It's a stab in the dark, but there are some LDAP auth implementations that assume groups are returned when querying for a user, as that is generally how LDAP servers work out of the box. If your groups are not included in user query results, and I'm guessing they're not based on your expectations, those implementations break in the manner you describe. Depending on how battle-tested the implementation is, it may make a second lookup to test whether the user is in a group, which may be a separate config flag.
No clue if any of the listed extensions fall into the former or latter category of Auth implementations, but figured the LDAP trivia might be useful.
On Wed, 11 Aug 2021, 19:29 Dave Parker, dparker@utica.edu wrote:
Not sure if this matters, but we're using Oracle Directory Server (formerly Sun Directory Server Enterprise Edition). In a group, each member is specified by a full user DN. Does the extension look for a member value matching just the username?
Thanks.
On Wed, Aug 11, 2021 at 12:15 PM Dave Parker dparker@utica.edu wrote:
Hello,
I set up a test instance of MediaWiki at our site and am trying to get it configured for LDAP authentication. Per the documentation I could find, I installed and configured the following extensions:
- LDAPAuthentication2
- LDAPAuthorization
- LDAPProvider
- PluggableAuth
Without LDAPAuthorization enabled, basic LDAP authentication works fine. However, when I enable LDAPAuthorization and try to filter access by membership in a specific group, authentication fails every time with an error saying the user is not authorized.
More specifically, I created a group in our LDAP system called wiki-users and added myself as a member. I then added an authorization block to the json file and specified the full DN of this group as a required group. I'm using plaintext LDAP so I can run packet captures and see the traffic. When I capture the LDAP traffic, I can see that it's authenticating the bind user and then my own user, but at no point does it query for this group.
A sanitized version of my json file is pasted below. Any help is greatly appreciated!
{
  "LDAP": {
    "connection": {
      "server": "my-LDAP-server.utica.edu",
      "port": "389",
      "enctype": "clear",
      "user": "cn=my-bind-user,dc=utica,dc=edu",
      "pass": "xxxxxxxxxxxx",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=people,o=utica.edu ,dc=utica,dc=edu",
      "usernameattribute": "uid",
      "realnameattribute": "ucPreferredName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": ["cn=wiki-users,ou=groups,o=utica.edu ,dc=utica,dc=edu"]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    },
    "userinfo": {
      "email": "mail",
      "realname": "ucPreferredName"
    }
  }
}
--
Dave Parker '11
Database & Systems Administrator
Utica College Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
List information: https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
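Added illustration of the distinction the first reply draws (memberOf-style lookup versus a second search of the group tree) and of the follow-up question about member values being full DNs. This is example code written for this page, not code from the thread or from any of the MediaWiki LDAP extensions. It runs against a small constructed in-memory directory that stands in for Oracle DSEE; every entry, DN and attribute value in it is made up to match the shape of the posted config. The required-group DN in the demo keeps the stray space before ",dc=" exactly as it appears in the posted JSON, to show how a normalised DN compare treats it differently from a raw string compare. I believe LDAPProvider chooses between these two strategies with its grouprequest setting (a UserMemberOf variant versus a GroupMember variant); that is from memory, so check the extension's documentation rather than relying on it. The practical test is the one already described in the thread: if the capture never shows a search under groupbasedn with a filter like (member=<user DN>), the authorizer is on the first strategy and is reading a memberOf attribute the directory does not return.

```python
"""Two ways an LDAP authorizer can discover a user's groups, run against a
constructed in-memory directory (no LDAP server involved). Added example,
not code from the MediaWiki LDAP extensions."""
import re

# Constructed entries shaped like the thread's config: people under ou=people,
# groups under ou=groups, group members stored as full user DNs (groupOfNames).
# The user entry deliberately carries no memberOf attribute, which is the
# situation the first reply describes.
DIRECTORY = {
    "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["dparker"],
        "mail": ["dparker@utica.edu"],
    },
    "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu": {
        "objectClass": ["groupOfNames"],
        "cn": ["wiki-users"],
        "member": ["uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu"],
    },
    "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu": {
        "objectClass": ["groupOfNames"],
        "cn": ["wiki-admins"],
        "member": ["uid=someone,ou=people,o=utica.edu,dc=utica,dc=edu"],
    },
}


def normalize_dn(dn):
    """Case-fold and strip whitespace around the ',' and '=' separators so
    that DNs differing only in case or in a stray space ('o=utica.edu ,dc=')
    compare equal. cn/ou/o/dc/uid all use case-insensitive matching rules,
    so lower-casing the values is safe for this example."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        attr, _, value = part.strip().partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def find_entry(directory, dn):
    """Look an entry up by DN, tolerating the spelling differences above."""
    wanted = normalize_dn(dn)
    for entry_dn, attrs in directory.items():
        if normalize_dn(entry_dn) == wanted:
            return attrs
    return None


def is_under(dn, base_dn):
    """True if dn is base_dn itself or lies somewhere below it."""
    n, b = normalize_dn(dn), normalize_dn(base_dn)
    return n == b or n.endswith("," + b)


def groups_via_memberof(directory, user_dn):
    """Strategy A: read memberOf off the user entry (single search).
    Works where the server maintains that attribute; returns nothing on a
    directory that does not, which then looks like 'user in no groups'."""
    attrs = find_entry(directory, user_dn) or {}
    return sorted(normalize_dn(g) for g in attrs.get("memberOf", []))


def groups_via_member_search(directory, user_dn, group_base_dn):
    """Strategy B: a second search under group_base_dn, equivalent to the
    filter (&(objectClass=groupOfNames)(member=<user DN>)). This is the
    request that would have to appear in a packet capture if group
    filtering were actually being evaluated against the group tree."""
    wanted = normalize_dn(user_dn)
    hits = []
    for dn, attrs in directory.items():
        if not is_under(dn, group_base_dn):
            continue
        if "groupOfNames" not in attrs.get("objectClass", []):
            continue
        if any(normalize_dn(m) == wanted for m in attrs.get("member", [])):
            hits.append(normalize_dn(dn))
    return sorted(hits)


def raw_member_match(directory, group_dn, value):
    """Exact string compare against the group's member values, as a naive
    implementation might do it. A bare username never matches a member
    attribute that holds full DNs, and neither does a DN with a stray
    space in it."""
    attrs = find_entry(directory, group_dn) or {}
    return value in attrs.get("member", [])


def authorized(user_groups, required_groups):
    """The 'required' rule: every listed group must be among the user's."""
    have = {normalize_dn(g) for g in user_groups}
    need = {normalize_dn(g) for g in required_groups}
    return need <= have


if __name__ == "__main__":
    user = "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu"
    group_base = "ou=groups,o=utica.edu,dc=utica,dc=edu"
    # Required DN copied from the posted config, stray space included.
    required = ["cn=wiki-users,ou=groups,o=utica.edu ,dc=utica,dc=edu"]
    a = groups_via_memberof(DIRECTORY, user)
    b = groups_via_member_search(DIRECTORY, user, group_base)
    print("memberOf strategy     :", a, "->", authorized(a, required))
    print("member-search strategy:", b, "->", authorized(b, required))
```

Running it prints an empty group list and a failed authorization for the memberOf strategy, and the wiki-users group with a successful authorization for the member-search strategy, against the very same entries. The raw_member_match helper is there to answer the DN question directly: with member values stored as full DNs, only a full-DN value matches, and only after normalisation does a DN spelled with extra whitespace match too.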