Not sure if this matters, but we're using Oracle Directory Server (formerly Sun Directory Server Enterprise Edition).  In a group, each member is specified by a full user DN.  Does the extension look for a member value matching just the username?

Thanks.

On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dparker@utica.edu> wrote:
Hello,

I set up a test instance of MediaWiki at our site and am trying to get it configured for LDAP authentication.  Per the documentation I could find, I installed and configured the following extensions:

  - LDAPAuthentication2
  - LDAPAuthorization
  - LDAPProvider
  - PluggableAuth

Without LDAPAuthorization enabled, basic LDAP authentication works fine.  However, when I enable LDAPAuthorization and try to filter access by membership in a specific group, authentication fails every time with an error saying the user is not authorized.

More specifically, I created a group in our LDAP system called wiki-users and added myself as a member.  I then added an authorization block to the json file and specified the full DN of this group as a required group.  I'm using plaintext LDAP so I can run packet captures and see the traffic.  When I capture the LDAP traffic, I can see that it's authenticating the bind user and then my own user, but at no point does it query for this group.

A sanitized version of my json file is pasted below.  Any help is greatly appreciated!

{
  "LDAP": {
    "connection": {
      "server": "my-LDAP-server.utica.edu",
      "port": "389",
      "enctype": "clear",
      "user": "cn=my-bind-user,dc=utica,dc=edu",
      "pass": "xxxxxxxxxxxx",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
      "usernameattribute": "uid",
      "realnameattribute": "ucPreferredName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    },
    "userinfo": {
      "email": "mail",
      "realname": "ucPreferredName"
    }
  }
}

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177


--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
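The question above turns on what value the authorization check compares against the group's member attribute. The following is an added illustration, not code from the LDAPAuthorization extension or from this thread: it models a groupOfNames entry whose member values are full user DNs, as in Oracle Directory Server, and shows that a check comparing the bare uid never matches such a group while a check that first resolves the user's DN does. The directory entries are constructed, and the normalisation and matching logic are simplified assumptions, not the extension's behaviour.

```python
"""Simulated LDAP group-membership check (constructed example, not the
LDAPAuthorization extension's code).  Models a groupOfNames entry whose
'member' values are full user DNs, the convention described in the thread."""

# Constructed directory entries; the naming follows the layout in the posted config.
USER_ENTRIES = [
    {"dn": "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu", "uid": "dparker"},
    {"dn": "uid=jdoe,ou=people,o=utica.edu,dc=utica,dc=edu", "uid": "jdoe"},
]
GROUP_ENTRY = {
    "dn": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu",
    "objectClass": ["groupOfNames"],
    # Each member is a full DN; spacing after commas is deliberately sloppy
    # to show that comparison must normalise, not string-compare.
    "member": ["uid=dparker, ou=people, o=utica.edu, dc=utica, dc=edu"],
}


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515) so a
    username such as 'x)(uid=*' cannot change the structure of the filter."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def user_search_filter(username):
    """Filter a client would send under userbasedn to find the user's entry,
    matching the 'searchattribute': 'uid' setting in the posted config."""
    return "(uid=%s)" % escape_filter_value(username)


def normalize_dn(dn):
    """Crude DN normalisation: case-fold and drop spaces around RDN separators.
    Real distinguishedNameMatch (RFC 4517) also handles escaped commas etc."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_user_dn(username):
    """Simulate the user search: look up the entry by uid and return its DN."""
    for entry in USER_ENTRIES:
        if entry["uid"] == username:
            return entry["dn"]
    return None


def is_member_by_dn(group, user_dn):
    """Compare the user's full DN against every 'member' value."""
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group["member"])


def is_member_by_username(group, username):
    """Compare the bare uid against 'member' values: always misses when the
    group stores full DNs, which is the mismatch the question asks about."""
    return username in group["member"]


def authorized(username, required_group=GROUP_ENTRY):
    """The check a DN-aware authorizer would perform: resolve the DN first,
    then test membership; unknown users are denied."""
    user_dn = resolve_user_dn(username)
    if user_dn is None:
        return False
    return is_member_by_dn(required_group, user_dn)


if __name__ == "__main__":
    print(user_search_filter("dparker)(uid=*"))
    print("by uid:", is_member_by_username(GROUP_ENTRY, "dparker"))
    print("by DN: ", authorized("dparker"))
```

When tracing this against a packet capture, the DN-based check produces a second search (for the user's entry, then for the group or its member values); a uid-only comparison produces no group query at all, which is one way to tell the two strategies apart on the wire.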