Jump to content

Topic on Extension talk:LdapAuth

Freeipa Authtication errors

3
Deathhampsterx (talkcontribs)

I have Mediawiki 1.31 installed on Centos 7 as well as the latest version of FreeIPA on another Centos7 machine. I've tried joining Mediawiki to the FreeIPA domain with LdapAuth, but keep getting errors in the mediawiki logs when trying to log into Mediawiki with an LDAP account:


[authentication] Attempting to bind to LDAP for search with DN "uid=mediawiki,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=com@DOMAIN.COM".

[authentication] Bound successfully.

[authentication] Incorrect username or password entered.


I know the username and password listed in my config is correct but I keep seeing this error: Here's my config in LocalSettings.php


wfLoadExtension( 'LdapAuth' );

$wgLdapAuthDomainNames = ['DOMAIN.COM'];

$wgLdapAuthServers = 'FREEIPA_server1, FREEIPA_server2';

$wgLdapAuthBindDN = 'uid=mediawiki,cn=sysaccounts,cn=etc,dc=DOMAIN,dc=com';

$wgLdapAuthBindPass = 'PASSWORD';

$wgLdapAuthUseLocal = true;


I also set up the FreeIPA client on the mediawiki machine and can ssh to it with LDAP accounts no problem.


Any thoughts?

TrixTri (talkcontribs)

Yes, your config is wrong ( I know its not your fault as you followed the instructions on the main page)


Copy my entire config in the post 'Mediawiki 1.33' keeping the same format which is quite different to what you are using.

One thing you can modify is the search filter, mine will only allow users in a particular group, if you want to allow all users change the line to

$wgLdapAuthSearchFilter = ['domain' => '(&(objectClass=user)(sAMAccountName=%1$s))'];

Deathhampsterx (talkcontribs)

Thanks for the info, however, it doesn't like the arrays. I tried your config after removing the AD stuff because FreeIPA has no sAMAccountName object class. I get this Error:

preg_split() expects parameter 2 to be string, array given in /var/www/mediawiki-1.31.5/extensions/LdapAuth/src/Hooks/Config.php on line 154.

config:

wfLoadExtension( 'LdapAuth' );

$wgGroupPermissions['*'] ['autocreateaccount'] = true;

$wgLdapAuthDomainNames = ['DOMAIN.com'];

$wgLdapAuthServers = ['DOMAIN.com' => [‘SERVER1.DOMAIN.com', ‘SERVER2.DOMAIN.com']];

$wgLdapAuthBindDN = [ 'DOMAIN.com' => 'uid=mediawiki,cn=users,cn=accounts,dc=DOMAIN,dc=com'];

$wgLdapAuthBindPass = ['DOMAIN.com' => ‘PASSWORD’];

$wgLdapAuthEncryptionType = ['DOMAIN.com' => 'none'];

#$wgLdapAuthSearchFilter = ['DOMAIN.com' => '(&(objectClass=user)(sAMAccountName=%1$s)(memberof=CN=GRP - WikiUsers,OU=Groups,DC=DOMAIN,DC=com))'];

$wgLdapAuthSearchFilter = '(&(objectClass=user)(displayName=%1$s))';

$wgLdapAuthBaseDN = ['DOMAIN.com' => 'DC=DOMAIN,DC=com'];

#$wgLdapAuthIsActiveDirectory = true;

#$wgLdapAuthUsernameField = ['DOMAIN.com' => 'sAMAccountName'];

$wgLdapAuthSearchTree = ['DOMAIN.com' => true];

$wgLdapAuthMapGroups = ['DOMAIN.com' => []];


If I remove all the arrays, the errors go away, but then I'm back at my previous issue where it rejects like my mediawiki service account. I know the account works, because I've used it successfully with other things.

I also get the same results no matter what the searchfilter is set to.

thanks for the help, it would be nice to get this working with FreeIPA, but I can always go back to using Extension:LDAP Authentication





Reply to "Freeipa Authtication errors"