I'm trying to migrate from the old LdapAuthentication extension to the new LDAP Hub extensions. I can now log in against LDAP and restrict access by group, but I can't get LDAPGroups to sync the LDAP groups with local groups. In the old installation I use $wgGroupPermissions to change permissions depending on LDAP groups, and I'd like to do the same here.
When I log in, the Special:Preferences page doesn't show any groups other than "Users" and "Authenticated users".
In my LDAP schema, every group has a memberUid attribute listing all the users of that group (only the uid, not the full DN).
php wikiutic/extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain LDAP --username 40447118p
homedirectory => /home/h416udim
sambasid => S-1-5-21-4066546031-2994049288-1383288855-21844
uid => 40447118P
uidnumber => 10422
loginshell => /bin/bash
sambahomepath => \\svrfit\usuaris\h416udim
employeenumber => 40447118
mobile => a41c0a76a958ae045ed19cda402e9fef
objectclass =>
0 => top
1 => person
2 => posixAccount
3 => sambaSamAccount
4 => inetOrgPerson
sambapwdcanchange => 2074348956
sambapwdmustchange => 0
sambantpassword => 2DA051AD5B1EF7B4864929ABC47C5DB9
sambapasswordhistory => 0000000000000000000000000000000000000000000000000000000000000000
userpassword => {password}
sambapwdlastset => 2581923686
sambaprimarygroupsid => S-1-5-21-4066546031-2994049288-1383288855-21181
gecos => Joan Test Name
gidnumber => 10090
sambalogonscript => scripts\logon.bat
carlicense => 11709000
telephonenumber => 1234
mail => jtest.girona.ics@gencat.cat
givenname => Joan
description => Test
sn => Test Name
cn => Joan Test Name
displayname => Joan Test Name
departmentnumber => P40447118
destinationindicator => uid=40447118P,ou=Users,dc=htrueta,dc=intranet
sambaacctflags => [U]
dn => uid=40447118P,ou=Users,dc=htrueta,dc=intranet
LocalSettings.php
# LDAP authentication: load the extension stack and set the login options.
wfLoadExtensions( [
    'PluggableAuth',       // base authentication
    'LDAPProvider',        // base authentication
    'LDAPAuthentication2', // base authentication
    'LDAPAuthorization',   // restricts access by group
    'LDAPGroups',          // syncs LDAP groups with local ones
] );

// Left commented out by the author: enabling it disables the logout option.
// $wgPluggableAuth_EnableAutoLogin = true;
$wgPluggableAuth_EnableLocalLogin = false;
$wgPluggableAuth_ButtonLabel = 'Inicia sessió';

// Name of the callback used to normalize usernames; the author notes that
// strtolower does not work in this setup.
$LDAPAuthentication2UsernameNormalizer = 'strtoupper';

// NOTE(review): local login is allowed here while
// $wgPluggableAuth_EnableLocalLogin above is false. Confirm which of the two
// is intended, so that no unexpected local-password path stays open.
$LDAPAuthentication2AllowLocalLogin = true;

// Author's note: allow local wiki authentication; check that the value is not
// overridden in LdapAuthentication.php.
// NOTE(review): this looks like a setting of the old LdapAuthentication
// extension and is presumably not read by the extensions loaded above. Confirm
// and drop it after the migration.
$wgLDAPUseLocal = false;
// Supplies the configuration of the single domain "LDAP" (connection,
// authorization rules and group sync) as an inline PHP array.
$LDAPProviderDomainConfigProvider = function () {
    // Directory connection and lookup settings.
    $connection = [
        "server" => "golum.trueta.intranet",
        // NOTE(review): 'clear' presumably means no TLS/SSL on the LDAP
        // connection, so bind credentials would cross the network
        // unencrypted. Prefer an encrypted mode if the server supports one.
        "enctype" => 'clear',
        "basedn" => "dc=htrueta,dc=intranet",
        // Author's alternative, as written: u=Users,dc=htrueta,dc=intranet
        // (presumably ou=Users; confirm before narrowing the base DN).
        "userbasedn" => "dc=htrueta,dc=intranet",
        "searchstring" => "uid=USER-NAME,ou=Users,dc=htrueta,dc=intranet",
        "searchattribute" => "uid",
        "usernameattribute" => "uid",
        "realnameattribute" => "cn",
        "emailattribute" => "mail",
        // Author's alternative: ou=Groups,dc=htrueta,dc=intranet
        "groupbasedn" => "dc=htrueta,dc=intranet",
        // NOTE(review): per the post, memberUid holds bare uids rather than
        // DNs. Verify that the configured group request matches groups on
        // the uid and not on the user's DN, otherwise no groups are returned.
        "groupattribute" => "memberuid",
        "groupobjectclass" => "posixgroup",
        "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory"
    ];

    // Login is restricted by membership in the groups listed below.
    $authorization = [
        'rules' => [
            'groups' => [
                'required' => [
                    "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet",
                    "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
                    "cn=wikiUtic,ou=Groups,dc=htrueta,dc=intranet",
                    "cn=wikiUticLectura,ou=Groups,dc=htrueta,dc=intranet",
                    "cn=lt2b,ou=Groups,dc=htrueta,dc=intranet",
                    "cn=lt1,ou=Groups,dc=htrueta,dc=intranet",
                    "cn=lt15,ou=Groups,dc=htrueta,dc=intranet"
                ]
            ]
        ]
    ];

    // NOTE(review): "mapping" is set although the mechanism is "allgroups".
    // Presumably the mapping is only read by a mapping-based mechanism, so
    // confirm against the LDAPGroups documentation which keys this mechanism
    // honours. The "locally-managed" values look like placeholders copied
    // from an example. Replace them with the real names of the wiki groups
    // that must stay under local control, so that group sync cannot grant or
    // revoke privileged groups unintentionally.
    $groupSync = [
        "mechanism" => "allgroups",
        "mapping" => [
            "s103" => "cn=s103,ou=Groups,dc=htrueta,dc=intranet",
            "Domain admins" => "cn=Domain Admins,ou=Groups,dc=htrueta,dc=intranet"
        ],
        "locally-managed" => [ "local", "wiki", "group", "names" ]
    ];

    $domains = [
        'LDAP' => [
            'connection' => $connection,
            'authorization' => $authorization,
            'groupsync' => $groupSync
        ]
    ];

    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $domains );
};