Not sure if this matters, but we're using Oracle Directory Server (formerly
Sun Directory Server Enterprise Edition). In a group, each member is
specified by a full user DN. Does the extension look for a member value
matching just the username?
Thanks.
On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dparker(a)utica.edu> wrote:
Hello,
I set up a test instance of MediaWiki at our site and am trying to get it
configured for LDAP authentication. Per the documentation I could find, I
installed and configured the following extensions:
- LDAPAuthentication2
- LDAPAuthorization
- LDAPProvider
- PluggableAuth
Without LDAPAuthorization enabled, basic LDAP authentication works fine.
However, when I enable LDAPAuthorization and try to filter access by
membership in a specific group, authentication fails every time with an
error saying the user is not authorized.
More specifically, I created a group in our LDAP system called wiki-users
and added myself as a member. I then added an authorization block to the
json file and specified the full DN of this group as a required group. I'm
using plaintext LDAP so I can run packet captures and see the traffic.
When I capture the LDAP traffic, I can see that it's authenticating the
bind user and then my own user, but at no point does it query for this
group.
A sanitized version of my json file is pasted below. Any help is greatly
appreciated!
{
  "LDAP": {
    "connection": {
      "server": "my-LDAP-server.utica.edu",
      "port": "389",
      "enctype": "clear",
      "user": "cn=my-bind-user,dc=utica,dc=edu",
      "pass": "xxxxxxxxxxxx",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
      "usernameattribute": "uid",
      "realnameattribute": "ucPreferredName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    },
    "userinfo": {
      "email": "mail",
      "realname": "ucPreferredName"
    }
  }
}
--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
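The question in the thread is whether a "required group" check compares the group's member values against the full user DN or against the bare username. The script below is an added, offline example written for this thread; it is not code from the MediaWiki LDAP extensions and does not describe their internals. It models the two lookups a wiki has to make for such a rule (the user search built from the configured searchattribute, and the group membership test) using the standard LDAP group schemas: groupOfNames and groupOfUniqueNames store full DNs in member / uniqueMember, while posixGroup stores bare usernames in memberUid. It also shows the reverse "which groups list this DN" filter that one would expect to see in a packet capture after the user bind, and escapes the username per RFC 4515 so a login name cannot rewrite the filter. All group entries, DNs and names (example.edu, dparker) are constructed sample data, not real directory content.

```python
"""Offline model of an LDAP 'required group' authorization decision.

Added example for the mailing-list thread above; not code from the
LDAPAuthorization/LDAPProvider extensions. Group entries are constructed
sample data shaped like decoded LDAP search results.
"""
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for values placed inside an LDAP search filter.

    Without this, a username such as 'x)(uid=*' would change the filter
    logic instead of being matched literally.
    """
    specials = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
    return ''.join(specials.get(ch, ch) for ch in value)


def user_search_filter(username: str, searchattribute: str = 'uid') -> str:
    """Filter used to resolve a login name to a user entry (and its DN)."""
    return f'({searchattribute}={escape_filter_value(username)})'


def group_membership_filter(user_dn: str) -> str:
    """Reverse lookup: which DN-based groups list this user DN?

    This is the kind of group query one would expect to see on the wire
    right after the user bind when a group rule is being evaluated.
    """
    dn = escape_filter_value(user_dn)
    return f'(|(member={dn})(uniqueMember={dn}))'


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around unescaped commas so that
    'cn=Wiki-Users, ou=Groups' and 'cn=wiki-users,ou=groups' compare equal."""
    parts = [p.strip() for p in re.split(r'(?<!\\),', dn)]
    return ','.join(p.lower() for p in parts)


def is_member(group_entry: dict, user_dn: str, username: str) -> bool:
    """Apply the membership rule that matches the group's objectClass.

    groupOfNames        -> 'member' holds full DNs
    groupOfUniqueNames  -> 'uniqueMember' holds full DNs
    posixGroup          -> 'memberUid' holds bare usernames
    """
    classes = {c.lower() for c in group_entry.get('objectClass', [])}
    target = normalize_dn(user_dn)
    if 'groupofnames' in classes:
        if any(normalize_dn(m) == target for m in group_entry.get('member', [])):
            return True
    if 'groupofuniquenames' in classes:
        if any(normalize_dn(m) == target for m in group_entry.get('uniqueMember', [])):
            return True
    if 'posixgroup' in classes:
        if username in group_entry.get('memberUid', []):
            return True
    return False


def authorized(username: str, user_dn: str, required_groups, directory: dict) -> bool:
    """Every required group must contain the user; an unresolvable group DN
    denies access rather than silently passing."""
    for group_dn in required_groups:
        entry = directory.get(normalize_dn(group_dn))
        if entry is None or not is_member(entry, user_dn, username):
            return False
    return True


# Constructed sample directory content (not real data).
WIKI_USERS = {
    'dn': 'cn=wiki-users,ou=groups,o=example.edu,dc=example,dc=edu',
    'objectClass': ['top', 'groupOfUniqueNames'],
    # Note the extra spaces: a real server may return DNs in either form.
    'uniqueMember': ['uid=dparker, ou=people, o=example.edu, dc=example, dc=edu'],
}
WIKI_POSIX = {
    'dn': 'cn=wiki-posix,ou=groups,o=example.edu,dc=example,dc=edu',
    'objectClass': ['top', 'posixGroup'],
    'memberUid': ['dparker'],
}
DIRECTORY = {normalize_dn(e['dn']): e for e in (WIKI_USERS, WIKI_POSIX)}

if __name__ == '__main__':
    dn = 'uid=dparker,ou=people,o=example.edu,dc=example,dc=edu'
    print(user_search_filter('dparker'))
    print(group_membership_filter(dn))
    print(authorized('dparker', dn, [WIKI_USERS['dn']], DIRECTORY))
```

The practical takeaway for debugging: if a capture after the user bind shows neither a read of the group entry nor a filter like the one group_membership_filter() builds, the group rule is not being evaluated at all, which is a configuration or extension-loading problem rather than a DN-versus-username mismatch.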