Jump to content

Topic on Extension talk:LDAPProvider/Flow

Could not authenticate credentials against domain "mydomain"

16
Pysleto (talkcontribs)

I am trying to get the LDAP stack working with mediawiki (1.39.2) using the procedure Manual:Active Directory Integration

Both the LDAP and mediawiki are hosted on a Synology NAS.

Using the mediawiki login page returns the above error message


Running ShowUserInfo.php --domain "mydomain" --username "pytest" returns a valid outptup


Running CheckLogin.php --domain "mydomain" --username "pytest" however returns a Password: FAILED error message


Below is my ldapprovider.json file

{

"mydomain": {

"connection": {

"server": "ldap.XXXXX.nl",

"port": "389",

"user": "uid=root,cn=users,dc=ldap,dc=XXXXX,dc=com",

"pass": "XXXXX",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=ldap,dc=XXXXX,dc=com",

"userbasedn": "dc=ldap,dc=XXXXX,dc=com",

"groupbasedn": "dc=ldap,dc=XXXXX,dc=com",

"searchattribute": "uid",

"usernameattribute": "USER-NAME",

"searchstring": "uid=USER-NAME,dc=ldap,dc=XXXXX,dc=com",

"realnameattribute": "cn",

"emailattribute": "mail"

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

"users": "cn=users,cn=groups,dc=ldap,dc=XXXXX,dc=com",

"sysop": "cn=administrators,cn=groups,dc=ldap,dc=XXXXX,dc=com"

}

}

}

}


I am running out of ideas and thank you for your help

Osnard (talkcontribs)
Pysleto (talkcontribs)

Thank you for your reply and help

Below the debug logs. As you can see, could not bind to LDAP domain with given user. But I do not understand why... Oddly, local login does not work either (2nd attempt) unless I deactivate the LDAP stack.


2024-04-04 12:04:31 mydomain Test-Test: In execute()

2024-04-04 12:04:31 mydomain Test-Test: Getting PluggableAuth instance

2024-04-04 12:04:31 mydomain Test-Test: Plugin name: LDAPAuthentication2

2024-04-04 12:04:31 mydomain Test-Test: Try to authenticate user: pytest

2024-04-04 12:04:31 mydomain Test-Test: Not local login. Checking LDAP...

2024-04-04 12:04:31 mydomain Test-Test: LDAP domain: mydomain

2024-04-04 12:04:32 mydomain Test-Test: Could not bind to LDAP domain with given user: pytest

2024-04-04 12:04:32 mydomain Test-Test: Authentication failure.

2024-04-04 12:04:32 mydomain Test-Test: ERROR: Could not authenticate credentials against domain "mydomain"

2024-04-04 12:04:43 mydomain Test-Test: In execute()

2024-04-04 12:04:43 mydomain Test-Test: Getting PluggableAuth instance

2024-04-04 12:04:43 mydomain Test-Test: Plugin name: LDAPAuthentication2

2024-04-04 12:04:43 mydomain Test-Test: Try to authenticate user: Pysleto

2024-04-04 12:04:43 mydomain Test-Test: Not local login. Checking LDAP...

2024-04-04 12:04:43 mydomain Test-Test: LDAP domain: mydomain

2024-04-04 12:04:44 mydomain Test-Test: Could not bind to LDAP domain with given user: Pysleto

2024-04-04 12:04:44 mydomain Test-Test: Authentication failure.

2024-04-04 12:04:44 mydomain Test-Test: ERROR: Could not authenticate credentials against domain "mydomain"

Osnard (talkcontribs)

Does your LDAP server allow binding for this user?

Pysleto (talkcontribs)

I get a valid output when running the following command line. Anymous binding is disabled but allowing it does not solve the problem.

ldapsearch -x "uid=pytest" -H "ldap://ldap.mydomain.com:389" -D "uid=root,cn=users,dc=ldap,dc=mydomain,dc=com" -w "XXXXXXXXXX" -b "dc=ldap,dc=mydomain,dc=com"

or am I misunderstanding your point?

Thank you very much for your support

Osnard (talkcontribs)

Are there any log messages that start with / contain code ldap_? Have you wired all log channels?

Pysleto (talkcontribs)

The general debug.log file contains the following lines with a reference to LDAP, utlimately resulting in User::getBlockedStatus

[session] SessionBackend "cb9oc0i5slqfanhaslo63s5tjt9esiqu" data dirty due to dirty(): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[LDAPProvider] Setting LDAP_OPT_PROTOCOL_VERSION to 3

[LDAPProvider] Setting LDAP_OPT_REFERRALS to 0

[LDAPProvider] Setting LDAP_OPT_DEREF to 1

[LDAPProvider] MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=pytest,dc=ldap,dc=mydomain,dc=com'


I have wired the following log as suggested

$wgDebugLogFile = "$IP/debug.log";

$wgDebugLogGroups['PluggableAuth'] =

$wgDebugLogGroups['LDAP'] =

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =

$wgDebugLogGroups['LDAPGroups'] =

$wgDebugLogGroups['LDAPUserInfo'] =

$wgDebugLogGroups['LDAPAuthentication2'] =

$wgDebugLogGroups['LDAPAuthorization'] = "$IP/tmp/LDAP.log";

Osnard (talkcontribs)
Pysleto (talkcontribs)

Thank you very much for your suport

I have set $wgDebugLogGroups['LDAPProvider'].

It adds 3 lines on setting CONSTANTS but I still do not see the expected ldap_ error message

Below the LDAP.log

2024-04-08 09:52:58 Test Test-test: In execute()

2024-04-08 09:52:58 Test Test-test: Getting PluggableAuth instance

2024-04-08 09:52:58 Test Test-test: Plugin name: LDAPAuthentication2

2024-04-08 09:52:58 Test Test-test: Try to authenticate user: pytest

2024-04-08 09:52:58 Test Test-test: Not local login. Checking LDAP...

2024-04-08 09:52:59 Test Test-test: LDAP domain: mydomain

2024-04-08 09:52:59 Test Test-test: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2024-04-08 09:52:59 Test Test-test: Setting LDAP_OPT_REFERRALS to 0

2024-04-08 09:52:59 Test Test-test: Setting LDAP_OPT_DEREF to 1

2024-04-08 09:52:59 Test Test-test: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=pytest,dc=ldap,dc=mydomain,dc=com'

2024-04-08 09:52:59 Test Test-test: Could not bind to LDAP domain with given user: pytest

2024-04-08 09:52:59 Test Test-test: Authentication failure.

2024-04-08 09:52:59 Test Test-test: ERROR: Could not authenticate credentials against domain "mydomain"

Osnard (talkcontribs)
Pysleto (talkcontribs)

No need to apologise and once again, thank you for your support.

I have tried to apply the patch but get the following error

root@XXXXX:/volume1/web_packages/mediawiki/extensions/LDAPProvider# git apply 07c6aa5.diff

warning: src/Client.php has type 100755, expected 100644

error: patch failed: src/Client.php:125

error: src/Client.php: patch does not apply


My current installation is a direct download of the LDAPProvider extension for mediawiki 1.39.

Osnard (talkcontribs)

The patch has been merged in the mean time. Please try to update the extension completely from REL1_39 branch.

Pysleto (talkcontribs)

I have cloned the REL1_39 branch of the LDAPProvider extension in volume1/web_packages/mediawiki/extensions/

I get the following error message from the start when accessing mediawiki. I did not have via a direct download of the extension. I confirm the existence of the file /volume1/web_packages/mediawiki/extensions/LDAPProvider/extension.json

Fatal error: Uncaught Exception: Unable to open file /volume1/web_packages/mediawiki/extensions/LDAPProvider/extension.json: filemtime(): stat failed for /volume1/web_packages/mediawiki/extensions/LDAPProvider/extension.json in /volume1/web_packages/mediawiki/includes/registration/ExtensionRegistry.php:199 Stack trace: #0 /volume1/web_packages/mediawiki/includes/GlobalFunctions.php(53): ExtensionRegistry->queue('/volume1/web_pa...') #1 /volume1/web_packages/mediawiki/LocalSettings.php(208): wfLoadExtension('LDAPProvider') #2 /volume1/web_packages/mediawiki/includes/Setup.php(218): require_once('/volume1/web_pa...') #3 /volume1/web_packages/mediawiki/includes/WebStart.php(86): require_once('/volume1/web_pa...') #4 /volume1/web_packages/mediawiki/index.php(44): require('/volume1/web_pa...') #5 {main} thrown in /volume1/web_packages/mediawiki/includes/registration/ExtensionRegistry.php on line 199

Osnard (talkcontribs)
Pysleto (talkcontribs)

Here are the log messages. It looks like you already identified the issue in the comment you made 8 days ago.

I will welcome any tips on solving this issue.

Thanks

2024-04-12 09:58:47 byimogen ByImogen-BImgn: In execute()

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Getting PluggableAuth instance

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Plugin name: LDAPAuthentication2

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Try to authenticate user: pytest

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Not local login. Checking LDAP...

2024-04-12 09:58:47 byimogen ByImogen-BImgn: LDAP domain: mydomain

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Setting LDAP_OPT_REFERRALS to 0

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Setting LDAP_OPT_DEREF to 1

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_bind( $linkID, $bindRDN = 'uid=root,cn=users,dc=ldap,dc=byimogen,dc=nl', $bindPassword = 'XXXX' );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=pytest,dc=ldap,dc=byimogen,dc=nl'

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_bind( $linkID, $bindRDN = 'uid=pytest,dc=ldap,dc=byimogen,dc=nl', $bindPassword = 'XXXX' );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns false

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Could not bind to LDAP domain with given user: pytest

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Authentication failure.

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ERROR: Could not authenticate credentials against domain "mydomain"

Osnard (talkcontribs)

Apparently the first bind with uid=root,cn=users,dc=ldap,dc=byimogen,dc=nl does work, But the second does not.

This means in the second case:

  • Either the user DN is wrong
  • Or the password is wrong
  • Or this particular user is not allowed to do a direct bind (LDAP server side setting)

So, does the DN uid=pytest,dc=ldap,dc=byimogen,dc=nl look correct to you? Maybe it has been assembled wrongly.

Reply to "Could not authenticate credentials against domain "mydomain""