
Topic on Manual talk:Active Directory Integration

Unable to establish AD sync

Asterops (talkcontribs)

I've set up AD integration according to this manual in my private wiki, but after performing php maintenance/update.php and restarting httpd, in a new browser window in incognito mode at wiki.company.com/index.php/Special:UserLogin I see only

"The supplied credentials are not associated with any user on this wiki." without the option to type a user name or password.

My current configuration:

ldap.json:

{
    "company.local": {
        "connection": {
            "server": "dc.company.local",
            "port": "389",
            "user": "CN=mediawiki,CN=Users,DC=company,DC=local",
            "pass": "P@ssw0rd",
            "enctype": "clear",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=company,dc=local",
            "userbasedn": "dc=company,dc=local",
            "groupbasedn": "dc=company,dc=local",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
        },
        "userinfo": [],
        "authorization": [],
        "groupsync": {
            "mapping": {
                "admins": "CN=Domain Admins,CN=Users,DC=company,DC=local"
            }
        }
    }
}

LocalSettings.php:

[...]
// Treat only requests that appear to come from the local host as "safe".
// Note: HTTP_X_FORWARDED_FOR is client-supplied and is checked first, so this
// is only a reliable signal when a trusted proxy in front of httpd sets it.
$safeIPs = array('127.0.0.1', 'localhost');
$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
  if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3) {
    $wikiRequestIP = $_SERVER[$ipsVar];
    break;
  }
}
$wikiRequestSafe = (isset($wikiRequestIP) && in_array($wikiRequestIP, $safeIPs));
// sysop starts from the 'user' rights; only the rights granted below are added back.
$wgGroupPermissions['sysop'] = $wgGroupPermissions['user'];
$wgEmailConfirmToEdit = false;
// Anonymous users may neither read, edit nor create accounts; accounts are
// auto-created on first successful LDAP login.
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
// Load the LDAP stack only when a parseable ldap.json and LDAPProvider are present.
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("$IP/extensions/LDAPProvider")) {
  $testJson = @json_decode(file_get_contents($ldapJsonFile), true);
  if (is_array($testJson)) {
    $ldapConfig = true;
  } else {
    error_log("Found invalid JSON in file: $IP/ldap.json");
  }
}
if ($ldapConfig) {
  wfLoadExtension('PluggableAuth');
  wfLoadExtension('LDAPProvider');
  wfLoadExtension('LDAPAuthentication2');
  wfLoadExtension('LDAPAuthorization');
  wfLoadExtension('LDAPUserInfo');
  wfLoadExtension('LDAPGroups');
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Log In";
  $LDAPProviderDefaultDomain = "company.local";
  if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
  // The unconditional assignment below overrides the safe-IP check above:
  // local (non-LDAP) login ends up allowed for every request, not just localhost.
  $LDAPAuthentication2AllowLocalLogin = true;
}

(pretty much the same as the example in the manual)

I've ensured network connection (firewall, dns resolution).

I've enabled debugging in LocalSettings.php by adding $wgDebugLogFile = "$IP/debug.log";

Entering the login page creates almost 4k lines of code, so I share it via pastebin: https://phabricator.wikimedia.org/P28279

What else should I check?

Environment: PHP 7.4.6, Mediawiki 1.37.2, LDAP extensions stack: REL1_35

Asterops (talkcontribs)

If I execute php extensions/LDAPProvider/maintenance/ShowUserInfo.php -d company.local -u mediawiki I see output about the AD mediawiki bind user.

The ldap_domains table in the database is created, but it's empty.

Asterops (talkcontribs)

I've updated the LDAP extensions to 1_37 and now it works.
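The checks a practitioner would run before reaching the update above, as an added example that is not part of this thread or of the LDAP extensions: it parses a constructed ldap.json shaped like the one posted, confirms the domain named in $LDAPProviderDefaultDomain is present, flags the cleartext bind, and compares each extension's REL branch with the core version (the RELx_y branch naming and the 'tls'/'ssl' enctype values are assumed from the extensions' conventions).

```python
"""Preflight checks for a MediaWiki LDAPProvider setup (constructed example)."""
import json
import re

# Constructed ldap.json in the shape used above; placeholder bind password.
SAMPLE_LDAP_JSON = """{
  "company.local": {
    "connection": {
      "server": "dc.company.local", "port": "389", "enctype": "clear",
      "user": "CN=mediawiki,CN=Users,DC=company,DC=local", "pass": "<placeholder>",
      "basedn": "dc=company,dc=local", "searchattribute": "samaccountname"
    },
    "userinfo": [], "authorization": [], "groupsync": {"mapping": {}}
  }
}"""

def parse_ldap_json(text):
    """Decode ldap.json; a ValueError (incl. JSONDecodeError) means the file is unusable."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict) or not cfg:
        raise ValueError("ldap.json must be a non-empty JSON object keyed by domain")
    return cfg

def check_domain_config(cfg, default_domain):
    """Return (code, message) findings for the domain LocalSettings points at."""
    domain = cfg.get(default_domain)
    if domain is None:
        return [("missing-domain",
                 f"$LDAPProviderDefaultDomain={default_domain!r} has no entry in ldap.json")]
    findings = []
    conn = domain.get("connection", {})
    for key in ("server", "user", "pass", "basedn", "searchattribute"):
        if not conn.get(key):
            findings.append(("missing-key", f"connection.{key} is not set"))
    if conn.get("enctype", "clear") == "clear":  # bind and user passwords in the clear
        findings.append(("cleartext-bind",
                         "enctype 'clear': passwords cross the network unencrypted; "
                         "use 'tls' (StartTLS) or 'ssl' (LDAPS, port 636)"))
    return findings

def expected_branch(mw_version):
    """Extension branches follow core major.minor: MediaWiki 1.37.2 -> 'REL1_37'."""
    major, minor = re.match(r"(\d+)\.(\d+)", mw_version).groups()
    return f"REL{major}_{minor}"

def check_extension_branches(mw_version, branches):
    """Flag extensions checked out from a branch other than core's REL branch."""
    want = expected_branch(mw_version)
    return [("branch-mismatch", f"{name} is on {branch}; core {mw_version} expects {want}")
            for name, branch in branches.items() if branch != want]
```

Run it against the real file with parse_ldap_json(open(path).read()) and the branch names from each extension checkout; a branch-mismatch finding is the situation resolved in this thread.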
