I keep trying to reach out, but I guess the SMEs are otherwise engaged, so I'll try again.
I completely wiped out my previous build and started over.
I'm on Windows Server 2016 (I know it's not supported) with IIS 10.
Installed software
Product Version
MediaWiki 1.39.6
PHP 8.3.4 (cgi-fcgi)
MySQL 8.3.0
ICU 72.1
LDAPAuthentication2 2.0.7 (3a91dad) 08:59, 4 March 2024
LDAPAuthorization 2.0.5 (ccd20da) 08:59, 4 March 2024
LDAPGroups 2.0.5 (956a438) 19:08, 4 March 2024
LDAPProvider 2.0.5 (b7fd141) 08:59, 4 March 2024
LDAPUserInfo 2.0.4 (a5eeff0) 08:59, 4 March 2024
PluggableAuth 7.1.0 (1884a12) 06:36, 4 March 2024
I am able to log in locally. I cannot authenticate over LDAP
I attempt to log in over LDAP using my samaccountname ID (firstname.lastname) and get: Could not authenticate credentials against domain "ACME.ORG"
LDAPAuthentication2 log shows - 2024-04-02 18:19:06 SERVER acmewiki: Could not bind to LDAP domain with given user: firstname.lastname
PluggableAuth log shows:
2024-04-02 18:19:06 SERVER acmewiki: In execute()
2024-04-02 18:19:06 SERVER acmewiki: Getting PluggableAuth instance
2024-04-02 18:19:06 SERVER acmewiki: Plugin name: LDAPAuthentication2
2024-04-02 18:19:06 SERVER acmewiki: Authentication failure.
2024-04-02 18:19:06 SERVER acmewiki: ERROR: Could not authenticate credentials against domain "ACME.ORG"
I also get [authentication] Login failed in primary authentication by MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider
I can successfully run showuserinfo.php, ShowUserGroups.php, and CheckConnection.php, BUT CheckLogin.php shows FAILED.
I can perform a simple bind using LDP.exe with both the LDAP bind service account and my samaccountname ID (firstname.lastname).
I have been running update.php and restarting IIS when making changes.
Here are the scrubbed LocalSettings and ldapprovider.json:
LocalSettings:
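// Safe IP or not (for bypassing external login via AD)
// NOTE(review): HTTP_X_FORWARDED_FOR and HTTP_X_REAL_IP are request headers, so any client can
// supply them unless a trusted reverse proxy in front of IIS overwrites them; only REMOTE_ADDR is
// set by the web server itself. Confirm the deployment before using them for a trust decision.
$safeIPs = [
    '127.0.0.1',
    'localhost',   // never matches: the headers below carry IP literals, not host names
    'x.x.x.x/16',  // matched as an IPv4 CIDR range by wikiIpInSafeList() below
];

/**
 * Whether an address is in the safe list, either by exact string match or inside an IPv4 CIDR range.
 *
 * Entries that are not "a.b.c.d/bits" (host names, IPv6, malformed) only ever match exactly.
 *
 * @param string       $ip   the address to test (IPv4 dotted quad, or any other string)
 * @param list<string> $list plain addresses and/or "a.b.c.d/bits" ranges
 */
function wikiIpInSafeList(string $ip, array $list): bool
{
    if (in_array($ip, $list, true)) {
        return true;
    }
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;
    }
    foreach ($list as $entry) {
        if (!str_contains($entry, '/')) {
            continue;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $netAddr = ip2long($net);
        if ($netAddr === false || preg_match('/^[0-9]{1,2}$/', $bits) !== 1 || (int) $bits > 32) {
            continue; // unparsable entry (e.g. a scrubbed placeholder) is skipped, not matched
        }
        // /0 is handled explicitly so the shift width never reaches 32.
        $mask = (int) $bits === 0 ? 0 : ((-1 << (32 - (int) $bits)) & 0xFFFFFFFF);
        if (($addr & $mask) === ($netAddr & $mask)) {
            return true;
        }
    }
    return false;
}

$ipsVars = ['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR'];
foreach ($ipsVars as $ipsVar) {
    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3) {
        // X-Forwarded-For may be a comma-separated chain; use the first entry, which the
        // proxy chain reports as the client, instead of comparing the whole header.
        $wikiRequestIP = trim(explode(',', $_SERVER[$ipsVar], 2)[0]);
        break;
    }
}
$wikiRequestSafe = isset($wikiRequestIP) && wikiIpInSafeList($wikiRequestIP, $safeIPs);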
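// Create Wiki-Group 'users' from default user group
// Copies the 'user' permission array as it stands at this point; later changes to
// $wgGroupPermissions['user'] do not carry over to 'users'.
// Author's question kept from the original: (IS THIS OK?????)
$wgGroupPermissions['users'] = $wgGroupPermissions['user'];
// Private Wiki. External LDAP login. Default NS requires login.
// Author's question kept from the original: (ARE THESE OK???)
$wgEmailConfirmToEdit = false;
// Anonymous visitors can neither read, edit nor register, and sysops cannot create accounts by hand...
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
// ...but an account may be auto-created on a successful external (LDAP) login.
$wgGroupPermissions['*']['autocreateaccount'] = true;
// A blocked user is also refused at login, not only at edit time.
$wgBlockDisablesLogin = true;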
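// Load LDAP Config from JSON
// NOTE(review): __DIR__ is the MediaWiki install directory that IIS serves, and this file holds the
// bind account password ("pass"). Make sure IIS does not serve *.json from here, or move the file
// outside the web root and adjust the path.
$ldapJsonFile = __DIR__ . '/ldapprovider.json';
// True only when the file exists and decodes to a JSON object/array; the LDAP extensions are
// loaded solely in that case, so a broken file disables LDAP login instead of breaking the wiki.
$ldapConfig = false;
if (is_file($ldapJsonFile)) {
    $rawJson = file_get_contents($ldapJsonFile);
    // Tell an unreadable file apart from invalid JSON instead of hiding both behind '@'.
    if ($rawJson === false) {
        error_log("LDAP config file not readable: $ldapJsonFile");
    } elseif (is_array(json_decode($rawJson, true))) {
        $ldapConfig = true;
    } else {
        error_log("Found invalid JSON in file: $ldapJsonFile");
    }
} else {
    error_log("LDAP config file not found: $ldapJsonFile");
}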
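// Activate LDAP extensions (only when ldapprovider.json was found and parsed above)
if ($ldapConfig) {
    wfLoadExtension('PluggableAuth');
    wfLoadExtension('LDAPProvider');
    wfLoadExtension('LDAPAuthentication2');
    wfLoadExtension('LDAPAuthorization');
    wfLoadExtension('LDAPGroups');
    wfLoadExtension('LDAPUserInfo');
    $LDAPProviderDomainConfigs = $ldapJsonFile;
    // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldap.json)
    $ldapDomains = json_decode(file_get_contents($LDAPProviderDomainConfigs), true);
    $LDAPProviderDefaultDomain = is_array($ldapDomains) ? array_key_first($ldapDomains) : null;
    # Configure PluggableAuth settings
    $wgPluggableAuth_EnableAutoLogin = false;
    $wgPluggableAuth_EnableLocalLogin = true;
    $wgPluggableAuth_EnableLocalProperties = false;
    $wgPluggableAuth_EnableFastLogout = true;
    $wgPluggableAuth_Config = [
        // 'domain' must be a top-level key of ldapprovider.json ("ACME.ORG" here).
        // NOTE(review): the LDAPAuthentication2 log reports "Could not bind to LDAP domain with given
        // user", i.e. the bind *as the user* fails while the service-account bind works. That points at
        // the "searchstring" in ldapprovider.json (CN=USER-NAME,DC=ACME,DC=ORG): it only yields a valid
        // bind DN if user objects sit directly under the domain root with a CN equal to the
        // samaccountname, which is unusual for AD — verify against the LDAPProvider documentation.
        'ACME Wiki Login' => [
            'plugin' => 'LDAPAuthentication2',
            'data' => ['domain' => 'ACME.ORG'],
        ],
        'LDAP Authorization' => [
            'plugin' => 'LDAPAuthorization',
        ],
    ];
    # LDAPProvider settings
    $LDAPProviderCacheType = 'CACHE_NONE'; // 'CACHE_ANYTHING' when NOT debugging
    $LDAPProviderCacheTime = 500;
    // NOTE(review): ldapprovider.json lists "lowercase" under presearchusernamemodifiers, but only
    // 'strtolower' and 'removespaces' are registered here; whether the extension's default registry
    // still supplies "lowercase" depends on its merge strategy — confirm, or use 'strtolower' in the JSON.
    $LDAPProviderPreSearchUsernameModifierRegistry = [
        'strtolower' => static fn () => \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance(),
        'removespaces' => static fn () => \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\RemoveSpaces::newInstance(),
    ];
    # LDAPAuthentication2 settings
    $LDAPAuthentication2AllowLocalLogin = true;
    $LDAPAuthentication2UsernameNormalizer = 'strtolower';
    // NOTE(review): ldapprovider.json spells the attribute "samaccountname"; LDAP attribute names are
    // case-insensitive, but keep the spelling consistent in case the extension compares strings.
    $wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName';
    // NOTE(review): no effect — local login is already enabled unconditionally above, so the
    // "safe IP" check does not currently gate anything.
    if ($wikiRequestSafe) {
        $LDAPAuthentication2AllowLocalLogin = true;
    }
}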
// Debug output. Exception details and the debug toolbar expose internals (paths, queries, stack
// traces) to anyone who can reach the wiki, and the log files below record authentication attempts;
// treat all of these as troubleshooting-only and disable them once LDAP login works.
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;

// One log file per LDAP-related log group (the LDAPProvider client logs under its class name).
$ldapDebugLogs = [
    'PluggableAuth' => 'C:/Windows/Temp/PLUG.log',
    'LDAP' => 'C:/Windows/Temp/ldap1.log',
    'MediaWiki\\Extension\\LDAPProvider\\Client' => 'C:/Windows/Temp/ldapprovider.log',
    'LDAPGroups' => 'C:/Windows/Temp/LDAPGroups.log',
    'LDAPUserInfo' => 'C:/Windows/Temp/LDAPUser.log',
    'LDAPAuthentication2' => 'C:/Windows/Temp/LDAPAuthentication2.log',
    'LDAPAuthorization' => 'C:/Windows/Temp/LDAP.log',
];
foreach ($ldapDebugLogs as $logGroup => $logPath) {
    $wgDebugLogGroups[$logGroup] = $logPath;
}
unset($ldapDebugLogs, $logGroup, $logPath);
********************************
ldapprovider.json:
{
"ACME.ORG": {
"connection": {
"server": "x.x.x.x",
"port": 389,
"use-tls": false,
"enctype": "clear",
"user": "CN=wiki service account,OU=ACME Managed Service Accounts,DC=ACME,DC=ORG",
"pass": "xxx",
"options": { "LDAP_OPT_DEREF": 1 },
"basedn": "DC=ACME,DC=ORG",
"groupbasedn": "DC=ACME,DC=ORG",
"userbasedn": "DC=ACME,DC=ORG",
"searchattribute": "samaccountname",
"usernameattribute": "samaccountname",
"realnameattribute": "samaccountname",
"groupsearch": "$dn",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "lowercase", "removespaces" ],
"searchstring": "CN=USER-NAME,DC=ACME,DC=ORG",
"nestedgroups": false
},
"userinfo": {
"attributes-map": {
"realname": "samaccountname"
}
},
"authorization": {
"rules": {
"groups": {
"required": [
"CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
"CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
]
}
}
},
"groupsync": {
"mechanism": "mappedgroups",
"mapping": {
"information technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
"human resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
}
}
}
}