Hi All,
I'm looking for some help with the LdapAuthentication extension, specifically group synchronization and access controls based on LDAP group membership. Here's a little info on my setup:
Gentoo box with LAMP running MediaWiki:
* MediaWiki: 1.6.8
* PHP: 4.4.2-pl2-gentoo (apache2handler)
* MySQL: 4.1.14-log
* LDAP Authentication Plugin (version 1.1f (alpha)), LDAP Authentication plugin with support for multiple LDAP authentication methods, by Ryan Lane
(The latest download on the website has version 1.1f alpha listed; however, when you view this file, you'll notice the version defined is 1.1f (non-alpha) and the code is different from the 1.1f alpha.)
This is connecting to a Windows 2003 Active Directory LDAP server hosted on another machine.
Here is my config as it pertains to LDAP:
require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "SMP-INC" );
$wgLDAPServerNames = array( "SMP-INC"=>"frodo.smp-inc.com legolas.smp-inc.com" );
$wgLDAPSearchStrings = array( "SMP-INC"=>"SMP-INC\USER-NAME" );
#$wgLDAPSearchStrings = array( "SMP-INC"=>"USER-NAME@SMP-INC.com" );
$wgLDAPUseSSL = false; //not recommended but OK for testing
$wgLDAPEncryptionType = array( "SMP-INC"=>'clear' ); // this is needed in >= 1.1c
$wgLDAPUseLocal = true; //allows mysql db driven auth (default Root user)
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = array( "SMP-INC"=>true ); // this is needed in >= 1.1c
$wgLDAPUpdateLDAP = array( "SMP-INC"=>false ); //disables mediawiki from updating LDAP (boolean false; the string "false" is truthy in PHP)
$wgLDAPDebug = 3; //debugging
#GROUP BASED AUTH
$wgLDAPSearchAttributes = array( "SMP-INC"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "SMP-INC"=>"cn=users,dc=smp-inc,dc=com" );
$wgLDAPUseLDAPGroups = array( "SMP-INC"=>true );
$wgLDAPRequiredGroups = array(
"SMP-INC"=>array(
"cn=wiki-readonly,cn=users,dc=smp-inc,dc=com",
"cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com",
"cn=wiki-sysops,cn=users,dc=smp-inc,dc=com"
)
);
$wgLDAPLowerCaseUsername = array( "SMP-INC"=>true );
$wgLDAPGroupUseFullDN = array( "SMP-INC"=>true );
$wgLDAPGroupObjectclass = array( "SMP-INC"=>"group" );
$wgLDAPGroupAttribute = array( "SMP-INC"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "SMP-INC"=>true );
# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;
# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
# But allow them to read the Login Page, and JS/CSS pages
$wgWhitelistRead = array( "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions['wiki-readonly']['move'] = false;
$wgGroupPermissions['wiki-readonly']['read'] = true;
$wgGroupPermissions['wiki-readonly']['edit'] = false;
$wgGroupPermissions['wiki-readonly']['createpage'] = false;
$wgGroupPermissions['wiki-readonly']['createtalk'] = false;
$wgGroupPermissions['wiki-readonly']['upload'] = false;
$wgGroupPermissions['wiki-readonly']['reupload'] = false;
$wgGroupPermissions['wiki-readonly']['reupload-shared'] = false;
$wgGroupPermissions['wiki-readonly']['minoredit'] = false;
$wgGroupPermissions['wiki-readwrite']['move'] = true;
$wgGroupPermissions['wiki-readwrite']['read'] = true;
$wgGroupPermissions['wiki-readwrite']['edit'] = true;
$wgGroupPermissions['wiki-readwrite']['createpage'] = true;
$wgGroupPermissions['wiki-readwrite']['createtalk'] = true;
$wgGroupPermissions['wiki-readwrite']['upload'] = true;
$wgGroupPermissions['wiki-readwrite']['reupload'] = true;
$wgGroupPermissions['wiki-readwrite']['reupload-shared'] = true;
$wgGroupPermissions['wiki-readwrite']['minoredit'] = true;
$wgGroupPermissions['wiki-sysops']['block'] = true;
$wgGroupPermissions['wiki-sysops']['createaccount'] = true;
$wgGroupPermissions['wiki-sysops']['delete'] = true;
$wgGroupPermissions['wiki-sysops']['deletedhistory'] = true;
$wgGroupPermissions['wiki-sysops']['editinterface'] = true;
$wgGroupPermissions['wiki-sysops']['import'] = true;
$wgGroupPermissions['wiki-sysops']['importupload'] = true;
$wgGroupPermissions['wiki-sysops']['move'] = true;
$wgGroupPermissions['wiki-sysops']['patrol'] = true;
$wgGroupPermissions['wiki-sysops']['protect'] = true;
$wgGroupPermissions['wiki-sysops']['rollback'] = true;
$wgGroupPermissions['wiki-sysops']['upload'] = true;
$wgGroupPermissions['wiki-sysops']['reupload'] = true;
$wgGroupPermissions['wiki-sysops']['reupload-shared'] = true;
$wgGroupPermissions['wiki-sysops']['unwatchedpages'] = true;
$wgGroupPermissions['wiki-sysops']['autoconfirmed'] = true;
$wgGroupPermissions['wiki-sysops']['userrights'] = true;
I created 3 Active Directory groups and a user for each group:
GROUP            USER
wiki-readonly    wiki-ro
wiki-readwrite   wiki-rw
wiki-sysops      wiki-user
I can successfully authenticate against LDAP groups as defined by $wgLDAPRequiredGroups. Users that are not in $wgLDAPRequiredGroups can NOT log in. So LDAP is working and group authentication is working. It is my understanding that at this point I should be able to set $wgGroupPermissions based on the Active Directory group name, so long as wiki/AD sync is set up as defined by $wgLDAPUseLDAPGroups. With debugging set to 3, I can log in as any of the 3 defined users; however, they all receive the same group memberships: user and *.
Entering validDomain
User is using a valid domain.
Setting domain as: SMP-INC
Entering getCanonicalName
Username isn't empty.
Munged username: Wiki-rw
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://frodo.smp-inc.com ldap://legolas.smp-inc.com
Connected successfully
Lowercasing the username: wiki-rw
Entering getSearchString
Doing a straight bind
userdn is: SMP-INC\wiki-rw
Binding as the user
Binded successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=wiki-rw)
Using base: cn=users,dc=smp-inc,dc=com
Fetched username is not a string (check your hook code...).
Pulled the user's DN: CN=wiki-rw,CN=Users,DC=smp-inc,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-readonly,cn=users,dc=smp-inc,dc=com,cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com,cn=wiki-sysops,cn=users,dc=smp-inc,dc=com
Entering getUserGroups
Entering getGroups
Search string: (&(member=CN=wiki-rw,CN=Users,DC=smp-inc,DC=com)(objectclass=group))
Returned groups:cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com
Returned groups:
Found user in a group.
Retrieving LDAP group membership
Entering getUserGroups
Entering getAllGroups
Entering getGroups
Search string: (&(member=\5c2a)(objectclass=group))
Returned groups:
Returned groups:
Retrieving preferences
Retrieved: , , wiki-rw, wiki-rw
Authentication passed
Entering updateUser
Setting user preferences.
Pulling groups from LDAP.
Available groups are: bot,sysop,bureaucrat,wiki-readonly,wiki-readwrite,wiki-sysops
Effective groups are: *,user
Checking to see if user is in: bot
Entering hasLDAPGroup
Checking to see if user is in: sysop
Entering hasLDAPGroup
Checking to see if user is in: bureaucrat
Entering hasLDAPGroup
Checking to see if user is in: wiki-readonly
Entering hasLDAPGroup
Checking to see if user is in: wiki-readwrite
Entering hasLDAPGroup
Checking to see if user is in: wiki-sysops
Entering hasLDAPGroup
Saving user settings.
You'll notice the line: "Effective groups are: *,user". Shouldn't this show wiki-readwrite, since that's the AD group this user belongs to? Or does it not check the AD groups until it says "Checking to see if user is in: wiki-readwrite"? Also, once the member is found in an AD group, should the MySQL table "wikidb_user_groups" get an UPDATE statement adding the userid to the AD group?
I've read a lot and looked for Ryan Lane on Freenode. I think I'm having similar problems to this guy, but I have the newer version: http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication/archive_1#Group_Synchronization
Thanks,
Kbruss
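The group lookup that the debug log in the post shows, as an added example in Python (this is not code from the post or from the LDAP Authentication extension; the in-memory directory, the function names and the DN normalisation rules are constructed for illustration). It builds the same `(&(member=...)(objectclass=group))` filter with RFC 4515 escaping, resolves membership against a copy of the three groups from the post, and maps the returned group DNs onto wiki group names the way the "Available groups are:" step needs them. It also shows where a string like `\5c2a` comes from: escaping `*` once yields `\2a`, and escaping that result again yields `\5c2a`, which is the literal in the second search string of the log. A directory server treats an escaped asterisk as the literal character, not as a wildcard, so such a filter matches no member.

```python
# Added example (not code from the LDAP Authentication extension): a small
# model of the group lookup the debug log shows, to illustrate RFC 4515
# filter escaping and how returned group DNs map onto wiki group names.

import re

# Characters that must be escaped inside an LDAP filter assertion value
# (RFC 4515): backslash, asterisk, parentheses and NUL.
_FILTER_SPECIALS = "\\*()\x00"


def ldap_filter_escape(value: str) -> str:
    """Escape a filter value as \\XX (two hex digits), per RFC 4515."""
    return "".join(
        "\\%02x" % ord(ch) if ch in _FILTER_SPECIALS else ch for ch in value
    )


def group_filter(member_dn: str, attribute: str = "member",
                 objectclass: str = "group") -> str:
    """Build the '(&(member=<dn>)(objectclass=group))' filter seen in the log."""
    return "(&(%s=%s)(objectclass=%s))" % (
        attribute, ldap_filter_escape(member_dn), objectclass)


def _norm_dn(dn: str) -> str:
    """Case-insensitive DN comparison: AD returns 'CN=...,DC=...' while the
    config uses lower case; spaces after commas are dropped as well."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def find_groups(directory, member_dn: str, attribute: str = "member"):
    """Return DNs of group entries whose member attribute contains member_dn.
    'directory' is a constructed dict: group DN -> {attribute: [member DNs]}.
    A literal '*' is NOT a wildcard here, which is exactly what an escaped
    '*' means to a real server as well."""
    wanted = _norm_dn(member_dn)
    return [g for g, attrs in directory.items()
            if wanted in (_norm_dn(m) for m in attrs.get(attribute, []))]


def wiki_groups_from_dns(group_dns, available):
    """Map group DNs to wiki group names via their leading cn=, keeping only
    names the wiki knows (the 'Available groups are:' list in the log)."""
    names = []
    for dn in group_dns:
        first = dn.split(",", 1)[0]
        if first.lower().startswith("cn="):
            names.append(first[3:].lower())
    return [n for n in names if n in available]


# Constructed directory holding the three groups and users from the post.
DIRECTORY = {
    "cn=wiki-readonly,cn=users,dc=smp-inc,dc=com":
        {"member": ["CN=wiki-ro,CN=Users,DC=smp-inc,DC=com"]},
    "cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com":
        {"member": ["CN=wiki-rw,CN=Users,DC=smp-inc,DC=com"]},
    "cn=wiki-sysops,cn=users,dc=smp-inc,dc=com":
        {"member": ["CN=wiki-user,CN=Users,DC=smp-inc,DC=com"]},
}
AVAILABLE = ["bot", "sysop", "bureaucrat",
             "wiki-readonly", "wiki-readwrite", "wiki-sysops"]


def effective_groups(member_dn: str):
    """Wiki groups a user would get from LDAP: look up, then map DN -> name."""
    return wiki_groups_from_dns(find_groups(DIRECTORY, member_dn), AVAILABLE)


if __name__ == "__main__":
    user_dn = "CN=wiki-rw,CN=Users,DC=smp-inc,DC=com"
    print(group_filter(user_dn))
    print(effective_groups(user_dn))            # ['wiki-readwrite']
    # Escaping '*' once gives \2a; escaping that result again gives \5c2a,
    # the literal in the second search string of the log.
    print(ldap_filter_escape("*"), ldap_filter_escape(ldap_filter_escape("*")))
    print(find_groups(DIRECTORY, "*"))          # [] -- literal '*' matches nothing
```

The escape function is the piece worth keeping regardless of the extension: every value interpolated into a filter, the user's DN included, goes through it exactly once, which both prevents filter injection from a crafted username and keeps a genuine `*` from being turned into a wildcard.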