It's a stab in the dark, but there are some LDAP auth implementations that
assume groups are returned when querying for a user, as that is generally how
LDAP servers work out of the box. If your groups are not included in user
query results, and I'm guessing they're not based on your expectations,
they break in the manner you describe. Depending on how battle-tested the
implementation is, it may make a second lookup to test if the user is in a
group, which may be a separate config flag.
No clue if any of the listed extensions fall into the former or latter
category of Auth implementations, but figured the LDAP trivia might be
useful.
On Wed, 11 Aug 2021, 19:29 Dave Parker, <dparker(a)utica.edu> wrote:
Not sure if this matters, but we're using Oracle Directory Server
(formerly Sun Directory Server Enterprise Edition). In a group, each
member is specified by a full user DN. Does the extension look for a
member value matching just the username?
Thanks.
On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dparker(a)utica.edu> wrote:
Hello,
I set up a test instance of MediaWiki at our site and am trying to get it
configured for LDAP authentication. Per the documentation I could find, I
installed and configured the following extensions:
- LDAPAuthentication2
- LDAPAuthorization
- LDAPProvider
- PluggableAuth
Without LDAPAuthorization enabled, basic LDAP authentication works fine.
However, when I enable LDAPAuthorization and try to filter access by
membership in a specific group, authentication fails every time with an
error saying the user is not authorized.
More specifically, I created a group in our LDAP system called wiki-users
and added myself as a member. I then added an authorization block to the
json file and specified the full DN of this group as a required group. I'm
using plaintext LDAP so I can run packet captures and see the traffic.
When I capture the LDAP traffic, I can see that it's authenticating the
bind user and then my own user, but at no point does it query for this
group.
A sanitized version of my json file is pasted below. Any help is greatly
appreciated!
{
    "LDAP": {
        "connection": {
            "server": "my-LDAP-server.utica.edu",
            "port": "389",
            "enctype": "clear",
            "user": "cn=my-bind-user,dc=utica,dc=edu",
            "pass": "xxxxxxxxxxxx",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=utica,dc=edu",
            "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
            "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
            "searchattribute": "uid",
            "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
            "usernameattribute": "uid",
            "realnameattribute": "ucPreferredName",
            "emailattribute": "mail"
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
                }
            }
        },
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
                "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
            }
        },
        "userinfo": {
            "email": "mail",
            "realname": "ucPreferredName"
        }
    }
}
--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
_______________________________________________
MediaWiki-l mailing list -- mediawiki-l(a)lists.wikimedia.org
List information:
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
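The two membership-check strategies discussed in the reply (trusting a memberOf-style attribute on the user entry versus a second lookup against the group's member values), and the full-DN-versus-bare-username question, as an added illustration that is not code from the thread or from the MediaWiki LDAP extensions. The directory entries below are constructed in-memory samples; the filter string is what a second-lookup implementation would typically send, so it is the kind of thing to look for in a packet capture.

```python
from typing import Dict, List

# Constructed sample directory (not real data), keyed by DN. The user entry
# deliberately carries no memberOf attribute, mirroring a server that does not
# return groups with user query results; the group lists members by full DN.
USER_DN = "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu"
GROUP_DN = "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {"uid": ["dparker"], "mail": ["dparker@example.invalid"]},
    GROUP_DN: {"objectClass": ["groupOfNames"], "member": [USER_DN]},
}


def normalize_dn(dn: str) -> str:
    """Compare DNs loosely: attribute types are case-insensitive and
    whitespace around RDN separators is insignificant."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_group_via_memberof(user_entry: Dict[str, List[str]], group_dn: str) -> bool:
    """Strategy 1: rely on groups being returned with the user entry."""
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(g) == wanted for g in user_entry.get("memberOf", []))


def in_group_via_lookup(directory: Dict[str, Dict[str, List[str]]],
                        user_value: str, group_dn: str) -> bool:
    """Strategy 2: read the group entry and compare its member values with
    what the caller passes. Passing a bare username never matches a group
    whose members are stored as full DNs."""
    group = directory.get(group_dn)
    if group is None:
        return False
    wanted = normalize_dn(user_value)
    return any(normalize_dn(m) == wanted for m in group.get("member", []))


def group_lookup_filter(user_dn: str) -> str:
    """Search filter a second-lookup implementation would send (RFC 4515
    escaping: backslash first, then the filter metacharacters)."""
    escaped = user_dn.replace("\\", "\\5c").replace("*", "\\2a")
    escaped = escaped.replace("(", "\\28").replace(")", "\\29")
    return f"(&(objectClass=groupOfNames)(member={escaped}))"


if __name__ == "__main__":
    print("memberOf check:", in_group_via_memberof(DIRECTORY[USER_DN], GROUP_DN))
    print("group lookup by DN:", in_group_via_lookup(DIRECTORY, USER_DN, GROUP_DN))
    print("group lookup by bare uid:", in_group_via_lookup(DIRECTORY, "dparker", GROUP_DN))
    print("expected filter:", group_lookup_filter(USER_DN))
```

If a capture never shows a filter like the last line (nor a read of the group entry) and the user entry carries no memberOf, the implementation has nothing to authorize against.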