A couple things:
Created a regular filter: (sAMAccountName=Joliver)
Entering getBaseDN
basedn is ou=Domain Users,dc=domain,dc=com
Using base: ou=Domain Users,dc=domain,dc=com
Fetched username is not a string (check your hook code...).
This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN:
It didn't pull the user's DN. You mention the reason for this below...
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups: cn=qa employees,ou=security groups,dc=domain,dc=com,cn=engineering employees,ou=security groups,dc=domain,dc=com,cn=customer care employees,ou=security groups,dc=domain,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is ou=Security Groups,dc=domain,dc=com
Search string: (&(=Joliver)(objectclass=))
This should say: Search string: (&(member=Joliver)(objectclass=group)).
You should have all of the following options set:
$wgLDAPGroupUseFullDN = array( "AD_DOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "AD_DOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "AD_DOMAIN"=>"member" );
$wgLDAPGroupNameAttribute = array( "AD_DOMAIN"=>"cn" );
$wgLDAPSearchAttributes = array( "AD_DOMAIN"=>"sAMAccountName" );
I think this may be because my user isn't in Domain Users... it's in another folder called "IT". So, I tried:
$wgLDAPUserBaseDNs = array(
"AD_DOMAIN" => array(
"ou=Domain Users,dc=domain,dc=com",
"ou=IT,dc=domain,dc=com"
)
);
and now I still get the incorrect password error, and the debug message says:
Entering getBaseDN
basedn is Array
Using base: Array
I'm not sure if it's just saying that the BaseDN *is* an array, or if
it's reading the literal string, "Array".
You can only set one base dn. You need to set this to:
$wgLDAPUserBaseDNs = array( "AD_DOMAIN" => "dc=domain,dc=com" );
There is a practical reason to have all user accounts under a single OU
(or a set of OUs under a single OU). This is one of those reasons. In AD
land, there are other practical reasons including a sane group policy.
Also, I noticed that the debug says:
Pulled the user's DN:
Googling around has found examples where that is populated, like:
Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
Yep. That's what it *should* look like.
So, all of this said... The next version of the plugin will have
memberOf support, and will have an option to auto-configure all of the
annoying settings depending on schema type. It may or may not be out
soon depending on my level of laziness.
V/r,
Ryan Lane
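Added example, not the extension's own code: a PHP sketch of how the group search filter and the user base DN above are derived from the $wgLDAP* settings, reproducing the empty-attribute filter and the "basedn is Array" log lines from the thread when the settings are missing or of the wrong type. The function names, the $config shape and the DN value for Joliver are assumptions; ldap_escape() requires the PHP ldap extension.

```php
<?php
// Hypothetical settings: the OP's state (nothing set) and the corrected set
// from the reply above. Domain key and values taken from the thread.
$unsetConfig = array();
$fixedConfig = array(
    'wgLDAPGroupUseFullDN'     => array( 'AD_DOMAIN' => true ),
    'wgLDAPGroupObjectclass'   => array( 'AD_DOMAIN' => 'group' ),
    'wgLDAPGroupAttribute'     => array( 'AD_DOMAIN' => 'member' ),
    'wgLDAPGroupNameAttribute' => array( 'AD_DOMAIN' => 'cn' ),
    'wgLDAPUserBaseDNs'        => array( 'AD_DOMAIN' => 'dc=domain,dc=com' ),
);

// Look up one per-domain setting; an unset setting yields '' (assumed helper).
function setting( array $config, $name, $domain ) {
    return isset( $config[$name][$domain] ) ? $config[$name][$domain] : '';
}

// Build the group-membership filter. With nothing configured the attribute
// and objectclass are empty, giving "(&(=Joliver)(objectclass=))". The value
// is escaped per RFC 4515 so a username cannot change the filter structure.
function groupFilter( array $config, $domain, $username, $userDn ) {
    $useFullDn = setting( $config, 'wgLDAPGroupUseFullDN', $domain );
    // With UseFullDN the member attribute is matched against the user's DN,
    // so a DN that was never pulled means the lookup cannot succeed.
    $value = ( $useFullDn && $userDn !== '' ) ? $userDn : $username;
    return '(&(' . setting( $config, 'wgLDAPGroupAttribute', $domain ) . '='
        . ldap_escape( $value, '', LDAP_ESCAPE_FILTER )
        . ')(objectclass=' . setting( $config, 'wgLDAPGroupObjectclass', $domain ) . '))';
}

// Resolve the user base DN. A PHP array interpolated into a string becomes
// the literal word "Array", which is exactly what "basedn is Array" shows,
// so reject anything that is not a single DN string.
function userBaseDn( array $config, $domain ) {
    $base = setting( $config, 'wgLDAPUserBaseDNs', $domain );
    if ( !is_string( $base ) || $base === '' ) {
        throw new InvalidArgumentException(
            'wgLDAPUserBaseDNs must be one DN string per domain, got ' . gettype( $base ) );
    }
    return $base;
}

echo groupFilter( $unsetConfig, 'AD_DOMAIN', 'Joliver', '' ), "\n";
// Constructed DN for the fixed case; the real DN lives in the IT OU per the thread.
echo groupFilter( $fixedConfig, 'AD_DOMAIN', 'Joliver', 'CN=J Oliver,OU=IT,DC=domain,DC=com' ), "\n";
echo userBaseDn( $fixedConfig, 'AD_DOMAIN' ), "\n";
try {
    userBaseDn( array( 'wgLDAPUserBaseDNs' => array( 'AD_DOMAIN' => array( 'ou=IT,dc=domain,dc=com' ) ) ), 'AD_DOMAIN' );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), "\n";
}
```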