfo extension is enabled (Special:Version). Osnard (talk) 09:30, 30 April 2020 (UTC)
All groups are present and the extension is on. Will do some more digging on this.
Everything else was working well until last night.
I am being removed from groups (sysop etc.). I have tried adding using createAndPromote and even in phpMyAdmin. I can add, but when I visit and check the log:
2020-05-02 22:21:50 mediawiki my_wiki: Problem removing user 'username' from the group 'sysop'
2020-05-02 22:21:50 mediawiki my_wiki: Problem removing user 'username' from the group 'wikigroup'
I tried adding locally managed but no difference:
'groupsync' => [
    "mechanism" => "mappedgroups",
    "locally-managed" => ["bot", "user", "sysop", "bureaucrat", "interface-admin"],
    "mapping" => [
##      "sysop" => "cn=wiki,cn=groups,dc=xx,dc=xxx",
R2spotuser (talk) 22:28, 2 May 2020 (UTC)
groupsync.locally-managed is only evaluated if groupsync.mechanism=allgroups. And you can confirm that ShowUserGroups.php lists cn=wiki,cn=groups,dc=xx,dc=xxx for that user? Osnard (talk) 15:38, 6 May 2020 (UTC)
Understood. Removed locally managed. It is still removing my account from groups. R2spotuser (talk) 20:27, 8 May 2020 (UTC)
And ShowUserGroups.php lists cn=wiki,cn=groups,dc=xx,dc=xxx for that particular user? Osnard (talk) 15:45, 10 May 2020 (UTC)
Correct, it lists the groups. But when I add sysop or bureaucrat, the logs show they are removed.

R2spotuser (talk) 18:47, 13 May 2020 (UTC)
Even though they are listed in "groupsync.mapping"? Osnard (talk) 19:08, 13 May 2020 (UTC)
yup

R2spotuser (talk) 03:04, 20 May 2020 (UTC)
So the messages "Problem removing user 'username' from the group ..." are probably only emitted because the user does not have the groups [1]. Yet this shows that the "SyncMechanism" actually tries to remove them, based on its configuration and the data provided by LDAP. I have added a test case [2] with your information. The implementation does work. So I assume that either the configuration is wrong or the group list from LDAP does not actually contain the group.
[1] https://gerrit.wikimedia.org/g/mediawiki/extensions/LDAPGroups/+/ed594fff4d0d61cd87d3a00a3e09a2a55399e610/src/SyncMechanism/Base.php#108
[2] https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/LDAPGroups/+/597483/ Osnard (talk) 09:53, 20 May 2020 (UTC)
OK, thanks, will take another look at the configuration. I have confirmed the LDAP group list has the group. Another question (may be out of scope): I have been using Microsoft Edge the whole time, and while testing with some users on IE I noticed extensions aren't working. For instance, CommentStreams shows up when I open it with Microsoft Edge but does not show in IE.
Thanks

R2spotuser (talk) 20:16, 1 June 2020 (UTC)
I have set up the extensions and all is well. I am trying to give an LDAP group read-only access to the wiki. I created a group in the wiki called "readers", gave it read access in the LocalSettings file and am syncing the group with the LDAP DN:
"groupsync": {
"mapping":
{"readers": "ou=resders,dc=example,dc=com",
}
is there something I am missing? R2spotuser (talk) 19:12, 25 September 2020 (UTC)
Besides the "," at the end of the line, which is invalid JSON, this looks good. Make sure you have removed the "edit" permission from the "user" group. Osnard (talk) 06:14, 28 September 2020 (UTC)
Understood, sorry for the typo. Still not working; this is what I have. The authorization section works great: I can restrict access to an LDAP group. I just want to be able to give another LDAP group read access.
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['readers']['read'] = true;
'groupsync' => [
    "mapping" => [
        "readers" => "cn=resders,cn=Groups,dc=xxx,dc=xxx"
    ],
    "locally managed" => [
        "bot", "sysop", "interface-admin", "bureaucrat", "wikiusers"
    ]
]
R2spotuser (talk) 21:40, 28 September 2020 (UTC)
Can you confirm Extension:LDAPGroups is activated? Are users assigned to the "readers" group on login? If not, what do the LDAP-related logs say?
"readers" is always a "sub-group" of "user". If you want them to have read-permissions exclusively you might need to remove it from "user"
Be aware: the "locally-managed" (with dash) entry will only be used with "allgroups" mode, not with "mappedgroups". Osnard (talk) 06:58, 29 September 2020 (UTC)
Yes, I can confirm the extension is activated:
wfLoadExtension( 'LDAPGroups' );
No users are assigned to the users group, and there are no logs generated.
Does the group I want to have read access have to be added to the authentication area? I do not have the group added there:
'authorization' => [
    "rules" => [
        "groups" => [
            "required" => [
                "cn=wikiusers,cn=xxxs,dc=xxx,dc=xxx"
R2spotuser (talk) 17:44, 30 September 2020 (UTC)
`authorization` will make sure users can not log in if they do not meet the requirements ("rules"), e.g. if they do not belong to a certain LDAP group. This doesn't say anything about the `read` permission in general. You'd need to set `$wgGroupPermissions['*']['read'] = false;` to prevent not-logged-in users from seeing content.
`groupsync` is about transferring LDAP groups to local wiki groups. By this you do not need to manage any group assignments within the wiki itself. You just change the assignment in the LDAP and the local wiki groups will be added/removed accordingly by the extension.
Can you confirm that running the CLI script `LDAPProvider/maintenance/ShowUserGroups.php` shows the "cn=resders,cn=Groups,dc=xxx,dc=xxx" (Mind the typo in "readers"!) LDAP group for a given user? Osnard (talk) 06:53, 2 October 2020 (UTC)
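The distinction drawn above (authorization decides whether a login is allowed at all; groupsync decides which local wiki groups are added or removed) can be checked on paper before touching the wiki. Below is an added example, not LDAPGroups' own code, that computes the add/remove plan for one user from the same inputs the thread is working with: the DNs ShowUserGroups.php prints, the groupsync mapping, and the user's current wiki groups. It encodes two statements made in this thread: under mechanism "mappedgroups" only the wiki groups named in groupsync.mapping are touched, and groupsync.locally-managed is only honoured under "allgroups". How "allgroups" derives local group names (here: the cn of each LDAP group) is an assumption of this example, and all DNs and group names are constructed.

```python
"""Plan what one group-sync run would add to or remove from a user.

Added example, not LDAPGroups code. The 'allgroups' naming rule
(wiki group = cn of the LDAP group) is an assumption; DNs and group
names are constructed sample values.
"""
from typing import Dict, Iterable, Set, Tuple


def norm_dn(dn: str) -> str:
    """Compare DNs case-insensitively and ignore spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def short_name(dn: str) -> str:
    """'cn=resders,cn=Groups,dc=xxx,dc=xxx' -> 'resders'."""
    return dn.split(",", 1)[0].partition("=")[2].strip()


def plan_sync(
    mechanism: str,
    mapping: Dict[str, str],
    locally_managed: Iterable[str],
    ldap_groups: Iterable[str],
    current_wiki_groups: Iterable[str],
) -> Tuple[Set[str], Set[str]]:
    """Return (groups_to_add, groups_to_remove) for the user."""
    ldap_groups = list(ldap_groups)
    ldap = {norm_dn(dn) for dn in ldap_groups}
    current = set(current_wiki_groups)

    if mechanism == "mappedgroups":
        # Only wiki groups that appear in the mapping are managed at all;
        # locally-managed is not consulted in this mode.
        should_have = {wg for wg, dn in mapping.items() if norm_dn(dn) in ldap}
        managed = set(mapping)
        return should_have - current, (current & managed) - should_have

    if mechanism == "allgroups":
        # Every LDAP group becomes a wiki group named after its cn
        # (assumption); only locally-managed groups survive without an
        # LDAP counterpart.
        should_have = {short_name(dn) for dn in ldap_groups}
        protected = set(locally_managed)
        return should_have - current, current - should_have - protected

    raise ValueError(f"unknown groupsync mechanism: {mechanism!r}")


if __name__ == "__main__":
    # The situation from this thread, with constructed values.
    mapping = {"readers": "cn=resders,cn=Groups,dc=xxx,dc=xxx"}
    ldap = ["CN=resders,CN=Groups,DC=xxx,DC=xxx"]          # ShowUserGroups.php output
    current = ["bureaucrat", "csmoderator", "interface-admin"]
    print(plan_sync("mappedgroups", mapping, [], ldap, current))
```

For the thread's inputs the plan is "add readers, remove nothing": bureaucrat and the other unmapped groups are left alone under mappedgroups. Listing sysop in locally-managed changes nothing under mappedgroups, which is why the earlier attempt to protect it had no effect; under allgroups the same list does keep sysop.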
Understood.
Yes, the CLI script 'LDAPProvider/maintenance/ShowUserGroups.php' shows the user group as "cn=resders,cn=Groups,dc=xxx,dc=xxx". No logs are created in the associated group log.
$wgGroupPermissions['*']['read'] = false is also set in the LocalSettings file. No users outside of the LDAP group I set have any access to the wiki.
Was doing some reading on LDAPgroups and
I tried the CLI LDAPGroups/maintenance/SyncGroups.php --user USER
it shows the groups the user is in the wiki but there is an error
old groups:
*bureaucrat
*csmoderator
ERROR: could not find domain for USER!
Could this be related? R2spotuser (talk) 16:04, 2 October 2020 (UTC)
You can set a default domain ($LDAPProviderDefaultDomain = 'xxx';) in LocalSettings.php or provide the domain (as configured as root node in the domain config) in the --domain parameter of ShowUserGroups.php. Example:
php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain xxx --user USER Osnard (talk) 17:22, 2 October 2020 (UTC)
Setting $LDAPProviderDefaultDomain = 'xxx' worked for the error I was getting.
Groups however are still not syncing, and there are no logs generated. R2spotuser (talk) 00:54, 5 October 2020 (UTC)
So what exactly does ShowUserGrops.php list and how is the "groupsync" section currently set up? Osnard (talk) 14:43, 5 October 2020 (UTC)
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['createpage'] = false;
$wgGroupPermissions['readers']['read'] = true;
Groupsync from LocalSettings:
'groupsync' => [
"mechanism" => "mappedgroups",
"mapping" => [
"readers" => "cn=resders,cn=Groups,dc=xxx,dc=xxx" (resders is not a typo it is the actual group name)
ShowUserGrops.php
Full DNs: cn=resders,cn=Groups,dc=xxx,dc=xxx
Short names:
resders
LDAPGroups/maintenance/SyncGroups.php --user USER
Old groups:
*bureaucrat
*csmoderator
*interface-admin
New groups:
*bureaucrat
*csmoderator
*interface-admin
Log file: empty R2spotuser (talk) 20:07, 5 October 2020 (UTC)
Configuration looks good. Unfortunately without a debug log I can not tell more. Is there really nothing in the log, or just nothing related to the group sync? Try to place the log file in a directory that you are sure the webserver can write (e.g. "$IP/cache/LDAP.log"). Osnard (talk) 06:08, 7 October 2020 (UTC)

Users who belong to only one group get 'User not authorized'

I am using MW 1.33.1, PluggableAuth 5.7, LDAPProvider 1.0.1, LDAPAuthorization 1.0.0. OpenLDAP backend.


I enabled debug logging based on this page and can confirm that these users are authenticating successfully and belong to the correct group, but are not passing the authorization check.


Here are the relevant sanitized snippets from my ldapprovider.json file:


"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"


"authorization": {

           "rules": {

               "groups": {

                   "required": [

                       "cn=xxxx,ou=xxxx,dc=myorg,dc=tld"

                   ]

               }

           }

       }


I have created a group "xxxx". Users who belong to that group only are getting "User not authorized" upon logging in. Users who belong to that group in addition to one or more other groups are authorized and allowed to enter the site.


Obviously, I can work around this by creating an additional (dummy) group and adding these users into it. However, it was extremely difficult to pin down that this was the issue. I was curious if anyone else can reproduce this. Thanks! 69.85.215.112 (talk) 14:41, 8 January 2020 (UTC)

Please check the output of "LDAPProvider/maintenance/ShowUserGroups.php" Osnard (talk) 06:50, 9 January 2020 (UTC)
@Osnard, the output is what I expected for the users who are having issues. It displays the required group for authorization. 69.85.215.112 (talk) 13:42, 9 January 2020 (UTC)

Group in group not working

I use MW 1.34 with an active directory.

This is a snippet of my JSON file:

"authorization":{"rules":{"groups": {"required":["cn=mediawiki_users,ou=XXX,dc=XXX,dc=XXX"]}

When the user is present in the group mediawiki_users, the login will work.

But when I put the user in a group foo and add the group foo to the mediawiki_users group, then the login fails.

As grouprequest I use MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory


In the old LDAP module on MW 1.32, group in group will work when set:

$wgLDAPGroupsUseMemberOf = array( 'XXXXX' => true );


But how do this in MW 1.34 using the new LDAP framework?

Thanks for any help. Tuxwiki (talk) 11:41, 9 January 2020 (UTC)

This looks good. What does the script LDAPProvider/maintenance/ShowUserGroups.php show? Osnard (talk) 12:02, 9 January 2020 (UTC)
It will only show the primary groups.
But now I have found a dirty workaround. It looks like it will be Microsoft specific :(
To get all groups of a user I now use this setting:
"MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
"groupobjectclass":"group","groupattribute":"member:1.2.840.113556.1.4.1941:"
When using it, ShowUserGroups.php will list all groups of a user on Active Directory.
I think it would be a good idea to add a "Microsoft" provider or a query setting that will activate the "number stuff". Tuxwiki (talk) 12:28, 9 January 2020 (UTC)
I believe this should already be possible with MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory and "connection.nestedgroups" option. See
https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/master/src/UserGroupsRequest/GroupMember.php#L24-L27 Osnard (talk) 11:33, 10 January 2020 (UTC)
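The difference between the two group requests in this thread is direct versus nested membership: a plain member/memberOf lookup returns only the groups a user is listed in directly, while Active Directory's LDAP_MATCHING_RULE_IN_CHAIN (the OID 1.2.840.113556.1.4.1941 in the groupattribute above) makes the server expand group-in-group links before answering. The following added example, not LDAPProvider code, models that expansion over a small constructed in-memory directory so the effect on an authorization.rules.groups.required check can be seen without a directory server; the cycle-safe walk is this example's own, and it only illustrates what the server does with the matching rule.

```python
"""Direct vs. nested LDAP group membership and its effect on a
'required group' authorization rule.

Added example, not LDAPProvider code. DIRECTORY is a constructed
sample; the resolver models server-side nested-group expansion.
"""
from typing import Dict, Iterable, Set

# Constructed directory: group DN -> member DNs (users or other groups).
DIRECTORY: Dict[str, Set[str]] = {
    "cn=mediawiki_users,ou=groups,dc=example,dc=com": {
        "cn=alice,ou=people,dc=example,dc=com",
        "cn=foo,ou=groups,dc=example,dc=com",          # group in group
    },
    "cn=foo,ou=groups,dc=example,dc=com": {
        "cn=bob,ou=people,dc=example,dc=com",
        "cn=bar,ou=groups,dc=example,dc=com",
    },
    "cn=bar,ou=groups,dc=example,dc=com": {
        "cn=carol,ou=people,dc=example,dc=com",
        "cn=foo,ou=groups,dc=example,dc=com",          # cycle: foo <-> bar
    },
}


def _norm(dn: str) -> str:
    return dn.strip().lower()


def direct_groups(user_dn: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """What a plain member/memberOf lookup returns: direct groups only."""
    user = _norm(user_dn)
    return {
        _norm(group)
        for group, members in directory.items()
        if user in {_norm(m) for m in members}
    }


def nested_groups(user_dn: str, directory: Dict[str, Set[str]]) -> Set[str]:
    """What the server returns with the in-chain matching rule: the
    transitive closure over group-in-group links, safe against cycles."""
    found: Set[str] = set()
    frontier = [_norm(user_dn)]
    while frontier:
        dn = frontier.pop()
        for group in direct_groups(dn, directory):
            if group not in found:       # visited check terminates cycles
                found.add(group)
                frontier.append(group)
    return found


def is_authorized(
    user_dn: str,
    required: Iterable[str],
    directory: Dict[str, Set[str]],
    nested: bool,
) -> bool:
    """Mirror of a 'required groups' rule: every required DN must be
    among the user's groups, resolved directly or with nesting."""
    groups = nested_groups(user_dn, directory) if nested else direct_groups(user_dn, directory)
    return all(_norm(dn) in groups for dn in required)
```

With the sample directory, bob (a member of foo only) fails the mediawiki_users requirement under direct resolution and passes it under nested resolution, which is exactly the behaviour change reported above when switching to the in-chain groupattribute.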

Your example got me close, but I am not using Active Directory

"Here is a complete example LocalSettings.php configuration for Active Directory"

I am using FreeIPA


I get a query looking for an opjectClass of "ipaNTTrustedDomain" and that's where it stops.

This is used, I think, when you set up a FreeIPA <--> Active Directory trust, but I have no such setup.


I expect it is a simple parameter setting, but I cannot find it. Igor-the-insane (talk) 20:24, 5 March 2020 (UTC)

Can you please share a your current configuration? Any maybe the outputs of the debug log? Osnard (talk) 06:55, 9 March 2020 (UTC)
OK, but it is redacted a bit.
From LocalSettings.php:
// Create Wiki-Group 'wikiusers' from default user group
$wgGroupPermissions['wikiusers'] = $wgGroupPermissions['user'];
// Private Wiki. External LDAP login. Default NS requires login.
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
// Load LDAP Config from JSON
$ldapJsonFile = "/etc/httpd/ldap.json" ;
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
  $testJson = @json_decode(file_get_contents($ldapJsonFile),true);
  if (is_array($testJson)) {
    $ldapConfig = true;
  } else {
    error_log("Found invalid JSON in file: /etc/httpd/ldap.json");
  }
}
// Activate Extension
if ( $ldapConfig ) {
  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  wfLoadExtension( 'LDAPAuthorization' );
  wfLoadExtension( 'LDAPUserInfo' );
  wfLoadExtension( 'LDAPGroups' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Log In LDAP";
}
$wgShowExceptionDetails = true ;
And the JSON file:
{
    "DOMAIN.TLD": {
        "connection": {
            "server": "freeipa-server.DOMAIN.tld",
            "port": "636",
            "user": "uid=service-account,cn=sysaccounts,cn=etc,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
            "pass": "xxxxxxxxxxxxxxxxxxx",
            "enctype": "clear",
            "options": { "LDAP_OPT_DEREF": 1 },
            "basedn": "dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
            "userbasedn": "dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
            "groupbasedn": "dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
            "searchattribute": "uid",
            "usernameattribute": "uid",
            "realnameattribute": "displayName",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\configurable::factory",
            "groupobjectclass": "group",
            "groupattribute": "member",
        },
        "userinfo": {
            "attributes-map": {
                "email": "mail",
                "realname": "cn",
                "nickname": "uid",
                "language": "preferredlanguage"
            },
        "authorization": [],
        "groupsync": {
            "mapping": {
                "wikiusers": "cn=ipausers,cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
                "sysop": "cn=wiki_sysops,cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4"
            }
        }
    }   
}
Now, from the wiki debug log:
Start request POST /wiki/index.php/Special:UserLogin
HTTP HEADERS:
HOST: wiki-client.DOMAIN.tld
USER-AGENT: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
ACCEPT-LANGUAGE: en-US,en;q=0.5
ACCEPT-ENCODING: gzip, deflate, br
REFERER: https://wiki-client.DOMAIN.tld/wiki/index.php/Special:UserLogin
CONTENT-TYPE: application/x-www-form-urlencoded
CONTENT-LENGTH: 215
CONNECTION: keep-alive
COOKIE: wikibase_session=jp9hhpa23ihn60j3td64chvgefb823j5
UPGRADE-INSECURE-REQUESTS: 1
[localisation] LocalisationCache: using store LCStoreDB
[session] SessionManager using store SqlBagOStuff
[session] Session "jp9hhpa23ihn60j3td64chvgefb823j5" requested without UserID cookie
[DBQuery] Wikimedia\Rdbms\DatabaseMysqlBase::open [0s] localhost: SET group_concat_max_len = 262144, sql_mode = 
[DBReplication] Cannot use ChronologyProtector with EmptyBagOStuff
[DBReplication] Wikimedia\Rdbms\LBFactory::getChronologyProtector: request info {
    "IPAddress": "10.0.1.75",
    "UserAgent": "Mozilla\/5.0 (X11; Linux x86_64; rv:68.0) Gecko\/20100101 Firefox\/68.0",
    "ChronologyProtection": false,
    "ChronologyPositionIndex": 0,
    "ChronologyClientId": false
}
[session] SessionBackend "jp9hhpa23ihn60j3td64chvgefb823j5" data dirty due to dirty(): MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->getSecretKeys/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "jp9hhpa23ihn60j3td64chvgefb823j5" data dirty due to dirty(): MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->getSecretKeys/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "jp9hhpa23ihn60j3td64chvgefb823j5" data dirty due to dirty(): MediaWiki\Auth\ThrottlePreAuthenticationProvider->testForAuthentication/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty
I try to log in with LDAP credentials here:
[DBQuery] MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::beginPrimaryAuthentication [0s] localhost: SELECT  user_id,user_newpassword,user_newpass_time  FROM `user`    WHERE user_name = 'User@DOMAIN.tld'  LIMIT 1  
[DBQuery] MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::beginPrimaryAuthentication [0s] localhost: SELECT  user_id,user_password,user_password_expires  FROM `user`    WHERE user_name = 'User@DOMAIN.tld'  LIMIT 1  
[authentication] Login failed in primary authentication by MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider
[session] SessionBackend "jp9hhpa23ihn60j3td64chvgefb823j5" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->beginAuthentication/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "jp9hhpa23ihn60j3td64chvgefb823j5" save: dataDirty=1 metaDirty=0 forcePersist=0
[SQLBagOStuff] Connection mysql object #141 (handle id #147) will be used for SqlBagOStuff
And with local credentials here:
[DBQuery] MediaWiki\Auth\TemporaryPasswordPrimaryAuthenticationProvider::beginPrimaryAuthentication [0s] localhost: SELECT  user_id,user_newpassword,user_newpass_time  FROM `user`    WHERE user_name = 'User'  LIMIT 1  
[DBQuery] MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider::beginPrimaryAuthentication [0s] localhost: SELECT  user_id,user_password,user_password_expires  FROM `user`    WHERE user_name = 'User'  LIMIT 1  
[authentication] Login failed in primary authentication by MediaWiki\Auth\LocalPasswordPrimaryAuthenticationProvider
[session] SessionBackend "7ncd4hs55m6abc21e7b634ulukcgc87o" data dirty due to dirty(): AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->beginAuthentication/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/Media
Wiki\Session\SessionBackend->dirty
[session] SessionBackend "7ncd4hs55m6abc21e7b634ulukcgc87o" save: dataDirty=1 metaDirty=0 forcePersist=0
Both failed.
On the FreeIPA side:
[10/Mar/2020:11:52:01.002026843 +0000] conn=8496 fd=70 slot=70 connection from 10.0.1.48 to 10.0.1.9
[10/Mar/2020:11:52:01.002421144 +0000] conn=8496 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domaincontrollerfunctionality defaultnamingcontext lastusn highestcommittedusn aci"
[10/Mar/2020:11:52:01.003811607 +0000] conn=8496 op=0 RESULT err=0 tag=101 nentries=1 etime=0.0001702685
[10/Mar/2020:11:52:01.011899856 +0000] conn=5 op=50951 SRCH base="dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/wiki-client.DOMAIN.tld@DOMAIN.TLD)(krbPrincipalName:caseIgnoreIA5Match:=host/wiki-client.DOMAIN.tld@DOMAIN.TLD)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[10/Mar/2020:11:52:01.012425394 +0000] conn=5 op=50951 RESULT err=0 tag=101 nentries=1 etime=0.0000657159
[10/Mar/2020:11:52:01.012617231 +0000] conn=5 op=50952 SRCH base="cn=DOMAIN.TLD,cn=kerberos,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[10/Mar/2020:11:52:01.012703639 +0000] conn=5 op=50952 RESULT err=0 tag=101 nentries=1 etime=0.0000112687
[10/Mar/2020:11:52:01.012843127 +0000] conn=5 op=50953 SRCH base="dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/DOMAIN.TLD@DOMAIN.TLD)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.TLD@DOMAIN.TLD)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[10/Mar/2020:11:52:01.013086075 +0000] conn=5 op=50953 RESULT err=0 tag=101 nentries=1 etime=0.0000303463
[10/Mar/2020:11:52:01.013237790 +0000] conn=5 op=50954 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[10/Mar/2020:11:52:01.013316156 +0000] conn=5 op=50954 RESULT err=0 tag=101 nentries=1 etime=0.0000105459
[10/Mar/2020:11:52:01.014367028 +0000] conn=4 op=49621 SRCH base="dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=host/wiki-client.DOMAIN.tld@DOMAIN.TLD)(krbPrincipalName:caseIgnoreIA5Match:=host/wiki-client.DOMAIN.tld@DOMAIN.TLD)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[10/Mar/2020:11:52:01.014636556 +0000] conn=4 op=49621 RESULT err=0 tag=101 nentries=1 etime=0.0000385864
[10/Mar/2020:11:52:01.014820137 +0000] conn=4 op=49622 SRCH base="cn=DOMAIN.TLD,cn=kerberos,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=0 filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife krbMaxRenewableAge krbTicketFlags"
[10/Mar/2020:11:52:01.014890390 +0000] conn=4 op=49622 RESULT err=0 tag=101 nentries=1 etime=0.0000096924
[10/Mar/2020:11:52:01.015021951 +0000] conn=4 op=49623 SRCH base="dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/DOMAIN.TLD@DOMAIN.TLD)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/DOMAIN.TLD@DOMAIN.TLD)))" attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink objectClass"
[10/Mar/2020:11:52:01.015233348 +0000] conn=4 op=49623 RESULT err=0 tag=101 nentries=1 etime=0.0000267170
[10/Mar/2020:11:52:01.015392104 +0000] conn=4 op=49624 SRCH base="cn=Default Host Password Policy,cn=computers,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=0 filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval krbPwdLockoutDuration"
[10/Mar/2020:11:52:01.015476790 +0000] conn=4 op=49624 RESULT err=0 tag=101 nentries=1 etime=0.0000111982
[10/Mar/2020:11:52:01.015690906 +0000] conn=4 op=49625 SRCH base="cn=ad,cn=trusts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4" scope=2 filter="(objectClass=ipaNTTrustedDomain)" attrs=ALL
[10/Mar/2020:11:52:01.015780737 +0000] conn=4 op=49625 RESULT err=32 tag=101 nentries=0 etime=0.0000130672 <-----------------------------------------------------------------------------
It goes OK until it wants "(objectClass=ipaNTTrustedDomain)" and then it comes to a screeching halt. Igor-the-insane (talk) 12:19, 10 March 2020 (UTC)
Can you tell what err=32 is on FreeIPA? Osnard (talk) 08:57, 11 March 2020 (UTC)
error (32)/'No such object' Igor-the-insane (talk) 11:30, 16 March 2020 (UTC)
Makes sense to me, but I was keying off the "nentries=0" which means zero entries/records were returned Igor-the-insane (talk) 11:31, 16 March 2020 (UTC)
So running a search with (objectClass=ipaNTTrustedDomain) on the base DN cn=ad,cn=trusts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4 returns nothing. I have no idea where (objectClass=ipaNTTrustedDomain) should come from. This is nowhere implemented in the LDAP stack. What is the output and the log entries if you use LDAPProvider/maintenance/ShowUserInfo.php on the CLI? Osnard (talk) 15:01, 16 March 2020 (UTC)
[root wiki]# php extensions/LDAPProvider/maintenance/ShowUserInfo.php
Found invalid JSON in file: /etc/httpd/ldap.json
The following extensions are required to be installed for this script to run: LDAPProvider. Please enable them and then try again. Igor-the-insane (talk) 17:49, 19 March 2020 (UTC)
Do you see any glaring errors in the JSON file ? Igor-the-insane (talk) 17:50, 19 March 2020 (UTC)
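The "Found invalid JSON" message comes from the LocalSettings.php guard shown earlier, which discards the file without saying where json_decode gave up. The following is an added example, not part of LDAPProvider, that can be run against such a file before deploying it: it reports the parse error position, adds hints for the two mistakes that come up in this discussion (a trailing comma and an object that is never closed), and, once the file parses, flags settings this page shows to be ignored or risky (locally-managed under a mechanism other than allgroups, port 636 combined with enctype "clear", non-DN values where a DN is expected). The list of known groupsync keys and the port/enctype heuristic are assumptions of this example, and the sample text is constructed with a placeholder password.

```python
"""Pre-flight checks for an LDAPProvider domain-config JSON file.

Added example, not part of LDAPProvider. Known-key list and the
port/enctype heuristic are assumptions; SAMPLE_* texts are constructed.
"""
import json
from typing import Any, Dict, List, Optional, Tuple

Problem = Tuple[str, str]  # (code, human-readable message)

KNOWN_GROUPSYNC_KEYS = {"mechanism", "mapping", "locally-managed"}  # as seen in this thread


def scan_json_text(text: str) -> List[Problem]:
    """Structural scan that ignores string contents: reports a ',' right
    before '}' or ']' and unbalanced braces/brackets, with line numbers."""
    problems: List[Problem] = []
    depth = {"{": 0, "[": 0}
    in_str = esc = False
    last = ""          # last significant character outside a string
    line = 1
    for ch in text:
        if ch == "\n":
            line += 1
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
            continue
        if ch == '"':
            in_str = True
            last = ch
            continue
        if ch.isspace():
            continue
        if ch in "}]" and last == ",":
            problems.append(("trailing-comma", f"line {line}: ',' directly before '{ch}'"))
        if ch in "{[":
            depth[ch] += 1
        elif ch == "}":
            depth["{"] -= 1
        elif ch == "]":
            depth["["] -= 1
        last = ch
    if depth["{"] > 0:
        problems.append(("unbalanced-braces", f"{depth['{']} '{{' never closed"))
    elif depth["{"] < 0:
        problems.append(("unbalanced-braces", f"{-depth['{']} '}}' without a matching '{{'"))
    if depth["["] != 0:
        problems.append(("unbalanced-brackets", f"'[' and ']' counts differ by {depth['[']}"))
    return problems


def lint_config(cfg: Dict[str, Any]) -> List[Problem]:
    """Checks on a decoded config, one domain per top-level key."""
    problems: List[Problem] = []
    for domain, dc in cfg.items():
        if not isinstance(dc, dict):
            problems.append(("bad-domain", f"{domain}: value is not an object"))
            continue
        conn = dc.get("connection")
        if not isinstance(conn, dict):
            problems.append(("missing-connection", f"{domain}: no 'connection' object"))
        elif str(conn.get("port", "")) == "636" and conn.get("enctype", "clear") == "clear":
            # 636 is the LDAPS port; 'clear' means ldap:// on it, which does
            # not connect and would otherwise send the bind password in the clear.
            problems.append(("ldaps-port-without-tls", f"{domain}: port 636 with enctype 'clear'"))
        gs = dc.get("groupsync")
        if isinstance(gs, dict):
            for key in gs:
                if key not in KNOWN_GROUPSYNC_KEYS:
                    problems.append(("unknown-groupsync-key", f"{domain}: groupsync.{key!r}"))
            if "locally-managed" in gs and gs.get("mechanism") not in (None, "allgroups"):
                problems.append(("locally-managed-ignored",
                                 f"{domain}: locally-managed only applies with mechanism 'allgroups'"))
            for wiki_group, dn in (gs.get("mapping") or {}).items():
                if "=" not in str(dn):
                    problems.append(("not-a-dn", f"{domain}: groupsync.mapping[{wiki_group!r}] = {dn!r}"))
        auth = dc.get("authorization")
        rules = auth.get("rules") if isinstance(auth, dict) else None
        groups = rules.get("groups") if isinstance(rules, dict) else None
        if isinstance(groups, dict):
            for kind in ("required", "excluded"):
                for dn in groups.get(kind, []):
                    if "=" not in str(dn):
                        problems.append(("not-a-dn", f"{domain}: authorization.rules.groups.{kind} entry {dn!r}"))
    return problems


def check_config_text(text: str) -> Tuple[Optional[Dict[str, Any]], List[Problem]]:
    """Decode like json_decode would, with hints on failure, then lint."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return None, [("parse-error", f"line {e.lineno} col {e.colno}: {e.msg}")] + scan_json_text(text)
    if not isinstance(cfg, dict):
        return None, [("not-an-object", "top level must be an object keyed by domain")]
    return cfg, lint_config(cfg)


# Constructed sample with the two mistakes from this discussion: a trailing
# comma after "member" and a "userinfo" object that is never closed.
SAMPLE_BROKEN = r"""{
    "DOMAIN.TLD": {
        "connection": {
            "server": "freeipa-server.DOMAIN.tld",
            "port": "636",
            "user": "uid=service-account,cn=sysaccounts,cn=etc,dc=rdn1,dc=rdn2",
            "pass": "PLACEHOLDER",
            "enctype": "clear",
            "basedn": "dc=rdn1,dc=rdn2",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
            "groupobjectclass": "group",
            "groupattribute": "member",
        },
        "userinfo": {
            "attributes-map": { "email": "mail" },
        "groupsync": {
            "mechanism": "mappedgroups",
            "locally-managed": ["sysop"],
            "mapping": { "readers": "cn=resders,cn=Groups,dc=rdn1,dc=rdn2" }
        }
    }
}
"""

# The same text with both mistakes corrected.
SAMPLE_FIXED = SAMPLE_BROKEN.replace('"member",', '"member"').replace(
    '"attributes-map": { "email": "mail" },', '"attributes-map": { "email": "mail" } },')
```

Running `check_config_text(SAMPLE_BROKEN)` yields the parse error plus the trailing-comma and unclosed-brace hints; `check_config_text(SAMPLE_FIXED)` parses and leaves two findings, the ignored locally-managed list and the 636/clear mismatch.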
I found it. I was missing a final "}"
Now, the ShowUserInfo command complains about parameters missing, but when I try logging in, I get
Internal error
[XnOyrtr5HW50o54P1exg6AAAAAA] /wiki/index.php/Special:PluggableAuthLogin Error from line 244 of /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/PlatformFunctionWrapper.php: Call to undefined function ldap_connect()
Backtrace:
#0 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/PlatformFunctionWrapper.php(261): MediaWiki\Extension\LDAPProvider\PlatformFunctionWrapper->connect()
#1 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/Client.php(88): MediaWiki\Extension\LDAPProvider\PlatformFunctionWrapper::getConnection()
#2 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/Client.php(76): MediaWiki\Extension\LDAPProvider\Client->makeNewConnection()
#3 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/Client.php(313): MediaWiki\Extension\LDAPProvider\Client->init()
#4 /var/www/mediawiki-1.34.0/extensions/LDAPAuthentication2/src/PluggableAuth.php(76): MediaWiki\Extension\LDAPProvider\Client->canBindAs()
#5 /var/www/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#6 /var/www/mediawiki-1.34.0/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute()
#7 /var/www/mediawiki-1.34.0/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run()
#8 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath()
#9 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(900): MediaWiki->performRequest()
#10 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(527): MediaWiki->main()
#11 /var/www/mediawiki-1.34.0/index.php(44): MediaWiki->run()
#12 {main}
So where should ldap_connect be found ? Igor-the-insane (talk) 18:02, 19 March 2020 (UTC)
CLOSER AND CLOSER !!
Google is my friend that told me to
yum install php-ldap
Then I retried the ShowUserInfo command and the complaint was about a missing username/domain, so I added that and got this:
[c56a8262dd23ec857966d70d] [no req]   Error from line 71 of /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/UserInfoRequest.php: Class 'MediaWiki\Extension\LDAPProvider\MWException' not found
Backtrace:
#0 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/Client.php(228): MediaWiki\Extension\LDAPProvider\UserInfoRequest->getUserInfo()
#1 /var/www/mediawiki-1.34.0/includes/libs/objectcache/BagOStuff.php(133): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}()
#2 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/Client.php(229): BagOStuff->getWithSetCallback()
#3 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/maintenance/ShowUserInfo.php(49): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()
#4 /var/www/mediawiki-1.34.0/maintenance/doMaintenance.php(99): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()
#5 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/maintenance/ShowUserInfo.php(72): require_once(string)
#6 {main}
Igor-the-insane (talk) 18:25, 19 March 2020 (UTC)
Oh yes, one more thing:
In the wiki log, I saw this:
[LDAP] ldap_connect( $hostname = 'ldap://freeipa-server.DOMAIN.tld:636', $port = 389 );
So I tweaked the LDAP JSON File to
    "DOMAIN.TLD": {
        "connection": {
            "server": "freeipa-server.DOMAIN.tld",
            "port": "389",
Which parameter - other than "port" - tells it to use port 636 ? Igor-the-insane (talk) 18:28, 19 March 2020 (UTC)
I found this reference
https://www.mediawiki.org/w/index.php?title=Topic:Utpjqru8miq3ee2y&topic_showPostId=v7nzxw3hh5zq4bst#flow-post-v7nzxw3hh5zq4bst
that implies there is a newer version of the update, so I re-downloaded all of the LDAP Stack and installed the ones that were newer.
I AM ALMOST THERE !!
Now I am getting
[LDAPAuthentication2] Error fetching userinfo: Found more than one user for '(uid=myusername)'
I can see that I am getting back
uid=myusername,cn=users,cn=compat,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4
and
uid=myusername,cn=users,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4
Can I fix this by changing userbasedn ?
Adding "cn=accounts," in front ? Igor-the-insane (talk) 19:05, 19 March 2020 (UTC)
I tried it and got one step closer.
The complaint now is
[XnPHHVVDjxZZzBy2iTPzoQAAAAA] /wiki/index.php/Special:PluggableAuthLogin MWException from line 66 of /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/DomainConfigFactory.php: No section 'authorization' found in configuration for domain 'DOMAIN.TLD'!
Backtrace:
#0 /var/www/mediawiki-1.34.0/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(57): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory()
#1 /var/www/mediawiki-1.34.0/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(69): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->__construct()
#2 /var/www/mediawiki-1.34.0/includes/Hooks.php(174): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback()
#3 /var/www/mediawiki-1.34.0/includes/Hooks.php(202): Hooks::callHook()
#4 /var/www/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(47): Hooks::run()
#5 /var/www/mediawiki-1.34.0/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute()
#6 /var/www/mediawiki-1.34.0/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run()
#7 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath()
#8 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(900): MediaWiki->performRequest()
#9 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(527): MediaWiki->main()
#10 /var/www/mediawiki-1.34.0/index.php(44): MediaWiki->run()
#11 {main}
So I updated the ldap.json file, replacing
"authorization": []
with
"authorization": {
    "rules": {
        "groups": {
            "required": [
                "cn=ipausers,cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4"
            ]
        }
    }
}
But it still says No section 'authorization' found Igor-the-insane (talk) 19:32, 19 March 2020 (UTC)
Can you please share the whole JSON file the way it is now (strip sensitive data) Osnard (talk) 14:01, 20 March 2020 (UTC)
{
  "DOMAIN.TLD": {
    "connection": {
      "groupobjectclass": "group", 
      "groupbasedn": "dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4", 
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\configurable::factory", 
      "userbasedn": "cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4", 
      "basedn": "dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4", 
      "groupattribute": "member", 
      "port": "636", 
      "user": "uid=service-account,cn=sysaccounts,cn=etc,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4", 
      "emailattribute": "mail", 
      "pass": "xxxxxxxxxxxxxxxxxxx", 
      "usernameattribute": "uid", 
      "searchattribute": "uid", 
      "server": "freeipa-server.DOMAIN.tld", 
      "options": {
        "LDAP_OPT_DEREF": 1
      }, 
      "realnameattribute": "displayName", 
      "enctype": "clear"
    }, 
    "userinfo": {
      "attributes-map": {
        "nickname": "uid", 
        "email": "mail", 
        "language": "preferredlanguage", 
        "realname": "cn"
      }, 
      "groupsync": {
        "mapping": {
          "wikiusers": "cn=ipausers,cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4", 
          "sysop": "cn=wiki_sysops,cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4"
        }
      }, 
      "authorization": {
        "rules": {
          "groups": {
            "required": [
              "cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=nascom,dc=nasa,dc=gov"
            ]
          }
        }
      }
    }
  }
}
Igor-the-insane (talk) 20:04, 20 March 2020 (UTC)
Looks like you have bad nesting. The "authorization" key must be a child of "DOMAIN.TLD", not "userinfo". Try the following:
{
	"DOMAIN.TLD": {
		"connection": {
			"groupobjectclass": "group",
			"groupbasedn": "dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\configurable::factory",
			"userbasedn": "cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
			"basedn": "dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
			"groupattribute": "member",
			"port": "636",
			"user": "uid=service-account,cn=sysaccounts,cn=etc,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
			"emailattribute": "mail",
			"pass": "xxxxxxxxxxxxxxxxxxx",
			"usernameattribute": "uid",
			"searchattribute": "uid",
			"server": "freeipa-server.DOMAIN.tld",
			"options": {
				"LDAP_OPT_DEREF": 1
			},
			"realnameattribute": "displayName",
			"enctype": "clear"
		},
		"userinfo": {
			"attributes-map": {
				"nickname": "uid",
				"email": "mail",
				"language": "preferredlanguage",
				"realname": "cn"
			}
		},
		"groupsync": {
			"mapping": {
				"wikiusers": "cn=ipausers,cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
				"sysop": "cn=wiki_sysops,cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4"
			}
		},
		"authorization": {
			"rules": {
				"groups": {
					"required": [
						"cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=nascom,dc=nasa,dc=gov"
					]
				}
			}
		}
	}
}
Osnard (talk) 12:25, 23 March 2020 (UTC)
Thanks. I will try.
Such information needs to be CLEARLY documented in the Extension how-to Igor-the-insane (talk) 13:11, 23 March 2020 (UTC)
You are right. This is probably not stated clearly enough on the documentation pages, sorry. But there are some examples (1, 2, 3) that indicate such a nesting. Osnard (talk) 13:40, 23 March 2020 (UTC)
OK, I fixed that and then I fixed the groupbasedn to
"groupbasedn": "cn=groups,cn=accounts,dc=rdn1,dc=rdn2,dc=rdn3,dc=rdn4",
And then I get
Internal error
[XnjNknXi5@hmFNjxHMN-fAAAAAQ] /wiki/index.php/Special:PluggableAuthLogin Error from line 354 of /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/Client.php: Class 'MediaWiki\Extension\LDAPProvider\UserGroupsRequest\configurable' not found
Backtrace:
#0 /var/www/mediawiki-1.34.0/includes/libs/objectcache/BagOStuff.php(133): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}()
#1 /var/www/mediawiki-1.34.0/extensions/LDAPProvider/src/Client.php(361): BagOStuff->getWithSetCallback()
#2 /var/www/mediawiki-1.34.0/extensions/LDAPAuthorization/src/RequirementsChecker.php(69): MediaWiki\Extension\LDAPProvider\Client->getUserGroups()
#3 /var/www/mediawiki-1.34.0/extensions/LDAPAuthorization/src/RequirementsChecker.php(47): MediaWiki\Extension\LDAPAuthorization\RequirementsChecker->makeGroupRequirements()
#4 /var/www/mediawiki-1.34.0/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(82): MediaWiki\Extension\LDAPAuthorization\RequirementsChecker->allSatisfiedBy()
#5 /var/www/mediawiki-1.34.0/extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(70): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->process()
#6 /var/www/mediawiki-1.34.0/includes/Hooks.php(174): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback()
#7 /var/www/mediawiki-1.34.0/includes/Hooks.php(202): Hooks::callHook()
#8 /var/www/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(47): Hooks::run()
#9 /var/www/mediawiki-1.34.0/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute()
#10 /var/www/mediawiki-1.34.0/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run()
#11 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath()
#12 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(900): MediaWiki->performRequest()
#13 /var/www/mediawiki-1.34.0/includes/MediaWiki.php(527): MediaWiki->main()
#14 /var/www/mediawiki-1.34.0/index.php(44): MediaWiki->run()
#15 {main}
Igor-the-insane (talk) 17:00, 23 March 2020 (UTC)
Case sensitive? configurable vs Configurable
UFB
Stand by Igor-the-insane (talk) 13:04, 24 March 2020 (UTC)
Class names should not be case sensitive, no. Can you please check whether the folder extensions/LDAPProvider/src/UserGroupsRequest contains a file called Configurable.php. If not, you might need to download a newer version of the extension. Use branch REL1_31 ("1.31" in the ExtensionDistributor). Osnard (talk) 11:09, 25 March 2020 (UTC)
An upper case C made a difference, but I am stuck in a new spot.
I am getting either
Could not authenticate credentials against domain
or
User not authorized
depending on the value of "searchstring" in the JSON file.
The logs on the LDAP server side tell me nothing.
Any suggestions how to get more out of the mediawiki debugging for these LDAP related extensions ? Igor-the-insane (talk) 20:33, 26 March 2020 (UTC)
"User not authorized" sounds good. What does "LDAPProvider/maintenance/ShowUserGroups.php" return for that user? Osnard (talk) 12:48, 27 March 2020 (UTC)

Screwing up my ldap.json file with authorization section

Every time I add the authorization section to the ldap.json file, I get the following errors when I run the maintenance/update.php code.
Found invalid JSON in file: /var/www/html/wiki/ldap.json
PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /var/www/html/wiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php on line 53
[436fc5157dc2c6d4b9499735] [no req]   MWException from line 54 of /var/www/html/wiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php: Could not parse configuration file '/var/www/html/wiki/ldap.json'!
Backtrace:
#0 /var/www/html/wiki/extensions/LDAPProvider/src/DomainConfigProvider/LocalJSONFile.php(73): MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile->__construct(string)
#1 [internal function]: MediaWiki\Extension\LDAPProvider\DomainConfigProvider\LocalJSONFile::newInstance(MediaWiki\Extension\LDAPProvider\Config)
#2 /var/www/html/wiki/extensions/LDAPProvider/src/DomainConfigFactory.php(106): call_user_func_array(string, array)
#3 /var/www/html/wiki/extensions/LDAPAuthentication2/src/Setup.php(12): MediaWiki\Extension\LDAPProvider\DomainConfigFactory::getInstance()
#4 /var/www/html/wiki/includes/Setup.php(906): MediaWiki\Extension\LDAPAuthentication2\Setup::init()
#5 /var/www/html/wiki/maintenance/doMaintenance.php(83): require_once(string)
#6 /var/www/html/wiki/maintenance/update.php(277): require_once(string)
#7 {main}
This is my ldap.json code. I'm able to connect and authenticate without the authorization config set.
{
  "itorg.ad.buffalo.edu": {
     "connection": {
        "server": "itorg.ad.buffalo.edu",
        "port": "636",
        "user": "CN=#######,OU=Users,OU=UBSA,OU=StudentAssociation,OU=ITORGS,DC=itorg,DC=ad,DC=buffalo,DC=edu",
        "pass": "#######",
        "enctype": "ssl",
        "options": {
                "LDAP_OPT_DEREF": 1
        },
        "basedn": "DC=itorg,DC=ad,DC=buffalo,DC=edu",
        "userbasedn": "DC=itorg,DC=ad,DC=buffalo,DC=edu",
        "groupbasedn": "DC=itorg,DC=ad,DC=buffalo,DC=edu",
        "searchattribute": "samaccountname",
        "usernameattribute": "samaccountname",
        "realnameattribute": "cn",
        "emailattribute": "mail",
        "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
        "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
     },
     "userinfo": [],
     "authorization" =>[
        "rules" =>[
            "groups" =>[
                "required" => [ "CN=UBSA_Student_Staff,OU=Groups,OU=UBSA,OU=StudentAssociation,OU=ITORGS,DC=itorg,DC=ad,DC=buffalo,DC=edu" ]
            ]
        ]
     ],
     "groupsync": {
        "mapping": {
           "sysop": "CN=UBSA_Pro_Staff,DC=itorg,DC=ad,DC=buffalo,DC=edu"
        }
     }
   }
}

I'd REALLY appreciate any help out there... I have read through the other similar issues below, but I believe I have already implemented the suggestions that helped people out already. I've been knocking my head against the wall on this one for a couple weeks now. Rosenblitt (talk) 21:30, 28 May 2020 (UTC)
Rosenblitt (talk) 15:31, 29 May 2020 (UTC)
Looks like you mixed PHP and JSON syntax in the "authorization" part. Please try this:
{
	"itorg.ad.buffalo.edu": {
		"connection": {
			"server": "itorg.ad.buffalo.edu",
			"port": "636",
			"user": "CN=#######,OU=Users,OU=UBSA,OU=StudentAssociation,OU=ITORGS,DC=itorg,DC=ad,DC=buffalo,DC=edu",
			"pass": "#######",
			"enctype": "ssl",
			"options": {
				"LDAP_OPT_DEREF": 1
			},
			"basedn": "DC=itorg,DC=ad,DC=buffalo,DC=edu",
			"userbasedn": "DC=itorg,DC=ad,DC=buffalo,DC=edu",
			"groupbasedn": "DC=itorg,DC=ad,DC=buffalo,DC=edu",
			"searchattribute": "samaccountname",
			"usernameattribute": "samaccountname",
			"realnameattribute": "cn",
			"emailattribute": "mail",
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
			"presearchusernamemodifiers": ["spacestounderscores", "lowercase"]
		},
		"userinfo": [],
		"authorization": {
			"rules": {
				"groups": {
					"required": ["CN=UBSA_Student_Staff,OU=Groups,OU=UBSA,OU=StudentAssociation,OU=ITORGS,DC=itorg,DC=ad,DC=buffalo,DC=edu"]
				}
			}
		},
		"groupsync": {
			"mapping": {
				"sysop": "CN=UBSA_Pro_Staff,DC=itorg,DC=ad,DC=buffalo,DC=edu"
			}
		}
	}
}
Osnard (talk) 05:50, 29 May 2020 (UTC)
You nailed it! I didn't even notice. It's very rare for me to edit JSON files, so that's totally on me. @Osnard, thank you again for pointing me in the right direction on all of this. I didn't realize that you are who you are, sorry again for emailing you direct the other day! You also helped me out once 2 weeks ago when I first started this project. Your help has been invaluable with this! Rosenblitt (talk) 15:32, 29 May 2020 (UTC)
Glad to hear this! Thanks! Osnard (talk) 08:14, 2 June 2020 (UTC)
Hello, I get the same error message from the apache log file : [client 132.156.9.193:62252] AH01071: Got error 'PHP message: Found invalid JSON in file: /media/wiki_cits35/ldap.json', referer: http://132.156.9.74:8080/index.php?title=Sp%C3%A9cial:Connexion&returnto=Accueil
However, I don't think I have the same problem. Here is my ldap.json.
{
        "xxxx.xxx.xxx": {
                "connection": {
                        "server": "xxxxx.xxx.xx.xx",
                        "port": "389",
                        "user": "CN=mediawiki-sa,CN=Users,DC=lenfiber,DC=local",
                        "pass": "*******",
                        "enctype": "clear",
                        "options": {
                                "LDAP_OPT_DEREF": 1
                        },
                        "basedn": "dc=nrn,dc=nrcan,dc=gc,dc=ca",
                        "userbasedn": "dc=nrn,dc=nrcan,dc=gc,dc=ca",
                        "groupbasedn": "dc=nrn,dc=nrcan,dc=gc,dc=ca",
                        "searchattribute": "samaccountName",
                        "usernameattribute": "samaccountname",
                        "realnameattribute": "cn",
                        "emailattribute": "mail",
                        "grouprequest": "Mediawiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
                        "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
                },
                "userinfo": [],
                "authorization": []
                "groupsync": []
                }
        }
}
Thank you for any help Amaury Palao (talk) 20:52, 4 November 2020 (UTC)
The line "authorization": [] misses a comma. You can use tools like http://jsonlint.com/ to validate your JSON (*Be careful with sensitive data!*). Osnard (talk) 12:33, 9 November 2020 (UTC)
Thank you, I've implemented your solution, however the same error pops up. I have double-checked my ldap.json with the tool given. Amaury Palao (talk) 16:17, 9 November 2020 (UTC)
Well, that is strange. If you are using PHP-FPM, try restarting that service. Also make sure that the webserver user ("apache"?) has access permissions for this file. Osnard (talk) 11:14, 10 November 2020 (UTC)
I have rebuilt another wiki with the same configuration. While doing so, I noticed on the home page of MediaWiki a notice saying the following: Warning:MediaWiki is not compatible with PHP 7.4.0 to 7.4.2 due to an upstream bug. See task T246594 for more information.
So I believe the source of my problems was the version of PHP.
I tested this theory with my new wiki and it was proven true. Now my connection works.
Thank you for all your help. Amaury Palao (talk) 21:18, 12 November 2020 (UTC)
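The three configuration faults that surface in this thread and in the nesting discussion above (the "authorization" block nested under "userinfo" instead of directly under the domain, PHP array syntax pasted into the JSON file, and a missing comma after "authorization": []) are all caught before the wiki ever touches the directory by a small structural lint. The following is an added example written for this page, not code from the LDAPProvider or LDAPAuthorization extensions; the sample configs and their DNs are constructed placeholders, and the list of domain-level sections is taken from the corrected configs posted above.

```python
# Added example: structural lint for an LDAPProvider ldap.json file.
# Not the extension's own code; it checks the layout the corrected configs
# in this thread use and reports the failure modes discussed above.
import json
import re

# Sections that the corrected configs place directly under the domain key.
DOMAIN_LEVEL_SECTIONS = ("connection", "userinfo", "authorization", "groupsync")


def lint_ldap_json(text):
    """Return a list of findings (strings); an empty list means nothing was found."""
    findings = []
    try:
        config = json.loads(text)
    except json.JSONDecodeError as err:
        findings.append(f"invalid JSON at line {err.lineno}, column {err.colno}: {err.msg}")
        # PHP array syntax pasted into a JSON file is a recurring cause of parse errors.
        if re.search(r'"\s*=>', text):
            findings.append('found PHP "=>" syntax; JSON object members are written "key": value')
        return findings
    if not isinstance(config, dict) or not config:
        return ["top level must be an object keyed by domain name"]
    for domain, sections in config.items():
        if not isinstance(sections, dict):
            findings.append(f"{domain}: domain entry must be an object")
            continue
        if "connection" not in sections:
            findings.append(f"{domain}: missing 'connection' section")
        # A domain-level section that ended up inside another section (the
        # "authorization" under "userinfo" case from the thread above).
        for parent in DOMAIN_LEVEL_SECTIONS:
            child = sections.get(parent)
            if not isinstance(child, dict):
                continue
            for misplaced in DOMAIN_LEVEL_SECTIONS:
                if misplaced != parent and misplaced in child:
                    findings.append(
                        f"{domain}: '{misplaced}' is nested under '{parent}' "
                        "but must be a direct child of the domain"
                    )
        auth = sections.get("authorization")
        if isinstance(auth, dict):
            rules = auth.get("rules")
            if not isinstance(rules, dict):
                findings.append(f"{domain}: 'authorization' needs a 'rules' object")
            else:
                groups = rules.get("groups", {})
                for key in ("required", "excluded"):
                    if isinstance(groups, dict) and key in groups and not isinstance(groups[key], list):
                        findings.append(f"{domain}: 'rules.groups.{key}' must be a list of group DNs")
    return findings


# Constructed sample configs (placeholder host and DNs, not a real directory).
GOOD_CONFIG = """{
  "DOMAIN.TLD": {
    "connection": {"server": "ldap.example.org", "port": "636", "enctype": "ssl"},
    "userinfo": {"attributes-map": {"email": "mail"}},
    "groupsync": {"mapping": {"sysop": "cn=wiki_sysops,cn=groups,dc=example,dc=org"}},
    "authorization": {"rules": {"groups": {"required": ["cn=wikiusers,cn=groups,dc=example,dc=org"]}}}
  }
}"""

WRONG_NESTING_CONFIG = """{
  "DOMAIN.TLD": {
    "connection": {"server": "ldap.example.org", "port": "636", "enctype": "ssl"},
    "userinfo": {
      "attributes-map": {"email": "mail"},
      "authorization": {"rules": {"groups": {"required": ["cn=wikiusers,cn=groups,dc=example,dc=org"]}}}
    }
  }
}"""

PHP_SYNTAX_CONFIG = """{
  "DOMAIN.TLD": {
    "connection": {"server": "ldap.example.org", "port": "636", "enctype": "ssl"},
    "authorization" => [ "rules" => [ "groups" => [ "required" => [ "cn=wikiusers,cn=groups,dc=example,dc=org" ] ] ] ]
  }
}"""

MISSING_COMMA_CONFIG = """{
  "DOMAIN.TLD": {
    "connection": {"server": "ldap.example.org", "port": "389", "enctype": "clear"},
    "authorization": []
    "groupsync": []
  }
}"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("wrong nesting", WRONG_NESTING_CONFIG),
                       ("php syntax", PHP_SYNTAX_CONFIG), ("missing comma", MISSING_COMMA_CONFIG)):
        print(name, "->", lint_ldap_json(text) or ["ok"])
```

Running the lint against the real file (for example `lint_ldap_json(open("/etc/httpd/ldap.json").read())`) on the CLI avoids pasting a file that contains a bind password into an online validator, which is the caveat raised above about jsonlint.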

LDAP group names with umlaut aren't working

Every time I added the "authorization" section to my LDAPProvider.json I got an error. Syntax was always correct.

It took me nearly one day to discover that it was the group name with umlauts (special character) which forced the error. We have a group named "Domänen-Benutzer" (domain users) which I need as required group membership.


"authorization": {
    "rules": {
        "groups": {
            "required": [
                "cn=Domänen-Benutzer,ou=Beispielgruppen,ou=Gruppen,dc=xxx,dc=yyy,dc=zzz,dc=de"
            ]
        }
    }
},

Is there an easy solution? I tried using the HTML code for "ä" but it isn't working. Maybe the code of the extension needs a little tweak to read the name correctly.

Please let me know what solutions are available. At the moment I will try to get another group on our LDAP without special characters from my IT department. 80.152.132.238 (talk) 10:01, 8 September 2020 (UTC)

Have you tried the escaped version Dom\u00E4nenbenutzer? This is how JSON usually escapes special characters. Alternatively you could use PHP for configuration also. Osnard (talk) 12:09, 8 September 2020 (UTC)
Thanks for this idea, I tried it but it didn't work like that.
["cn=Dom\u00E4nen-Benutzer,...
I also have other groups available which I can use, but they are nested.
Example: There is a group "all employees" which consists of groups "employees Berlin" and "employees Munich". I'm a direct member of "employees Berlin" but not a direct member of "all employees".
To catch all employees in this case I would request for membership in "all employees" but authorization wouldn't work this way!
Do you understand what I mean? Is it possible to use "nested groups"? 80.152.132.238 (talk) 13:36, 8 September 2020 (UTC)
Nested groups can be used, but only when the LDAP backend is a Microsoft AD and "GroupMember" is chosen as "grouprequest". Documentation was missing, sorry. I added it: https://www.mediawiki.org/w/index.php?diff=4089787&oldid=4029642&title=Extension:LDAPProvider&type=revision&diffmode=source
Hint: Use LDAPProvider/maintenance/ShowUserGroups.php to see what the wiki "sees". This can be useful during the configuration. Osnard (talk) 14:06, 8 September 2020 (UTC)
Thank you Osnard! Now it's working fine with nested groups. In that way it's easy to have "alias groups" and I can ignore the umlaut-problem. Thanks for updating the documentation.
ShowUserGroups.php shows correct groups now. 80.152.132.238 (talk) 11:26, 9 September 2020 (UTC)

Connection with ldap doesn't work

Hello, I am trying to authenticate against a remote AD with LDAP. Whenever I try to connect I get: Could not authenticate credentials against domain "domain". I have checked with the ldapsearch command, and the account is right. This also proves that the account used to bind works.
This is my ldap.json
{
        "domain": {
                "connection": {
                        "server": "xxx.xxxx.xxx.xx",
                        "port": "389",
                        "user": "cn=Manager,dc=test",
                        "pass": "xxxxxxxxxxxxx",
                        "enctype": "clear",
                        "options": {
                                "LDAP_OPT_DEREF": 1
                        },
                        "basedn": "ou=People,dc=test,dc=ca",
                        "userbasedn": "ou=People,dc=test,dc=ca",
                        "groupbasedn": "ou=People,dc=test,dc=ca",
                        "searchstring":"uid=USER-NAME,dc=test,dc=ca",
                        "usernameattribute": "uid",
                        "realnameattribute": "cn",
                        "emailattribute": "mail"
                }
        }
} Amaury Palao (talk) 21:36, 16 November 2020 (UTC)
In my experience, getting it connected to AD was a bit of work, but it works. The new LDAP Stack is quite a bit different from the legacy LDAP connection setup. Emikulic (talk) 19:25, 21 December 2020 (UTC)
Have you specified "enctype:clear" in the "ldapsearch" test also? Having no enctype is unusual and not supported by some LDAP backends (e.g. Active Directory) anymore. Osnard (talk) 11:58, 17 November 2020 (UTC)
I have searched the internet, but I didn't find the correct syntax to specify the enctype.
This is the command I currently use
ldapsearch -x -H ldap://xxx.xxx.xxx.xxx -D user@xxx.xxx.xxx.xx -W -b "CN=random_user,dc=test,dc=ca" Amaury Palao (talk) 18:23, 17 November 2020 (UTC)
Sorry, no idea. From the docs [1] it looks like you have to use SSL (-X) and TLS (-Y) explicitly, so we can assume our test is actually without encryption.
Can you just try to set the "enctype" in the extensions' settings?
Maybe also have a look at this: https://stackoverflow.com/questions/43422469/php-adldap-error-unable-to-bind-to-server-stronger-authentication-required#43458820
[1] https://www.ibm.com/support/knowledgecenter/TI0002C/p8hcg/p8hcg_ldapsearch.htm Osnard (talk) 13:20, 18 November 2020 (UTC)
I don't understand when you say "Can you just try to set the "enctype" in the extensions' settings?".
I converted the encryption type from the old version of LDAP to the new. The old configuration works even without enctype.
$wgLDAPEncryptionType = array(
  "**.**.**"=>"false",
  );
I have also tried to use the ShowUserInfo.php to confirm the settings and I get this error :
MWException from line 208 of /mediawiki/mediawiki/extensions/LDAPProvider/src/Client.php: Error in LDAP search: Bad search filter
#0 /mediawiki/mediawiki/extensions/LDAPProvider/src/UserInfoRequest.php(61): MediaWiki\Extension\LDAPProvider\Client->search()
#1 /mediawiki/mediawiki/extensions/LDAPProvider/src/Client.php(241): MediaWiki\Extension\LDAPProvider\UserInfoRequest->getUserInfo()
#2 /mediawiki/mediawiki/includes/libs/objectcache/BagOStuff.php(149): MediaWiki\Extension\LDAPProvider\Client->MediaWiki\Extension\LDAPProvider\{closure}()
#3 /mediawiki/mediawiki/extensions/LDAPProvider/src/Client.php(242): BagOStuff->getWithSetCallback()
#4 /mediawiki/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(49): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()
#5 /mediawiki/mediawiki/maintenance/doMaintenance.php(107): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()
#6 /mediawiki/mediawiki/extensions/LDAPProvider/maintenance/ShowUserInfo.php(72): require_once('/mediawiki/medi...')
#7 {main}
I don't get what it means by Bad search filter and the internet doesn't seem to have the answer. Amaury Palao (talk) 21:48, 7 December 2020 (UTC)
In your ldap.json set "enctype": "tls", or "enctype": "ssl", where it now has "enctype": "clear",.
The error from ShowGroups.php indicates that there is another issue with your configuration. Please enable debugging and share the results here. Osnard (talk) 14:45, 10 December 2020 (UTC)
I already tried those changes without success. However I found this question Topic:V7i1eb6u4f779tpx. By implementing the solution, it works. I changed this file /var/www/wiki/extensions/LDAPProvider/src/UserGroupsRequest/GroupMember.php
$groups = $this->ldapClient->search(
	"(objectClass=*)",
	// "(&(objectclass=group)(member=$userDN))",
	$baseDN, [ $dn ]
);
as written in the answer.
With this modification I can execute ShowUserInfo.php and ShowUserGroup.php. However I fail doing CheckLogin.php. I think there is an issue with my configuration. Here is the log from the CheckLogin.php:
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: ldap_connect( $hostname = 'ldap://xxx.xxx.xxx.xxx:389', $port = 389 );
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: # __METHOD__ returns Resource id #780
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: # returns 1
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: Setting LDAP_OPT_REFERRALS to 0
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: # returns 1
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: Setting LDAP_OPT_DEREF to 1
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: # returns 1
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: ldap_bind( $linkID, $bindRDN = 'cn=Manager,dc=test,dc=com', $bindPassword = 'XXXX' );
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: # returns 1
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=USER,dc=test,dc=com'
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: ldap_bind( $linkID, $bindRDN = 'uid=USER,dc=test,dc=com', $bindPassword = 'XXXX' );
2020-12-10 15:22:57 s-she-doctest3 wiki-wiki: # returns
I have also slightly changed my ldap.json:
{
	"domain": {
		"connection": {
			"server": "xxx.xxxx.xxx.xx",
			"port": "389",
			"user": "cn=Manager,dc=test",
			"pass": "xxxxxxxxxxxxx",
			"enctype": "clear",
			"options": {
				"LDAP_OPT_DEREF": 1
			},
			"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
			"basedn": "ou=People,dc=test,dc=ca",
			"userbasedn": "ou=People,dc=test,dc=ca",
			"groupbasedn": "ou=People,dc=test,dc=ca",
			"searchattribute": "uid",
			"searchstring": "uid=USER-NAME,dc=test,dc=ca",
			"usernameattribute": "uid",
			"realnameattribute": "cn",
			"emailattribute": "mail"
		}
	}
} Amaury Palao (talk) 15:26, 10 December 2020 (UTC)
Can you confirm that "uid=USER,dc=test,dc=com" is a valid User-DN? Osnard (talk) 07:53, 18 February 2021 (UTC)

how to filter for attribute mail ?

Hi, I am trying to upgrade from mw 1.31 with the old extension 'LdapAuthentication' to new 'LDAPAuthentication2'

Authentication works fine now, but I need a small rule for a few people.

How can I define an authorization rule in the PHP settings for e.g.: (|(mail="a.com")(mail="b.com")(mail="c.com"))


Heiko 134.28.50.218 (talk) 14:14, 8 December 2020 (UTC)

You should be able to use something like
'authorization' => [
	'rules' => [
		'attributes' => [
			"|" => [
				"mail" => "a.com",
				"|" => [
					"mail" => "b.com",
					"|" => [
						"mail" => "c.com",
					]
				]
			]
		]
	]
],
Untested. Osnard (talk) 15:04, 10 December 2020 (UTC)

LDAP group authorization plus local login

I have an issue where enabling LDAP Authorization for a specific LDAP group disables the use of local wiki account logins. I get the message "User not authorized" as if I was using a bad password or user which is not in the group.

If I disable the LDAP Authorization extension then my local wiki login works again.

Is there a way to work around this? Would it help to create a custom wiki group?

We need local logins for visitors and temporary users which do not need an LDAP account.

I'm using MediaWiki 1.35 with PHP 7.3.22. Dancabcaltech (talk) 17:22, 9 February 2021 (UTC)

Please share your "authorization" config section. Also please check with "LDAPProvider/maintenance/ShowUserInfo.php" and "LDAPProvider/maintenance/ShowUserGroups.php" what the application "sees". Osnard (talk) 07:32, 18 February 2021 (UTC)
@Osnard here's the authorization section from my JSON file.
"authorization": {
    "rules": {
        "groups": {
            "required": ["cn=ausadmins,ou=Groups,ou=IMSS,o=Caltech,c=US"]
        }
    }
},
I can run the ShowUserGroups.php and ShowUserInfo.php scripts to query LDAP. They return the expected information.
If it helps we do have a wiki farm/family configuration. So I configure SERVER_NAME accordingly and give the --wiki option for running those scripts. Dancabcaltech (talk) 23:58, 22 February 2021 (UTC)
Yes, looks like others have the same issue. I have created a bug report: https://phabricator.wikimedia.org/T275496
Please feel free to add info to that task. Osnard (talk) 13:23, 23 February 2021 (UTC)

LDAP authorization via group or attributes

Hi,

I have Group authorization working:

"authorization": {
    "rules": {
        "groups": {
            "required": [
                "CN=sg,OU=..."
            ],
            "excluded": [
                "cn=evilgroup,OU=..."
            ]
        }
    }
}

but I need to add an attribute as well. I have to add "primarygroupid", since if the Primary Group is set as sg (in the above example) it does not appear in the group. So this would catch this:

"authorization": {
    "rules": {
        "attributes": {
            "primarygroupid": [ "3570", "1000" ]
        }
    }
}

But how do I combine them so it does GROUP or Attributes? I have tried a few versions but it throws errors (i.e. "|": etc.).


Any ideas? 193.61.29.100 (talk) 13:46, 17 February 2021 (UTC)

The extension checks all rules that are available. If only one fails, the whole authorization fails.
If there is only the "attributes" rule, you may use "|" and "&" operators. Here are some examples: https://github.com/wikimedia/mediawiki-extensions-LDAPAuthorization/blob/master/tests/phpunit/Requirement/MatchAttributesTest.php
We probably need to change the behavior of the extension here. Please file a task on Phabricator. Osnard (talk) 07:41, 18 February 2021 (UTC)
Thanks will do.
I had to check that I wasn't doing anything silly before reporting a feature enhancement. Awatkins1966 (talk) 12:04, 18 February 2021 (UTC)

CheckLogin works but showUserGroups throws error?

Windows Server 2012R2
MediaWiki 1.35.1
PHP 7.4.14 (cgi-fcgi)
MySQL 5.7.13-log
LDAPAuthentication2 1.0.2 (58e281c) 07:04, 7 January 2021
LDAPAuthorization 1.1.0 (e037664) 19:38, 9 July 2020
LDAPProvider 1.0.5 (ca854c1) 07:54, 14 December 2020
LDAPUserInfo 1.0.0 (39cca83) 19:58, 9 July 2020
PluggableAuth 5.7 (2a465ae) 15:07, 10 July 2020


LocalSettings.php:

wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPAuthorization' );

$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'server.ssv.ww.lcl' => [
			'connection' => [
				"server" => "server.ssv.ww.lcl",
				"port" => "389",
				"user" => "pre\\account",
				"pass" => 'password',
				"options" => [ "LDAP_OPT_DEREF" => 1 ],
				"basedn" => "CN=containerNameHere,DC=ssv,DC=ww,DC=lcl",
				"groupbasedn" => "CN=Groups,CN=containerNameHere,DC=ssv,DC=ww,DC=lcl",
				"userbasedn" => "CN=Users,CN=containerNameHere,DC=ssv,DC=ww,DC=lcl",
				"searchattribute" => "sAMAccountName",
				"searchstring" => "pre\\USER-NAME",
				"usernameattribute" => "sAMAccountName",
				"realnameattribute" => "cn",
				"emailattribute" => "mail",
				"nestedgroups" => true,
				"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupUniqueMember::factory"
				# ],
				# "groupsync" => [ # ],
				# "userinfo" => [ ]
			]
		]
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

$LDAPAuthentication2UsernameNormalizer = 'strtolower';


LDAPProvider\maintenance\CheckLogin.php says "OK" to my account but running ShowUserGroups with same -u and -d input gives "C:\MediaWiki\extensions\LDAPProvider\src\Client.php: Error in LDAP search: No such object" and ShowUserGroups says "PHP Warning:  ldap_count_entries() expects parameter 2 to be resource, bool given in C:\MediaWiki\extensions\LDAPProvider\src\PlatformFunctionWrapper.php on line 295" along with the same error in Client.php as above. The line of code in Client that throws the error is this one:

if ( !$res ) { throw new MWException( "Error in LDAP search: " . $this->connection->error() ); } which is in this function: public function search( $match, $basedn = null, $attrs = [ "*" ] )

Any ideas on how I should proceed to troubleshoot this? Mushu0mushu (talk) 00:13, 13 March 2021 (UTC)

If a "bool" is returned this indicates that no connection to the LDAP server could be established. Try a standalone script like https://www.php.net/manual/en/function.ldap-bind.php#refsect1-function.ldap-bind-examples to verify your connection settings. Osnard (talk) 13:28, 24 March 2021 (UTC)
I ran that example script and it works properly. The LocalSettings.php file has the correct username/password because the CheckLogin.php script returns "OK". The problem is that the ShowUserGroups.php script is returning a lot of errors, using the same config file. It still returns that "bool" error but the other scripts I run in the maintenance directory seem to work fine. I'm stuck and don't know how to move forward with troubleshooting this problem. Mushu0mushu (talk) 15:17, 23 April 2021 (UTC)
Have you tried using "samaccountname" instead of "sAMAccountName"? Also your "searchstring" looks odd. It should be a DN. Osnard (talk) 11:25, 26 April 2021 (UTC)
Got it to work finally!!!
In the settings:
groupbasedn and userbasedn strings can only contain DN items, no CN or OU items
searchattribute and usernameattribute strings both had to be samaccountname
grouprequest string needed a leading \\ and set to ...GroupMember::factory
searchstring needed leading domain prefix followed by \\USER-NAME
enctype had to be "clear"
I may have made minor code changes in several of the modules, been working on this for months off and on so not sure. Troubleshooting sucks when it is trial and error testing. In Client.php/getUserGroups() function I added our baseDN string instead of the default empty ' ' parameter. In UserInfoRequest.php/GetUserInfo() I had to comment out the "memberof" and leave attribute as just the wildcard. In GroupMember.php instead of an empty $baseDN I set it to $this->config->get( ClientConfig::GROUP_BASE_DN ). I think that about covers it. Mushu0mushu (talk) 18:53, 6 May 2021 (UTC)
Thanks for sharing! Maybe you could provide me with your code? I could check if I can add it to the extension. Osnard (talk) 14:03, 7 May 2021 (UTC)
Basically it was those changes above, not worth a full copy-n-paste since you can see they were very minor changes. This was a very steep learning curve trying to get Active Directory under IIS working. I still do not have the automatic login working with LDAPAuthentication2 yet but at least I can manually log in and nothing throws any errors in the logs. Mushu0mushu (talk) 17:19, 7 May 2021 (UTC)
Okay, thanks. For SSO you will need Extension:Auth_remoteuser. In IIS it should be straightforward to enable SSO. You should only need to switch from "Anonymous" to "NTLM/Kerberos" type in the "Authentication" section of your IIS website. Osnard (talk) 07:33, 11 May 2021 (UTC)
Thank you. I installed that but it still won't auto-login when I hit the wiki page. In another place I read that I need to disable the LDAPAuthentication2 extension, so I also tried to disable that, but same thing. Do you still need to click the Login link to log in automatically? When I do that I get a message: "The supplied credentials are not associated with any user on this wiki." but I have the createaccount setting set to true, as well as the autocreateaccount. Am I missing something else? Mushu0mushu (talk) 23:22, 12 May 2021 (UTC)
If you don't need form based authentication, you can disable Extension:LDAPAuthentication2 completely.
If Extension:Auth_remoteuser does not log you in automatically there can be three reasons:
  • $_SERVER['REMOTE_USER'] is not properly set by the webserver. Validate this by using a `phpinfo();` in a new file in the document root.
  • $_SERVER['REMOTE_USER'] contains characters that are not allowed as MediaWiki usernames.
  • Extension:LDAPAuthorization prevents the implicit login due to authorization issues. You may want to enable LDAP debugging to get more information. Osnard (talk) 14:14, 14 May 2021 (UTC)
Now I'm finally getting the wiki to use AD to authenticate existing users, but new users are not getting accounts created automatically. I have both of these set to true: $wgGroupPermissions['*']['autocreateaccount'] = true; and $wgGroupPermissions['*']['createaccount'] = true; but the new accounts never show up in the mySQL users table. Plus, people who are not in the database are getting website Error 500 and none of the log files are being written to, nor in the system Event log for IIS. Once more, I'm stuck again. Mushu0mushu (talk) 21:20, 21 May 2021 (UTC)
"Error 500" means there is an issue in the Wiki application. Are there also no outputs in the PHP error log? Osnard (talk) 11:02, 25 May 2021 (UTC)
The only PHP 7.4 error logged when someone goes to the MW webpage and their account is not in the MySQL user table is this:
[14-Jun-2021 21:40:26 UTC] PHP Deprecated:  Directive 'track_errors' is deprecated in Unknown on line 0
So I edited php.ini and set "track_errors" to "off" and we will see if that error goes away.
Also, here are all of the debug settings I have enabled in LocalSettings.php file:
$wgShowExceptionDetails = true;
$wgDebugLogFile = '\\temp\\wikidbg.log'; 
$wgDebugLogGroups['PluggableAuth'] = '\\temp\\PLUG.log';
$wgDebugLogGroups['LDAP'] = '\\temp\\LDAP.log';
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = '\\temp\\LDprov.log';
$wgDebugLogGroups['LDAPGroups'] = '\\temp\\LDgrp.log';
$wgDebugLogGroups['LDAPUserInfo'] = '\\temp\\LDui.log';
$wgDebugLogGroups['LDAPAuthorization'] = '\\temp\\LDAPauthor.log';
Not a single entry anywhere, not even in the Windows event log, when a non-existing user goes to the MW webpage. Yet it works for everyone who is in the user table just fine. I also have both account create variables set to true... any ideas? Mushu0mushu (talk) 21:52, 14 June 2021 (UTC)
Here is the webpage they see when they hit the page (note that active directory is enabled and they are on the network so it should log them in automagically like it does to those users who are already in the sql user table): https://ibb.co/dj9rHnZ Mushu0mushu (talk) 22:13, 14 June 2021 (UTC)
Please make sure the "\\temp" directory as well as the "php_error.log" file are writeable for the webserver user (probably "IUSR" or something). Windows can be tricky when it comes to FS permissions. Osnard (talk) 14:50, 15 June 2021 (UTC)
They are writeable since I generated other errors in another app that uses the same php version and it wrote those errors. Plus the other log files work if I generate thrown errors. So whatever the problem is, it is not causing a loggable error. Mushu0mushu (talk) 21:05, 16 June 2021 (UTC)
It's acting like it is unable to create new account, no matter what I have $wgGroupPermissions[] set to. Need more thoughts on how to troubleshoot this please, none of the log files are logging any errors for when users hit the page and get the Error 500, not even the IIS event log...?! And yes, my perms are set properly for all of the log files on the server since previous problems on this long trail of tears has shown other errors being logged from the other extensions. Mushu0mushu (talk) 17:25, 28 June 2021 (UTC)
Can you maybe share a screenshot of that error 500 (you can use some "pastebin" like tools on the web). If possible also a screenshot that shows the "Network" panel of the browsers developer tools. You may need to redact sensitive information (like server or user names, base urls, ...) Osnard (talk) 11:04, 29 June 2021 (UTC)
The error 500 screen is shown in the link above. Still trying to get someone who cannot log in to get me a screenshot of the browser dev tools network tab... Mushu0mushu (talk) 22:08, 20 July 2021 (UTC)
The screenshot does not show an error 500. It is a regular error message in the form based authentication process, shown when there is no local user account in the database. It is not emitted by the LDAP-Stack extensions, but rather by MediaWiki core software. Can you confirm you have the "autocreateaccount" permission assigned to the group of unauthenticated users ("*")? Osnard (talk) 06:05, 21 July 2021 (UTC)
Here is that part of LocalSettings.php in the /mediawiki directory:
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['write']['edit'] = true;
$wgGroupPermissions['developers']['edit'] = true;
$wgGroupPermissions['*']['createpage'] = false;
$wgGroupPermissions['write']['createpage'] = true;
$wgGroupPermissions['developers']['createpage'] = true;
$wgGroupPermissions['bureaucrat']['userrights'] = true;
Mushu0mushu (talk) 20:02, 2 August 2021 (UTC)
So the problem appears to be code in auth_remoteuser extension file UserNameSessionInfo.php and I had to comment out this code:
if ( !Hooks::run( static::HOOKNAME, [ &$filteredUserName ] ) ) {
	$metadata[ 'filteredUserName' ] = $filteredUserName;
	$this->logger->warning(
		"Can't login remote user '{remoteUserName}' automatically. " .
		"Blocked this user when applying filter to '{filteredUserName}'.",
		$metadata
	);
	continue;
}
Not sure what it even tries to do, but it would never work properly and nobody could get authenticated via active directory and automatically logged in. When I commented this section out, everything works as expected! I manually stripped the domain from the front of the username info and allowed it to get properly stuffed into the filtered name array. Would be great if somebody would tell me what this HOOKNAME stuff is trying to do... Mushu0mushu (talk) 19:16, 8 November 2021 (UTC)
This hook is used by the Extension:LDAPAuthorization extension to prevent auto login of users that do not match certain criteria (e.g. LDAP group membership). If you don't need that feature I recommend disabling LDAPAuthorization in general. Osnard (talk) 07:06, 9 November 2021 (UTC)

LDAP group authorization

I'm currently running into some issues trying to set up my ldapprovider.json config.

The MediaWiki works with pure LDAP - everyone can log in and it works. Now I want only a certain LDAP group to log in and I can't get my head around it...

My ldapprovider.json:

<code>
{
    "intern.goetel.de": {
        "connection": {
            "server": "our-dc-controller",
            "user": "ldap-user",
            "pass": "password",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "ou=container, dc=domain,dc=tld",
            "groupbasedn": "dc=domain,dc=tld",
            "userbasedn": "dc=domain,dc=tld",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": ["CN=groupname,OU=OUname,OU=OUname,DC=goetel,DC=de"]
                }
            }
        }
    }
}
</code>

I don't get any errors. Everyone can still log in, it doesn't matter if they're in that group or not...

Can someone help me with this? 93.229.78.177 (talk) 18:17, 9 February 2022 (UTC)

This looks just right. Can you confirm that php extensions/LDAPProvider/maintenance/ShowUserGroups.php ... does not list "CN=groupname,OU=OUname,OU=OUname,DC=goetel,DC=de". Can you confirm Extension:LDAPAuthorization to be properly enabled? Osnard (talk) 07:40, 10 February 2022 (UTC)
I tested it with 2 accounts - user1 should log in, user2 should not. "php ..." for user1 shows the group, for user2 it doesn't.
LDAPAuthorization isn't installed, we have LDAPAuthentication2 and LDAPProvider running. Do I just need to install LDAPAuthorization on the wiki? 93.229.78.177 (talk) 12:58, 10 February 2022 (UTC)
Yes. Please install and activate Extension:LDAPAuthorization. Osnard (talk) 14:09, 10 February 2022 (UTC)
Now it works flawlessly, didn't know I needed another extension...
Thank you for your help! 2A03:6880:1:309:6189:A5C1:16D7:4954 (talk) 12:41, 11 February 2022 (UTC)

Settings: grouprequest - name

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"

Regarding the part of the settings for "grouprequest" where it says MediaWiki, if I named my wiki something other than the default, like "mywikipage", would I change MediaWiki to mywikipage in this setting? Gregzme17 (talk) 14:40, 10 March 2022 (UTC)

No. This is just a PHP namespace. It does not depend on your local wiki's name ($wgSitename). Osnard (talk) 15:18, 10 March 2022 (UTC)
Appreciate the information Gregzme17 (talk) 15:42, 10 March 2022 (UTC)

ldap authorization blows up not sure whats wrong in setup

After fighting with LDAP Authentication - which works fine now - I wanted to restrict it to certain AD group(s).

But when I run with "wfLoadExtension( 'LDAPAuthorization' );" it passes the "auth" part, but the verification of the group check blows up.

MediaWiki 1.35.3
PHP 7.3.29
LDAPAuthentication2 1.0.3
LDAPAuthorization 1.1.0
LDAPProvider 1.0.5
PluggableAuth 5.7

I can't figure out what I am missing, if anything.

On screen I get:

Special:PluggableAuthLogin TypeError from line 47 of includes/config/HashConfig.php: Argument 1 passed to HashConfig::__construct() must be of the type array, null given, called in extensions/LDAPProvider/src/DomainConfigFactory.php on line 74

Backtrace:
#0 extensions/LDAPProvider/src/DomainConfigFactory.php(74): HashConfig->__construct(NULL)
#1 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(65): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory(string, string)
#2 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(77): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->__construct(User, boolean)
#3 includes/HookContainer/HookContainer.php(329): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback(User, boolean)
#4 includes/HookContainer/HookContainer.php(132): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)
....

In the Debug Logging, I get:

2022-05-27 18:07:54 {server name} {wiki name}: Domain set to 'abc.def.org'.
[error] [YpETerowjGVT6h9w1gQ@LwAAAAo] Special:PluggableAuthLogin   ErrorException from line 74 of extensions/LDAPProvider/src/DomainConfigFactory.php:
PHP Notice: Undefined index: authorization
#0 extensions/LDAPProvider/src/DomainConfigFactory.php(74): MWExceptionHandler::handleError(integer, string, string, integer, array)
#1 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(65): MediaWiki\Extension\LDAPProvider\DomainConfigFactory->factory(string, string)
#2 extensions/LDAPAuthorization/src/Hook/PluggableAuthUserAuthorization.php(77): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization->__construct(User, boolean)
#3 includes/HookContainer/HookContainer.php(329): MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization::callback(User, boolean)
#4 includes/HookContainer/HookContainer.php(132): MediaWiki\HookContainer\HookContainer->callLegacyHook(string, array, array, array)
#5 includes/Hooks.php(137): MediaWiki\HookContainer\HookContainer->run(string, array, array)
#6 extensions/PluggableAuth/includes/PluggableAuthLogin.php(53): Hooks::run(string, array)
#7 includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)
#8 includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)
#9 includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#10 includes/MediaWiki.php(940): MediaWiki->performRequest()

So the issue seems to be "Undefined index: authorization" (which is present in my "ldap.json" file, below):

{
    "abd.def.org": {
        "connection": {
            "server": "dc.abc.def.org",
            "port": "389",
            "user": "CN=Service,OU=groups,DC=abc,DC=def,DC=org",
            "pass": "",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "DC=abc,DC=def,DC=org",
            "userbasedn": "DC=abc,DC=def,DC=org",
            "groupbasedn": "DC=abc,DC=def,DC=org",
            "searchattribute": "samAccountName",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "authorization": {
                "rules": {
                    "groups": {
                        "required": ["CN=support,DC=abc,DC=def,DC=org"]
                    }
                }
            }
        }
    }
}

So -- I have no idea what's wrong, haven't been able to figure it out! Argh! Richr410 (talk) 18:47, 27 May 2022 (UTC)

The "authorization" node must not be nested within, but a sibling of "connection" Osnard (talk) 08:39, 30 May 2022 (UTC)
oh!!
that was it!!
thanks might!! Richr410 (talk) 13:48, 31 May 2022 (UTC)

rules.group.required checks for IP Address instead of username for non-existing users

When trying to log in with an LDAP user who never logged in before, the check for required groups always fails.

I checked the logs and saw that the plugin actually sent the IP address instead of the username to check.

I appended the log with three login attempts:

  • The first one fails for a user who already logged in before but is not in the required group
  • The second one shows the described behavior. I try to log in with "auth.test2", but the plugin checks for groups of "172.22.0.1", which is the IP address of the mediawiki container
  • The third attempt shows a successful login of another user, who already existed and who also is in the required group

Domain set to 'LDAP'.
MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user 'Auth.test'.
Requirement 'groups.required' not satisfied.
Requirements could not be satisfied.
Domain set to 'LDAP'.
MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user '172.22.0.1'.
Requirement 'groups.required' not satisfied.
Requirements could not be satisfied.
Domain set to 'LDAP'.
MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user 'valid.user'.
Requirement 'groups.required' satisfied.
All requirements satisfied.
2001:4DD0:D512:1:0:0:0:551 (talk) 13:13, 12 July 2022 (UTC)

Can you please share information about the environment? MediaWiki versions? Do you have a specific setting of $wgGroupPermissions in your LocalSettings.php file? Maybe regarding the autocreateaccount permission? Osnard (talk) 08:10, 13 July 2022 (UTC)
I use MediaWiki 1.38.2 inside a Docker container and these versions of the LDAP plugins (I accidentally cut them out in the original post..):
LDAPAuthentication2    1.0.3 (c6a342f)
LDAPAuthorization    1.1.0 (e6815d2)
LDAPGroups    1.0.3 (e579978)
LDAPProvider    1.0.5 (8e1a6ff)
LDAPUserInfo    1.0.0 (b95faa0)
PluggableAuth    5.7
The $wgGroupPermissions are
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;
I tried to follow that example for the settings: Manual:Active Directory Integration 2001:4DD0:D512:1:0:0:0:551 (talk) 14:23, 13 July 2022 (UTC)
Hello, I was having the same issue on my side and I fixed that by modifying the PluggableAuthUserAuthorization.php, function process(), since it previously relied on getName() which turned out to return the IP address of the origin of the HTTP request for non-existing users.
Lines modified are marked with the comment "MODIFIED THIS" in the code here below, and were replaced by lines immediately following:
/**
     *
     * @return bool
     */
    public function process() {
        //MODIFIED THIS: $this->logger->debug( __CLASS__ . ": Check authorization for user '{$this->user->getName()}'." );
        $this->logger->debug( __CLASS__ . ": Check authorization for user '{$this->user->mName}'." );
        if ( $this->isLocalUser() ) {
            $this->logger->debug( 'Skipping local user.' );
            return true;
        }
        $requirementsChecker = new RequirementsChecker( $this->ldapClient, $this->domainConfig );
        $requirementsChecker->setLogger( $this->logger );
        ////MODIFIED THIS: if ( !$requirementsChecker->allSatisfiedBy( $this->user->getName() ) ) {
        if ( !$requirementsChecker->allSatisfiedBy( $this->user->mName ) ) {
            $this->logger->debug( 'Requirements could not be satisfied.' );
            $this->authorized = false;
            return false;
        }
        $this->logger->debug( 'All requirements satisfied.' );
        return true;
    }
All originated from PluggableAuthLogin.php, function execute() where for non-existing users the following code is executed:
if ( $id === null ) {
    $user->loadDefaults( $username );
    $user->mName = $username;
    $user->mRealName = $realname;
    $user->mEmail = $email;
    $user->mEmailAuthenticated = wfTimestamp();
    $user->mTouched = wfTimestamp();
    wfDebugLog( 'PluggableAuth', 'Authenticated new user: ' . $username );
    // PluggableAuthPopulateGroups is called from LocalUserCreated hook
}
thus not initializing user member mLoadedItems, which in turns is requested by getName() through isItemLoaded function, otherwise the request origin IP address is returned:
/**
     * Get the user name, or the IP of an anonymous user
     * @return string User's name or IP address
     */
    public function getName(): string {
        if ( $this->isItemLoaded( 'name', 'only' ) ) {
            // Special case optimisation
            return $this->mName;
        }
        $this->load();
        if ( $this->mName === false ) {
            // Clean up IPs
            $this->mName = IPUtils::sanitizeIP( $this->getRequest()->getIP() );
        }
        return $this->mName;
    }
Replacing getName in PluggableAuthUserAuthorization.php with direct access to mName member (which is initialized by PluggableAuthLogin.php) made the magic.
Probably there are more elegant solutions for fixing that, and the problem maybe should be reported to the PluggableAuth developers (how can I do that? anyone knows? I am new to mediawiki...) but anyway that fixed the problem for me and maybe can be useful for some others too. Morix Dev (talk) 09:11, 29 September 2022 (UTC)
You made my day - Thanks a lot !!! 141.58.7.209 (talk) 11:04, 25 April 2023 (UTC)
I have the same problem that users that are not stored in the database are not authorized. This is what the log file for LDAPAuthorization gives me after I apply @Morix Dev's changes to PluggableAuthUserAuthorization.php :
2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Domain set to 'wiki_d35'.
2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user ')'.
2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Requirement 'groups.required' not satisfied.
2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Requirements could not be satisfied.
I have Mediawiki 1.39.3 with php 8.1.2 and MariaDB 10.6.12.
My configuration in LocalSettings.php:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPAuthorization' );
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Anmelden";
$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
$LDAPAuthentication2UsernameNormalizer = 'ucfirst';
$LDAPAuthentication2AllowLocalLogin = false;
$wgAuthRemoteuserAllowUserSwitch = false;
$wgPluggableAuth_Config['Log In'] = [
   'plugin' => 'LDAPAuthentication2',
   'data' => [
       'domain' => 'wiki_d35'
   ]
];
$wgDebugLogGroups['PluggableAuth'] = [
       'destination' => "$IP/cache/PluggableAuth.log"
];
$wgDebugLogGroups['LDAPProvider'] = [
       'destination' => "$IP/cache/LDAPProvider.log"
];
$wgDebugLogGroups['LDAPAuthentication2'] = [
       'destination' => "$IP/cache/LDAPAuth.log"
];
$wgDebugLogGroups['LDAPAuthorization'] = [
       'destination' => "$IP/cache/LDAPAuthorization.log"
];
$LDAPProviderDomainConfigProvider = function() {
   $config = [
       "LDAP" => [
           "connection" => [
               "server" => "***",
               "options" => [ "LDAP_OPT_DEREF" => 1, "LDAP_OPT_PROTOCOL_VERSION" => 3 ],
               "port" => 389,
               "enctype" => "tls",
               "basedn" => "o=***,c=***",
               "userbasedn" => "o=***,c=***",
               "groupbasedn" => "ou=group,ou=***,o=***,c=***",
               "searchattribute" => 'uid',
               "usernameattribute" => 'uid',
               "realnameattribute" => "cn",
               "emailattribute" => "mail",
               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
           "authorization" => [
               "rules" => [
                   "groups" => [
                       "required" => [
                           "cn=***,ou=***,ou=***,o=***,c=***"
                       ]
                   ]
               ]
           ],
           "authentication" => [
               "usernameattribute" => "uid",
               "realnameattribute" => "cn",
               "emailattribute" => "mail"
           ],
           'userinfo' => [
               'attributes-map' => [
                   'email' => 'mail',
                   'realname' => 'cn'
               ]
           ]
       ]
   ];
   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
}; Ablum010777 (talk) 11:18, 5 May 2023 (UTC)
I added the line
               $this->user->setName( $this->ldapClient->getUsername() );
at the beginning of the function process() in the file
extensions/LDAPAuthorization/src/hook/PluggableAuthUserAuthorization.php Ablum010777 (talk) 06:36, 22 May 2023 (UTC)
Maybe this is related to T334950 (fix at https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PluggableAuth/+/909674) and will be fixed in an upcoming release of Extension:PluggableAuth. Osnard (talk) 15:50, 23 May 2023 (UTC)
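Three mistakes recur in the threads above: an "authorization" node nested under "connection" instead of beside it, group DNs that differ from the directory entry only in case or spacing, and a requirement check that is handed the request IP instead of a username. The Python below is an added illustration, not code from LDAPProvider, LDAPAuthorization or PluggableAuth: it lints a parsed ldapprovider.json mapping for the first problem and evaluates groups.required/groups.excluded with DN normalisation and an IP guard. The rule semantics (every required DN present, no excluded DN present) and the sample config are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple


def normalize_dn(dn: str) -> str:
    # Lower-case and strip blanks around RDN separators so that "CN=sg, OU=x"
    # and "cn=sg,ou=x" compare equal (a simplification of RFC 4514 matching).
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under(dn: str, base: str) -> bool:
    # True when dn lies strictly inside the subtree rooted at base.
    return normalize_dn(dn).endswith("," + normalize_dn(base))


def lint_domain_config(config: Dict) -> List[str]:
    # Structural checks over a parsed ldapprovider.json mapping.
    findings = []
    for domain, section in config.items():
        conn = section.get("connection")
        if not isinstance(conn, dict):
            findings.append(f"{domain}: missing 'connection' object")
            continue
        if "authorization" in conn:
            findings.append(f"{domain}: 'authorization' is nested inside "
                            "'connection'; it must be a sibling of it")
        authz = section.get("authorization")
        if not authz:  # absent or [] as in the sample file: no rules at all
            continue
        if not isinstance(authz, dict):
            findings.append(f"{domain}: 'authorization' must be an object")
            continue
        groups = (authz.get("rules") or {}).get("groups") or {}
        groupbase = conn.get("groupbasedn")
        for key in ("required", "excluded"):
            for dn in groups.get(key, []):
                if groupbase and not dn_under(dn, groupbase):
                    findings.append(f"{domain}: {key} group {dn!r} lies "
                                    f"outside groupbasedn {groupbase!r}")
    return findings


def check_group_rules(rules: Dict, username: str,
                      member_of: List[str]) -> Tuple[bool, List[str]]:
    # Assumed semantics: every 'required' DN must be present and no 'excluded'
    # DN may be present; any unsatisfied rule denies the login.
    log = []
    try:
        ipaddress.ip_address(username)
    except ValueError:
        pass
    else:
        # Guard for the unloaded-User case discussed above, where getName()
        # yields the request IP: that can never match a group, so say why.
        log.append(f"refusing check: '{username}' is an IP address, not a user")
        return False, log
    have = {normalize_dn(g) for g in member_of}
    groups = rules.get("groups", {})
    missing = [g for g in groups.get("required", []) if normalize_dn(g) not in have]
    banned = [g for g in groups.get("excluded", []) if normalize_dn(g) in have]
    if missing:
        log.append(f"groups.required not satisfied: missing {missing}")
    if banned:
        log.append(f"groups.excluded not satisfied: member of {banned}")
    return not (missing or banned), log


# Constructed sample: "broken.example" repeats the nesting mistake from the
# thread above, "good.example" is laid out correctly.
SAMPLE_CONFIG = {
    "broken.example": {
        "connection": {
            "server": "dc.broken.example",
            "groupbasedn": "DC=broken,DC=example",
            "authorization": {"rules": {"groups": {
                "required": ["CN=wiki,DC=broken,DC=example"]}}},
        }
    },
    "good.example": {
        "connection": {
            "server": "dc.good.example",
            "groupbasedn": "OU=Groups,DC=good,DC=example",
        },
        "authorization": {"rules": {"groups": {
            "required": ["CN=wiki,OU=Groups,DC=good,DC=example"],
            "excluded": ["CN=nowiki,OU=Groups,DC=good,DC=example"],
        }}},
    },
}

if __name__ == "__main__":
    print("\n".join(lint_domain_config(SAMPLE_CONFIG)))
    rules = SAMPLE_CONFIG["good.example"]["authorization"]["rules"]
    print(check_group_rules(rules, "andrew", ["cn=wiki, ou=groups, dc=good, dc=example"]))
    print(check_group_rules(rules, "172.22.0.1", []))
```

To use it on a real file, `json.load` the ldapprovider.json and pass the result to `lint_domain_config`; the member_of list for `check_group_rules` is what ShowUserGroups.php prints for the user.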

anonymous binding

is it possible to use the newer LDAP stack with anonymous binding? Does the json look like this?

{
  "****": {
    "connection": {
      "server": "**.***.**.**",
      "port": "389",
      "user": "",
      "pass": "",
      "enctype": "clear",
      "options": {
        "LDAP_OPT_DEREF": 1,
        "LDAP_OPT_PROTOCOL_VERSION": 3,
        "LDAP_OPT_REFERRALS": 0
      },
      "basedn": "dc=****,dc=**,dc=**",
      "userbasedn": "dc=****,dc=**,dc=**",
      "groupbasedn": "dc=****,dc=**,dc=**",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
    },
    "userinfo": [],
    "authorization": [],
    "groupsync": {
      "mapping": {
      }
    }
  }
}

180.252.119.34 (talk) 12:10, 27 October 2022 (UTC)

No, anonymous binding is currently not supported Osnard (talk) 07:38, 4 November 2022 (UTC)

mediawiki-Login not working but CheckLogin.php OK

We are trying to migrate from mediawiki 1.30.0 to 1.39.3.

Everything seems to work so far, except authentication via LDAP.


All LDAPProvider related scripts return data or report success:

./LDAPProvider/maintenance/CheckConnection.php --conf /opt/mediawiki/LocalSettings.php --config /opt/mediawiki/ldapprovider.json --domain DOMAIN "(samaccountname=me)"
=> valid Data

./LDAPProvider/maintenance/ShowUserInfo.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me
=> valid Data

php ./LDAPProvider/maintenance/CheckLogin.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me
=> OK

php ./LDAPProvider/maintenance/ShowUserGroups.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me
=> valid Data



ldapprovider.json:


{
  "DOMAIN": {
    "connection": {
      "server": "dc",
      "port": "636",
      "user": "ldap",
      "pass": "pass",
      "enctype": "ssl",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "OU=User,...",
      "userbasedn": "OU=User,...",
      "groupbasedn": "OU=Group...",
      "searchattribute": "sAMAccountName",
      "searchstring": "DOMAIN\\USER-NAME",
      "usernameattribute": "sAMAccountName",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": [
            "CN=User",
            "CN=Admin"
          ]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "user": "CN=User",
        "sysop": "CN=VAdmin"
      }
    },
    "userinfo": {
      "attributes-map": {
        "email": "mail",
        "realname": "fullname"
      }
    }
  }
}


LocalSettings.php:


wfLoadExtension( 'AccessControl' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'PluggableAuth' );

$wgDebugLogFile = "/opt/log/mediawiki_debug-{$wgDBname}.log";
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgShowDebug = true;
$wgDevelopmentWarnings = false;
$wgDebugDumpSql = false;

$wgDebugLogGroups['authentication'] = "/opt/log/authentication.log";
$wgDebugLogGroups['login'] = "/opt/log/login.log";
$wgDebugLogGroups['PluggableAuth'] = "/opt/log/LDAP-Pluggable.log";
$wgDebugLogGroups['LDAP'] = "/opt/log/LDAP.log";
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "/opt/log/LDAPProvider_Client.log";
$wgDebugLogGroups['LDAPGroups'] = "/opt/log/LDAPGroups.log";
$wgDebugLogGroups['LDAPUserInfo'] = "/opt/log/LDAPUserInfo.log";
$wgDebugLogGroups['LDAPAuthentication2'] = "/opt/log/LDAPAuthentication2.log";
$wgDebugLogGroups['LDAPAuthorization'] = "/opt/log/LDAPAuthorization.log";

$LDAPProviderDomainConfigs = "/opt/data/config/ldapprovider.json";
$LDAPProviderDomainConfigProvider = "MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\LocalJSONFile::newInstance";
$LDAPProviderDefaultDomain = 'DOMAIN';

$wgAccessControlMessages = true;
$wgUseMediaWikiGroups = true;
$wgAdminCanReadAll = true;
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = true;
(also tried $wgPluggableAuth_EnableLocalLogin = false;)
$LDAPAuthentication2AllowLocalLogin = true;
(also tried $LDAPAuthentication2AllowLocalLogin = false;)
$LDAPAuthentication2UsernameNormalizer = "strtolower";
$LDAPGroupsSyncMechanismRegistry = "mappedgroups";
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['sysop']['edit'] = true;
$wgPluggableAuth_ButtonLabel = "Anmelden";


Debug-Output


  • [error] [ZHi9J4zwAEy-BdrMNX0gmgAAAEE] /mediawiki/index.php?title=Spezial:Anmelden&returnto=Hauptseite PHP Deprecated: Use of userCan hook (used in AccessControlHooks::onUserCan) was deprecated in MediaWiki 1.37. [Called from MediaWiki\HookContainer\HookContainer::run]
  • [authentication] Login failed in primary authentication because no provider accepted UweAtwork (talk) 15:48, 1 June 2023 (UTC)
hello, out of curiosity, did you ever find a resolution? Wikiphpnoob (talk) 22:01, 14 March 2024 (UTC)
Hooks were deprecated in version 1.35 and then removed in 1.42.x. 144.51.12.195 (talk) 13:37, 20 October 2024 (UTC)
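The two domain configs quoted in the threads above (the anonymous-binding question and the ldapprovider.json from the 1.39 migration) share a shape that can be checked offline before a login attempt is made. The following script is an added example written for this talk page; it is not code from LDAPProvider or LDAPAuthorization. The sample JSON is constructed with placeholder hosts and DNs. Two things in it are assumptions rather than documented behaviour: that enctype "ssl" is expected on port 636, and that the entries under authorization.rules.groups and groupsync.mapping are matched against the full group DNs returned by the grouprequest (as in Osnard's full-DN example earlier on this page), so that a bare "CN=User" would never match.

```python
"""Offline lint for an LDAPProvider domain config in the ldapprovider.json
shape used on this page.  Added example for this talk page; it is not code
from LDAPProvider or LDAPAuthorization.  Assumptions are marked ASSUMPTION."""
import json

# Constructed sample (placeholder hosts and DNs, not a real directory).
# "ANON" mirrors the anonymous-binding question, "MIGRATION" the 1.39
# migration config, "OK" the same with full group DNs.
SAMPLE_CONFIG = r'''
{
  "ANON": {
    "connection": {
      "server": "198.51.100.10", "port": "389",
      "user": "", "pass": "", "enctype": "clear",
      "basedn": "dc=example,dc=local", "groupbasedn": "dc=example,dc=local",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"
    },
    "userinfo": [], "authorization": [], "groupsync": { "mapping": {} }
  },
  "MIGRATION": {
    "connection": {
      "server": "dc", "port": "636", "user": "ldap", "pass": "pass", "enctype": "ssl",
      "basedn": "OU=User,DC=example,DC=local", "groupbasedn": "OU=Group,DC=example,DC=local"
    },
    "authorization": { "rules": { "groups": { "required": [ "CN=User", "CN=Admin" ] } } },
    "groupsync": { "mechanism": "mappedgroups",
                   "mapping": { "user": "CN=User", "sysop": "CN=VAdmin" } }
  },
  "OK": {
    "connection": { "server": "dc", "port": "636", "user": "ldap", "pass": "pass", "enctype": "ssl" },
    "authorization": { "rules": { "groups": {
      "required": [ "CN=wiki,OU=groups,DC=example,DC=local" ],
      "excluded": [ "CN=nowiki,OU=groups,DC=example,DC=local" ] } } },
    "groupsync": { "mechanism": "mappedgroups",
                   "mapping": { "sysop": "CN=wikiadmins,OU=groups,DC=example,DC=local" } }
  }
}
'''


def _section(node, *keys):
    """Descend nested keys.  PHP-exported configs use [] for an empty section
    (see the ANON domain above), so anything that is not a dict reads as {}."""
    for key in keys:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def is_full_dn(value):
    """True for a distinguished name with at least two RDNs, e.g.
    CN=wiki,OU=groups,DC=example,DC=local.  A bare "CN=User" is not one."""
    rdns = [p.strip() for p in str(value).split(",") if p.strip()]
    return len(rdns) >= 2 and all("=" in p for p in rdns)


def audit_domain(name, domain):
    """Return a list of findings for one domain (empty list: nothing flagged)."""
    findings = []
    conn = _section(domain, "connection")
    user, password = conn.get("user", ""), conn.get("pass", "")
    enctype, port = str(conn.get("enctype", "")).lower(), str(conn.get("port", ""))

    # Empty user/pass is an anonymous (unauthenticated) bind.  Per the reply in
    # the thread above it is not supported by LDAPProvider, and even where a
    # directory accepts it the wiki would read users and groups with no identity.
    if not user or not password:
        findings.append(f"{name}: empty bind user/pass (anonymous bind; not supported by LDAPProvider)")

    # A bind password combined with enctype "clear" crosses the network in
    # plaintext; "ssl", as in the migration config above, keeps it encrypted.
    if enctype == "clear" and password:
        findings.append(f"{name}: enctype 'clear' sends the bind password unencrypted on port {port}")

    # ASSUMPTION: LDAPS listens on 636, so "ssl" on another port is suspect.
    if enctype == "ssl" and port != "636":
        findings.append(f"{name}: enctype 'ssl' with port {port} (LDAPS is normally 636)")

    # ASSUMPTION: group rules and groupsync mappings are compared against the
    # full group DNs the grouprequest returns; a bare "CN=User" never matches.
    groups = _section(domain, "authorization", "rules", "groups")
    for kind in ("required", "excluded"):
        for entry in groups.get(kind) or []:
            if not is_full_dn(entry):
                findings.append(f"{name}: authorization.rules.groups.{kind} '{entry}' is not a full DN")
    for wiki_group, entry in _section(domain, "groupsync", "mapping").items():
        if not is_full_dn(entry):
            findings.append(f"{name}: groupsync.mapping[{wiki_group}] '{entry}' is not a full DN")
    return findings


def audit_config(text):
    """Parse a domain-config JSON document and audit every domain in it."""
    config = json.loads(text)
    return {name: audit_domain(name, domain) for name, domain in config.items()}


if __name__ == "__main__":
    for domain_name, domain_findings in audit_config(SAMPLE_CONFIG).items():
        print(domain_name, "->", domain_findings or ["no findings"])
```

Run as a script it prints one line per domain of the constructed sample; for a real deployment call `audit_config()` on the contents of the file named by `$LDAPProviderDomainConfigs`. On the sample, ANON is flagged for the empty bind credentials only, MIGRATION for four group entries that are not full DNs, and OK for nothing. The full-DN check is only as good as the assumption behind it; if your grouprequest returns short names, drop that part of the audit.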

how to set $wgGroupPermissions

hello, I have mediawiki 1.39, PHP 8.3, Windows Server 2016 with IIS and will be using LDAP extensions

apologies if this is in the wrong discussion area

I will have, when fully set up, 8 groups with multiple users per group

only 1 of those groups will have full permissions, the rest will only have read

each of the 7 groups that will have read only, will also only have their own area of our local mediawiki site they'll have access to

which extension/s will control that? and where in LocalSettings and ldapprovider.json will those accesses be configured?

thank you Wikiphpnoob (talk) 17:18, 1 April 2024 (UTC)
