Jump to content

Topic on Talk:LDAP hub/Migration from extension LDAPAuthentication

Invalid credentials

8 comments • 07:00, 9 March 2020 4 years ago
8
213.138.74.76 (talkcontribs)

Hey guys, i've just migrated but there is a trouble now.

I recieve a "Could not authenticate credentials against domain "domain"" error.

My config is here:

wfLoadExtension( 'PluggableAuth' );

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );


$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;


$LDAPProviderDomainConfigProvider = function() {

   $config = [

       'domain => [

           'connection' => [

               "server" => "domain.com",

               "user" => "domaincom\\user",

               "pass" => 'Password02', //no binding error

               "options" => [

                   "LDAP_OPT_DEREF" => 1

               ],

               "basedn" => "DC=domain,DC=com",

               "groupbasedn" => "DC=domain,DC=com",

               "userbasedn" => "DC=domain,DC=com",

               "searchattribute" => "sAMAccountName",

               "searchstring" => "sAMAccountName=USER-NAME,DC=domain,DC=com",

//if i change to domaincom\\USER-NAME i'll recieve (PluggableAuthPrimaryAuthenticationProvider returned an invalid username:) error

               "usernameattribute" => "sAMAccountName",

               "realnameattribute" => "cn",

               "emailattribute" => "mail"

           ]

       ]

   ];

   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );

};

$LDAPAuthentication2AllowLocalLogin=true;

$wgShowExceptionDetails = true;


Pls, help me to catch the tail of this problem.


Thanks in advance.

Reply 10:53, 1 August 2019 5 years ago
213.138.74.76 (talkcontribs)

Update: php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain domain --username SomeUser works properly

Reply 13:07, 1 August 2019 5 years ago
Osnard (talkcontribs)

Have you also tried extensions/LDAPProvider/maintenance/CheckLogin.php --domain domain --username SomeUser?

Reply 14:02, 1 August 2019 5 years ago
109.165.87.163 (talkcontribs)

Yes.

If i change "searchstring" => "sAMAccountName=USER-NAME,DC=domain,DC=com to domaincom\\USER-NAME

php extensions/LDAPProvider/maintenance/CheckLogin.php --domain domaincom --username user

Auth is OK


But then i try auth in usual way, i receive another error:


[568043a6f699c2aa8ba284f2] /mediawiki/index.php?title=%D0%A1%D0%BB%D1%83%D0%B6%D0%B5%D0%B1%D0%BD%D0%B0%D1%8F:%D0%92%D1%85%D0%BE%D0%B4&returnto=%D0%97%D0%B0%D0%B3%D0%BB%D0%B0%D0%B2%D0%BD%D0%B0%D1%8F+%D1%81%D1%82%D1%80%D0%B0%D0%BD%D0%B8%D1%86%D0%B0 DomainException from line 612 of /var/lib/mediawiki/includes/auth/AuthManager.php: PluggableAuthPrimaryAuthenticationProvider returned an invalid username:

Backtrace:

#0 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(355): MediaWiki\Auth\AuthManager->continueAuthentication(array)

#1 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(482): AuthManagerSpecialPage->performAuthenticationStep(string, array)

#2 /var/lib/mediawiki/includes/htmlform/HTMLForm.php(660): AuthManagerSpecialPage->handleFormSubmit(array, VFormHTMLForm)

#3 /var/lib/mediawiki/includes/specialpage/AuthManagerSpecialPage.php(416): HTMLForm->trySubmit()

#4 /var/lib/mediawiki/includes/specialpage/LoginSignupSpecialPage.php(316): AuthManagerSpecialPage->trySubmit()

#5 /var/lib/mediawiki/includes/specialpage/SpecialPage.php(565): LoginSignupSpecialPage->execute(NULL)

#6 /var/lib/mediawiki/includes/specialpage/SpecialPageFactory.php(568): SpecialPage->run(NULL)

#7 /var/lib/mediawiki/includes/MediaWiki.php(288): SpecialPageFactory::executePath(Title, RequestContext)

#8 /var/lib/mediawiki/includes/MediaWiki.php(861): MediaWiki->performRequest()

#9 /var/lib/mediawiki/includes/MediaWiki.php(524): MediaWiki->main()

#10 /var/lib/mediawiki/index.php(42): MediaWiki->run()

#11 {main}

Reply 15:39, 1 August 2019 5 years ago
Osnard (talkcontribs)

It looks like the "usernameattribute" is not "sAMAccountName". Be careful, the configured attribute name is case sensitive. Can you try to set "samaccountname".

You can use php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser to see exactly what the application sees.

Reply 06:04, 2 August 2019 5 years ago
213.138.74.76 (talkcontribs)

Thanks! That is a solution.

Reply 06:18, 2 August 2019 5 years ago
177.95.128.116 (talkcontribs)

Thanks a lot for all the talk here, just solved my problem following this thread. It seems the "sAMAccountName" and " domaincom\\USER-NAME" should be the default or example configuration for these plugins, it should probably be on their pages.

Reply 17:48, 5 March 2020 4 years ago
Osnard (talkcontribs)
Reply 07:00, 9 March 2020 4 years ago
Reply to "Invalid credentials"
Retrieved from "https://www.mediawiki.org/wiki/Topic:V4kz5zw2ibzxated"