We've had this LDAP system for a long time, and have never run into anything like this before.  In general, there are two kinds of groups you can use in it:

1. A standard group has a groupOfNames object class, and members are specified using the "member" attribute, with each value being the DN of the user.  When a user is a member of a group like this, it also adds the "isMemberOf" operational attribute on the user's LDAP record, the value of which is the DN of the group.

2. A dynamic group has a groupOfUrls object class, and membership is specified by one or more "memberURL" values which are LDAP search strings.  All records matching the search string are considered to be members of the group.  Oracle (and previously Sun) recommended using the "memberOf" attribute on user records and in the search string, to build out these groups.  For example, our staff group has this memberURL:

ldap:///ou=people,o=utica.edu,dc=utica,dc=edu??sub?(&(objectclass=person)(memberOf=cn=staff,ou=groups,o=utica.edu,dc=utica,dc=edu))

So, when this group is queried for members, it returns any user with this group's DN as a "memberOf" value.  It gets convoluted and is easy to make mistakes with dynamic groups, so we generally use plain old groups with explicitly listed members instead.  Group lookups have never given us any trouble before, with any product.  I've never seen an LDAP query return a user's group memberships unless isMemberOf was included in the filter.  In general, the things I've used just look up the user and then look up the group and check to make sure the user's DN is a member value of the group.

Thanks!
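The two membership checks described above, a static group's member DNs compared against the user's full DN and a dynamic group's memberURL filter evaluated against the user's entry, as an added example that is not part of the thread or of any of the MediaWiki extensions: an offline resolver over a constructed sample directory. The uid=alice and uid=bob entries and the group contents are made up; only the DN suffix and the memberURL shape come from the messages.

```python
import re
BASE = "o=utica.edu,dc=utica,dc=edu"  # suffix from the thread; the directory below is constructed
def norm(dn):  # compare DNs case-insensitively, ignoring space around commas
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()
DIRECTORY = {norm(dn): a for dn, a in {
    f"uid=alice,ou=people,{BASE}": {"objectclass": ["person"], "uid": ["alice"],
                                    "memberof": [f"cn=staff,ou=groups,{BASE}"]},
    f"uid=bob,ou=people,{BASE}": {"objectclass": ["person"], "uid": ["bob"]},
    f"cn=wiki-users,ou=groups,{BASE}": {"objectclass": ["groupOfNames"],
                                        "member": [f"uid=alice,ou=people,{BASE}"]},
    f"cn=staff,ou=groups,{BASE}": {"objectclass": ["groupOfUrls"], "memberurl": [
        f"ldap:///ou=people,{BASE}??sub?(&(objectclass=person)(memberOf=cn=staff,ou=groups,{BASE}))"]},
}.items()}

def parse_filter(s, i=0):  # tiny RFC 4515 subset: (&..) (|..) (!..) (attr=value) (attr=*)
    assert s[i] == "("; i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] != ")":
            kid, i = parse_filter(s, i); kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i); attr, _, val = s[i:j].partition("=")
    return ("=", attr.lower(), val), j + 1

def matches(entry, node):  # evaluate a parsed filter against one entry (attrs keyed lowercase)
    if node[0] == "&": return all(matches(entry, k) for k in node[1])
    if node[0] == "|": return any(matches(entry, k) for k in node[1])
    if node[0] == "!": return not matches(entry, node[1][0])
    vals = [v.lower() for v in entry.get(node[1], [])]
    return bool(vals) if node[2] == "*" else node[2].lower() in vals

def dynamic_member(directory, user_dn, member_url):
    # memberURL = ldap:///<base>?<attrs>?<scope>?<filter>; user must be in scope and match the filter
    base, _attrs, scope, filt = member_url[len("ldap:///"):].split("?", 3)
    u, b = norm(user_dn), norm(base)
    rel = u[:-len(b) - 1] if u.endswith("," + b) else None   # RDNs below the base, if any
    in_scope = {"base": u == b, "one": rel is not None and "," not in rel
                }.get(scope, u == b or rel is not None)      # default scope: sub
    return in_scope and u in directory and matches(directory[u], parse_filter(filt)[0])

def is_member(directory, group_dn, user_dn):
    group = directory.get(norm(group_dn), {})
    classes = {c.lower() for c in group.get("objectclass", [])}
    if "groupofnames" in classes:  # static group: member values are full user DNs, not usernames
        return norm(user_dn) in {norm(m) for m in group.get("member", [])}
    if "groupofurls" in classes:   # dynamic group: any memberURL whose filter the user satisfies
        return any(dynamic_member(directory, user_dn, url) for url in group.get("memberurl", []))
    return False

def authorized(directory, user_dn, required):  # required-groups rule: every listed group must match
    return all(is_member(directory, g, user_dn) for g in required)
```

Note that a bare username such as "alice" never matches a static group here, since the member values are full DNs; an implementation comparing usernames to member values would fail exactly the way the thread describes.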


On Wed, Aug 11, 2021 at 2:43 PM Matthew Dowdell <mdowdell244@gmail.com> wrote:
It's a stab in the dark, but there are some LDAP auth implementations that assume groups are returned when querying for a user, as that's generally how LDAP servers work out of the box. If your groups are not included in user query results, and I'm guessing they're not based on your expectations, they break in the manner you describe. Depending on how battle tested the implementation is, it may make a second lookup to test if the user is in a group, which may be a separate config flag.

No clue if any of the listed extensions fall into the former or latter category of Auth implementations, but figured the LDAP trivia might be useful.

On Wed, 11 Aug 2021, 19:29 Dave Parker, <dparker@utica.edu> wrote:
Not sure if this matters, but we're using Oracle Directory Server (formerly Sun Directory Server Enterprise Edition).  In a group, each member is specified by a full user DN.  Does the extension look for a member value matching just the username?

Thanks.

On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dparker@utica.edu> wrote:
Hello,

I set up a test instance of MediaWiki at our site and am trying to get it configured for LDAP authentication.  Per the documentation I could find, I installed and configured the following extensions:

  - LDAPAuthentication2
  - LDAPAuthorization
  - LDAPProvider
  - PluggableAuth

Without LDAPAuthorization enabled, basic LDAP authentication works fine.  However, when I enable LDAPAuthorization and try to filter access by membership in a specific group, authentication fails every time with an error saying the user is not authorized.

More specifically, I created a group in our LDAP system called wiki-users and added myself as a member.  I then added an authorization block to the json file and specified the full DN of this group as a required group.  I'm using plaintext LDAP so I can run packet captures and see the traffic.  When I capture the LDAP traffic, I can see that it's authenticating the bind user and then my own user, but at no point does it query for this group.

A sanitized version of my json file is pasted below.  Any help is greatly appreciated!

{
  "LDAP": {
    "connection": {
      "server": "my-LDAP-server.utica.edu",
      "port": "389",
      "enctype": "clear",
      "user": "cn=my-bind-user,dc=utica,dc=edu",
      "pass": "xxxxxxxxxxxx",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
      "usernameattribute": "uid",
      "realnameattribute": "ucPreferredName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    },
    "userinfo": {
      "email": "mail",
      "realname": "ucPreferredName"
    }
  }
}

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177

_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
List information: https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/