I am having an issue getting authenticated to an AD server. The thing is though, it works for one of my AD groups, but when I try to authenticate to another group it fails. It won't pull the user's DN according to the debug below. Both working and non-working debug look identical up until that point. Anyone have any ideas? I'm kind of under the gun to get this to work. Could it be a character limitation bug since the non-working group has a much deeper CN? Any help someone can give is much appreciated.
Thanks!
-GT
I'm using the 1.2a LdapAuthentication.php extension.
http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication
The WORKING group debug level 3:
Entering validDomain
User is using a valid domain. Setting domain as: domainname.com
Entering getCanonicalName
Username isn't empty.
Munged username: doej
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ldap.domainname.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: doej@domainname.com
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=doej)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=administrators,dc=domainname,dc=com
Using base: ou=administrators,dc=domainname,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=administrators,dc=domainname,dc=com
Search string: (&(member=CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com)(objectclass=group))
Returned groups:cn=mis-tech,ou=groups,ou=administrators,dc=domainname,dc=com,cn=mis-tech,ou=groups,ou=administrators,dc=domainname,dc=com,cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com,cn=mis-alert,ou=groups,ou=administrators,dc=domainname,dc=com,cn=ssltest,ou=groups,ou=administrators,dc=domainname,dc=com,cn=bomgar users,ou=groups,ou=administrators,dc=domainname,dc=com,cn=rds-vpn,ou=groups,ou=administrators,dc=domainname,dc=com
Returned groups:,,,,,,
Found user in a group.
Authentication passed
Entering updateUser
Relevant entries for LDAP authentication in LocalSettings.php
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domainname.com" );
$wgLDAPServerNames = array( "domainname.com"=>"ldap.domainname.com" );
$wgLDAPSearchStrings = array( "domainname.com"=>"USER-NAME@domainname.com" );
$wgLDAPEncryptionType = array( "domainname.com"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "domainname.com"=>array("cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com") );
$wgLDAPGroupUseFullDN = array( "domainname.com"=>true );
$wgLDAPGroupObjectclass = array( "domainname.com"=>"group" );
$wgLDAPGroupAttribute = array( "domainname.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domainname.com"=>true );
$wgLDAPBaseDNs = array( "domainname.com"=>"ou=administrators,dc=domainname,dc=com" );
$wgLDAPSearchAttributes = array( "domainname.com"=>"sAMAccountName" );
NON WORKING group debug level 3:
Entering validDomain
User is using a valid domain. Setting domain as: domainname.com
Entering getCanonicalName
Username isn't empty.
Munged username: doej
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ldap.domainname.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: doej@domainname.com
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=doej)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Using base: ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN:
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Search string: (&(member=)(objectclass=group))
Returned groups:
Returned groups:
Couldn't find the user in any groups (1).
Entering strict.
Returning false in strict().
Entering modifyUITemplate
Allowing the local domain, adding it to the list.
Relevant entries for LDAP authentication in LocalSettings.php
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domainname.com" );
$wgLDAPServerNames = array( "domainname.com"=>"ldap.domainname.com" );
$wgLDAPSearchStrings = array( "domainname.com"=>"USER-NAME@domainname.com" );
$wgLDAPEncryptionType = array( "domainname.com"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "domainname.com"=>array("cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com") );
$wgLDAPGroupUseFullDN = array( "domainname.com"=>true );
$wgLDAPGroupObjectclass = array( "domainname.com"=>"group" );
$wgLDAPGroupAttribute = array( "domainname.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domainname.com"=>true );
$wgLDAPBaseDNs = array( "domainname.com"=>"ou=groups,ou=town a,ou=sites,dc=domainname,dc=com" );
$wgLDAPSearchAttributes = array( "domainname.com"=>"sAMAccountName" );
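An added example, not part of the post above and not code from the LdapAuthentication extension: a small offline Python model of the two-step lookup the debug traces record. The plugin first searches sAMAccountName under $wgLDAPBaseDNs to obtain the user's DN, then searches for objects of class group whose member attribute holds that DN. In the second trace the base is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com, the user's DN comes back empty, and the group filter degenerates to (&(member=)(objectclass=group)). The in-memory directory below is constructed from the DNs that appear in the traces; that the same user is a member of cn=wiki-w is an assumption made for the example. The model also does two things the trace shows the plugin not doing: it refuses to search when the user DN is empty instead of sending an empty member= filter, and it escapes the username per RFC 4515 before placing it in a filter.

```python
"""Offline model of base-DN-scoped user lookup followed by group lookup.

Added example only; the directory is constructed from DNs in the debug
traces and is not real data.  Membership of the user in cn=wiki-w is an
assumption for the example.
"""

USER_DN = "cn=john doe,ou=users,ou=administrators,dc=domainname,dc=com"

# Constructed directory: DN -> attributes (all lower-case for simplicity).
DIRECTORY = {
    USER_DN: {"objectclass": ["user"], "samaccountname": ["doej"]},
    "cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com": {
        "objectclass": ["group"], "member": [USER_DN]},
    "cn=mis-tech,ou=groups,ou=administrators,dc=domainname,dc=com": {
        "objectclass": ["group"], "member": [USER_DN]},
    "cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com": {
        "objectclass": ["group"], "member": [USER_DN]},   # assumed membership
}


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_subtree(dn, base):
    """True if dn is base itself or lies below it (suffix match on an RDN boundary)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot inject filter syntax."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_user_filter(username):
    """The filter the trace shows as 'Created a regular filter', with escaping."""
    return "(sAMAccountName=%s)" % escape_filter_value(username)


def build_group_filter(user_dn):
    """The filter the trace shows as 'Search string'; empty DN gives (member=)."""
    return "(&(member=%s)(objectclass=group))" % escape_filter_value(user_dn)


def search(base, attr, value, objectclass=None):
    """Subtree search: entries under base whose attr contains value (case-insensitive)."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base):
            continue
        if objectclass and objectclass not in attrs.get("objectclass", []):
            continue
        if value.lower() in [v.lower() for v in attrs.get(attr, [])]:
            hits.append(dn)
    return hits


def get_user_dn(base, username):
    """Mirrors 'Pulled the user's DN': empty string when the entry is outside base."""
    hits = search(base, "samaccountname", username)
    return hits[0] if hits else ""


def check_required_group(base, username, required_group):
    """Return (allowed, reason).  Fails closed rather than searching with (member=)."""
    user_dn = get_user_dn(base, username)
    if not user_dn:
        return False, "user entry not found under base %r; not searching groups" % base
    groups = search(base, "member", user_dn, objectclass="group")
    if normalize_dn(required_group) in [normalize_dn(g) for g in groups]:
        return True, "%s is a member of %s" % (user_dn, required_group)
    return False, "%s is not a member of %s" % (user_dn, required_group)


if __name__ == "__main__":
    cases = [
        ("ou=administrators,dc=domainname,dc=com",
         "cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com"),
        ("ou=groups,ou=town a,ou=sites,dc=domainname,dc=com",
         "cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com"),
        # A base that contains both the user entry and the group subtree.
        ("dc=domainname,dc=com",
         "cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com"),
    ]
    for base, group in cases:
        dn = get_user_dn(base, "doej")
        print("base:", base)
        print("  user filter :", build_user_filter("doej"))
        print("  pulled DN   :", repr(dn))
        print("  group filter:", build_group_filter(dn))
        print("  decision    :", check_required_group(base, "doej", group))
```

Running the block prints the working base, the non-working base, and a base of dc=domainname,dc=com that contains both the user entry and the group subtree; only the last two resolve a DN and only they can match a group. The trace line "basedn is not set for this type of entry" indicates the extension distinguishes a user base DN from a group base DN; whether the 1.2a release exposes separate settings for them is an assumption to check against the extension's documentation rather than something the post establishes. Separately, $wgLDAPEncryptionType set to "clear" means the bind in the trace ("Using TLS or not using encryption") sends the user's domain password to the directory server unencrypted.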