Manual talk:Active Directory Integration
| This page used the Structured Discussions extension to give structured discussions. It has since been converted to wikitext, so the content and history here are only an approximation of what was actually displayed at the time these comments were made. |
Setup Doesn't work from MediaWiki WebSite
Setup configuration as explained in article and ran update.php
When attempting to login from the GUI the following error is thrown:
[X4hn3AICGN7jXCch3jl1rAAAAI4] /wiki/index.php?title=Special:PluggableAuthLogin MWException from line 169 of /var/www/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server
Backtrace:
#0 /var/www/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php(92): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php(329): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/mediawiki-1.35.0/extensions/LDAPAuthentication2/src/PluggableAuth.php(81): MediaWiki\Extension\LDAPProvider\Client->canBindAs(string, string)
#3 /var/www/mediawiki-1.35.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)
#4 /var/www/mediawiki-1.35.0/includes/specialpage/SpecialPage.php(600): PluggableAuthLogin->execute(NULL)
#5 /var/www/mediawiki-1.35.0/includes/specialpage/SpecialPageFactory.php(635): SpecialPage->run(NULL)
#6 /var/www/mediawiki-1.35.0/includes/MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/mediawiki-1.35.0/includes/MediaWiki.php(940): MediaWiki->performRequest()
#8 /var/www/mediawiki-1.35.0/includes/MediaWiki.php(543): MediaWiki->main()
#9 /var/www/mediawiki-1.35.0/index.php(53): MediaWiki->run()
#10 /var/www/mediawiki-1.35.0/index.php(46): wfIndexMain()
#11 {main}
Tested configuration with the following scripts which all worked:
php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain YourDomain --username SomeUser
php extensions/LDAPProvider/maintenance/CheckLogin.php --domain YourDomain --username SomeUser
However as noted the web interface does not work when attempting login. 47.26.146.98 (talk) 15:20, 15 October 2020 (UTC)
Is there any way to test is user is logged on in LocalSetting.php
You may ask why, but having problem with VisualEditor in latest 1.35 MediaWiki, since it does not like Private mediawiki sites. You have to log on to view site "$wgGroupPermissions['*']['read'] = false;". (Ref: VisualEditor/Feedback/Archive/2020#h-Error_contacting_the_Parsoid/RESTBase_server_(HTTP_404)-2020-09-26T06:56:00.000Z)
With such sites you can not edit pages (like I am doing now). Currently the only real workaround is to test IP address in LocalSetting.php but no help if you want to access site from many clients. This is why I am asking if there is something I can add in LocalSettings.php which test if Username/password is valid, so then I can set $wgGroupPermissions['*']['read'] = true;"
Thanks Awatkins1966 (talk) 11:22, 6 November 2020 (UTC)
- See what server environment variables are set, find one that is set to the current logged in user and test for that. Mushu0mushu (talk) 21:54, 20 July 2021 (UTC)
How to bind ldap groups the either View Only, Edit and Admin
Hi,
After a lot of trail and error I finally can log in properly and that a you must login, but I can't figure out how to implemented the following:
- Viewers (read only obviously) (CN=WIKI_VIEWERS,OU=groups,DC=mydomain,DC=local)
- Editors (CN=WIKI_USERS,OU=groups,DC=mydomain,DC=local)
- Admins (CN=WIKI_ADMINS,OU=groups,DC=mydomain,DC=local)
I tired fiddling with the mappings but does not seems to do anything (my partial json):
"groupsync": {
"mapping": {
"VIEWERS" : "CN=WIKI_VIEWERS,OU=groups,DC=mydomain,DC=local",
"EDITORS" : "CN=WIKI_USERS,OU=groups,DC=mydomain,DC=local",
"ADMINS" : "CN=WIKI_ADMINS,OU=groups,DC=mydomain,DC=local"
}
}
I started testing with viewers like so:, but when I login with a user that is in that group the user test can edit and create new pages.. But more explanation or some examples would be most helpfull
$wgGroupPermissions['VIEWERS']['edit'] = false;
$wgGroupPermissions['VIEWERS']['createpage'] = false;
Thanks in advance. 159.46.196.36 (talk) 09:35, 8 December 2020 (UTC)
How to enable automatic login using AD authentication so user doesn't have to click the Log In button?
Windows Server 2012R2
| MediaWiki | 1.35.1 |
| PHP | 7.4.14 (cgi-fcgi) |
| MySQL | 5.7.13-log |
LDAPAuthentication2 1.0.2 (58e281c) 07:04, 7 January 2021
Auth_remoteuser 2.1.1 (a448e28) 23:55, 7 May 2021
LDAPAuthorization 1.1.0 (e037664) 19:38, 9 July 2020
LDAPProvider 1.0.5 (ca854c1) 07:54, 14 December 2020
LDAPUserInfo 1.0.0 (39cca83) 19:58, 9 July 2020
PluggableAuth 5.7 (2a465ae) 15:07, 10 July 2020
I have proper modules installed as far as I can tell, but MW requires me to click the login button and enter a password. How can I automate this so it logs in automagically and uses perms via groups? Mushu0mushu (talk) 17:12, 10 May 2021 (UTC)
- I ended up using Auth_remoteuser for automatic login. I also had to disable LDAPAuthentication2 for that to work. Everything else seems to be okay so far. I am still testing. Xdaveyx (talk) 12:06, 12 May 2021 (UTC)
- Thanks for that. I disabled the load of LDAPAuthentication2 but it still leaves me at the main wiki page not logged in. Were there any other settings you changed in your LocalSettings.php file related to this? Mushu0mushu (talk) 15:11, 12 May 2021 (UTC)
- Sorry, that I didn't see your question until now.
- Here's the other relevant bits from my localsettings file:
$LDAPProviderDomainConfigs = $ldapJsonFile;$LDAPProviderDefaultDomain = "DOMAIN";$LDAPProviderCacheType = CACHE_MEMCACHED; #*$LDAPProviderCacheTime = 8 * 60 * 60;$wgPluggableAuth_EnableAutoLogin = true;$wgPluggableAuth_EnableLocalLogin = true;- *Obviously use your own caching method here. I went through the pain of setting up memcached. It seems to make the difference since I am using a lot of nested templates.
- I hope that helps! Xdaveyx (talk) 20:42, 19 May 2021 (UTC)
- I got it to finally auto-login but only if the account exists in the user tables in the database. I have the createaccount and autocreateaccount set to true but the accounts are never added to the table. Plus those people get server Error 500 and no event log entries are generated, plus no MW extension log files are written to. However for anyone who is already in the user table everything works great, no errors are thrown, and they are auto-logged in. Thoughts? Mushu0mushu (talk) 21:26, 21 May 2021 (UTC)
- Are you using IIS, or another web server? I'd be digging down a bit more with LDAPAuthorization.
- Enable and check any logs you can. There were a couple of good posts about logging with examples that I found in the posts on these plugin talk pages and some other related pages.
- Profiling, and the process monitor software were really helpful too. Though it took me some time to figure out.
- I am on a domain system with Windows defender enabled by my admin. Since I put the website and PHP in non-standard folders I had to add exclusions to defender to help with some speed (+10 seconds) and permissions( related to image uploading, I think). There was some sort of locking issue. Xdaveyx (talk) 17:06, 24 May 2021 (UTC)
- So the problem appears to be code in auth_remoteuser extension file UserNameSessionInfo.php and I had to comment out this code:
- #if ( !Hooks::run( static::HOOKNAME, [ &$filteredUserName ] ) ) {
- # $metadata[ 'filteredUserName' ] = $filteredUserName;
- # $this->logger->warning(
- # "Can't login remote user '{remoteUserName}' automatically. " .
- # "Blocked this user when applying filter to '{filteredUserName}'.",
- # $metadata
- # );
- # continue;
- #}
- Not sure what it even tries to do, but it would never work properly and nobody could get authenticated via active directory and automatically logged in. When I commented this section out, everything works as expected! I manually stripped the domain from the front of the username info and allowed it to get properly stuffed into the filtered name array. Would be great if somebody would tell me what this HOOKNAME stuff is trying to do... Mushu0mushu (talk) 19:18, 8 November 2021 (UTC)
Invalid json file
Greetings all! I am a newbie to MediaWiki and this is my first project to get MW to work with AD sign on using the instructions here. I do have a binding account and password set up. Here are the other items I have installed:
MediaWiki 1.36
PHP 7.4.6
MariaDB 10.3.28 MySql 15.1
The json I wrote has all the information from the tutorial layout and for the bind account I used the information from the Name Attributes in AD (Name, OU, etc, etc)
I have added the code in the localsettings.php file and perform the update.php and this is where I get the invalid json file text
"php update.php --force
Found invalid JSON in file: /redacted/ldap.json
MediaWiki 1.36.2 Updater"
Would my syntax or other information cause this error? SonicMagnus (talk) 01:58, 13 November 2021 (UTC)
Not loading extensions
| RESOLVED | |
| This was my fault, had to change the localsettings.php to point to the LDAP.JSON file by its absolute Windows path. | |
The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.
I followed the directions but it when I checked Special:Version, it does not appear to be loading any of the extensions, or at least they are not listed on that page.
Windows Server 2016 / IIS
MediaWiki 1.35.5
PHP 7.4.13
MaraDB 10.7.3.0
I have verified the DC, user account, password, groups
Here is my ldap.json file (details changed):
{
"mydomain.net": {
"connection": {
"server": "dc.mydomain.net",
"port": "3268",
"user": "CN=user,OU=ou,OU=ou,OU=ou,DC=mydomain,DC=net",
"pass": "password",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "DC=mydomain,DC=net",
"userbasedn": "DC=mydomain,DC=net",
"groupbasedn": "DC=mydomain,DC=net",
"searchattribute": "samaccountname",
"usernameattribute": "samaccountname",
"realnameattribute": "cn",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
},
"userinfo": [],
"authorization": [],
"groupsync": {
"mechanism": "mappedgroups"
"mapping": {
"Group": "CN=group,OU=ou,OU=ou,OU=ou,OU=ou,DC=mydomain,DC=net",
"sysop": "",
}
}
}
}This is the bottom of my localsettings.php:
// Safe IP or not (for bypassing external login via AD)
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = (isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));
// Create Wiki-Group 'IS' from default user group
$wgGroupPermissions['IS'] = $wgGroupPermissions['user'];
// Private Wiki. External LDAP login. Default NS requires login.
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
// Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
if (is_array($testJson)) {
$ldapConfig = true;
} else {
error_log("Found invalid JSON in file: $IP/ldap.json");
}
}
// Activate Extension
if ( $ldapConfig ) {
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
$LDAPProviderDomainConfigs = $ldapJsonFile;
$wgPluggableAuth_ButtonLabel = "Log In";
// Force LDAPGroups to sync by choosing a domain ( e.g. first JSON object in ldap.json )
$LDAPProviderDefaultDomain = "mydomain.net";
if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
}I am honestly completely new to this and not sure what I am doing wrong. Gregzme17 (talk) 18:31, 8 March 2022 (UTC)
Why use a json file?
$LDAPProviderDomainConfigProvider = function() {
$config = [
'DOMAIN' => [
'connection' => [
"server" => "AD-SERVER",
"port" => "3268",
"enctype" => "tls",
"user" => "CN=user,OU=stuff",
"pass" => "password123",
"options" => [
"LDAP_OPT_DEREF" => 1,
"LDAP_OPT_REFERRALS" => 0,
"LDAP_OPT_X_TLS_CRLCHECK" => 0,
"LDAP_OPT_X_TLS_REQUIRE_CERT" => 0
],
"basedn" => "DC=DOMAIN,DC=TLD",
"groupbasedn" => "...",
"userbasedn" => "...",
"searchattribute" => "cn",
"usernameattribute" => "cn",
"realnameattribute" => "mail",
"emailattribute" => "mail",
"presearchusernamemodifiers" => [ "spacestounderscores", "lowercase" ]
],
"userinfo" => [],
"authorization" => [],
"groupsync" => [
"mapping" => [
"user" => "GROUP-ALL-USERS-ARE-IN"
]
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
It will automatically be used by LDAPAuthentication2 92.34.216.26 (talk) 13:12, 18 March 2022 (UTC)
Unable to establish AD sync
I've setup AD integration according to this manual in my private wiki, but after perform php maintenance/update.php and restart httpd on the new browser window in incognito mode at the wiki.company.com/index.php/Special:UserLogin I see only
The supplied credentials are not associated with any user on this wiki. without option to type user or password.
My current configration:
ldap.json:
{
"company.local": {
"connection": {
"server": "dc.company.local",
"port": "389",
"user": "CN=mediawiki,CN=Users,DC=company,DC=local",
"pass": "P@ssw0rd",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=company,dc=local",
"userbasedn": "dc=company,dc=local",
"groupbasedn": "dc=company,dc=local",
"searchattribute": "samaccountname",
"usernameattribute": "samaccountname",
"realnameattribute": "cn",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
},
"userinfo": [],
"authorization": [],
"groupsync": {
"mapping": {
"admins": "CN=Domain Admins,CN=Users,DC=company,DC=local"
}
}
}
}
LocalSettings.php:
[...]
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = (isset($wikiRequestIP) && ( in_array($wikiRequestIP,$safeIPs) ));
$wgGroupPermissions['sysop'] = $wgGroupPermissions['user'];
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
if (is_array($testJson)) {
$ldapConfig = true;
} else {
error_log("Found invalid JSON in file: $IP/ldap.json");
}
}
if ( $ldapConfig ) {
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
$LDAPProviderDomainConfigs = $ldapJsonFile;
$wgPluggableAuth_ButtonLabel = "Log In";
$LDAPProviderDefaultDomain = "company.local";
if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
$LDAPAuthentication2AllowLocalLogin = true;
}
(pretty much the same as example in manual)
I've ensured network connection (firewall, dns resolution).
I've enabled in debug LocalSettings.php by adding $wgDebugLogFile = "$IP/debug.log";
Entering login page creates almost 4k lines of code so I share it via pastebin: https://phabricator.wikimedia.org/P28279
What I check else?
Environment: PHP 7.4.6, Mediawiki 1.37.2, LDAP extensions stack: REL1_35 Asterops (talk) 18:45, 22 May 2022 (UTC)
- If I execute
php extensions/LDAPProvider/maintenance/ShowUserInfo.php -d company.local -u mediawikiI see output about AD's mediawiki bind user. - ldap_domains table in database is created but it's empty Asterops (talk) 18:49, 22 May 2022 (UTC)
- I've updated LDAP extensions to 1_37 and now works. Asterops (talk) 18:49, 24 May 2022 (UTC)
Missing Auth_remoteuser dependency
The Auth_remoteuser extension is not mentioned in this article, but appears to be required for AD authentication to work. 129.222.217.236 (talk) 18:39, 7 December 2022 (UTC)
instructions not compatible with PluggableAuth since v6.0
The instructions do no longer work since PuggableAuth v6.0. The variable wgPluggableAuth_ButtonLabel is no longer supported, instead wgPluggableAuth_Config is mandatory required.
As as documentation of PluggableAuth mentions that other plugins need to be compatible with the new version I have downloaded the old MediaWiki V1.35 compatible version 5.7 which is deprecated but still works. 2003:CF:2F39:8D00:915:3926:CDF3:4AC0 (talk) 18:13, 22 January 2023 (UTC)
Mediawiki doesn't show login box after running update.php
Hello,
I've installed Mediawiki 1.39.2, xamp 8.2.0 and extensions 1.39 over Microsoft Windows. I want to integrate to Active Directory.
After running update.php (which ran apparently ok), mediawiki doesn't let me login in, even with administrator user. It shows always this message:
"Las credenciales proporcionadas no se han podido autentificar."
I tested CheckLogin.php and ShowUserInfo.php. Both ran ok.
D:\xampp\php>php d:\xampp\htdocs\mediawiki\extensions\LDAPProvider\maintenance\CheckLogin.php --domain domino.local --username wikisoludepa
Password:XXXXXXXXX
OK
D:\xampp\php>php d:\xampp\htdocs\mediawiki\extensions\LDAPProvider\maintenance\ShowUserInfo.php --domain dominio.local --username marisolb
cn => marisolb
................
dn => CN=marisolb,CN=Users,DC=dominio,DC=local
I don't see error at the output of update.php.
I enabled debug and this is the output of trying to login. Can someone please help me to find the problem?
Thanks in advance.
.....................................................................................
[authentication] Login failed in primary authentication because no provider accepted
..................................................................................
[authevents] Login attempt
......................................................
[DBQuery] MediaWiki::preOutputCommit [0s] localhost: COMMIT
MediaWiki::preOutputCommit: primary transaction round committed
MediaWiki::preOutputCommit: pre-send deferred updates completed
MediaWiki::preOutputCommit: session changes committed
[DBReplication] Wikimedia\Rdbms\LBFactory::shutdown: finished ChronologyProtector shutdown
[DBReplication] LBFactory shutdown completed
.................................................................................
OutputPage::sendCacheControl: no caching **
[DBQuery] MediaWiki::restInPeace [0.002s] localhost: COMMIT
...................................................................
[DBReplication] LBFactory shutdown completed
Request ended normally
[session] Saving all sessions on shutdown
[resourceloader] Failed to find echo-badge-count (es)
[resourceloader] Failed to find templatedata-doc-subpage (es) Marisol6B (talk) 01:37, 26 April 2023 (UTC)
Error: The username or password is incorrect. Please try again.
Hello,
I am currently setting up a wiki and would like to connect the AD. Im using MediaWiki Version 1.39.3, LDAP Stack Version 1.39, PHP 7.4.3 nts and IIS Webserver. I have done every step as described in the instructions, but when I try to log in with an AD user I get the following error message: "The username or password is incorrect. Please try again". My ldap.json seems to be correct, I can run "CheckUserLogin" and "ShowUserInfo" successfully.
Can someone help me in this case? has anyone ever had the problem before?
I also installed MediaWiki 1.35.10 with the LDAP Stack Version 1.35, but here i also get an error message, here you can see:
Notice: Undefined index: sAMAccountName in C:\inetpub\wwwroot\mediawiki135\extensions\LDAPAuthentication2\src\PluggableAuth.php on line 203
276a8d50710e0d16830c7f12] /mediawiki135/index.php?title=Spezial:PluggableAuthLogin TypeError from line 57 of C:\inetpub\wwwroot\mediawiki135\includes\user\UserFactory.php: Argument 1 passed to MediaWiki\User\UserFactory::newFromName() must be of the type string, null given, called in C:\inetpub\wwwroot\mediawiki135\extensions\LDAPAuthentication2\src\PluggableAuth.php on line 68
Backtrace:
#0 C:\inetpub\wwwroot\mediawiki135\extensions\LDAPAuthentication2\src\PluggableAuth.php(68): MediaWiki\User\UserFactory->newFromName()
#1 C:\inetpub\wwwroot\mediawiki135\extensions\PluggableAuth\includes\PluggableAuthLogin.php(36): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate()
#2 C:\inetpub\wwwroot\mediawiki135\includes\specialpage\SpecialPage.php(600): PluggableAuthLogin->execute()
#3 C:\inetpub\wwwroot\mediawiki135\includes\specialpage\SpecialPageFactory.php(635): SpecialPage->run()
#4 C:\inetpub\wwwroot\mediawiki135\includes\MediaWiki.php(307): MediaWiki\SpecialPage\SpecialPageFactory->executePath()
#5 C:\inetpub\wwwroot\mediawiki135\includes\MediaWiki.php(947): MediaWiki->performRequest()
#6 C:\inetpub\wwwroot\mediawiki135\includes\MediaWiki.php(547): MediaWiki->main()
#7 C:\inetpub\wwwroot\mediawiki135\index.php(53): MediaWiki->run()
#8 C:\inetpub\wwwroot\mediawiki135\index.php(46): wfIndexMain()
#9 {main}
I don't know what else I can try, can someone help me?
Thanks in Advance! Yanick3453263 (talk) 12:36, 12 June 2023 (UTC)
1.39 The data provided cannot be used for credential checks.
Hello,
Im trying to setup ldap on Mediawiki 1.39.4, all plugins also downloaded for 1.39 version. LDAP is hosted in docker with OpenLDAP, Mediawiki is hosted on xampp with MySQL database. I think i configured everything how it should be by reading Active Directory Integration manual. When im clicking on log in im getting "The data provided cannot be used for credential checks."
Below is my ldap.json (ip and password changed for posting this):
{
"ldap.computingforgeeks.com": {
"connection": {
"server": "ldap://ip:389",
"port": "389",
"use-tls": "true",
"user": "cn=admin,dc=computingforgeeks,dc=com",
"pass": "password",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=computingforgeeks,dc=com",
"userbasedn": "ou=users,dc=computingforgeeks,dc=com",
"groupbasedn": "ou=groups,dc=computingforgeeks,dc=com",
"searchattribute": "sAMAccountName",
"usernameattribute": "sAMAccountName",
"realnameattribute": "cn",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
},
"userinfo": [],
"authorization": [],
"groupsync": {
"mapping": {
"engineering": "CN=employees,OU=Groups,DC=computingforgeeks,DC=com",
"employer": "CN=employer,OU=Groups,DC=computingforgeeks,DC=com"
}
}
}
}
Below is LocalSettings.php:
# End of automatically generated settings.
# Add more configuration options below.
// Safe IP or not (for bypassing external login via AD)
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = ( isset($wikiRequestIP ) && ( in_array($wikiRequestIP,$safeIPs) ));
// Create Wiki-Group 'engineering' from default user group
$wgGroupPermissions['engineering'] = $wgGroupPermissions['user'];
// Private Wiki. External LDAP login. Default NS requires login.
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = true;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
// Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
if (is_array($testJson)) {
$ldapConfig = true;
} else {
error_log("Found invalid JSON in file: $IP/ldap.json");
}
}
// Activate Extension
if ( $ldapConfig ) {
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
$LDAPProviderDomainConfigs = $ldapJsonFile;
$wgPluggableAuth_ButtonLabel = "Log In";
// Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)
$LDAPProviderDefaultDomain = "ldap.computingforgeeks.com";
if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = false; }
}
I also checked ldap connection using python script and everything works in it. On mediawiki im getting error. Do you have any ideas what could help? Also i have deleted LDAPAuthorization plugin for a while and it changed nothing. 46.238.215.24 (talk) 08:04, 24 August 2023 (UTC)
1.39 Could not authenticate credentials against domain "mydomain.com"
Hello, dear support!
I am trying to connect my instance of MW to our AD exactly as explained in this page, to which I am adding this topic. I spent a lot of time, reading such discussions on the subject, but cannot get it working.
Here, to save your time, I am attaching my ldap.json and LocalSettings.php (sure, with dummy data replaced sensitive information).
The symptoms:
- I still see both username and password fields on the login page, but without the standard button "Log in", only with the LDAP log in button, which is.. strange
- On clicking the LDAP login button I see error message: Could not authenticate credentials against domain "mydomainname.com"
- php extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain ldap.service --username ldap.user returns only this: Full DNs: Short names:
- php extensions/LDAPProvider/maintenance/CheckConnection.php --config /path/to/ldap.json --domain ldap.service "(samaccountname=*)" returns tons of information, related to our LDAP server (DNs)
- php extensions/LDAPProvider/maintenance/CheckLogin.php --domain ldap.service --username ldap.user when then I enter correct password it said FAILD, but if I just hit Enter on the password prompt it says OK
- php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain ldap.service --username ldap.user returns nothing
ldapsearch returns correct output on test connection.
We restarted Apache after adding PHP modules, we did update.php after applying this new LDAP extensions, as advised in the topic.
Please, help!
ldap.json:
{
"ldap.service": {
"connection": {
"server": "01.myldapservice.com",
"port": "389",
"use-tls": "false",
"user": "CN=ldap.user,OU=IT,DC=myldapservice,DC=com",
"pass": "passwordtoprotectmygreatldapnetwork",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "DC=myldapservice,DC=com",
"userbasedn": "DC=myldapservice,DC=com",
"groupbasedn": "DC=myldapservice,DC=com",
"searchattribute": "samaccountname",
"usernameattribute": "samaccountname",
"realnameattribute": "cn",
"searchstring": "samaccountname",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
},
"userinfo": [],
"authorization": [],
"groupsync": {
"mechanism": "mappedgroups",
"mapping": {
"developer": "CN=WIKI - Сообщество,OU=Группы доступа Wiki,OU=IT,DC=myldapservice,DC=com"
}
}
}
}
The system and plugins information:
Installed software
| Product | Version |
|---|---|
| MediaWiki | 1.39.3 (1a4ca63)
12:21, 12 August 2023 |
| PHP | 8.2.10 (fpm-fcgi) |
| MySQL | 8.0.34-0ubuntu0.22.04.1 |
| ICU | 70.1 |
| Lua | 5.1.5 |
| Pygments | 2.11.2 |
Entry point URLs
| Entry point | URL |
|---|---|
| Article path | /index.php?title=$1 |
| Script path | / |
| index.php | /index.php |
| api.php | /api.php |
| rest.php | /rest.php |
Installed extensions
| Special pages | |
|---|---|
| Extension | Version |
| CiteThisPage | – |
| Interwiki | 3.2 |
| Nuke | – |
| Renameuser | – |
| Replace Text | 1.7 |
| UserMerge | 1.10.1 (a6fd7d8) 05:50, 1 August 2023 |
| Editors | |
| Extension | Version |
| CodeEditor | – |
| VisualEditor | 0.1.2 |
| WikiEditor | 0.5.3 |
| Parser hooks | |
| Extension | Version |
| CategoryTree | – |
| Cite | – |
| CSS | 3.5.0 (035e731) 03:47, 4 December 2022 |
| ImageMap | – |
| InputBox | 0.3.0 |
| Math | 3.0.0 |
| ParserFunctions | 1.6.0 |
| Poem | – |
| Scribunto | – |
| SyntaxHighlight | 2.0 |
| TemplateData | 0.1.2 |
| Media handlers | |
| Extension | Version |
| PDF Handler | – |
| API | |
| Extension | Version |
| PageImages | – |
| Other | |
| Extension | Version |
| Gadgets | – |
| LDAPAuthentication2 | 2.0.2 (b83f5d1) 07:23, 4 September 2023 |
| LDAPAuthorization | 2.0.1 (fbb1c3b) 07:23, 4 September 2023 |
| LDAPGroups | 2.0.1 (1f945ca) 07:23, 4 September 2023 |
| LDAPProvider | 2.0.1 (dc89b2f) 07:23, 4 September 2023 |
| LDAPUserInfo | 2.0.0 (01a4b9e) 10:03, 14 June 2023 |
| MultimediaViewer | – |
| OATHAuth | 0.5.0 |
| PluggableAuth | 7.0.0 (1cbf448) 05:33, 29 August 2023 |
| SecureLinkFixer | – |
| TextExtracts | – |
LocalSettings.php:
<?php
//error_reporting( -1 ); // Debug
//ini_set( 'display_errors', 1 ); / Debug
# Protect against web entry
if ( !defined( 'MEDIAWIKI' ) ) {
exit;
}
## Uncomment this to disable output compression
# $wgDisableOutputCompression = true;
$wgSitename = "Wiki name";
$wgMetaNamespace = "wiki_name";
$wgScriptPath = "";
## The protocol and server name to use in fully-qualified URLs
$wgServer = "https://myserver.com";
## The URL path to static resources (images, scripts, etc.)
$wgResourceBasePath = $wgScriptPath;
## The URL paths to the logo. Make sure you change this from the default,
## or else you'll overwrite your logo when you upgrade!
$wgLogos = [
'1x' => "$wgResourceBasePath/resources/assets/logo.png",
'icon' => "$wgResourceBasePath/resources/assets/logo.png",
];
$wgDebugLogFile = "$wgResourceBasePath/logs/mw.log";
## UPO means: this is also a user preference option
$wgEnableEmail = false;
$wgEnableUserEmail = true; # UPO
$wgEmergencyContact = "";
$wgPasswordSender = "";
$wgEnotifUserTalk = false; # UPO
$wgEnotifWatchlist = false; # UPO
$wgEmailAuthentication = true;
## Database settings
$wgDBtype = "mysql";
$wgDBserver = "localhost";
$wgDBname = "dbname";
$wgDBuser = "dbuser";
$wgDBpassword = "thestrongestpasswordinthewordforthedatabaseandmediawikionecouldeverguess";
# MySQL specific settings
$wgDBprefix = "wiki_";
# MySQL table options to use during installation or update
$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";
# Shared database table
# This has no effect unless $wgSharedDB is also set.
$wgSharedTables[] = "actor";
## Shared memory settings
$wgMainCacheType = CACHE_NONE;
$wgMemCachedServers = [];
## To enable image uploads, make sure the 'images' directory
## is writable, then set this to true:
$wgEnableUploads = true;
#$wgUseImageMagick = true;
#$wgImageMagickConvertCommand = "/usr/bin/convert";
$wgUseInstantCommons = false;
$wgPingback = false;
# Site language code, should be one of the list in ./includes/languages/data/Names.php
$wgLanguageCode = "gb";
# CSS path
$wgCSSPath = '';
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
$out->addScriptFile( '/js/jquery.js' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
$out->addScriptFile( '/js/bpmn-navigated-viewer.development.js' );
};
#$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
# $out->addScriptFile( '/js/bpmn-viewer.development.js' );
#};
$wgHooks['MimeMagicInit'][] = static function ( MimeAnalyzer $mime ) {
$mime->addExtraTypes( 'application/xml bpmn' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
$out->addStyle( '/css/fontawesome/css/fontawesome.css' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
$out->addStyle( '/css/fontawesome/css/solid.css' );
};
$wgHooks['BeforePageDisplay'][] = function( OutputPage &$out, Skin &$skin ) {
$out->addStyle( '/css/fontawesome/css/regular.css' );
};
// Adding help to the footer
$wgHooks['SkinAddFooterLinks'][] = function ( Skin $skin, string $key, array &$footerlinks ) {
if ( $key === 'places' ) {
$footerlinks['helper-page'] = $skin->footerLink( 'Help-link-text', 'Help-Link' );
$footerlinks['glossary-page'] = $skin->footerLink( 'Glossary-link-text', 'Glossary-Link' );
};
};
$wgUploadDirectory = 'uploads';
$wgUploadPath = 'uploads';
$wgFileExtensions[] = 'bpmn';
# Time zone
$wgLocaltimezone = "UTC";
## Set $wgCacheDirectory to a writable directory on the web server
## to make your wiki go slightly faster. The directory should not
## be publicly accessible from the web.
#$wgCacheDirectory = "$IP/cache";
$wgSecretKey = "mysecretkeyforthisgreatwikiofalltimes";
# Changing this will log out all existing sessions.
$wgAuthenticationTokenVersion = "1";
# Site upgrade key. Must be set to a string (default provided) to turn on the
# web installer while LocalSettings.php is in place
$wgUpgradeKey = "myupgradekeyforthiswiki";
## For attaching licensing metadata to pages, and displaying an
## appropriate copyright notice / icon. GNU Free Documentation
## License and Creative Commons licenses are supported so far.
$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright
$wgRightsUrl = "";
$wgRightsText = "";
$wgRightsIcon = "";
# Path to the GNU diff3 utility. Used for conflict resolution.
$wgDiff3 = "/usr/bin/diff3";
# The following permissions were set based on your choice in the installer
$wgAddGroups['sysop'] = ['bureaucrat', 'sysop'];
$wgRemoveGroups['sysop'] = ['bureaucrat', 'sysop'];
## Default skin: you can change the default skin. Use the internal symbolic
## names, e.g. 'vector' or 'monobook':
$wgDefaultSkin = "Medik";
$wgMedikColor = "#347291";
# Enabled skins.
# The following skins were automatically enabled:
wfLoadSkin( 'Medik' );
// DEBUG //
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgShowDebug = true;
$wgDevelopmentWarnings = true;
// <ActiveDirectorty integration> //
// Safe IP or not (for bypassing external login via AD)
$safeIPs = array('127.0.0.1','localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR','HTTP_X_REAL_IP','REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) { $wikiRequestIP = $_SERVER[$ipsVar]; break; }
}
$wikiRequestSafe = ( isset($wikiRequestIP ) && ( in_array($wikiRequestIP,$safeIPs) ));
// Create Wiki-Group 'engineering' from default user group
$wgGroupPermissions['developer'] = $wgGroupPermissions['user'];
// Private Wiki. External LDAP login. Default NS requires login.
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalProperties = false;
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
// Load LDAP Config from JSON
$ldapJsonFile = "/path/to/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
$testJson = @json_decode(file_get_contents($ldapJsonFile),true);
if (is_array($testJson)) {
$ldapConfig = true;
} else {
error_log("Found invalid JSON in file: /path/to/ldap.json");
}
}
// Activate Extension
if ( $ldapConfig ) {
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'LDAPProvider' );
$LDAPProviderDomainConfigs = $ldapJsonFile;
$wgPluggableAuth_Config['Enter, using LDAP service'] = [
'plugin' => 'LDAPAuthentication2',
'data' => [
'domain' => 'ldap.service'
]
];
$wgPluggableAuth_Class = "MediaWiki\\Extension\\LDAPAuthentication2\\PluggableAuth";
// $wgPluggableAuth_Config = array(
// array('plugin' => 'LDAPAuthentication2'),
// array('plugin' => 'LDAPAuthorization'),
//// array('plugin' => 'LDAPUserInfo'),
//// array('plugin' => 'LDAPGroups'),
//// array('plugin' => 'LDAPProvider')
// );
// Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)
$LDAPProviderDefaultDomain = "ldap.service";
if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
}
// </ActiveDirectorty integration> //
$wgUserMergeProtectedGroups = [];
$wgGroupPermissions['sysop']['usermerge'] = true;
$wgGroupPermissions['sysop']['usermerge'] = true;
$wgGroupPermissions['sysop']['deletelogentry'] = true;
$wgGroupPermissions['sysop']['deleterevision'] = true;
# Enabled extensions. Most of the extensions are enabled by adding
# wfLoadExtension( 'ExtensionName' );
# to LocalSettings.php. Check specific extension documentation for more details.
# The following extensions were automatically enabled:
wfLoadExtension( 'CategoryTree' );
wfLoadExtension( 'Cite' );
wfLoadExtension( 'CiteThisPage' );
wfLoadExtension( 'CodeEditor' );
wfLoadExtension( 'CSS' );
wfLoadExtension( 'Gadgets' );
wfLoadExtension( 'ImageMap' );
wfLoadExtension( 'InputBox' );
wfLoadExtension( 'Interwiki' );
wfLoadExtension( 'Math' );
wfLoadExtension( 'MultimediaViewer' );
wfLoadExtension( 'Nuke' );
wfLoadExtension( 'OATHAuth' );
wfLoadExtension( 'PageImages' );
wfLoadExtension( 'ParserFunctions' );
wfLoadExtension( 'PdfHandler' );
wfLoadExtension( 'Poem' );
wfLoadExtension( 'Renameuser' );
wfLoadExtension( 'ReplaceText' );
wfLoadExtension( 'Scribunto' );
wfLoadExtension( 'SecureLinkFixer' );
wfLoadExtension( 'SyntaxHighlight_GeSHi' );
wfLoadExtension( 'TemplateData' );
wfLoadExtension( 'TextExtracts' );
wfLoadExtension( 'UserMerge' );
wfLoadExtension( 'VisualEditor' );
wfLoadExtension( 'WikiEditor' );
# End of automatically generated settings.
# Add more configuration options below.
$wgShowExceptionDetails = true; Arsenii Gorkin (talk) 11:59, 9 September 2023 (UTC)
Arsenii Gorkin (talk) 12:01, 9 September 2023 (UTC) Arsenii Gorkin (talk) 12:02, 9 September 2023 (UTC)
- Solved. Arsenii Gorkin (talk) 15:41, 11 September 2023 (UTC)
- Hi, how did you solved? 189.9.13.119 (talk) 18:05, 18 September 2023 (UTC)
- Hi Arsenii Gorkin,
- I'm getting the same exact error as you had. In the CheckLogin.php, if I entered my password it returns Failed. But if I just press enter, it returns OK. ShowUserInfo.php was giving correct results.
- Can you please tell us on how you solve the issue on your side? Thank you very much 147.161.214.84 (talk) 05:36, 23 February 2024 (UTC)
- @Arsenii Gorkin
- Hi Arsenii Gorkin,
- I'm getting the same exact error as you had. In the CheckLogin.php, if I entered my password it returns Failed. But if I just press enter, it returns OK. ShowUserInfo.php was giving correct results.
- Can you please tell us on how you solve the issue on your side? Thank you very much 147.161.214.84 (talk) 05:37, 23 February 2024 (UTC)
Authenticate just one AD group
Hi, i want that just one group of active directory be able to authenticate or read in the wiki.
By the configuration, it allows every user of the domain. 189.9.13.119 (talk) 11:59, 22 September 2023 (UTC)