Hi, I seem to be running into some issues getting LDAP working with MediaWiki. In my setup I'm using the Dockerfile from Canasta. Here's the link https://github.com/CanastaWiki/Canasta/blob/master/Dockerfile. I added the "php7.4-ldap" module to my Dockerfile and installed libldap2-dev and ldap-utils within the container. I performed an "ldapsearch" with a bind and was able to run queries against my AD server successfully.
Performing CheckLogin.php returns "OK"
Performing CheckUserInfo.php returns information on user specified
Performing CheckUserGroups.php for any specified user returns information as well
If needed I can show the details of the logs that I've collected.
Here is my LocalSettings.php:
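<?php
# Debugging!
# NOTE(review): while these are on, stack traces, file paths and query details are
# shown to any visitor of the wiki. Turn them off again once the LDAP problem is found.
error_reporting( E_ALL );
ini_set( 'display_errors', 1 );
$wgShowExceptionDetails = true;
$wgDebugToolbar = true;
$wgShowErrors = true;
$wgShowError = true;
$wgShowDebug = true;
$wgDebugLogFile = '/tmp/debug.log';
# Per-channel debug logs. They are written under /tmp, so check who can read them:
# the LDAP channels are likely to record user names and DNs taken from the directory.
$wgDebugLogGroups = [
    'PluggableAuth' => '/tmp/pa.log',
    'LDAP' => '/tmp/LDAP.log',
    'LDAPProvider' => '/tmp/LDAPProvider.log',
    'LDAPAuthentication2' => '/tmp/LDAPAuthentication2.log',
    'LDAPAuthorization' => '/tmp/authz.log',
    'LDAPUserInfo' => '/tmp/LDAP_user.log',
    'LDAPGroups' => '/tmp/LDAP_Groups.log',
    'MediaWiki\\Extension\\LDAPProvider\\Client' => '/tmp/ldapprovider_client.log',
];
# This file was automatically generated by the MediaWiki 1.39.6
# installer. If you make manual changes, please keep track in case you
# need to recreate them later.
# LDAPExtensions
// Safe IP or not (for bypassing external login via AD)
// 'localhost' is a host name, not an address, so it can only match if a header
// literally carries that string; '127.0.0.1' is the entry that does the work.
$safeIPs = ['127.0.0.1', 'localhost'];
// X-Forwarded-For and X-Real-IP are request headers, i.e. chosen by whoever sends the
// request. They only say something about the real client when the TCP peer
// (REMOTE_ADDR) is a reverse proxy that we operate and that overwrites them.
// Consulting them unconditionally lets any remote client send
// "X-Forwarded-For: 127.0.0.1" and pass the safe-IP check below.
// Placeholder: add the address(es) of the proxy in front of this container, if any.
$wikiTrustedProxies = [];
$wikiRemoteAddr = $_SERVER['REMOTE_ADDR'] ?? '';
$wikiRequestIP = null;
if (in_array($wikiRemoteAddr, $wikiTrustedProxies, true)) {
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP'] as $ipsVar) {
        if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3) {
            // X-Forwarded-For may be a comma-separated chain. A client can prepend
            // anything it likes; the entry appended by our own proxy is the last one.
            $chain = explode(',', $_SERVER[$ipsVar]);
            $wikiRequestIP = trim((string) end($chain));
            break;
        }
    }
}
if ($wikiRequestIP === null && mb_strlen($wikiRemoteAddr) > 3) {
    $wikiRequestIP = $wikiRemoteAddr;
}
// Both sides are strings, so the strict comparison is the same test without type juggling.
$wikiRequestSafe = $wikiRequestIP !== null && in_array($wikiRequestIP, $safeIPs, true);
// Private Wiki. External LDAP Login. Default NS requires login.
$wgEmailConfirmToEdit = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['sysop']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgBlockDisablesLogin = true;
// The JSON file holds the LDAP bind DN and its password in clear text; it should be
// readable by the web server user only.
$ldapJsonFile = "/var/www/ldapprovider.json";
$ldapConfig = false;
if (is_file($ldapJsonFile) && is_dir("/var/www/mediawiki/w/extensions/LDAPProvider")) {
    // No "@": an unreadable file is reported explicitly instead of being silenced.
    $ldapJsonRaw = file_get_contents($ldapJsonFile);
    if ($ldapJsonRaw === false) {
        error_log("Could not read LDAP config file: /var/www/ldapprovider.json");
    } else {
        $testJson = json_decode($ldapJsonRaw, true);
        if (is_array($testJson)) {
            $ldapConfig = true;
        } else {
            error_log("Found invalid JSON in file: /var/www/ldapprovider.json");
        }
    }
}
if ($ldapConfig) {
    wfLoadExtension('LDAPProvider');
    wfLoadExtension('LDAPAuthentication2');
    #wfLoadExtension('LDAPAuthorization');
    wfLoadExtension('LDAPUserInfo');
    wfLoadExtension('LDAPGroups');
    wfLoadExtension('PluggableAuth');
    $LDAPProviderDomainConfigs = $ldapJsonFile;
    $wgLDAPProvider["CacheType"] = "CACHE_NONE";
    $wgLDAPProvider["CacheTime"] = 3600;
    // Force LDAPGroups to sync by choosing a domain (e.g. first JSON object in ldapprovider.json).
    // $testJson is the already-decoded content of the same file, so there is no need to read it twice.
    // If the JSON is an empty object this yields null; an explicit domain name would be safer then.
    $LDAPProviderDefaultDomain = array_key_first($testJson);
    // NOTE(review): both PluggableAuth flags set here are overwritten further down in this
    // file (last assignment wins), so the values in effect are the later ones.
    $wgPluggableAuth_EnableAutoLogin = false;
    // NOTE(review): the original comment said this was "required to show the username and
    // password field on login page", yet sets false; the comment on the later assignment says
    // true is what shows those fields. Decide which one is meant and keep a single assignment.
    $wgPluggableAuth_EnableLocalLogin = false;
    $wgPluggableAuth_EnableFastLogout = true;
    $wgPluggableAuth_Config = [
        [
            "plugin" => "LDAPAuthentication2",
            "buttonLabelMessage" => "Domain Login",
            "data" => ["domain" => $LDAPProviderDefaultDomain],
        ],
        #array("plugin" => "LDAPAuthorization"),
    ];
    // NOTE(review): this gate has no effect as long as the unconditional
    // "$LDAPAuthentication2AllowLocalLogin = true;" below remains in place.
    if ($wikiRequestSafe) { $LDAPAuthentication2AllowLocalLogin = true; }
}
# The configuration below is the method used to communicate to the LDAP server through a static .json file
# Same path as $ldapJsonFile above; assigning it again here only matters when LDAPProvider was not loaded.
$LDAPProviderDomainConfigs = $ldapJsonFile;
# LDAPAuthentication2
// Whether or not to display a "local" pseudo-domain in the domain selector on "Special:Login", thus allowing to authenticate against the local user database. (defaults to false if not specified)
// NOTE(review): this unconditionally overrides the safe-IP-gated assignment inside the
// "if ($ldapConfig)" block above, so local login is allowed from every address.
// Keep exactly one of the two assignments, depending on whether the IP gate is wanted.
$LDAPAuthentication2AllowLocalLogin = true;
// Use this function for normalizing username for LDAP, for example 'strtolower'. (defaults to "")
$LDAPAuthentication2UsernameNormalizer = "";
# Auth_remoteuser
// NOTE(review): no wfLoadExtension('Auth_remoteuser') appears in this file, so these two
// settings presumably have no effect unless the extension is loaded elsewhere.
// Set the name for mapping into the local wiki user database. If the value is `null`, the extension defaults to using the environment variables `REMOTE_USER` and `REDIRECT_REMOTE_USER`
$wgAuthRemoteuserUserName = null; //default
#$wgAuthRemoteuserUserName = [
#    $_SERVER[ 'REMOTE_USER' ],
#    $_SERVER[ 'REDIRECT_REMOTE_USER' ]
#];
$wgAuthRemoteuserUserNameReplaceFilter = null; //default
# PluggableAuth Extension Configuration
// NOTE(review): the two assignments below override the ones made inside the
// "if ($ldapConfig)" block, so auto-login and local login are ON whenever this file is
// loaded, regardless of whether the LDAP configuration was found.
// Should user login occur automatically when a user visits the wiki?
$wgPluggableAuth_EnableAutoLogin = true;
// Should user also be presented with username/password fields on the login page to allow local password-based login to the wiki
$wgPluggableAuth_EnableLocalLogin = true;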
========================================================================
Here is my ldapprovider.json within the docker container:
{
"test.local": {
"connection": {
"server": "XXXXX.test.local",
"port": "389",
"user": "CN=XXXXX,CN=Users,DC=test,DC=local",
"pass": "XXXXX",
"enctype": "clear",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=test,dc=local",
"userbasedn": "dc=test,dc=local",
"groupbasedn": "dc=test,dc=local",
"searchattribute": "samaccountname",
"usernameattribute": "samaccountname",
"realnameattribute": "cn",
"emailattribute": "mail",
"grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory",
"presearchusernamemodifiers":["spacestounderscores", "lowercase"]
},
"userinfo": [],
"authorization": [],
"groupsync": {
"mapping": {
"sysop": "CN=Domain Admins,CN=Users,DC=test,DC=local"
}
}
}
}