
Topic on Talk:LDAP hub/Migration from extension LDAPAuthentication

My connexion to LDAP server doesn't seem to work

Amaury Palao (talkcontribs)

Hi,

I am new to MediaWiki, and I am trying to use accounts from an LDAP server to enter my wiki. However, whenever I try a connection, the site gives me this:

There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form.


These are the settings I added to my LocalSettings.php; I have censored the sensitive information with *:


$wgDebugDumpSql = true;
$wgShowExceptionDetails = true;
$wgShowSQLErrors = true;
$wgShowDBErrorBacktrace = true;

$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['mediawiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPGroups'] =
$wgDebugLogGroups['LDAPUserInfo'] =
$wgDebugLogGroups['LDAPAuthentication2'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['Reader']['createaccount'] = false;
$wgGroupPermissions['Reader']['read'] = true;
$wgGroupPermissions['Reader']['edit'] = false;
$wgGroupPermissions['Writer']['createaccount'] = false;
$wgGroupPermissions['Writer']['read'] = true;
$wgGroupPermissions['Writer']['edit'] = true;

wfLoadExtensions( [
        'PluggableAuth',
        'Auth_remoteuser',
        'LDAPProvider',
        'LDAPAuthentication2',
        'LDAPAuthorization',
        'LDAPUserInfo'
] );

#$wgSessionCacheType = 'session-cache';
#$wgObjectCaches['session-cache'] = [ 'factory' => 'ObjectCache::newAnything', 'keyspace' => 'shared-session' ];

$LDAPAuthorizationAutoAuthRemoteUserStringParser = 'domain-backslash-username';
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthentication2AllowLocalLogin = true;
$wgAuthRemoteuserAllowUserSwitch = true;
#$wgPluggableAuth_EnableLocalLogin = true;
#$LDAPProviderDomainConfigs = "$IP/extensions/LDAPProvider/docs/ldapprovider.json";

$wgAuthRemoteuserUserName = function() {
        $user = '';
        if( isset( $_SERVER[ 'REMOTE_USER' ] ) ) {
                $user = strtolower( $_SERVER[ 'REMOTE_USER' ] );
        }
        return $user;
};

$LDAPProviderDomainConfigProvider = function() {
        $config = [
                'nrcanLDAP' => [
                        'connection' => [
                                "server" => "*****************",
                                "options" => [
                                        "LDAP_OPT_DEREF" => 1
                                ],
                                "basedn" => "dc=**,dc=**,dc=**,dc=**",
                                "groupbasedn" => "dc=**,dc=**,dc=**,dc=**",
                                "userbasedn" => "dc=**,dc=**,dc=**,dc=**",
                                "searchattribute" => "***",
                                #"usernameattribute" => "uid",
                                #"realnameattribute" => "fullname",
                                #"emailattribute" => "mail",
                                "grouprequest" => "mediawiki\\Extension\\LDAPProvider\\src\\UserGroupsRequest\\GroupMember::factory"
                        ],
                        'authorization' => [
                                'rules' => [
                                        'groups' => [
                                                'required' => [
                                                        'dc=**,dc=**,dc=**,dc=**'
                                                ]
                                        ]
                                ]
                        ],
                        'userinfo' => [
                                'attributes-map' => [
                                        'email' => 'mail',
                                        'realname' => 'fullname'
                                ]
                        ]
                ]
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Osnard (talkcontribs)

Can you please give additional information about your environment? E.g. software versions. Have you tried debugging? Can you please share the results?

Amaury Palao (talkcontribs)

I have tried to debug, but I didn't find the log file.

Here are the details of the environment:


| Product | Version |
|---|---|
| MediaWiki | 1.34.2 |
| PHP | 7.2.24-0ubuntu0.18.04.6 (apache2handler) |
| MariaDB | 10.1.44-MariaDB-0ubuntu0.18.04.1 |
| ICU | 60.2 |

| Extension | Version | License | Description | Authors |
|---|---|---|---|---|
| Auth_remoteuser | 2.1.1 (4079f81) 18:07, 11 November 2019 | GPL-2.0-or-later | Automatically logs-in users using the REMOTE_USER environment variable | Otheus Shelling, Rusty Burchfield, James Kinsman, Daniel Thomas, Ian Ward Comfort, Mark A. Hershberger and Stefan Engelhardt |
| LDAPAuthentication2 | 1.0.1 (370d143) 23:28, 3 September 2020 | GPL-2.0 | Allows authentication against a LDAP resource | Cindy Cicalese, Mark A. Hershberger and Robert Vogel |
| LDAPAuthorization | 1.1.0 (fc0c8cb) 03:15, 14 September 2020 | GPL-2.0 | Restrict login based on specified LDAP values | Cindy Cicalese, Mark A. Hershberger and Robert Vogel |
| LDAPProvider | 1.0.5 (dbcb18e) 23:38, 3 September 2020 | GPL-2.0+ | Provides a common infratructure to connect to a LDAP resource and run queries against it | Cindy Cicalese, Mark A. Hershberger and Robert Vogel |
| LDAPUserInfo | 1.0.0 (39cca83) 23:58, 9 July 2020 | GPL-2.0 | Allows to synchronize user information and preferences with a LDAP resource | Cindy Cicalese, Mark A. Hershberger and Robert Vogel |
| Lockdown | – (95cdc71) 07:27, 14 March 2020 | GPL-2.0-or-later | Per namespace group permissions | Daniel Kinzler, Platonides, Mark A. Hershberger and others |
| PluggableAuth | 5.7 (17fb1ea) 04:20, 13 September 2019 | MIT | Provides framework for pluggable authentication and authorization | Cindy Cicalese |

Osnard (talkcontribs)

Try to save the debug log into "$IP/cache/LDAP.log" instead of "/tmp/LDAP.log".

Amaury Palao (talkcontribs)

I did; however, the file remains empty no matter what I do, but the error still remains.

Osnard (talkcontribs)

The message "There seems to be a problem with your login session; this action has been canceled as a precaution against session hijacking. Please resubmit the form." seems very unrelated to LDAP. Can you confirm it does not happen when LDAP extensions are disabled? For me this looks like your session storage mechanism has an issue in general, or your browser does not have cookies enabled.

Amaury Palao (talkcontribs)

I think I found a lead. It seems to be a problem of authentication with the hosting server of LDAP. I will keep you informed if I find any answer.

Osnard (talkcontribs)

Good luck and thanks for sharing!
