Topic on Extension talk:LDAPProvider

Could not authenticate credentials against domain "mydomain"

16 comments • 07:53, 15 April 2024 7 months ago

16

Pysleto (talkcontribs)

I am trying to get the LDAP stack working with mediawiki (1.39.2) using the procedure Manual:Active Directory Integration

Both the LDAP and mediawiki are hosted on a Synology NAS.

Using the mediawiki login page returns the above error message

Running ShowUserInfo.php --domain "mydomain" --username "pytest" returns a valid outptup

Running CheckLogin.php --domain "mydomain" --username "pytest" however returns a Password: FAILED error message

Below is my ldapprovider.json file

{

"mydomain": {

"connection": {

"server": "ldap.XXXXX.nl",

"port": "389",

"user": "uid=root,cn=users,dc=ldap,dc=XXXXX,dc=com",

"pass": "XXXXX",

"enctype": "clear",

"options": {

"LDAP_OPT_DEREF": 1

},

"basedn": "dc=ldap,dc=XXXXX,dc=com",

"userbasedn": "dc=ldap,dc=XXXXX,dc=com",

"groupbasedn": "dc=ldap,dc=XXXXX,dc=com",

"searchattribute": "uid",

"usernameattribute": "USER-NAME",

"searchstring": "uid=USER-NAME,dc=ldap,dc=XXXXX,dc=com",

"realnameattribute": "cn",

"emailattribute": "mail"

},

"userinfo": [],

"authorization": [],

"groupsync": {

"mapping": {

"users": "cn=users,cn=groups,dc=ldap,dc=XXXXX,dc=com",

"sysop": "cn=administrators,cn=groups,dc=ldap,dc=XXXXX,dc=com"

}

I am running out of ideas and thank you for your help

Reply 13:58, 3 April 2024 7 months ago

Osnard (talkcontribs)

Can you please wire the debug logs and check if there is something in them?

Reply 09:48, 4 April 2024 7 months ago

Pysleto (talkcontribs)

Thank you for your reply and help

Below the debug logs. As you can see, could not bind to LDAP domain with given user. But I do not understand why... Oddly, local login does not work either (2nd attempt) unless I deactivate the LDAP stack.

2024-04-04 12:04:31 mydomain Test-Test: In execute()

2024-04-04 12:04:31 mydomain Test-Test: Getting PluggableAuth instance

2024-04-04 12:04:31 mydomain Test-Test: Plugin name: LDAPAuthentication2

2024-04-04 12:04:31 mydomain Test-Test: Try to authenticate user: pytest

2024-04-04 12:04:31 mydomain Test-Test: Not local login. Checking LDAP...

2024-04-04 12:04:31 mydomain Test-Test: LDAP domain: mydomain

2024-04-04 12:04:32 mydomain Test-Test: Could not bind to LDAP domain with given user: pytest

2024-04-04 12:04:32 mydomain Test-Test: Authentication failure.

2024-04-04 12:04:32 mydomain Test-Test: ERROR: Could not authenticate credentials against domain "mydomain"

2024-04-04 12:04:43 mydomain Test-Test: In execute()

2024-04-04 12:04:43 mydomain Test-Test: Getting PluggableAuth instance

2024-04-04 12:04:43 mydomain Test-Test: Plugin name: LDAPAuthentication2

2024-04-04 12:04:43 mydomain Test-Test: Try to authenticate user: Pysleto

2024-04-04 12:04:43 mydomain Test-Test: Not local login. Checking LDAP...

2024-04-04 12:04:43 mydomain Test-Test: LDAP domain: mydomain

2024-04-04 12:04:44 mydomain Test-Test: Could not bind to LDAP domain with given user: Pysleto

2024-04-04 12:04:44 mydomain Test-Test: Authentication failure.

2024-04-04 12:04:44 mydomain Test-Test: ERROR: Could not authenticate credentials against domain "mydomain"

Reply 12:08, 4 April 2024 7 months ago

Osnard (talkcontribs)

Does your LDAP server allow binding for this user?

Reply 06:22, 5 April 2024 7 months ago

Pysleto (talkcontribs)

I get a valid output when running the following command line. Anymous binding is disabled but allowing it does not solve the problem.

ldapsearch -x "uid=pytest" -H "ldap://ldap.mydomain.com:389" -D "uid=root,cn=users,dc=ldap,dc=mydomain,dc=com" -w "XXXXXXXXXX" -b "dc=ldap,dc=mydomain,dc=com"

or am I misunderstanding your point?

Thank you very much for your support

Reply 07:12, 5 April 2024 7 months ago

Osnard (talkcontribs)

Are there any log messages that start with / contain code ldap_? Have you wired all log channels?

Reply 06:36, 8 April 2024 7 months ago

Pysleto (talkcontribs)

The general debug.log file contains the following lines with a reference to LDAP, utlimately resulting in User::getBlockedStatus

[session] SessionBackend "cb9oc0i5slqfanhaslo63s5tjt9esiqu" data dirty due to dirty(): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->checkLDAPLogin/MediaWiki\Auth\AuthManager->setAuthenticationSessionData/MediaWiki\Session\Session->setSecret/MediaWiki\Session\Session->set/MediaWiki\Session\SessionBackend->dirty

[LDAPProvider] Setting LDAP_OPT_PROTOCOL_VERSION to 3

[LDAPProvider] Setting LDAP_OPT_REFERRALS to 0

[LDAPProvider] Setting LDAP_OPT_DEREF to 1

[LDAPProvider] MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=pytest,dc=ldap,dc=mydomain,dc=com'

I have wired the following log as suggested

$wgDebugLogFile = "$IP/debug.log";

$wgDebugLogGroups['PluggableAuth'] =

$wgDebugLogGroups['LDAP'] =

$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =

$wgDebugLogGroups['LDAPGroups'] =

$wgDebugLogGroups['LDAPUserInfo'] =

$wgDebugLogGroups['LDAPAuthentication2'] =

$wgDebugLogGroups['LDAPAuthorization'] = "$IP/tmp/LDAP.log";

Reply 07:43, 8 April 2024 7 months ago

Osnard (talkcontribs)

You should see something like here: https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/master/src/PlatformFunctionWrapper.php#L96-L98

Can you please add

$wgDebugLogGroups['LDAPProvider'] = "$IP/tmp/LDAP.log";

Reply 09:48, 8 April 2024 7 months ago

Pysleto (talkcontribs)

Thank you very much for your suport

I have set $wgDebugLogGroups['LDAPProvider'].

It adds 3 lines on setting CONSTANTS but I still do not see the expected ldap_ error message

Below the LDAP.log

2024-04-08 09:52:58 Test Test-test: In execute()

2024-04-08 09:52:58 Test Test-test: Getting PluggableAuth instance

2024-04-08 09:52:58 Test Test-test: Plugin name: LDAPAuthentication2

2024-04-08 09:52:58 Test Test-test: Try to authenticate user: pytest

2024-04-08 09:52:58 Test Test-test: Not local login. Checking LDAP...

2024-04-08 09:52:59 Test Test-test: LDAP domain: mydomain

2024-04-08 09:52:59 Test Test-test: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2024-04-08 09:52:59 Test Test-test: Setting LDAP_OPT_REFERRALS to 0

2024-04-08 09:52:59 Test Test-test: Setting LDAP_OPT_DEREF to 1

2024-04-08 09:52:59 Test Test-test: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=pytest,dc=ldap,dc=mydomain,dc=com'

2024-04-08 09:52:59 Test Test-test: Could not bind to LDAP domain with given user: pytest

2024-04-08 09:52:59 Test Test-test: Authentication failure.

2024-04-08 09:52:59 Test Test-test: ERROR: Could not authenticate credentials against domain "mydomain"

Reply 09:59, 8 April 2024 7 months ago

Osnard (talkcontribs)

My apologies. There seems to be a bug in the software. Can you try to apply this patch? https://gerrit.wikimedia.org/r/c/mediawiki/extensions/LDAPProvider/+/1017821

Then we should see some more logging.

Reply 10:59, 8 April 2024 7 months ago

Pysleto (talkcontribs)

No need to apologise and once again, thank you for your support.

I have tried to apply the patch but get the following error

root@XXXXX:/volume1/web_packages/mediawiki/extensions/LDAPProvider# git apply 07c6aa5.diff

warning: src/Client.php has type 100755, expected 100644

error: patch failed: src/Client.php:125

error: src/Client.php: patch does not apply

My current installation is a direct download of the LDAPProvider extension for mediawiki 1.39.

Reply 12:20, 8 April 2024 7 months ago

Osnard (talkcontribs)

The patch has been merged in the mean time. Please try to update the extension completely from REL1_39 branch.

Reply 11:19, 9 April 2024 7 months ago

Pysleto (talkcontribs)

I have cloned the REL1_39 branch of the LDAPProvider extension in volume1/web_packages/mediawiki/extensions/

I get the following error message from the start when accessing mediawiki. I did not have via a direct download of the extension. I confirm the existence of the file /volume1/web_packages/mediawiki/extensions/LDAPProvider/extension.json

Fatal error: Uncaught Exception: Unable to open file /volume1/web_packages/mediawiki/extensions/LDAPProvider/extension.json: filemtime(): stat failed for /volume1/web_packages/mediawiki/extensions/LDAPProvider/extension.json in /volume1/web_packages/mediawiki/includes/registration/ExtensionRegistry.php:199 Stack trace: #0 /volume1/web_packages/mediawiki/includes/GlobalFunctions.php(53): ExtensionRegistry->queue('/volume1/web_pa...') #1 /volume1/web_packages/mediawiki/LocalSettings.php(208): wfLoadExtension('LDAPProvider') #2 /volume1/web_packages/mediawiki/includes/Setup.php(218): require_once('/volume1/web_pa...') #3 /volume1/web_packages/mediawiki/includes/WebStart.php(86): require_once('/volume1/web_pa...') #4 /volume1/web_packages/mediawiki/index.php(44): require('/volume1/web_pa...') #5 {main} thrown in /volume1/web_packages/mediawiki/includes/registration/ExtensionRegistry.php on line 199

Reply 10:14, 10 April 2024 7 months ago

Osnard (talkcontribs)

Looks like something went wrong with the cloning of the repository on your side. Try Special:ExtensionDistributor.

Reply 06:03, 11 April 2024 7 months ago

Pysleto (talkcontribs)

Here are the log messages. It looks like you already identified the issue in the comment you made 8 days ago.

I will welcome any tips on solving this issue.

Thanks

2024-04-12 09:58:47 byimogen ByImogen-BImgn: In execute()

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Getting PluggableAuth instance

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Plugin name: LDAPAuthentication2

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Try to authenticate user: pytest

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Not local login. Checking LDAP...

2024-04-12 09:58:47 byimogen ByImogen-BImgn: LDAP domain: mydomain

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Setting LDAP_OPT_REFERRALS to 0

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Setting LDAP_OPT_DEREF to 1

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_bind( $linkID, $bindRDN = 'uid=root,cn=users,dc=ldap,dc=byimogen,dc=nl', $bindPassword = 'XXXX' );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns true

2024-04-12 09:58:47 byimogen ByImogen-BImgn: MediaWiki\Extension\LDAPProvider\Client::getSearchString: User DN is: 'uid=pytest,dc=ldap,dc=byimogen,dc=nl'

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ldap_bind( $linkID, $bindRDN = 'uid=pytest,dc=ldap,dc=byimogen,dc=nl', $bindPassword = 'XXXX' );

2024-04-12 09:58:47 byimogen ByImogen-BImgn: # returns false

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Could not bind to LDAP domain with given user: pytest

2024-04-12 09:58:47 byimogen ByImogen-BImgn: Authentication failure.

2024-04-12 09:58:47 byimogen ByImogen-BImgn: ERROR: Could not authenticate credentials against domain "mydomain"

Reply 10:07, 12 April 2024 7 months ago

Osnard (talkcontribs)

Apparently the first bind with uid=root,cn=users,dc=ldap,dc=byimogen,dc=nl does work, But the second does not.

This means in the second case:

Either the user DN is wrong
Or the password is wrong
Or this particular user is not allowed to do a direct bind (LDAP server side setting)

So, does the DN uid=pytest,dc=ldap,dc=byimogen,dc=nl look correct to you? Maybe it has been assembled wrongly.

Reply 07:53, 15 April 2024 7 months ago

Reply to "Could not authenticate credentials against domain "mydomain""