Not sure if this matters, but we're using Oracle Directory Server (formerly Sun Directory Server Enterprise Edition). In a group, each member is specified by a full user DN. Does the extension look for a member value matching just the username?
Thanks.
On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dparker@utica.edu> wrote:
Hello,
I set up a test instance of MediaWiki at our site and am trying to get it configured for LDAP authentication. Per the documentation I could find, I installed and configured the following extensions:
- LDAPAuthentication2
- LDAPAuthorization
- LDAPProvider
- PluggableAuth
Without LDAPAuthorization enabled, basic LDAP authentication works fine. However, when I enable LDAPAuthorization and try to filter access by membership in a specific group, authentication fails every time with an error saying the user is not authorized.
More specifically, I created a group in our LDAP system called wiki-users and added myself as a member. I then added an authorization block to the json file and specified the full DN of this group as a required group. I'm using plaintext LDAP so I can run packet captures and see the traffic. When I capture the LDAP traffic, I can see that it's authenticating the bind user and then my own user, but at no point does it query for this group.
A sanitized version of my json file is pasted below. Any help is greatly appreciated!
{
  "LDAP": {
    "connection": {
      "server": "my-LDAP-server.utica.edu",
      "port": "389",
      "enctype": "clear",
      "user": "cn=my-bind-user,dc=utica,dc=edu",
      "pass": "xxxxxxxxxxxx",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=people,o=utica.edu ,dc=utica,dc=edu",
      "usernameattribute": "uid",
      "realnameattribute": "ucPreferredName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": ["cn=wiki-users,ou=groups,o=utica.edu ,dc=utica,dc=edu"]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    },
    "userinfo": {
      "email": "mail",
      "realname": "ucPreferredName"
    }
  }
}
--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
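A membership check of the kind the thread is asking about, as an added example (not code from the LDAP extensions or from either poster). It assumes the group stores each member as a full user DN, uses a constructed in-memory group entry in place of a live directory, resolves the username through the config's searchstring template, and normalizes DNs before comparing them, so whitespace differences such as the space before a comma in the posted DNs do not produce a spurious mismatch.

```python
import re

# Values copied from the posted config (sanitized by the original poster).
SEARCHSTRING = "uid=USER-NAME,ou=people,o=utica.edu ,dc=utica,dc=edu"
REQUIRED_GROUPS = ["cn=wiki-users,ou=groups,o=utica.edu ,dc=utica,dc=edu"]

# Constructed sample directory: group DN -> member values as the server
# stores them (full user DNs, as described for Oracle Directory Server).
DIRECTORY = {
    "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu": [
        "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu",
        "UID=jdoe, OU=people, O=utica.edu, DC=utica, DC=edu",
    ],
}

# Split on commas that are not escaped with a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: lower-case attribute types and values,
    whitespace around '=' and ',' removed. Simplification: every value is
    treated as case-insensitive, which holds for the DirectoryString
    attributes used here but not for every attribute syntax."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def user_dn_for(username: str) -> str:
    """Build the user DN the way the config's searchstring template does."""
    return SEARCHSTRING.replace("USER-NAME", username)


def is_member(subject: str, group_dn: str) -> bool:
    """True if the group exists and one of its member values equals the
    subject after DN normalization. A bare username never matches a
    DN-valued member attribute; only the full user DN does."""
    wanted = normalize_dn(group_dn)
    for dn, members in DIRECTORY.items():
        if normalize_dn(dn) == wanted:
            return normalize_dn(subject) in {normalize_dn(m) for m in members}
    return False


def authorized(username: str) -> bool:
    """Mirror rules.groups.required: the user must be in every listed group."""
    user_dn = user_dn_for(username)
    return all(is_member(user_dn, g) for g in REQUIRED_GROUPS)
```

Comparing the packet capture against this logic helps locate the failure: if no search for the group DN ever leaves the client, the check is not reaching the directory at all, and DN formatting is not yet the question.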