Topic on Extension talk:LDAPAuthentication2

Hello, I have Windows Server 2016, with IIS version 10, with PHP 8.3.3, with MediaWiki 1.41.0

i am new to setting all of this up and at points can be rather confusing.

i have been trying to set up LDAP and thus far used extensions LDAPProvider, LDAPAuthentication2, LDAPAuthorization.

with LDAPProvider, i also have a ldapprovider.json

FIRST, i'd like to know which extensions would best support the following:

after authenticating to LDAP/active directory, i want permissions set where certain users only have access to certain pages in the wiki

here's my LocalSettings.php and ldapprovider.json as currently i'm getting HTTP ERROR 500. any assistance would be appreciated...

<?php

# This file was automatically generated by the MediaWiki 1.41.0

# installer. If you make manual changes, please keep track in case you

# need to recreate them later.

#

# See includes/MainConfigSchema.php for all configurable settings

# and their default values, but don't forget to make changes in _this_

# file, not there.

#

# Further documentation for configuration settings may be found at:

# https://www.mediawiki.org/wiki/Manual:Configuration_settings

# Protect against web entry

if ( !defined( 'MEDIAWIKI' ) ) {

exit;

}

## Uncomment this to disable output compression

# $wgDisableOutputCompression = true;

$wgSitename = "raa ems wiki";

$wgMetaNamespace = "Raa ems wiki";

## The URL base path to the directory containing the wiki;

## defaults for all runtime URL paths are based off of this.

## For more information on customizing the URLs

## (like /w/index.php/Page_title to /wiki/Page_title) please see:

## https://www.mediawiki.org/wiki/Manual:Short_URL

$wgScriptPath = "/raaemsitwiki/mediawiki-1.41.0";

## The protocol and server name to use in fully-qualified URLs

$wgServer = "XXX";

## The URL path to static resources (images, scripts, etc.)

$wgResourceBasePath = $wgScriptPath;

## The URL paths to the logo.  Make sure you change this from the default,

## or else you'll overwrite your logo when you upgrade!

$wgLogos = [

'1x' => "$wgResourceBasePath/resources/assets/RAAEMS-Image.svg",

'icon' => "$wgResourceBasePath/resources/assets/RAAEMS-Image.svg",

];

## UPO means: this is also a user preference option

$wgEnableEmail = false;

$wgEnableUserEmail = false; # UPO

$wgEmergencyContact = "";

$wgPasswordSender = "";

$wgEnotifUserTalk = false; # UPO

$wgEnotifWatchlist = false; # UPO

$wgEmailAuthentication = true;

## Database settings

$wgDBtype = "mysql";

$wgDBserver = "localhost";

$wgDBname = "raaemsitwiki";

$wgDBuser = "XXX";

$wgDBpassword = "XXX";

# MySQL specific settings

$wgDBprefix = "";

$wgDBssl = false;

# MySQL table options to use during installation or update

$wgDBTableOptions = "ENGINE=InnoDB, DEFAULT CHARSET=binary";

# Shared database table

# This has no effect unless $wgSharedDB is also set.

$wgSharedTables[] = "actor";

## Shared memory settings

$wgMainCacheType = CACHE_NONE;

$wgMemCachedServers = [];

## To enable image uploads, make sure the 'images' directory

## is writable, then set this to true:

$wgEnableUploads = true;

#$wgUseImageMagick = true;

#$wgImageMagickConvertCommand = "/usr/bin/convert";

# InstantCommons allows wiki to use images from https://commons.wikimedia.org

$wgUseInstantCommons = false;

# Periodically send a pingback to https://www.mediawiki.org/ with basic data

# about this MediaWiki instance. The Wikimedia Foundation shares this data

# with MediaWiki developers to help guide future development efforts.

$wgPingback = false;

# Site language code, should be one of the list in ./includes/languages/data/Names.php

$wgLanguageCode = "en";

# Time zone

$wgLocaltimezone = "UTC";

## Set $wgCacheDirectory to a writable directory on the web server

## to make your wiki go slightly faster. The directory should not

## be publicly accessible from the web.

#$wgCacheDirectory = "$IP/cache";

$wgSecretKey = "3f3c74223135b08da57eeffcc1fae44b00656ec470ff2b2abfc8b8286f82aa53";

# Changing this will log out all existing sessions.

$wgAuthenticationTokenVersion = "";

# Site upgrade key. Must be set to a string (default provided) to turn on the

# web installer while LocalSettings.php is in place

$wgUpgradeKey = "f697fe884146d13d";

## For attaching licensing metadata to pages, and displaying an

## appropriate copyright notice / icon. GNU Free Documentation

## License and Creative Commons licenses are supported so far.

$wgRightsPage = ""; # Set to the title of a wiki page that describes your license/copyright

$wgRightsUrl = "";

$wgRightsText = "";

$wgRightsIcon = "";

# Path to the GNU diff3 utility. Used for conflict resolution.

$wgDiff3 = "";

# The following permissions were set based on your choice in the installer

$wgGroupPermissions['*']['createaccount'] = false;

$wgGroupPermissions['*']['edit'] = false;

## Default skin: you can change the default skin. Use the internal symbolic

## names, e.g. 'vector' or 'monobook':

$wgDefaultSkin = "timeless";

# Enabled skins.

# The following skins were automatically enabled:

wfLoadSkin( 'Timeless' );

# Enabled extensions. Most of the extensions are enabled by adding

# wfLoadExtension( 'ExtensionName' );

# to LocalSettings.php. Check specific extension documentation for more details.

# The following extensions were automatically enabled:

wfLoadExtension( 'CategoryTree' );

wfLoadExtension( 'Cite' );

wfLoadExtension( 'CiteThisPage' );

wfLoadExtension( 'CodeEditor' );

wfLoadExtension( 'Echo' );

wfLoadExtension( 'InputBox' );

wfLoadExtension( 'Nuke' );

wfLoadExtension( 'ParserFunctions' );

wfLoadExtension( 'ReplaceText' );

wfLoadExtension( 'WikiEditor' );

wfLoadExtension( 'CSS' );

# End of automatically generated settings.

# Add more configuration options below.

# Enable LDAPProvider extension

wfLoadExtension( 'LDAPProvider' );

wfLoadExtension( 'LDAPAuthentication2' );

//wfLoadExtension( 'LDAPAuthorization' );

//wfLoadExtension( 'Lockdown' );

# Configure LDAP settings

$LDAPProviderDomainConfigs = "$IP/extensions/LDAPProvider/ldapprovider.json";

$LDAPProviderPreSearchUsernameModifierRegistry['strtolower'] = function (&$username) {

    $username = strtolower($username);

};

$wgLDAPProvider['CacheType'] = 'internal';

$wgLDAPProvider['CacheTime'] = 3600; // Cache LDAP queries for 1 hour

# LDAPAuthentication2 configuration

$LDAPAuthentication2AllowLocalLogin = false;

$LDAPAuthentication2UsernameNormalizer = 'strtolower';

$wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName'; //Attribute in LDAP containing the username

************************

{

"raaric.org": {

"connection": {

"server": "XXX",

"port": "XXX",

"use-tls": "true",

"user": "CN=mediawiki,OU=XXX,DC=XXX,DC=XXX",

"pass": "XXX",

"enctype": "ssl",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=XXX,dc=XXX",

"userbasedn": "dc=XXX,dc=XXX",

"groupbasedn": "dc=XXX,dc=XXX",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "displayName",

"emailattribute": "mail",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "strtolower" ]

}

}

}

FIRST, i'd like to know which extensions would best support the following: after authenticating to LDAP/active directory, i want permissions set where certain users only have access to certain pages in the wiki

For basic authentication, you need Extension:LDAPAuthentication2. If you want to restrict login to users of certain LDAP groups you need Extension:LDAPAuthorization. Permissions in MediaWiki are assigned to usergroups, not to particular users. Therefore if you want to set up some permissions, you'll most likely want to use Extension:LDAPGroups for sychronization of LDAP groups into the wiki. Hope that helps.

Regarding the error 500: The JSON file and the PHP settings file look good. There must be something in the error logs. only this can give you a clue about what's wrong.

Just a hint: Windows Server 2016 is no longer maintained. Consider migrating your application to a more up to date environment.

thanks @Osnard for the update. i have since moved beyond previous issues. for the time being, i'm stuck with windows server 2016 trying to make do.

i have LDAPAuthentication2 3.0.0-alpha, LDAPAuthentication 3.0.0-alpha, LDAPGroups 3.0.0-alpha, LDAPProvider 3.0.0-alpha, LDAPUserInfo 3.0.0-alpha, PluggableAuth 7.1.0

right now i'm having issue authenticating using LDAP, i can use an internal mediawiki admin account, but once $wgPluggableAuth_EnableLocalLogin = false, and i Log in, instant "The supplied credentials could not be authenticated." log in prompts are never provided.

getting [authentication] Login failed in primary authentication because no provider accepted

Have you tried the CLI tools like extensions/LDAPProvider/maintenance/CheckLogin.php?

thank you thank you @Osnard, your suggestion was very helpful, but i still immediately get to the "The supplied credentials could not be authenticated" without even showing prompts to enter username/password and i find a log that shows :

[authentication] Login failed in primary authentication because no provider accepted

it appears to look locally in mediawiki, and not reach out using ldap.

this is my LocalSettings:

# Safe IP or not (for bypassing external login via AD)

$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range

$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {

        $wikiRequestIP = $_SERVER[$ipsVar];

        break;

    }

}

$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON

$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";

$ldapConfig = false;

if (is_file($ldapJsonFile)) {

    $testJson = @json_decode(file_get_contents($ldapJsonFile), true);

    if (is_array($testJson)) {

        $ldapConfig = true;

    } else {

        error_log("Found invalid JSON in file: $ldapJsonFile");

    }

}

# Activate extensions

if ($ldapConfig) {

    wfLoadExtension( 'LDAPProvider' );

    wfLoadExtension( 'LDAPAuthentication2' );

    wfLoadExtension( 'LDAPAuthorization' );

    wfLoadExtension( 'LDAPGroups');

    wfLoadExtension( 'LDAPUserInfo');

    wfLoadExtension( 'PluggableAuth' );

    $wgDebugLogGroups['PluggableAuth'] = 'C:\\Windows\\Temp\\PLUG.log';

    $wgDebugLogGroups['LDAP'] = 'C:\\Windows\\Temp\\LDAP.log';

    $wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 'C:\\Windows\\Temp\\LDprov.log';

    $wgDebugLogGroups['LDAPGroups'] = 'C:\\Windows\\Temp\\LDgrp.log';

    $wgDebugLogGroups['LDAPUserInfo'] = 'C:\\Windows\\Temp\\LDui.log';

    $wgDebugLogGroups['LDAPAuthorization'] = 'C:\\Windows\\Temp\\LDAPauthor.log';

    $wgDebugLogFile = 'C:\\Windows\\Temp\\wikidbg.log';

    $LDAPProviderDomainConfigs = $ldapJsonFile;

    $LDAPProviderPreSearchUsernameModifierRegistry = [

        'strtolower' => function () {

        return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();

        },

        'removespaces' => function () {

        return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\RemoveSpaces::newInstance();

        }

    ];

    $wgLDAPProvider['CacheType'] = 'CACHE_NONE'; //internal when not debugging

    $wgLDAPProvider['CacheTime'] = 3600; // Cache LDAP queries for 1 hour

    # LDAPAuthentication2 configuration

    $LDAPAuthentication2AllowLocalLogin = true;

    $LDAPAuthentication2UsernameNormalizer = 'strtolower';

    $wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName'; //Attribute in LDAP containing the username

    # Configure PluggableAuth settings

    $wgPluggableAuth_EnableAutoLogin = false;

    $wgPluggableAuth_EnableLocalLogin = false;

    $wgPluggableAuth_EnableLocalProperties = false;

    $wgPluggableAuth_EnableFastLogout = true;

    $wgPluggableAuth_Config = [

        "My LDAP Login" => [

            'plugin' => 'PluggableAuth',

            'data' => [

                'server' => 'ldap://acme.org', // LDAP server hostname or IP address

                'port' => 389, // LDAP server port

                'basedn' => 'dc=acme,dc=org', // Base DN for LDAP searches

                'groupbasedn' => 'dc=acme,dc=org', // Base DN for LDAP groups

                'userbasedn' => 'dc=acme,dc=org', // Base DN for LDAP users

                'usersearch' => '(samaccountName=media wiki)', // LDAP search filter for users

                'groupsearch' => '(member=$dn)', // LDAP search filter for groups

                'options' => [

                    LDAP_OPT_DEREF => 1, // LDAP options

                ],

            ],

            'groupsyncs' => [

                [

                    'type' => 'mapped',

                    'map' => [

                        'information_technology' => ['groups' => 'Information Technology'],

                        'human_resources' => ['groups' => 'Human Resournces']

                    ]

                ],

            ],

        ],

    ];

    $LDAPGroupsSyncMechanismRegistry = [

        'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'

    ];

} // end to activate extensions

any advice or questions to make my issue make more sense?

Looks like you may have mixed $wgPluggableAuth_Config from Extension:PluggableAuth#Configuration and $LDAPProviderDomainConfigs from Extension:LDAPProvider#Static_JSON_file.

Just put all what you currently have in 'data' into the domain configs and reference only the domain in 'data'

$wgPluggableAuth_Config = [
        "My LDAP Login" => [
            'plugin' => 'PluggableAuth',
            'data' => [
                    'domain' => '<domain-specified-in-domainconfigs>
            ]
];

And e.g. ldapprovider.json with

{
	"<domain-specified-in-domainconfigs>": {
		"connection": {
			"server": "...",
            ...

@Osnard eternally grateful for the assist, i see you are busy around here...

getting ...

[error] [d06bae5a95d5d9585f8e5074] /raaemsitwiki/mediawiki-1.41.0/index.php?title=Special:UserLogin&returnto=Main+Page PHP Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$password is deprecated

[error] [d06bae5a95d5d9585f8e5074] /raaemsitwiki/mediawiki-1.41.0/index.php?title=Special:UserLogin&returnto=Main+Page PHP Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$pluggableauthlogin0 is deprecated

Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$pluggableauthlogin0 is deprecated in C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\includes\session\Session.php on line 576

Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$password is deprecated in C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\includes\session\Session.php on line 576

Deprecated: Creation of dynamic property MediaWiki\Extension\PluggableAuth\BeginAuthenticationRequest::$pluggableauthlogin0 is deprecated in C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\includes\session\Session.php on line 576

LOCALSETTINGS...

# Safe IP or not (for bypassing external login via AD)

$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range

$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');

foreach ($ipsVars as $ipsVar) {

    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {

        $wikiRequestIP = $_SERVER[$ipsVar];

        break;

    }

}

$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON

$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";

$ldapConfig = false;

if (is_file($ldapJsonFile)) {

    $testJson = @json_decode(file_get_contents($ldapJsonFile), true);

    if (is_array($testJson)) {

        $ldapConfig = true;

    } else {

        error_log("Found invalid JSON in file: $ldapJsonFile");

    }

}

# Activate extensions

if ($ldapConfig) {

    wfLoadExtension( 'LDAPProvider' );

    wfLoadExtension( 'LDAPAuthentication2' );

    wfLoadExtension( 'LDAPAuthorization' );

    wfLoadExtension( 'LDAPGroups');

    wfLoadExtension( 'LDAPUserInfo');

    wfLoadExtension( 'PluggableAuth' );

    $wgDebugLogGroups['PluggableAuth'] = 'C:\\Windows\\Temp\\PLUG.log';

    $wgDebugLogGroups['LDAP'] = 'C:\\Windows\\Temp\\LDAP.log';

    $wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] = 'C:\\Windows\\Temp\\LDprov.log';

    $wgDebugLogGroups['LDAPGroups'] = 'C:\\Windows\\Temp\\LDgrp.log';

    $wgDebugLogGroups['LDAPUserInfo'] = 'C:\\Windows\\Temp\\LDui.log';

    $wgDebugLogGroups['LDAPAuthorization'] = 'C:\\Windows\\Temp\\LDAPauthor.log';

    $wgDebugLogFile = 'C:\\Windows\\Temp\\wikidbg.log';

    $LDAPProviderDomainConfigs = $ldapJsonFile;

    $LDAPProviderPreSearchUsernameModifierRegistry = [

        'strtolower' => function () {

        return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();

        },

        'removespaces' => function () {

        return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\RemoveSpaces::newInstance();

        }

    ];

    $wgLDAPProvider['CacheType'] = 'CACHE_NONE'; //internal when not debugging

    $wgLDAPProvider['CacheTime'] = 3600; // Cache LDAP queries for 1 hour

    # LDAPAuthentication2 configuration

    $LDAPAuthentication2AllowLocalLogin = true;

    $LDAPAuthentication2UsernameNormalizer = 'strtolower';   

    $wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName'; //Attribute in LDAP containing the username

    # Configure PluggableAuth settings

    $wgPluggableAuth_EnableAutoLogin = false;

    $wgPluggableAuth_EnableLocalLogin = true;

    $wgPluggableAuth_EnableLocalProperties = false;

    $wgPluggableAuth_EnableFastLogout = true;

    $wgPluggableAuth_Config = [

        "My LDAP Login" => [

            'plugin' => 'LDAPAuthentication2',

            'data' => [

                    'domain' => 'acme.org'

            ]

        ]

    ];

    $LDAPGroupsSyncMechanismRegistry = [

        'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'

    ];

} // end to activate extensions

LDAPPROVIDER.JSON

{

"acme.org": {

"connection": {

"server": "acme.org",

"port": 389,

"use-tls": "true",

"user": "media wiki",

"pass": "XXX",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=acme,dc=org",

"userbasedn": "dc=acme,dc=org",

"groupbasedn": "dc=acme,dc=org",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "strtolower" ]

},

"authorization": {

"rules": {

"groups": {

"required": [

"CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

]

}

}

},

"groupsync": {

"mechanism": "mappedgroups",

"mapping": {

"information_technology": "CN=Information Technology,OU=GROUPS,DC=acme,DC=ORG",

"human_resources": "CN=Human Resources,OU=GROUPS,DC=acme,DC=ORG"

}

},

"userinfo": {

"realname": "displayName"

}

}

}

Well, die messages from above are only "deprecation warnings". Nothing that should break things. If those are actually visible in your browser, you should diable show_errors in your php.ini. Also consider adding ~E_USER_DEPRECATED to the list of your display_errors setting.

ty again @Osnard

i can get checklogin,php and showuserinfo.php to succeed. but CheckConnection keeps giving :

MWException from line 236 of C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\extensions\LDAPProvider\src\Client.php: Error in LDAP search: Bad search filter

#0 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\extensions\LDAPProvider\maintenance\CheckConnection.php(40): MediaWiki\Extension\LDAPProvider\Client->search()
#1 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\maintenance\includes\MaintenanceRunner.php(703): MediaWiki\Extension\LDAPProvider\Maintenance\CheckConnection->execute()
#2 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\maintenance\doMaintenance.php(100): MediaWiki\Maintenance\MaintenanceRunner->run()
#3 C:\inetpub\wwwroot\raaemsitwiki\mediawiki-1.41.0\extensions\LDAPProvider\maintenance\CheckConnection.php(72): require_once('...')
#4 {main}

and i'm having a hard time finding in the json where it may be hanging up:

{
    "acme.org": {
        "connection": {
            "server": "acme.ORG",
            "port": 389,
            "enctype": "clear",
            "user": "CN=media wiki,OU=user accounts,DC=acme,DC=ORG",
            "pass": "XXX",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=acme,dc=org",
            "userbasedn": "dc=acme,dc=org",
            "groupbasedn": "dc=acme,dc=org",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [
                "strtolower"
            ]
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": [
                        "CN=Information Technology,OU=GROUPS,DC=acme,DC=ORG",
                        "CN=Human Resources,OU=GROUPS,DC=acme,DC=ORG"
                    ]
                }
            }
        },
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "information_technology": "CN=Information Technology,OU=GROUPS,DC=acme,DC=ORG",
                "human_resources": "CN=Human Resources,OU=GROUPS,DC=acme,DC=ORG"
            }
        },
        "userinfo": {
            "realname": "displayName"
        }
    }
}

Also, when attempting to log in from the wiki site with the ldap binding account, i get "could not authenticate credentials against domain"

and when i try my AD log in, i get "incorrect username or password entered"

logs show no attempt made against LDAP when using anything other that the LDAP binding account

Error in LDAP search: Bad search filter is odd. I believe we hat it here on the talk pages already, please do some search. Also you can enable debug logging, so we can find the root cause.

@Osnard

CheckConnection debug log shows :

Start command line script CheckConnection.php

[session] SessionManager using store SqlBagOStuff

[localisation] LocalisationCache using store LCStoreDB

[objectcache] MainWANObjectCache using store EmptyBagOStuff

[LDAPProvider] Setting LDAP_OPT_PROTOCOL_VERSION to 3

[LDAPProvider] Setting LDAP_OPT_REFERRALS to 0

[LDAPProvider] Setting LDAP_OPT_DEREF to 1

hello @Osnard

when attempting to authenticate with a local AD account, i get the following:

Could not authenticate credentials against domain "acme.org"

I run ShowUserInfo and CheckConnection using the same local AD account and both run successfully

as you can see below, i've tried to play around with little settings here and there in the .json:

"acme.org": {

"connection": {

"server": "IP address",

"port": 389,

"enctype": "clear",

"user": "CN=media wiki,OU=Managed Service Accounts,DC=ACME,DC=ORG",

"pass": "XXX",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "DC=RAARIC,DC=ORG",

"userbasedn": "OU=RAA Users,DC=ACME,DC=ORG",

"groupbasedn": "OU=GROUPS,DC=ACME,DC=ORG",

"usersearch": "samaccountname",

"groupsearch": "$dn",

"searchattribute": "samaccountname",

"usernameattribute": "samaccountname",

"realnameattribute": "cn",

"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",

"presearchusernamemodifiers": [ "lowercase" ],

"searchstring": "samaccountname"

},

"authorization": {

"rules": {

"groups": {

"required": [

"CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

]

}

}

},

"groupsync": {

"mechanism": "mappedgroups",

"mapping": {

"information_technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",

"human_resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"

}

},

"userinfo": {

"realname": "samaccountname"

}

}

}

any ideas where i need to look? what i need to edit/refactor? any further questions to help you in helping me?