Mediawiki and LDAP (active directory)

Forums › Linux › Mediawiki and LDAP (active directory)

nztim

3832 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#255855 3-Sep-2019 16:59

Hi, Has anyone on here had any success making this work?

Plugins I am using

LDAPProvider

LDAPAuthentication2

PluggableAuth

LDAPAuthorization

I cant get it to create users in the wiki from LDAP tried multiple plugins/scripts without success

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

1 | 2

1573 posts

Uber Geek

#2310080 3-Sep-2019 17:09

I've got quite a bit of MediaWiki admin experience. Run it at work doing authentication against O365.

Just want to confirm some things first:
* Are you using on premises active directory only?
* You need accounts to be created automatically at first login and tied to the AD account
* MediaWiki version?

You mention ldap... So let's confirm it's against AD and not another ldap provider.

nztim

3832 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#2310203 3-Sep-2019 17:23

nzkc: Are you using on premises active directory only?

On Prem Active Directory Only

nzkc: You need accounts to be created automatically at first login and tied to the AD account

That is the ideal setup yes please

nzkc: MediaWiki version?

1.33.0

nzkc: You mention ldap... So let's confirm it's against AD and not another ldap provider.

Against AD no other LDAP Provider

Thanks for your help

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

nzkc

1573 posts

Uber Geek

#2310299 3-Sep-2019 21:00

So I'm a bit concerned that LDAP Authentication says its not compatible with 1.27. Could be things changed and its compatible with later versions - documentation is a bit vague there. I'll take this offline with you to discuss (cause you probably wont want to answer some of the upcoming questions here for security reasons!).

Edit: Or not as I cant PM you!

nzkc

1573 posts

Uber Geek

#2310301 3-Sep-2019 21:04

Have you tested you can access your domain controller from your mediawiki server? E.g. is port 389 open to it?

nztim

3832 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#2310685 4-Sep-2019 15:38

nzkc:

Have you tested you can access your domain controller from your mediawiki server? E.g. is port 389 open to it?

Sorry for late reply

DC access is fine, I have the following modules installed

LDAPAuthentication2 - https://www.mediawiki.org/wiki/Extension:LDAPAuthentication2

PluggableAuth - https://www.mediawiki.org/wiki/Extension:PluggableAuth

LDAPProvider - https://www.mediawiki.org/wiki/Extension:LDAPProvider

I get "The supplied credentials are not associated with any user on this wiki" when attempting to log in, so its authenticating ok

also configured in LocalSettings.php

$wgGroupPermissions['*']['autocreateaccount'] = true;
$wgGroupPermissions['*']['createaccount'] = false;

Auth_remoteuser and LDAPAuthorization I believe is the final piece of the puzzle I need to auto-create accounts but am at a road block

When I enable the plugin LDAPAuthorization I get "user not authorized"

Thanks Again!

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

nzkc

1573 posts

Uber Geek

#2310703 4-Sep-2019 16:16

Can you PM me the localsettings.php? Feel free to rip out sensitive info.

Want to compare to various documentation.

nztim

3832 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#2310762 4-Sep-2019 19:08

nzkc: Can you PM me the localsettings.php? Feel free to rip out sensitive info.

Want to compare to various documentation.

No probs, its all test lab stuff so nothing sensitive :)

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

nztim

3832 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#2315372 12-Sep-2019 07:50

nzkc: Can you PM me the localsettings.php? Feel free to rip out sensitive info.

Want to compare to various documentation.

Thanks for getting this working! you are a Legend!

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

kelirkenan

4 posts

Wannabe Geek
Inactive user

#2328225 2-Oct-2019 04:36

Hey, guys.

Surfing the internet in the search of an answer to my mediawiki setup I found your topic. I've just made the same steps nztim made, but I'm coming up with the same problem he had. What did nzkc to solve the problem? I'm really stuck with this. It's driving me crazy.

Thanks!

nztim

3832 posts

Uber Geek

ID Verified

Trusted

TEAMnetwork

Subscriber

#2328277 2-Oct-2019 08:58

kelirkenan:

Hey, guys.

Surfing the internet in the search of an answer to my mediawiki setup I found your topic. I've just made the same steps nztim made, but I'm coming up with the same problem he had. What did nzkc to solve the problem? I'm really stuck with this. It's driving me crazy.

Thanks!

For me it came down to Capitalisation in the LDAP settings (the conf files are very vert particular) @nzkc was awesome, and knows his stuff, also my PHP was a mix of old and new which didn't help

Any views expressed on these forums are my own and don't necessarily reflect those of my employer.

nzkc

1573 posts

Uber Geek

#2328315 2-Oct-2019 10:10

As nztim says it's all very case sensitive! I did follow a sample setup on the extension pages. Maybe nztim can post his config to you?

Happy to help you though I'm unavailable till next week (family holiday!)

kelirkenan

4 posts

Wannabe Geek
Inactive user

#2328693 2-Oct-2019 23:04

I don't believe my problem is related to case sensitivity, but as I've tried anything I've came up with, it can be. What I want is to authenticate users against my Active Directory server and, if it is the first time a user logs in, I want mediawiki to create its account. The configuration I have right now gives these two messages dependending on the correct input of the user and password or not. Let me show it to you:

- If I write the correct username and password of a user I get the following message: "The supplied credentials are not associated with any user on this wiki."

- If I write the correct username but an incorrect password of the user I get the following message: "Could not authenticate credentials against domain "myaddomain" "

Attending these behaviour, I believe the connection to the Active Directory server is correct, but mediawiki is configured to not create the new user account automatically. Am I right? I've tried to configure LDAPProvider extension with a JSON file and PHP, but they both show the same behaviour. I have the same lines in LocalSettings.php than nztim:

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['autocreateaccount'] = true;

Another thing I want to know is if I should use another extra extension for what I'm trying to accomplish. Right now I'm using these three extensions:

- LDAPAuthentication2

- PluggableAuth

- LDAPProvider

Maybe I'm lacking the use of LDAPAuthorization?

Thanks for yesterday's quick answers.

nzkc

1573 posts

Uber Geek

#2329347 4-Oct-2019 06:40

Sounds EXACTLY like nztim's issue TBH!

kelirkenan

4 posts

Wannabe Geek
Inactive user

#2333126 9-Oct-2019 03:20

I have finally been able to solve all my problems. Regarding that the actual documentation for LDAPStack is terrible I came up with a topic on mediawiki forums (https://www.mediawiki.org/wiki/Topic:V4vp8jf98hn5cpj5) where I found the solution. I had to add $this->domain = 'mydomain'; return true; into mediawiki/extensions/LDAPProvider/src/Hook/UserLoadAfterLoadFromSession.php in line 127. That line of code solved all my problems.

Hope anyone having issues with the new extensions will find this GeekZone topic and solve it!

Thanks!

awliste

2 posts

Wannabe Geek

#2362012 28-Nov-2019 09:01

If I beg nicely, would one of you fine folks send me a sanitized LocalSettings.php that is known good for PluggableAuth, LDAPProvider, LDAPAuthentication2, and LDAPAuthorization extensions? I can't get mine to cooperate to save my life. I don't think I have a case sensitivity issue in my config, and while I completely agree with @kelirkenan about mediawiki documentation, adding that line in changed nothing on my host.

My general symptom is I can authenticate a user, but when I try to edit a page, the mediawiki times me out. When I turn on authorization, my accounts are not authorized to login. This is a "follow the recipe" install on CentOS (it's a docker container. Happy to provide the Dockerfile if anyone has the need), pull down the extensions from mwf, un-tar them in extensions, adapt LocalSettings as appropriate and fire it up. php maintenance/update.php is.... interesting.

FWIW, and something kind of odd/interesting, I did a VM build (non docker) of Mediawiki so I could capture steps as I was putting together my Dockerfile. On that image, I CAN edit pages as a user, but when I turn on Authorization, I get the same symptom as the containerized mediawiki.

groupsrequest mechanism maybe? I don't know which method to use on OpenLDAP, or how to find that information.

Any help would be very, very much appreciated. Thanks for your time, thanks for putting this forum together, and thanks for helping me realize it's not just me living the struggle with this thing.

Take it easy.

R/,

- A

1 | 2