Topic on Extension talk:LDAPAuthorization

authorization by group not working (User XXXX not authorized)

13 comments • 12:57, 20 April 2023 1 year ago

13

Awatkins1966 (talkcontribs)

Battling with these extensions and have got Authorization to work, but when I try to restrict by group it fail. Looking at function makeGroupRequirements the ldapUserGroups has no values.

$ldapUserGroups = $this->ldapClient->getUserGroups( $username );

$username equals "andrew" and looking at debug output the memberof has been read.

[MediaWiki\Extension\LDAPProvider\Client] MediaWiki\Extension\LDAPProvider\Client::getUserDN: search with array (

'base' => 'dc=dcs,dc=bbk,dc=ac,dc=uk',

'filter' => '(samaccountname=andrew)',

'attributes' =>

array (

0 => '*',

1 => 'memberof',

),

)

....

10 => 'usncreated',

'memberof' =>

array (

'count' => 7,

0 => 'CN=xxx1,DC=dcs,DC=bbk,DC=ac,DC=uk',

1 => 'CN=xxx2,DC=dcs,DC=bbk,DC=ac,DC=uk',

2 => 'CN=xxx3,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',

3 => 'CN=xxx4,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',

4 => 'CN=xxx5,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',

5 => 'CN=xxx6,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk',

6 => 'CN=xxx7,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk',

),

11 => 'memberof',

'usnchanged' =>

array (

'count' => 1,

Any ideas?

Reply Edited 10:51, 10 July 2019 5 years ago

Osnard (talkcontribs)

Maybe you need to set <code>"MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"</code> in you domain config under "connection/grouprequest". See Extension:LDAPProvider#Domain_config_settings

Reply 12:25, 18 July 2019 5 years ago

Awatkins1966 (talkcontribs)

@Osnard GREAT!!! That worked.

Reply 15:07, 19 July 2019 5 years ago

213.124.137.250 (talkcontribs)

I have this problem with OpenLDAP and "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory" - The group I want to search is a 'groupOfNames'

Without the authorization plugin enabled I can log in.

The config in a json file: {

       "LDAP": {
               "connection": {
                       "server": "XXX",
                       "user": "cn=docswiki_ro,ou=serviceaccounts,dc=XXX",
                       "pass": "",
                       "basedn": "XXX",
                       "groupbasedn": "ou=roles,ou=groups,dc=XXX",
                       "userbasedn": "ou=volunteers,dc=XXX",
                       "searchattribute": "uid",
                       "searchstring": "uid=USER-NAME,ou=volunteers,dc=XXX",
                       "usernameattribute": "uid",
                       "realnameattribute": "cn",
                       "emailattribute": "mail",
                       "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
               },
               "authorization": {
                       "rules": {
                               "groups": {
                                       "required": [
                                               "cn=rol_webadmin,ou=roles,ou=groups,dc=XXX"
                                       ]
                               }
                       }
               }
       }

}

Reply 20:56, 6 October 2019 5 years ago

Osnard (talkcontribs)

You may need to "hack" that code line until I can introduce a proper configuration variable: https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/5c4546b8cb1f9890c3063f0bf073793e66563c01/src/UserGroupsRequest/GroupMember.php#L31

Alternatively you can implement a `UserGroupsRequest` class yourself and contribute it.

Reply 08:44, 7 October 2019 5 years ago

87.251.43.211 (talkcontribs)

I think I see the problem. I'm using an objectclass 'groupofnames' (in openldap) but the code you added only checks for a 'group.' When I have time I'll change that in the code and see if it works.

Reply 08:35, 8 October 2019 5 years ago