Hello everyone,
I feel like I am very close to getting LDAP working within Mediawiki, but may need a second set of eyes to see what I might be missing.
Mediawiki version 1.38.2 (Docker)
MySQL 8.0.30
PHP version 7.4.30
Using the latest versions available of:
LDAPAuthentication2
LDAPAuthorization
LDAPGroups
LDAPProvider
LDAPUserInfo
PluggableAuth
So far, it seems authentication is working with no issue. I can use the test scripts located at extensions/LDAPProvider/maintenance/:
CheckLogon.php returns OK
ShowUserGroups.php returns relevant information for any user I specify
ShowUserInfo.php returns relevant information for any user I specify
Where I think I am having issues is with groupsync. Despite being able to run the tests mentioned above successfully, attempting to log in with any account contained in the groupsync section of my ldap.json file returns "Incorrect username or password entered." Seems to me that the groups are not syncing. I have triple checked my ldap.json config to ensure that my DNs are set correctly, but still have had no luck.
My ldap.json file:
{
  "domain.local": {
    "connection": {
      "server": "10.10.0.2",
      "user": "cn=ldap-services,ou=Zone0,ou=Zones,ou=Site,dc=creps,dc=local",
      "pass": "password",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=domain,dc=local",
      "groupbasedn": "ou=Groups,ou=Site,dc=domain,dc=local",
      "userbasedn": "ou=Zones,ou=Site,dc=domain,dc=local",
      "searchattribute": "samaccountname",
      "usernameattribute": "cn",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
    },
    "userinfo": {
      "attributes-map": {
        "email": "mail",
        "realname": "cn",
        "nickname": "uid",
        "language": "preferredlanguage"
      }
    },
    "authorization": [],
    "groupsync": {
      "mapping": {
        "Administrators": "cn=MediaWiki_Administrators,ou=Groups,ou=Site,dc=domain,dc=local"
      }
    }
  }
}
LocalSettings.php contains the following for LDAP:
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
//wfLoadExtension( 'LDAPAuthorization' );
$LDAPProviderDomainConfigs = "/var/www/html/ldap.json";
$LDAPProviderDefaultDomain = "domain.local";
$LDAPAuthentication2AllowLocalLogin = true;
$wgPluggableAuth_ButtonLabel = "Log In";
$wgPluggableAuth_EnableLocalLogin = true;
I have also confirmed that the AD user I am attempting to log in with is a member of the MediaWiki_Administrators group I specified in the groupsync mapping section. Any idea what I could be missing?
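A small sanity check for an LDAPProvider ldap.json like the one posted above, added here as an example; it is not part of the post and not code from the LDAPProvider or LDAPGroups extensions. It normalises every DN in the file and confirms that userbasedn, groupbasedn and the bind user all sit under basedn, and that each groupsync mapping target sits under groupbasedn, which are the relationships the extension's searches rely on. The embedded SAMPLE_CONFIG is a constructed copy of the posted file with the password redacted; run against it, the check reports only the bind DN, whose suffix (dc=creps,dc=local) differs from basedn (dc=domain,dc=local). That may just be how the post was redacted, but it is the first thing to confirm against the real directory before digging further into group sync.

```python
"""Sanity checks for a MediaWiki LDAPProvider ldap.json (added example, not extension code)."""
import json
import sys

# Constructed copy of the ldap.json from the post above, with the password redacted.
SAMPLE_CONFIG = {
    "domain.local": {
        "connection": {
            "server": "10.10.0.2",
            "user": "cn=ldap-services,ou=Zone0,ou=Zones,ou=Site,dc=creps,dc=local",
            "pass": "REDACTED",
            "options": {"LDAP_OPT_DEREF": 1},
            "basedn": "dc=domain,dc=local",
            "groupbasedn": "ou=Groups,ou=Site,dc=domain,dc=local",
            "userbasedn": "ou=Zones,ou=Site,dc=domain,dc=local",
            "searchattribute": "samaccountname",
            "usernameattribute": "cn",
            "realnameattribute": "cn",
            "emailattribute": "mail",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
        },
        "userinfo": {
            "attributes-map": {
                "email": "mail", "realname": "cn",
                "nickname": "uid", "language": "preferredlanguage",
            }
        },
        "authorization": [],
        "groupsync": {
            "mapping": {
                "Administrators": "cn=MediaWiki_Administrators,ou=Groups,ou=Site,dc=domain,dc=local"
            }
        },
    }
}


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its RDN components so that
    'CN=Foo, DC=domain, DC=local' and 'cn=foo,dc=domain,dc=local' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn, base):
    """True if dn equals base or lies somewhere below it in the directory tree."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def check_domain(name, domain):
    """Return a list of human-readable findings for one domain block of ldap.json."""
    findings = []
    conn = domain.get("connection", {})
    basedn = conn.get("basedn")
    if not basedn:
        return ["%s: connection.basedn is missing" % name]
    # Every DN the extension searches from or binds with should live under basedn.
    for key in ("userbasedn", "groupbasedn", "user"):
        value = conn.get(key)
        if value and not dn_under(value, basedn):
            findings.append("%s: connection.%s '%s' is not under basedn '%s'"
                            % (name, key, value, basedn))
    # groupsync.mapping is MediaWiki group name -> LDAP group DN; the extension
    # looks those groups up under groupbasedn (or basedn when it is not set).
    mapping = domain.get("groupsync", {}).get("mapping", {})
    if not mapping:
        findings.append("%s: groupsync.mapping is empty, so no groups will be synced" % name)
    groupbasedn = conn.get("groupbasedn", basedn)
    for wiki_group, ldap_dn in mapping.items():
        if not dn_under(ldap_dn, groupbasedn):
            findings.append("%s: groupsync mapping for '%s' points at '%s', outside groupbasedn '%s'"
                            % (name, wiki_group, ldap_dn, groupbasedn))
    return findings


def check_config(cfg):
    """Check every domain in a parsed ldap.json and collect the findings."""
    findings = []
    for name, domain in cfg.items():
        findings.extend(check_domain(name, domain))
    return findings


def check_config_file(path):
    """Load the file named by $LDAPProviderDomainConfigs and check it."""
    with open(path) as fh:
        return check_config(json.load(fh))


if __name__ == "__main__":
    # Pass the ldap.json path as the only argument, or omit it to check the sample.
    results = check_config_file(sys.argv[1]) if len(sys.argv) > 1 else check_config(SAMPLE_CONFIG)
    for line in results or ["no findings"]:
        print(line)
```

The check is deliberately conservative: it only compares DN suffixes, so a finding means "this DN is not where the rest of the file says it should be", not that the directory itself is wrong. Run it from the MediaWiki container as `python3 check_ldap_json.py /var/www/html/ldap.json` after any edit to the file, before retrying the login.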