
Topic on Extension talk:LDAPGroups

Dimassc (talkcontribs)

I'm migrating from the old LdapAuthentication extension to the new "LDAP hub" stack (PluggableAuth + LDAPProvider + LDAPAuthentication2 + LDAPAuthorization + LDAPGroups). Login against LDAP works and I can restrict who may log in by LDAP group, but I cannot get LDAPGroups to sync LDAP groups into local wiki groups. In the old installation I used $wgGroupPermissions to grant rights depending on LDAP group membership, and I'd like to do the same here.


After logging in, the groups section of Special:Preferences lists only "Users" and "Authenticated users" — no group derived from LDAP appears.


In my LDAP schema every group entry carries a memberUid attribute that lists the group's members by bare uid (not by full DN).


php wikiutic/extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username 40447118p

homedirectory => /home/h416udim

sambasid => S-1-5-21-4066546031-2994049288-1383288855-21844

uid => 40447118P

uidnumber => 10422

loginshell => /bin/bash

sambahomepath => \\svrfit\usuaris\h416udim

employeenumber => 40447118

mobile => a41c0a76a958ae045ed19cda402e9fef

objectclass =>

  0 => top

  1 => person

  2 => posixAccount

  3 => sambaSamAccount

  4 => inetOrgPerson

  sambapwdcanchange => 2074348956

  sambapwdmustchange => 0

  sambantpassword => [REDACTED — the original paste contained the 32-hex-character value of this attribute. sambaNTPassword is the NT (NTLM) password hash and is directly usable for pass-the-hash against the Samba domain, so it must never be posted publicly. That ShowUserInfo.php could read it at all, with no bind user/pass set in the 'connection' block below, also suggests the directory ACL lets a default/anonymous bind read password attributes — worth fixing on the LDAP server regardless of the wiki question.]

  sambapasswordhistory => 0000000000000000000000000000000000000000000000000000000000000000

  userpassword => {password}

  sambapwdlastset => 2581923686

  sambaprimarygroupsid => S-1-5-21-4066546031-2994049288-1383288855-21181

  gecos => Joan Test Name

  gidnumber => 10090

  sambalogonscript => scripts\logon.bat

  carlicense => 11709000

  telephonenumber => 1234

  mail => jtest.girona.ics@gencat.cat

  givenname => Joan

  description => Test

  sn => Test Name

  cn => Joan Test Name

  displayname => Joan Test Name

  departmentnumber => P40447118

  destinationindicator => uid=40447118P,ou=Users,dc=htrueta,dc=intranet

  sambaacctflags => [U]

  dn => uid=40447118P,ou=Users,dc=htrueta,dc=intranet


LocalSettings.php

# LDAP authentication: PluggableAuth plus the "LDAP hub" extensions that replace the legacy LdapAuthentication extension
wfLoadExtensions( [
   'PluggableAuth', // base authentication framework
   'LDAPProvider', // base: LDAP connection and per-domain configuration
   'LDAPAuthentication2', // base: authenticates wiki logins against LDAP
   'LDAPAuthorization', // restricts who may log in, by LDAP group (see the 'authorization' rules in the domain config)
   'LDAPGroups' // syncs LDAP groups into local wiki groups
] );
// $wgPluggableAuth_EnableAutoLogin = true; /* if enabled, the logout option is effectively disabled */
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = "Inicia sessió";
// The typed username is normalized with strtoupper. The directory stores the uid upper-case
// (uid => 40447118P in the ShowUserInfo output above) while the login was typed lower-case.
// NOTE(review): the memberUid values in the group entries must match the case the group
// lookup uses, otherwise membership will not resolve — check with ShowUserGroups.php.
$LDAPAuthentication2UsernameNormalizer = 'strtoupper'; // strtolower does not work (presumably because MediaWiki upper-cases the first character of user names — not confirmed here)
// NOTE(review): this permits a local-password fallback even though
// $wgPluggableAuth_EnableLocalLogin is false above. The two settings belong to different
// extensions; verify which one actually governs local login in this stack before relying
// on local login being disabled.
$LDAPAuthentication2AllowLocalLogin = true;
// NOTE(review): $wgLDAPUseLocal is a setting of the legacy LdapAuthentication extension, which
// is no longer loaded above; it most likely has no effect here and can go once the migration is done.
$wgLDAPUseLocal = false; // allow local wiki authentication. Check that it is not overridden in LdapAuthentication.php

// Inline domain configuration for LDAPProvider. One domain, "LDAP", with three sections:
// 'connection' (how to reach the directory and where users/groups live),
// 'authorization' (LDAPAuthorization login rules) and 'groupsync' (LDAPGroups).
$LDAPProviderDomainConfigProvider = function() {
   $config = [
       'LDAP' => [
           'connection' => [
               "server" => "golum.trueta.intranet",
               // NOTE(review): 'clear' is plain LDAP with no transport encryption. Every user's
               // password travels to the directory unencrypted on each login, and so do the
               // attributes read back. Switch to 'tls' (STARTTLS) or 'ssl' (LDAPS) if the server
               // supports it.
               "enctype" => 'clear',
               // NOTE(review): no bind 'user'/'pass' is set, so lookups presumably bind with the
               // directory's default (anonymous) identity. ShowUserInfo.php nevertheless returned
               // sambaNTPassword / sambaPasswordHistory, which points at an over-permissive
               // directory ACL — verify on the LDAP server.
               "basedn" => "dc=htrueta,dc=intranet",
               "userbasedn" => "dc=htrueta,dc=intranet", // could be narrowed to ou=Users,dc=htrueta,dc=intranet
               // USER-NAME is presumably replaced by the normalized login name to build the user's DN.
               "searchstring" => "uid=USER-NAME,ou=Users,dc=htrueta,dc=intranet",
               "searchattribute" => "uid",
               "usernameattribute" => "uid",
               "realnameattribute" => "cn",
               "emailattribute" => "mail",
               "groupbasedn" => "dc=htrueta,dc=intranet", // could be narrowed to ou=Groups,dc=htrueta,dc=intranet
               // Groups are posixGroup entries whose memberUid lists members by bare uid (not DN),
               // hence the Configurable group request with memberuid as the membership attribute.
               "groupattribute" => "memberuid",
               "groupobjectclass" => "posixgroup",
               "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
           ],
           'authorization' => [
               'rules' => [
                   'groups' => [
                       // NOTE(review): confirm whether 'required' means "member of ALL listed
                       // groups" or "member of ANY of them" in the installed LDAPAuthorization
                       // version; with seven groups listed the two readings admit very different
                       // sets of users, and only one of them matches the intent of a login allow-list.
                       'required' => [ "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=wikiUtic,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=wikiUticLectura,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=lt2b,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=lt1,ou=Groups,dc=htrueta,dc=intranet",
                                       "cn=lt15,ou=Groups,dc=htrueta,dc=intranet"]
                   ]
               ]
           ],
           'groupsync' => [
               // NOTE(review): with "allgroups" the "mapping" array below is not consulted (as the
               // reply in this thread points out). Use "mapping" if only the two groups listed
               // there should become wiki groups.
               "mechanism" => "allgroups",
               "mapping" => [
                   "s103" => "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                   "Domain admins" => "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet"
               ],
               // NOTE(review): these look like the placeholder values from the extension docs.
               // Groups administered only in the wiki (e.g. sysop, bureaucrat) should be listed
               // here so the sync leaves them alone — confirm against the LDAPGroups documentation.
               "locally-managed" => [ "local", "wiki", "group", "names" ]
           ]
       ]
   ];
   return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Osnard (talkcontribs)

Please check what `php wikiutic/extensions/LDAPProvider/maintenance/ShowUserGroups.php --domain LDAP --username 40447118p` returns — that shows which LDAP groups the provider actually resolves for the user before any sync happens. Also be aware that `"mechanism" => "allgroups"` does not evaluate `"mapping"` at all; if you want the mapping applied you need `"mechanism" => "mapping"`.