
Topic on Extension talk:LDAPAuthorization

rules.group.required checks for IP address instead of username for non-existing users

2001:4DD0:D512:1:0:0:0:551 (talkcontribs)

When trying to log in with an LDAP user who has never logged in before, the check for required groups always fails.

I checked the logs and saw that the plugin actually sent the IP address instead of the username to check.

I have appended the log of three login attempts:

  • The first one fails for a user who has already logged in before but is not in the required group
  • The second one shows the described behavior. I try to log in as "auth.test2", but the plugin checks the groups of "172.22.0.1", which is the IP address of the MediaWiki container
  • The third attempt shows a successful login of another user who already existed and who is also in the required group

    Domain set to 'LDAP'.
    MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user 'Auth.test'.
    Requirement 'groups.required' not satisfied.
    Requirements could not be satisfied.
    Domain set to 'LDAP'.
    MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user '172.22.0.1'.
    Requirement 'groups.required' not satisfied.
    Requirements could not be satisfied.
    Domain set to 'LDAP'.
    MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user 'valid.user'.
    Requirement 'groups.required' satisfied.
    All requirements satisfied.

Osnard (talkcontribs)

Can you please share some information about the environment? MediaWiki version? Do you have a specific setting of $wgGroupPermissions in your LocalSettings.php file, maybe regarding the autocreateaccount permission?

2001:4DD0:D512:1:0:0:0:551 (talkcontribs)

I use MediaWiki 1.38.2 inside a Docker container with these versions of the LDAP plugins (I accidentally cut them out of the original post):

    LDAPAuthentication2    1.0.3 (c6a342f)
    LDAPAuthorization      1.1.0 (e6815d2)
    LDAPGroups             1.0.3 (e579978)
    LDAPProvider           1.0.5 (8e1a6ff)
    LDAPUserInfo           1.0.0 (b95faa0)
    PluggableAuth          5.7


The $wgGroupPermissions settings are:

    $wgGroupPermissions['*']['edit'] = false;
    $wgGroupPermissions['user']['edit'] = true;
    $wgGroupPermissions['*']['autocreateaccount'] = true;
    $wgGroupPermissions['*']['createaccount'] = false;


I tried to follow the example for the settings in Manual:Active Directory Integration.

Morix Dev (talkcontribs)

Hello, I was having the same issue on my side, and I fixed it by modifying PluggableAuthUserAuthorization.php, function process(), since it relied on getName(), which turned out to return the IP address of the origin of the HTTP request for non-existing users.

The modified lines are marked with the comment "MODIFIED THIS" in the code below and were replaced by the lines immediately following them:


    /**
     *
     * @return bool
     */
    public function process() {
        // MODIFIED THIS: $this->logger->debug( __CLASS__ . ": Check authorization for user '{$this->user->getName()}'." );
        $this->logger->debug( __CLASS__ . ": Check authorization for user '{$this->user->mName}'." );
        if ( $this->isLocalUser() ) {
            $this->logger->debug( 'Skipping local user.' );
            return true;
        }
        $requirementsChecker = new RequirementsChecker( $this->ldapClient, $this->domainConfig );
        $requirementsChecker->setLogger( $this->logger );
        // MODIFIED THIS: if ( !$requirementsChecker->allSatisfiedBy( $this->user->getName() ) ) {
        if ( !$requirementsChecker->allSatisfiedBy( $this->user->mName ) ) {
            $this->logger->debug( 'Requirements could not be satisfied.' );
            $this->authorized = false;
            return false;
        }
        $this->logger->debug( 'All requirements satisfied.' );
        return true;
    }


It all originates from PluggableAuthLogin.php, function execute(), where for non-existing users the following code is executed:


    if ( $id === null ) {
        $user->loadDefaults( $username );
        $user->mName = $username;
        $user->mRealName = $realname;
        $user->mEmail = $email;
        $user->mEmailAuthenticated = wfTimestamp();
        $user->mTouched = wfTimestamp();
        wfDebugLog( 'PluggableAuth', 'Authenticated new user: ' . $username );
        // PluggableAuthPopulateGroups is called from LocalUserCreated hook
    }


thus not initializing the user member mLoadedItems, which in turn is checked by getName() through the isItemLoaded function; otherwise the request origin IP address is returned:


    /**
     * Get the user name, or the IP of an anonymous user
     * @return string User's name or IP address
     */
    public function getName(): string {
        if ( $this->isItemLoaded( 'name', 'only' ) ) {
            // Special case optimisation
            return $this->mName;
        }
        $this->load();
        if ( $this->mName === false ) {
            // Clean up IPs
            $this->mName = IPUtils::sanitizeIP( $this->getRequest()->getIP() );
        }
        return $this->mName;
    }


Replacing getName() in PluggableAuthUserAuthorization.php with direct access to the mName member (which is initialized by PluggableAuthLogin.php) did the trick.

There are probably more elegant solutions for fixing this, and the problem should maybe be reported to the PluggableAuth developers (how can I do that? Does anyone know? I am new to MediaWiki...), but anyway, that fixed the problem for me and may be useful for some others too.

141.58.7.209 (talkcontribs)

You made my day - thanks a lot!!!

Ablum010777 (talkcontribs)

I have the same problem: users that are not stored in the database are not authorized. This is what the log file for LDAPAuthorization gives me after applying @Morix Dev's changes to PluggableAuthUserAuthorization.php:

    2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Domain set to 'wiki_d35'.
    2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: MediaWiki\Extension\LDAPAuthorization\Hook\PluggableAuthUserAuthorization: Check authorization for user ')'.
    2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Requirement 'groups.required' not satisfied.
    2023-05-08 04:44:39 vermkv-wiki-neu wiki_d35: Requirements could not be satisfied.


I have MediaWiki 1.39.3 with PHP 8.1.2 and MariaDB 10.6.12.


My configuration in LocalSettings.php:


    wfLoadExtension( 'PluggableAuth' );
    wfLoadExtension( 'LDAPProvider' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPUserInfo' );
    wfLoadExtension( 'LDAPAuthorization' );

    $wgPluggableAuth_EnableLocalLogin = false;
    $wgPluggableAuth_ButtonLabel = "Anmelden";
    $LDAPAuthorizationAutoAuthRemoteUserStringParser = 'username-at-domain';
    $LDAPAuthentication2UsernameNormalizer = 'ucfirst';
    $LDAPAuthentication2AllowLocalLogin = false;
    $wgAuthRemoteuserAllowUserSwitch = false;

    $wgPluggableAuth_Config['Log In'] = [
        'plugin' => 'LDAPAuthentication2',
        'data' => [
            'domain' => 'wiki_d35'
        ]
    ];

    $wgDebugLogGroups['PluggableAuth'] = [
        'destination' => "$IP/cache/PluggableAuth.log"
    ];
    $wgDebugLogGroups['LDAPProvider'] = [
        'destination' => "$IP/cache/LDAPProvider.log"
    ];
    $wgDebugLogGroups['LDAPAuthentication2'] = [
        'destination' => "$IP/cache/LDAPAuth.log"
    ];
    $wgDebugLogGroups['LDAPAuthorization'] = [
        'destination' => "$IP/cache/LDAPAuthorization.log"
    ];

    $LDAPProviderDomainConfigProvider = function() {
        $config = [
            "LDAP" => [
                "connection" => [
                    "server" => "***",
                    "options" => [ "LDAP_OPT_DEREF" => 1, "LDAP_OPT_PROTOCOL_VERSION" => 3 ],
                    "port" => 389,
                    "enctype" => "tls",
                    "basedn" => "o=***,c=***",
                    "userbasedn" => "o=***,c=***",
                    "groupbasedn" => "ou=group,ou=***,o=***,c=***",
                    "searchattribute" => 'uid',
                    "usernameattribute" => 'uid',
                    "realnameattribute" => "cn",
                    "emailattribute" => "mail",
                    "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
                ],
                "authorization" => [
                    "rules" => [
                        "groups" => [
                            "required" => [
                                "cn=***,ou=***,ou=***,o=***,c=***"
                            ]
                        ]
                    ]
                ],
                "authentication" => [
                    "usernameattribute" => "uid",
                    "realnameattribute" => "cn",
                    "emailattribute" => "mail"
                ],
                'userinfo' => [
                    'attributes-map' => [
                        'email' => 'mail',
                        'realname' => 'cn'
                    ]
                ]
            ]
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
    };
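As an added illustration for the log excerpts in the opening post and in the post above (this is example code written for this page, not code from the thread, from LDAPAuthorization or from PluggableAuth): in both reports the symptom is that the authorization check is evaluated against something that is not an account name at all, the request IP "172.22.0.1" in one case and the string ")" in the other. The Python check below scans LDAPAuthorization debug output for the "Check authorization for user '...'" message and flags every line whose principal is an IP address or does not look like a username, so an operator can confirm the condition on a live wiki instead of reading the log by eye. The sample log lines are constructed from the messages quoted in this thread (plus one IPv6 address for the general case), and the username pattern is an assumption to adjust to your own naming policy. One caveat: here the misattributed check fails closed because groups.required can never be satisfied for a non-user, but an authorization decision computed for the wrong principal is a bug whichever way it resolves, so any hit should be treated as a configuration or extension problem, not as a harmless log oddity.

```python
import ipaddress
import re

# The LDAPAuthorization debug line that names the principal being authorized.
# The quoted value is whatever User::getName() returned at that point.
CHECK_RE = re.compile(
    r"PluggableAuthUserAuthorization: Check authorization for user '(?P<name>[^']*)'"
)

# Assumption for this example: a plausible MediaWiki account name starts with a
# letter or digit and otherwise contains letters, digits, spaces, dots, hyphens
# or underscores. Adjust to your own naming policy.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]*$")


def classify_principal(name: str) -> str:
    """Return 'ip', 'malformed' or 'ok' for the principal named in a check line."""
    try:
        ipaddress.ip_address(name)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if not USERNAME_RE.match(name):
        return "malformed"
    return "ok"


def find_misattributed_checks(log_lines):
    """Scan LDAPAuthorization debug output and return one (line_no, principal, kind)
    tuple for every authorization check whose subject is not a plausible account name."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = CHECK_RE.search(line)
        if not match:
            continue
        name = match.group("name")
        kind = classify_principal(name)
        if kind != "ok":
            findings.append((line_no, name, kind))
    return findings


# Constructed sample: the messages quoted in this thread, one per line, plus an
# IPv6 literal to show the check is not limited to dotted-quad addresses.
SAMPLE_LOG = [
    "Domain set to 'LDAP'.",
    "MediaWiki\\Extension\\LDAPAuthorization\\Hook\\PluggableAuthUserAuthorization: Check authorization for user 'Auth.test'.",
    "Requirement 'groups.required' not satisfied.",
    "Domain set to 'LDAP'.",
    "MediaWiki\\Extension\\LDAPAuthorization\\Hook\\PluggableAuthUserAuthorization: Check authorization for user '172.22.0.1'.",
    "Requirement 'groups.required' not satisfied.",
    "Domain set to 'LDAP'.",
    "MediaWiki\\Extension\\LDAPAuthorization\\Hook\\PluggableAuthUserAuthorization: Check authorization for user 'valid.user'.",
    "Requirement 'groups.required' satisfied.",
    "Domain set to 'wiki_d35'.",
    "MediaWiki\\Extension\\LDAPAuthorization\\Hook\\PluggableAuthUserAuthorization: Check authorization for user ')'.",
    "MediaWiki\\Extension\\LDAPAuthorization\\Hook\\PluggableAuthUserAuthorization: Check authorization for user '2001:db8::1'.",
]

if __name__ == "__main__":
    for line_no, name, kind in find_misattributed_checks(SAMPLE_LOG):
        print(f"line {line_no}: authorization evaluated against {kind} principal {name!r}")
```

To run it against a real deployment, feed the lines of the $wgDebugLogGroups['LDAPAuthorization'] destination file to find_misattributed_checks(); a non-empty result means at least one login had its group rules evaluated for a subject other than the account that authenticated.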

Ablum010777 (talkcontribs)

I added the line

    $this->user->setName( $this->ldapClient->getUsername() );

at the beginning of the function process() in the file extensions/LDAPAuthorization/src/hook/PluggableAuthUserAuthorization.php

Osnard (talkcontribs)