Jump to content

Topic on Talk:LDAP hub/Migration from extension LDAPAuthentication

could not authenticate credentials against domain

6 comments • 12:03, 9 January 2020 4 years ago
6
Shertster (talkcontribs)

Hi all,

I migrated recently from mediawiki 1.32 to 1.34 and so I was forced to change from LDAPAuthentication to LDAPHub, my version and configuration are :

MediaWiki 1.34.0
PHP 7.3.11-1~deb10u1 (fpm-fcgi)
MariaDB 10.3.21-MariaDB-1:10.3.21+maria~buster-log
ICU 63.1

Plugins :

PluggableAuth : 5.7

LDAPAuthentication2 : 1.0.1

LDAPProvider : 1.0.1

LDAPAuthorization : 1.0.0


#### new ldap conf

wfLoadExtension( 'LDAPProvider' );

$LDAPProviderDomainConfigs = "extensions/LDAPProvider/ldapprovider.json";

wfLoadExtension( 'PluggableAuth' );

$wgPluggableAuth_EnableLocalLogin = true;

$wgGroupPermissions['user']['autocreateaccount'] = true;

$wgGroupPermissions['user']['createaccount'] = true;

wfLoadExtension( 'LDAPAuthorization' );

wfLoadExtension( 'LDAPAuthentication2' );

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$LDAPAuthentication2AllowLocalLogin = true;


the json is :


{

    "localdomain.tld": {

            "connection": {

                "server": "ldap.localdomain.tld",

                "options": {

                          "LDAP_OPT_DEREF": 1

                },

                "port": 389,

                "enctype": "tls",

                "basedn": "dc=localdomain,dc=tld",

                "userbasedn": "ou=people,dc=localdomain,dc=tld",

                "searchattribute": "uid",

                "usernameattribute": "uid",

                "realnameattribute": "cn",

                "emailattribute": "mail",

                "searchstring": "ou=people,uid=USER-NAME,dc=localdomain,dc=tld",

                "groupbasedn": "ou=group,dc=localdomain,dc=tld",

                "groupobjectclass": "posixgroup",

                "groupattribute": "memberuid",

                "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"

            },

            "authorization": {

                "rules": {

                    "groups": {

                        "required": [

                            "cn=tsism,ou=group,dc=localdomain,dc=tld"

                        ]

                    }

                }

            }

        }

}


when I try to login using the web form I get :


"Could not authenticate credentials against domain "localdomain.tld"


If I use ShowUserInfo.php utility I get correct information, but CheckLogin.php fails,

do you have a suggestion on how to cehck/debug this issue ?

I guess it's something wrong my configuration, but I dont' understand how to start the

troubleshoot.


thank you


M.

Reply 13:31, 3 January 2020 4 years ago
Osnard (talkcontribs)

Is there any information in the debugging logs? You can enable them as described here.

Does your LDAP allow this particular user to bind? You can test on Linux by using ldapsearch (https://serverfault.com/a/514873).

Reply 15:08, 7 January 2020 4 years ago
Shertster (talkcontribs)

Thank You Osnard, I realyl don't know how I missed that part, after enablingthe debug on the ldap part we were able to fix the authentication problem, the searchstring order needed t obe fixed from

"searchstring": "ou=people,uid=USER-NAME,dc=localdomain,dc=tld"


to


"searchstring": "uid=USER-NAME,ou=people,dc=localdomain,dc=tld"


basically uid and ou where in wrong position preventing the bind to work.


Now the login with plugagbleauth returns "Fatal exception of type "DomainException""


in the debug I found :


[error] [7ab5c01906e24316bf5102cf] /index.php?title=Special:PluggableAuthLogin   ErrorException from line 39 of /mnt/data/mediawiki/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php: PHP Notice: Array to string conversion

#0 /mnt/data/mediawiki/mediawiki-1.34.0/extensions/PluggableAuth/includes/PluggableAuthLogin.php(39): MWExceptionHandler::handleError(integer, string, string, integer, array)


in the debug for the plugi neveything seems ok :


2020-01-08 10:57:45 wiki mediawiki-wk_: Authenticated new user: Array

2020-01-08 10:57:45 wiki mediawiki-wk_: User is authorized.


I wonder if the presence of a picture in the Ldap can give probelms,

(we have an attribute called jpegphoto and the picture is shown as binary data in

the debug and using ShowUserInfo.php)


M.


Reply 11:02, 8 January 2020 4 years ago
Osnard (talkcontribs)

It looks like $username provided by LDAPAuthentication2 was an array instead of a string. This is very stange. Can you share the output of ShowUserInfo.php? Please strip any sensitive information any binary data. The field "uid" is of special interest.

I don't think that the binary-data from the jpeg is an issue.

Reply 06:56, 9 January 2020 4 years ago
Shertster (talkcontribs)

Hi ,

I found the probelm , some users were defined in a strange way , they had two uid attributes.

this was made to create some sort of "alias" mechanism, once I deleted the extra uid attribute

all worked as expected.


Sorry for the chaos


M.

Reply 10:57, 9 January 2020 4 years ago
Osnard (talkcontribs)

Good to hear! Thanks for the feedback!

Reply 12:03, 9 January 2020 4 years ago
Reply to "could not authenticate credentials against domain"
Retrieved from "https://www.mediawiki.org/wiki/Topic:Ve6i1dffauw5bg68"