
Topic on Project:Support desk

LDAP: User cannot be authenticated

Summary last edited by Clump 21:07, 17 September 2024

We had the wrong casing on searchattribute and usernameattribute.

There was a missing line in the ldap config: 'grouprequest' => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory'

And we had included these extensions with either missing or lacking config: LDAPGroups and LDAPUserInfo. We just removed them from the install.

We did a lot more, but reverted most of it. This is the net part of what we had to fix to get it working.

JohnnyBruv

Still working on migrating from a 1.35 Mediawiki on Centos 7, to 1.42 on Ubuntu. The Wiki is up and running fine, except for the LDAP connection.

I've tried to follow some guides, and also tried to get to know the different extensions when that didn't work well. I got a lot further from studying them - but not far enough.

When I try to log in with a domain user now, the MediaWiki login feedback is: User cannot be authenticated

In pluggableauth.log:

mediawiki: Getting PluggableAuth instance
mediawiki: Plugin name: LDAPAuthentication2
mediawiki: Authentication failure.

In LDAPAuthentication2.log:

mediawiki: Try to authenticate user: frodobaggins
mediawiki: Not local login. Checking LDAP...
mediawiki: LDAP domain: intratriona.se
mediawiki: Username not found in user info provided by LDAP!Please check LDAP domain configuration. Specifically usernameattribute
mediawiki: LDAP user info results for user frodobaggins: Array
(
<snip>
[samaccountname] => FrodoBaggins

LocalSettings.php and ldapprovider.json are as follows:


LocalSettings.php - LDAP part

wfLoadExtension('PluggableAuth');
wfLoadExtension('LDAPProvider');
wfLoadExtension('LDAPAuthentication2');
wfLoadExtension('LDAPAuthorization');
wfLoadExtension('LDAPUserInfo');
wfLoadExtension('LDAPGroups');

$LDAPProviderDomainConfigs = "/srv/mediawiki/ldapprovider.json";
$LDAPAuthentication2UsernameNormalizer = 'strtolower';
$LDAPAuthorizationAutoAuthUsernameNormalizer = 'strtolower';

$wgLDAPGroupUseFullDN = false; # Use short group names instead of full DNs (optional)
$wgLDAPGroupsPrevail = false;   # LDAP groups take precedence over MediaWiki's internal group settings

$wgPluggableAuth_Config['Domain login'] = [
    'plugin' => 'LDAPAuthentication2',
    'data' => [
        'domain' => 'ourfirm.com',
    ],
];

$wgLDAPPreferences = [
    "ourfirm.com" => [
        "email" => "mail",
        "realname" => "displayname"
    ]
];

------------------------

ldapprovider.json

{
    "ourfirm.com": {
        "connection": {
            "server": "ldaps.ourfirm.com",
            "port": "636",
            "user": "<username>",
            "pass": "<password>",
            "enctype": "ssl",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "DC=ourfirm,DC=com",
            "groupbasedn": "OU=Groups,OU=Tech,DC=ourfirm,DC=com",
            "userbasedn": "OU=Users,OU=Tech,DC=ourfirm,DC=com",
            "searchattribute": "sAMAccountName",
            "usernameattribute": "sAMAccountName",
            "realnameattribute": "displayname",
            "emailattribute": "mail"
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": ["CN=Tech Users,OU=Admin,DC=ourfirm,DC=com"]
                }
            }
        }
    }
}

Any help with this would be much appreciated!
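A small checker, added here as an illustration (it is not code from this thread or from the LDAPProvider extension), that reproduces the casing problem the summary describes and shows why the log says the username was not found: the user-info array LDAPProvider logs is keyed with lowercased attribute names (the log shows `[samaccountname]`), so a `usernameattribute` of `sAMAccountName` never matches. It assumes the `grouprequest` entry belongs in the `connection` block as in LDAPProvider's README examples; the user-info dict below is constructed from the values in the post.

```python
import json

# Constructed sample: the attribute part of the posted domain config, and the
# user-info array as it appears in the log (attribute names lowercased, which
# is how PHP's ldap_get_entries() returns them).
POSTED_DOMAIN = json.loads("""
{
  "connection": {
    "searchattribute": "sAMAccountName",
    "usernameattribute": "sAMAccountName",
    "realnameattribute": "displayname",
    "emailattribute": "mail"
  }
}
""")
LOGGED_USER_INFO = {
    "samaccountname": "FrodoBaggins",
    "displayname": "Frodo Baggins",        # constructed
    "mail": "frodobaggins@ourfirm.com",    # constructed
}

# Attributes that are read back out of the user-info array by name.
LOOKUP_KEYS = ("usernameattribute", "realnameattribute", "emailattribute")
GROUP_REQUEST = "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory"


def check_domain(domain_cfg, user_info):
    """Return the problems that would make attribute lookups fail against a
    lowercase-keyed user-info array, plus a missing grouprequest entry."""
    problems = []
    conn = domain_cfg.get("connection", {})
    for key in LOOKUP_KEYS:
        attr = conn.get(key)
        if attr is None or attr in user_info:
            continue
        if attr.lower() in user_info:
            problems.append(f"{key}: '{attr}' not found but '{attr.lower()}' is; fix the casing")
        else:
            problems.append(f"{key}: '{attr}' is not among the attributes LDAP returned")
    if "grouprequest" not in conn:
        problems.append("connection.grouprequest: missing (assumed location per README)")
    return problems


def fix_domain(domain_cfg):
    """Apply the two changes from the thread summary: lowercase the attribute
    names and add the grouprequest line. Returns a new dict."""
    fixed = json.loads(json.dumps(domain_cfg))
    conn = fixed.setdefault("connection", {})
    for key in ("searchattribute",) + LOOKUP_KEYS:
        if key in conn:
            conn[key] = conn[key].lower()
    conn.setdefault("grouprequest", GROUP_REQUEST)
    return fixed
```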