We are trying to migrate from MediaWiki 1.30.0 to 1.39.3.
Everything seems to work so far, except authentication via LDAP.
All LDAPProvider-related maintenance scripts return data or report success:
./LDAPProvider/maintenance/CheckConnection.php --conf /opt/mediawiki/LocalSettings.php --config /opt/mediawiki/ldapprovider.json --domain DOMAIN "(samaccountname=me)"
=> valid Data
./LDAPProvider/maintenance/ShowUserInfo.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me
=> valid Data
php ./LDAPProvider/maintenance/CheckLogin.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me
=> OK
php ./LDAPProvider/maintenance/ShowUserGroups.php --conf /opt/mediawiki/LocalSettings.php --domain DOMAIN --username me
=> valid Data
ldapprovider.json:
{
"DOMAIN": {
"connection": {
"server": "dc",
"port": "636",
"user": "ldap",
"pass": "pass",
"enctype": "ssl",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "OU=User,...",
"userbasedn": "OU=User,...",
"groupbasedn": "OU=Group...",
"searchattribute": "sAMAccountName",
"searchstring": "DOMAIN\\USER-NAME",
"usernameattribute": "sAMAccountName",
"realnameattribute": "cn",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
"presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
},
"authorization": {
"rules": {
"groups": {
"required":[
"CN=User",
"CN=Admin"
]
}
}
},
"groupsync": {
"mechanism": "mappedgroups",
"mapping": {
"user": "CN=User",
"sysop": "CN=VAdmin"
}
},
"userinfo": {
"attributes-map": {
"email": "mail",
"realname": "fullname"
}
}
}
}
LocalSettings.php:
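wfLoadExtension( 'AccessControl' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'PluggableAuth' );

// Diagnostics for the migration. $wgShowExceptionDetails, $wgDebugToolbar and
// $wgShowDebug put exception details, SQL and internal state into page output
// for every visitor; keep them on only while troubleshooting and revert after.
$wgDebugLogFile = "/opt/log/mediawiki_debug-{$wgDBname}.log";
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgShowDebug = true;
$wgDevelopmentWarnings = false;
$wgDebugDumpSql = false;

// Per-component log channels. 'authentication', 'PluggableAuth' and the
// LDAP* channels are where the primary-authentication decision is recorded,
// so they are the first place to look for why no provider accepted the login.
$wgDebugLogGroups['authentication'] = "/opt/log/authentication.log";
$wgDebugLogGroups['login'] = "/opt/log/login.log";
$wgDebugLogGroups['PluggableAuth'] = "/opt/log/LDAP-Pluggable.log";
$wgDebugLogGroups['LDAP'] = "/opt/log/LDAP.log";
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = "/opt/log/LDAPProvider_Client.log";
$wgDebugLogGroups['LDAPGroups'] = "/opt/log/LDAPGroups.log";
$wgDebugLogGroups['LDAPUserInfo'] = "/opt/log/LDAPUserInfo.log";
$wgDebugLogGroups['LDAPAuthentication2'] = "/opt/log/LDAPAuthentication2.log";
$wgDebugLogGroups['LDAPAuthorization'] = "/opt/log/LDAPAuthorization.log";

// LDAPProvider domain configuration. The JSON file holds the bind user and
// password ("user"/"pass" in the "connection" block), so its filesystem
// permissions should allow reads by the PHP runtime only.
// NOTE(review): the JSON sets "realnameattribute": "cn" but maps userinfo
// "realname" to "fullname" — confirm the directory really exposes a
// "fullname" attribute, otherwise the real name will not sync.
$LDAPProviderDomainConfigs = "/opt/data/config/ldapprovider.json";
$LDAPProviderDomainConfigProvider = "MediaWiki\\Extension\\LDAPProvider\\DomainConfigProvider\\LocalJSONFile::newInstance";
// Fixed: the original line was 'DOMAIN; (unterminated string literal), which
// is a PHP parse error in LocalSettings.php.
$LDAPProviderDefaultDomain = 'DOMAIN';

$wgAccessControlMessages = true;
$wgUseMediaWikiGroups = true;
$wgAdminCanReadAll = true;

$wgPluggableAuth_EnableAutoLogin = false;
$wgPluggableAuth_EnableLocalLogin = true;
// (also tried $wgPluggableAuth_EnableLocalLogin = false;)
$LDAPAuthentication2AllowLocalLogin = true;
// (also tried $LDAPAuthentication2AllowLocalLogin = false;)
$LDAPAuthentication2UsernameNormalizer = "strtolower";
$LDAPGroupsSyncMechanismRegistry = "mappedgroups";

// Anonymous ('*') users may read and may have accounts created/auto-created;
// editing is limited to 'user' and 'sysop'. 'autocreateaccount' is what lets a
// successful LDAP login create the local wiki account on first use.
// NOTE(review): 'createaccount' for '*' combined with local login enabled also
// allows anyone to register a purely local (non-LDAP) account — confirm that
// is intended; 'autocreateaccount' alone is enough for LDAP-backed accounts.
$wgGroupPermissions['*']['createaccount'] = true;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['user']['edit'] = true;
$wgGroupPermissions['sysop']['edit'] = true;

// NOTE(review): the PluggableAuth series shipped for MediaWiki 1.39 (6.x and
// later) registers its plugins through $wgPluggableAuth_Config (an entry naming
// the 'LDAPAuthentication2' plugin and its 'domain' in 'data') and dropped
// $wgPluggableAuth_ButtonLabel. Without such an entry no primary provider is
// registered, which is consistent with the "no provider accepted" log line;
// verify against the README of the PluggableAuth version actually installed.
$wgPluggableAuth_ButtonLabel = "Anmelden";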
Debug output:
[error] [ZHi9J4zwAEy-BdrMNX0gmgAAAEE] /mediawiki/index.php?title=Spezial:Anmelden&returnto=Hauptseite PHP Deprecated: Use of userCan hook (used in AccessControlHooks::onUserCan) was deprecated in MediaWiki 1.37. [Called from MediaWiki\HookContainer\HookContainer::run]
[authentication] Login failed in primary authentication because no provider accepted