Jump to content

Topic on Extension talk:LDAP Authentication

Automatic account creation is not allowed

20
TroySettle (talkcontribs)

extension for mediawiki 1.28

I'm getting closer to figuring this out, but stuck on automatically creating accounts. Here's my current (sanitized) configuration. I can authenticate, but I then get the message:

Auto-creation of a local account failed: Automatic account creation is not allowed.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;
$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.local.domain');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=domain,dc=local');

$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );

$wgLDAPDisableAutoCreate = array('LOCAL' => false);

Any help would be greatly appreciated!

Tz1971 (talkcontribs)

currently I am using Centos 7.3, MySql 5.7 and PHP 7.1 LDAP TLS

LdapAuthentication: REL1_28 2016-11-18T19:08:52 770c89e

in /etc/openldap/ldap.conf

I add

TLS_REQCERT allow    

TLS hard

and LocalSettings.php setting

$wgLDAPEncryptionType  = array('domain.com' => 'tls');

at this point cannot authenticate

so i tweak and change some code in LdapAuthenticationPlugin at line 547

if ( !ldap_start_tls( $this->ldapconn ) ) {

add @

if ( !@ldap_start_tls( $this->ldapconn ) ) {

for autocreation, I stuck at /includes/auth/AuthManager.php between line 1612 and 1626

// Is the IP user able to create accounts?

$anon = new User;

/*

if ( !$anon->isAllowedAny( 'createaccount', 'autocreateaccount' ) ) {

.....

}

*/

comment out this block, now working. (need better solution rather than comment out)

for group permission

# Implicit group for all visitors

$wgGroupPermissions['*']['createaccount'] = false; // ??? not working

$wgGroupPermissions['*']['autocreateaccount'] = false;  // ???

$wgGroupPermissions['*']['read'] = false;

$wgGroupPermissions['*']['edit'] = false;

$wgGroupPermissions['*']['createpage'] = false;

$wgGroupPermissions['*']['createtalk'] = false;

$wgGroupPermissions['*']['writeapi'] = false;

Aarango1 (talkcontribs)

Same here. Any help is appreciated. My config:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array("iRedMail");

$wgLDAPServerNames = array("iRedMail" => "192.168.XX.XX");

$wgLDAPPort = array("iRedMail" => 389);

$wgLDAPEncryptionType = array( "iRedMail" => "clear");

$wgLDAPBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPProxyAgent = array("iRedMail"=>"cn=vmail,dc=example,dc=com");

$wgLDAPProxyAgentPassword = array( "iRedMail"=>"*****");

$wgLDAPUserBaseDNs = array( "iRedMail"=>"o=domains,dc=example,dc=com");

$wgLDAPSearchAttributes = array( "iRedMail" => "mail");

$wgLDAPLowerCaseUsername = array( "iRedMail"=>true);

$wgLDAPUseLocal = true;

$wgLDAPDebug = 3;

$wgDebugLogGroups['ldap'] = '/tmp/debug.log';

Legaulph (talkcontribs)

Same issue

TroySettle (talkcontribs)

FWIW, I finally got it working. Not sure what the difference is here... the $wgGroupPermissions item is not listed on the LDAP extension instructions, but I think this is what did it.

require_once ("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
#$wgLDAPUseLocal = true;
$wgLDAPDomainNames       = array('LOCAL');
$wgLDAPServerNames       = array('LOCAL' => 'local-dc2.mydomain.local');
$wgLDAPEncryptionType    = array('LOCAL' => 'clear');
$wgMinimalPasswordLength = 1;
$wgLDAPBaseDNs           = array('LOCAL' => 'ou=Users,ou=LOCAL,dc=mydomain,dc=local');
$wgLDAPSearchStrings     = array('LOCAL' => 'LOCAL\\USER-NAME');
$wgLDAPSearchAttributes  = array('LOCAL' => 'sAMAccountName' );
$wgLDAPRetrievePrefs     = array('LOCAL' => true );
$wgGroupPermissions['*']['autocreateaccount'] = true;
Aarango1 (talkcontribs)

I tried with that TroySettle but not luck. I receive same fails, what versions do you have installed? (Mediawiki and LDAP please) Thanks.

Did you create Wiki as Open? private?

NOTE: I solved using wiki 1.23 version.

Legaulph (talkcontribs)

I had to set $wgGroupPermissions['*']['createaccount'] = true;

130.219.8.234 (talkcontribs)

That still did not work for me.

My other anonymous permissions are set to false.

$wgGroupPermissions['*']['edit'] = false; $wgGroupPermissions['*']['read'] = false;

I want this to be a private wiki.

130.219.8.234 (talkcontribs)

It would seem I had to clear all session data and remove cookies from previous logon attempts with my test user as well as comment out self::saveDomain( $user, $_SESSION['wsDomain'] ); from one of the extension's configuration files. It now works.

153.96.128.5 (talkcontribs)

I had this problem, too. In my case, the solution was the one that has already been mentioned above:

1. switch back to local auth in LocalSettings.php; then login with a *local* admin/bureaucrat account (the one you set up when installing the wiki).

2. create a local user with the same name as one that exists in LDAP (give him a bullsh*t password, no need to match the LDAP one). Not mandatory, but if you are smart, this user should be a bureaucrat as you need at least one LDAP-based bureaucrat anyways. Lets call this user "Ldapboss".

3. switch again to LDAP auth in LocalSettings.php; then login with the user Ldapboss you just created. Of course you need to use the user's actual LDAP password this time. Btw, your local admin is now locked out of the system (unless you set wgLDAPUseLocal to true). This is why you need an LDAP-based bureaucrat.

From this point on, weirdly enough, auto account creation works. It's like, you need at least one successful login to make it work. Not sure why, doesn't make sense.

Ask a colleague to log on, or alternatively, rename your Ldapboss user to Ldapboss_Trash (Renameuser extension) and logout. Then login again with Ldapboss using again the LDAP credentials. Now, you Ldapboss is auto-created (this time as a simple user, as it should).

Actually, on Ryan D Lane (creator and ex-maintainer of the plugin) has this written on a 2009 blog post --- Quote:

"Before enabling the plugin, you should create a user in the local wiki database that exists in AD, and promote that user to sysop. After the plugin is enabled, you will not be able to log in as any user who does not exist in AD."

Brain wang (talkcontribs)

Hi,

While I executed step 3, then use Ldapboss login with LDAP password, I got the following error:

[WMFhIqwRAAIAABOptNUAAAAG] 2017-03-09 14:05:24: Fatal exception of type "DBQueryError"

Is it normal?

But it looks I have already logged in.

223.166.93.186 (talkcontribs)

Hi,

Any news on Brain Wang's problem? I experience the same issue. The user seems to be logged in, however logging in with an other user from LDAP still fails.

195.212.29.162 (talkcontribs)

Today I ran into the same issue, and found that the LDAP plugin does not have the right to autocreate users, despite the allowed autocreateaccount Group Permission setting. Then I found that the referred table (ldap_domains) did not exist in the database (and thus throwing the authmanager-autocreate-noperm errors). Creating the table in the right database based on the extensions/LdapAuthentication/schema/ldap-mysql.sql seems to fixed the issue:

# mysql -u root -p

Enter password:

mysql> use my_wiki

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> CREATE TABLE ldap_domains (domain_id int not null primary key auto_increment,domain varchar(255) binary not null,user_id int not null);

Query OK, 0 rows affected (0.00 sec)

85.220.204.126 (talkcontribs)

This worked for me. Thanks

145.109.211.76 (talkcontribs)

I am running a private Wiki

$wgGroupPermissions['*']['autocreateaccount'] = true;

fixed it for me. If you read the changelog of 1.27:

* MediaWiki will now auto-create users as necessary, removing the need for

  extensions to do so. An 'autocreateaccount' right is added to allow

  auto-creation when 'createaccount' is not granted to all users.

31.221.114.66 (talkcontribs)

I resolved the problem by setting the $wgGroupPermissions['*']['autocreateaccount'] = true but also assigning CHMOD permissions to all .php files in /mediawiki to 777 for the local account I was using.

70.67.200.45 (talkcontribs)

For anyone else with this error:

Do set $wgGroupPermissions['*']['autocreateaccount'] = true;

Then delete your session cookie and reload the page to get a new session before trying again. Your session gets added to an account auto-creation blacklist when it fails the first time, which happens to give the exact same error message.

213.33.64.46 (talkcontribs)

This exact method worked for me too, thanks! Removing the session-cookie was the one thing I missed after unsuccessfully adding the configuration-option

73.44.250.189 (talkcontribs)

I had the same issue - I did not need to add any particular wgGroupPermissions, I just followed responses from:

153.96.128.5

and 195.212.29.162


Was racking my brain as to why it wasn't working, thanks for your help.

This comes up quite high on the search for issue, so I thought I'd add my 2 cents.

I am running on mediaWiki 1.29 due to legacy php/database and other things related - we're not in a position to do much upgrades and were stuck in using this, which is fine for us, thanks.

187.41.31.85 (talkcontribs)

It worked for me. -> 153.96.128.5

Reply to "Automatic account creation is not allowed"