
Topic on Extension talk:LDAPAuthorization

authorization by group not working (User XXXX not authorized)

Awatkins1966 (talkcontribs)

Battling with these extensions and have got Authorization to work, but when I try to restrict by group it fails. Looking at function makeGroupRequirements, the ldapUserGroups has no values.

   $ldapUserGroups = $this->ldapClient->getUserGroups( $username );

$username equals "andrew" and looking at debug output the memberof has been read.


[MediaWiki\Extension\LDAPProvider\Client] MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (
  'base' => 'dc=dcs,dc=bbk,dc=ac,dc=uk',
  'filter' => '(samaccountname=andrew)',
  'attributes' =>
  array (
    0 => '*',
    1 => 'memberof',
  ),
)
....
   10 => 'usncreated',
   'memberof' =>
   array (
     'count' => 7,
     0 => 'CN=xxx1,DC=dcs,DC=bbk,DC=ac,DC=uk',
     1 => 'CN=xxx2,DC=dcs,DC=bbk,DC=ac,DC=uk',
     2 => 'CN=xxx3,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',
     3 => 'CN=xxx4,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',
     4 => 'CN=xxx5,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',
     5 => 'CN=xxx6,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',
     6 => 'CN=xxx7,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',
   ),
   11 => 'memberof',
   'usnchanged' =>
   array (
     'count' => 1,


Any ideas?

213.124.137.250 (talkcontribs)

I have this problem with OpenLDAP and "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"; the group I want to search is a 'groupOfNames'.

Without the authorization plugin enabled I can log in.

The config in a JSON file:

    {
      "LDAP": {
        "connection": {
          "server": "XXX",
          "user": "cn=docswiki_ro,ou=serviceaccounts,dc=XXX",
          "pass": "",
          "basedn": "XXX",
          "groupbasedn": "ou=roles,ou=groups,dc=XXX",
          "userbasedn": "ou=volunteers,dc=XXX",
          "searchattribute": "uid",
          "searchstring": "uid=USER-NAME,ou=volunteers,dc=XXX",
          "usernameattribute": "uid",
          "realnameattribute": "cn",
          "emailattribute": "mail",
          "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
        },
        "authorization": {
          "rules": {
            "groups": {
              "required": [
                "cn=rol_webadmin,ou=roles,ou=groups,dc=XXX"
              ]
            }
          }
        }
      }
    }

87.251.43.211 (talkcontribs)

I think I see the problem. I'm using an objectclass 'groupofnames' (in OpenLDAP) but the code you added only checks for a 'group'. When I have time I'll change that in the code and see if it works.

213.124.137.250 (talkcontribs)

Confirmed: I changed it to groupOfNames and now my account authorizes but my test account doesn't, as expected.

Guilherme bangemann (talkcontribs)

It's working??

Ablum010777 (talkcontribs)

I have this problem, too. But it only occurs in private wikis. What can I do to solve this?


I use MediaWiki 1.39.3

PHP Version 8.1.2

MariaDB 10.6.12

Osnard (talkcontribs)

Which LDAP extension versions are you using?

Ablum010777 (talkcontribs)

I'm using

PluggableAuth 5.7

LDAPAuthentication2 1.0.3

LDAPProvider 1.0.5

LDAPUserInfo 1.0.0

LDAPAuthorization 1.1.0


I cannot use PluggableAuth 6.X since it doesn't work with LDAPAuthentication2 or LDAPAuthorization yet.

Osnard (talkcontribs)

The change was merged quite a while ago. You can now set the groupobjectclass to groupOfNames in connection.
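The two group-lookup paths discussed in this thread, as an added Python example that is not code from the LDAPProvider or LDAPAuthorization extensions: the Active Directory route reads group DNs from the user's memberof attribute (the first post's debug output), while the OpenLDAP route has to search group entries by member, and a search hard-wired to objectClass=group finds nothing for groupOfNames entries, which is exactly the "not authorized" symptom reported above. Every directory entry below is constructed, the function names are hypothetical, and treating a "required" rule as "member of every listed group" is an assumption about the rule semantics, not a statement of the extension's behaviour. DNs are compared normalized (case-insensitive, whitespace after commas ignored) because raw string comparison of DNs is another common cause of a valid member being rejected.

```python
"""Added example (not code from LDAPProvider/LDAPAuthorization): how an
authorization rule learns a user's groups and why a lookup hard-wired to
objectClass=group finds nothing for OpenLDAP groupOfNames entries.
All directory data below is constructed for illustration."""

# Constructed user entry shaped like the Active Directory debug output in the
# thread: AD hands back group DNs directly in the user's 'memberof' attribute.
AD_USER = {
    "dn": "CN=andrew,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk",
    "memberof": [
        "CN=xxx3,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk",
        "CN=xxx5,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk",
    ],
}

# Constructed OpenLDAP group entries: groupOfNames objects listing their
# members in 'member'; the users carry no memberOf, so groups must be searched.
OPENLDAP_GROUPS = [
    {
        "dn": "cn=rol_webadmin,ou=roles,ou=groups,dc=example,dc=org",
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=alice,ou=volunteers,dc=example,dc=org"],
    },
    {
        "dn": "cn=rol_editor,ou=roles,ou=groups,dc=example,dc=org",
        "objectclass": ["top", "groupOfNames"],
        "member": [
            "uid=alice,ou=volunteers,dc=example,dc=org",
            "uid=bob,ou=volunteers,dc=example,dc=org",
        ],
    },
]


def normalize_dn(dn):
    """DNs are case-insensitive and may carry spaces after commas; comparing
    them raw is a classic source of 'not authorized' for a valid member."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_from_memberof(user_entry):
    """AD route: read group DNs straight from the user's 'memberof'."""
    return {normalize_dn(dn) for dn in user_entry.get("memberof", [])}


def groups_from_member_search(group_entries, user_dn, group_object_class="group"):
    """Search route: emulate (&(objectClass=<cls>)(member=<userDN>)) under
    groupbasedn. 'group' is the AD class; OpenLDAP needs 'groupOfNames'."""
    wanted = group_object_class.lower()
    user = normalize_dn(user_dn)
    found = set()
    for entry in group_entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        members = {normalize_dn(m) for m in entry.get("member", [])}
        if wanted in classes and user in members:
            found.add(normalize_dn(entry["dn"]))
    return found


def check_required(user_groups, required):
    """Assumed 'required' semantics: the user must be in every listed group.
    Returns (authorized, missing_groups) so a rejection is explainable."""
    missing = [dn for dn in required if normalize_dn(dn) not in user_groups]
    return (not missing, missing)


def object_classes_present(group_entries):
    """Diagnostic: which objectClass values actually live under groupbasedn,
    so a mismatch with the configured class is visible before touching code."""
    return sorted({c for e in group_entries for c in e.get("objectclass", [])})


if __name__ == "__main__":
    alice = "uid=alice,ou=volunteers,dc=example,dc=org"
    rule = ["cn=rol_webadmin,ou=roles,ou=groups,dc=example,dc=org"]

    # Default class 'group': no groups are found, so alice is wrongly rejected.
    print(check_required(groups_from_member_search(OPENLDAP_GROUPS, alice), rule))
    # With the group class set to groupOfNames the same user passes.
    print(check_required(
        groups_from_member_search(OPENLDAP_GROUPS, alice, "groupOfNames"), rule))
    print(object_classes_present(OPENLDAP_GROUPS))
```

Running the block prints a rejection with the missing group listed, then an acceptance once the group class matches what the directory actually holds; object_classes_present is the check to run first when a group rule fails, since it shows whether the configured class exists under groupbasedn at all.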
