Hi All,
I'm looking for some help with the LdapAuthentication extension, specifically group synchronization and access controls based on the LDAP group membership. Here's a lil info on my setup:
Gentoo Box with LAMP is running mediawiki:
* MediaWiki: 1.6.8
* PHP: 4.4.2-pl2-gentoo (apache2handler)
* MySQL: 4.1.14-log
* LDAP Authentication Plugin (version 1.1f (alpha)), LDAP Authentication plugin with support for multiple LDAP authentication methods, by Ryan Lane
(the latest download on the website has version 1.1f alpha listed, however when you view this file, you'll notice the version defined is 1.1f (non-alpha) and the code is different than the 1.1f alpha)
This is connecting to a Windows 2003 Active Directory LDAP server hosted on another machine.
Here is my config as it pertains to LDAP
require_once( "includes/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "SMP-INC" );
$wgLDAPServerNames = array( "SMP-INC"=>"frodo.smp-inc.com legolas.smp-inc.com" );
$wgLDAPSearchStrings = array( "SMP-INC"=>"SMP-INC\USER-NAME" );
#$wgLDAPSearchStrings = array( "SMP-INC"=>"USER-NAME@SMP-INC.com" );
$wgLDAPUseSSL = false; //not recommended but OK for testing
$wgLDAPEncryptionType = array( "SMP-INC"=>'clear' ); // this is needed in >= 1.1c
$wgLDAPUseLocal = true; //allows mysql db driven auth (default Root user)
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = array( "SMP-INC"=>true ); // this is needed in >= 1.1c
$wgLDAPUpdateLDAP = array( "SMP-INC"=>"false" ); //disables mediawiki from updating LDAP
$wgLDAPDebug = 3; //debugging
#GROUP BASED AUTH
$wgLDAPSearchAttributes = array( "SMP-INC"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "SMP-INC"=>"cn=users,dc=smp-inc,dc=com" );
$wgLDAPUseLDAPGroups = array( "SMP-INC"=>true );
$wgLDAPRequiredGroups = array(
"SMP-INC"=>array(
"cn=wiki-readonly,cn=users,dc=smp-inc,dc=com",
"cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com",
"cn=wiki-sysops,cn=users,dc=smp-inc,dc=com"
)
);
$wgLDAPLowerCaseUsername = array( "SMP-INC"=>true );
$wgLDAPGroupUseFullDN = array( "SMP-INC"=>true );
$wgLDAPLowerCaseUsername = array( "SMP-INC"=>true );
$wgLDAPGroupObjectclass = array( "SMP-INC"=>"group" );
$wgLDAPGroupAttribute = array( "SMP-INC"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "SMP-INC"=>true );
# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;
# Disable reading by anonymous users
$wgGroupPermissions['*']['read'] = false;
# But allow them to read the Login Page, and JS/CSS pages
$wgWhitelistRead = array( "Special:Userlogin", "-", "MediaWiki:Monobook.css" );
$wgGroupPermissions['wiki-readonly']['move'] = false;
$wgGroupPermissions['wiki-readonly']['read'] = true;
$wgGroupPermissions['wiki-readonly']['edit'] = false;
$wgGroupPermissions['wiki-readonly']['createpage'] = false;
$wgGroupPermissions['wiki-readonly']['createtalk'] = false;
$wgGroupPermissions['wiki-readonly']['upload'] = false;
$wgGroupPermissions['wiki-readonly']['reupload'] = false;
$wgGroupPermissions['wiki-readonly']['reupload-shared'] = false;
$wgGroupPermissions['wiki-readonly']['minoredit'] = false;
$wgGroupPermissions['wiki-readwrite']['move'] = true;
$wgGroupPermissions['wiki-readwrite']['read'] = true;
$wgGroupPermissions['wiki-readwrite']['edit'] = true;
$wgGroupPermissions['wiki-readwrite']['createpage'] = true;
$wgGroupPermissions['wiki-readwrite']['createtalk'] = true;
$wgGroupPermissions['wiki-readwrite']['upload'] = true;
$wgGroupPermissions['wiki-readwrite']['reupload'] = true;
$wgGroupPermissions['wiki-readwrite']['reupload-shared'] = true;
$wgGroupPermissions['wiki-readwrite']['minoredit'] = true;
$wgGroupPermissions['wiki-sysops']['block'] = true;
$wgGroupPermissions['wiki-sysops']['createaccount'] = true;
$wgGroupPermissions['wiki-sysops']['delete'] = true;
$wgGroupPermissions['wiki-sysops']['deletedhistory'] = true;
$wgGroupPermissions['wiki-sysops']['editinterface'] = true;
$wgGroupPermissions['wiki-sysops']['import'] = true;
$wgGroupPermissions['wiki-sysops']['importupload'] = true;
$wgGroupPermissions['wiki-sysops']['move'] = true;
$wgGroupPermissions['wiki-sysops']['patrol'] = true;
$wgGroupPermissions['wiki-sysops']['protect'] = true;
$wgGroupPermissions['wiki-sysops']['rollback'] = true;
$wgGroupPermissions['wiki-sysops']['upload'] = true;
$wgGroupPermissions['wiki-sysops']['reupload'] = true;
$wgGroupPermissions['wiki-sysops']['reupload-shared'] = true;
$wgGroupPermissions['wiki-sysops']['unwatchedpages'] = true;
$wgGroupPermissions['wiki-sysops']['autoconfirmed'] = true;
$wgGroupPermissions['wiki-sysops']['userrights'] = true;
I created 3 Active directory groups and a user for each group:
GROUP USER
wiki-readonly wiki-ro
wiki-readwrite wiki-rw
wiki-sysops wiki-user
I can successfully authenticate against LDAP groups as defined by $wgLDAPRequiredGroups. Users that are not in $wgLDAPRequiredGroups can NOT log in. So LDAP is working and group authentication is working. It is my understanding that at this point I should be able to set $wgGroupPermissions based on the Active Directory group name so long as wiki/AD sync is setup as defined by $wgLDAPUseLDAPGroups. With debugging set to 3, I can log in as any of the 3 defined users, however they all receive the same group memberships; users and *.
Entering validDomain
User is using a valid domain.
Setting domain as: SMP-INC
Entering getCanonicalName
Username isn't empty.
Munged username: Wiki-rw
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://frodo.smp-inc.com ldap://legolas.smp-inc.com
Connected successfully
Lowercasing the username: wiki-rw
Entering getSearchString
Doing a straight bind
userdn is: SMP-INC\wiki-rw
Binding as the user
Binded successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=wiki-rw)
Using base: cn=users,dc=smp-inc,dc=com
Fetched username is not a string (check your hook code...).
Pulled the user's DN: CN=wiki-rw,CN=Users,DC=smp-inc,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-readonly,cn=users,dc=smp-inc,dc=com,cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com,cn=wiki-sysops,cn=users,dc=smp-inc,dc=com
Entering getUserGroups
Entering getGroups
Search string: (&(member=CN=wiki-rw,CN=Users,DC=smp-inc,DC=com)(objectclass=group))
Returned groups:cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com
Returned groups:
Found user in a group.
Retrieving LDAP group membership
Entering getUserGroups
Entering getAllGroups
Entering getGroups
Search string: (&(member=\5c2a)(objectclass=group))
Returned groups:
Returned groups:
Retrieving preferences
Retrieved: , , wiki-rw, wiki-rw
Authentication passed
Entering updateUser
Setting user preferences.
Pulling groups from LDAP.
Available groups are: bot,sysop,bureaucrat,wiki-readonly,wiki-readwrite,wiki-sysops
Effective groups are: *,user
Checking to see if user is in: bot
Entering hasLDAPGroup
Checking to see if user is in: sysop
Entering hasLDAPGroup
Checking to see if user is in: bureaucrat
Entering hasLDAPGroup
Checking to see if user is in: wiki-readonly
Entering hasLDAPGroup
Checking to see if user is in: wiki-readwrite
Entering hasLDAPGroup
Checking to see if user is in: wiki-sysops
Entering hasLDAPGroup
Saving user settings.
You'll notice the line: "Effective groups are: *,user". Shouldn't this show wiki-readwrite, since that's the AD group this user belongs to? Or does it not check the AD groups until it says "checking to see if user is in: wiki-readwrite"? Also, once the member is found in an AD group, should the MySQL table "wikidb_user_groups" get an UPDATE statement adding the userid to the AD group?
I've read a lot and looked for Ryan Lane on Freenode. I think I'm having similar problems as this guy, but I have the newer version: http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication/archive 1#Group_Synchronization
Thanks,
Kbruss
[snip]
Entering getUserGroups
Entering getGroups
Search string: (&(member=CN=wiki-rw,CN=Users,DC=smp-inc,DC=com)(objectclass=group))
Returned groups:cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com
Returned groups:
This looks like your problem... The plugin is getting the group, but isn't getting the group's shortname (the cn), please set:
$wgLDAPGroupNameAttribute = array( "SMP-INC"=>"cn" );
Also, MediaWiki seems to have an issue with long group names (more than 16 characters). It looks like your groups are ok, but it is something to watch out for in the future.
Found user in a group.
Retrieving LDAP group membership
Entering getUserGroups
Entering getAllGroups
Entering getGroups
Search string: (&(member=\5c2a)(objectclass=group))
Returned groups:
Returned groups:
This looks like a bug...
In function getGroups change this line:
$filter = "(&($attribute=" . $this->getLdapEscapedString($dn) . ")(objectclass=$objectclass))";
to:
if ($dn != "*") {
    $dn = $this->getLdapEscapedString($dn);
}
$filter = "(&($attribute=" . $dn . ")(objectclass=$objectclass))";
I'll fix this tonight...
[snip]
You'll notice the line: "Effective groups are: *,user". Shouldn't this show wiki-readwrite, since that's the AD group this user belongs to? Or does it not check the AD groups until it says "checking to see if user is in: wiki-readwrite"? Also, once the member is found in an AD group, should the MySQL table "wikidb_user_groups" get an UPDATE statement adding the userid to the AD group?
These are the current effective user's groups for this user according to MediaWiki. The plugin will later check the AD groups to see if the user needs to be added/removed from a MediaWiki group.
I've read a lot and looked for Ryan Lane on Freenode. I think I'm having similar problems as this guy, but I have the newer version:
http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication/archive 1#Group_Synchronization
Ha. I wish I would have checked that link before I started tracing through my code :). This link fixes half of your problems, as a user mentioned that $wgLDAPGroupNameAttribute needed to be set. With that, the plugin would add users to MediaWiki groups, but the bug would probably cause the plugin to remove the user the next time they log in (and then add them the next time, and so on).
I'm usually on freenode after 7:00pm cst. I can't access IRC from work.
V/r,
Ryan Lane
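Added example, not part of the thread and not the plugin's code: it works through the escaping issue behind the \5c2a search string in the debug log and the fix discussed in the reply above. The function names are hypothetical, chainedEscape is only an assumed way of arriving at \5c2a (the plugin's getLdapEscapedString is not shown in the thread), and the code targets PHP 7.1 or later.

```php
<?php
// Added example: not code from the LdapAuthentication plugin.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * strtr() with an array makes a single pass and never rescans its own
 * output, so the backslash in "\2a" is not escaped a second time.
 */
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/**
 * Hypothetical chained replacement, shown only because it reproduces the
 * "\5c2a" from the debug log: "*" becomes "\2a", then the newly added
 * backslash is itself escaped.
 */
function chainedEscape(string $value): string
{
    $value = str_replace('*', '\\2a', $value);
    return str_replace('\\', '\\5c', $value);
}

/**
 * Build the group search filter. A null $memberDn means "every group that
 * has any member" and produces a presence filter; the caller asks for that
 * explicitly instead of passing a literal "*" through the escaping path,
 * so a "*" that arrives as data is still escaped.
 */
function buildGroupFilter(string $attribute, string $objectclass, ?string $memberDn): string
{
    $match = ($memberDn === null) ? '*' : escapeFilterValue($memberDn);
    return "(&($attribute=$match)(objectclass=$objectclass))";
}

// Constructed inputs; the first DN is the one from the thread's debug log.
$cases = [
    'user DN'      => 'CN=wiki-rw,CN=Users,DC=smp-inc,DC=com',
    'all groups'   => null,
    'literal star' => '*',
    'filter chars' => 'CN=x)(objectclass=*',
];
foreach ($cases as $label => $dn) {
    printf("%-13s %s\n", $label, buildGroupFilter('member', 'group', $dn));
}
printf("%-13s %s\n", 'chained "*"', chainedEscape('*'));
```

Where the ldap extension is loaded, PHP's built-in ldap_escape() with the LDAP_ESCAPE_FILTER flag does the same job as escapeFilterValue.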
Good morning everyone. My university uses uPortal (specifically the Academus branding of it from Unicon) for our portal needs... It has a rather robust Single Sign On system, that allows us to pass username and password from it, to 3rd party applications that use the normal <FORM> based authentication methods.
The way it works is that you configure an xml file that tells the SSO engine what URL it should POST your username and password to via HTTP.
What I tried to do was POST the username and password to .../wiki/index.php?title=Special:Userlogin&amp;action=submitlogin&amp;type=login&amp;returnto=Main_Page (I have to put the &amp; in or the XML doesn't parse the normal & sign.)
But when the page loads, it says "Login error: Incorrect password entered. Please try again." In a big red box above the login fields.
But... The login fields are already filled in with my username and ********** for my password. I click sign in, without touching the fields, and it signs me in as though I have just typed the values in. I know it's the right data, because when I view the source on the rendered page, my password exists in the ... <input type='password' class='loginPassword' name="wpPassword" id="wpPassword1" tabindex="2" value="XXXXXXXXXXX" size='20' />
Is there another URL that I can try and pass the username and password to via a HTTP POST action that will log me in besides what I'm trying already (see below for the full URL I'm attempting to post to), or if I'm doing something else wrong.
Please let me know if there are any questions. Thank you in advance!
The XML code for the SSO configuration looks like this for us ...
** code block **
<target handle="init">
  <url>http://sandbox.uarts.edu/wiki/index.php?title=Special:Userlogin&amp;action=submitlogin&amp;type=login&amp;returnto=Main_Page</url>
  <method>GET</method>
</target>
<target handle="log">
  <url>http://sandbox.uarts.edu/wiki/index.php?title=Special:Userlogin&amp;action=submitlogin&amp;type=login&amp;returnto=Main_Page</url>
  <method>POST</method>
  <parameter name="wpName"><value>{auth.username}</value></parameter>
  <parameter name="wpPassword"><value>{auth.password}</value></parameter>
</target>
** end code block **
] duran goodyear ] web developer ] the university of the arts ] 215.717.6068
Goodyear, Duran wrote:
Good morning everyone. My university uses uPortal (specifically the Academus branding of it from Unicon) for our portal needs... It has a rather robust Single Sign On system, that allows us to pass username and password from it, to 3rd party applications that use the normal <FORM> based authentication methods.
The way it works is that you configure an xml file that tells the SSO engine what URL it should POST your username and password to via HTTP.
What I tried to do was POST the username and password to .../wiki/index.php?title=Special:Userlogin&amp;action=submitlogin&amp;type=login&amp;returnto=Main_Page (I have to put the &amp; in or the XML doesn't parse the normal & sign.)
But when the page loads, it says "Login error: Incorrect password entered. Please try again." In a big red box above the login fields.
Just a guess, can MediaWiki be expecting that you have some cookies set (eg a session) when sending the POST?
A valid guess, but I'm not sure. The error message indicates the password is wrong...
But your thought is a good one...
Anyone know for sure? (I'll go look at the code too)
] duran goodyear ] web developer ] the university of the arts ] 215.717.6068
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Platonides
Sent: Monday, July 02, 2007 6:18 AM
To: mediawiki-l@lists.wikimedia.org
Subject: Re: [Mediawiki-l] Passing username/password into the login system for media wiki via single sign on from uPortal
[snip]
Hi Keith,
There's a plugin called Plexcel (proprietary 60 day trial or up to 25 users) that you might want to look at. It does group authorization directly with AD groups.
Mike
On 6/27/07, Keith Bruss kbruss@smp-inc.com wrote:
[snip]
I'm playing around with the Group Based Access Control Extension, and I've created a page, and put this content on to it
[[Personnel Services]] <accesscontrol>Staff,,Faculty</accesscontrol>
That's a link to another page, and I only want people who are Faculty and Staff to see this page. The authorization works, a "student" username that I use for this kind of testing can not load the page, but... When I'm looking at the rendered page, I see this...
Personnel Services
UNIQ5f89c1cd929fa61-accesscontrol-00000002-QINU
On the wiki page that has an access control rule on it, that weird string shows up. ... So... Uh, how do I prevent that from showing up?
This is on
* MediaWiki: 1.10.0
* PHP: 5.1.6 (apache2handler)
* MySQL: 5.0.22
Thanks!
] duran goodyear ] web developer ] the university of the arts ] 215.717.6068
Turns out the blog run by the creator of this extension explains it.
The work around is...
//Hide weird access control messages
$wgAccessControlDisableMessages = true;
I put it below the group access control require and include statements, and that fixed my problem.
] duran goodyear ] web developer ] the university of the arts ] 215.717.6068
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Goodyear, Duran
Sent: Thursday, June 28, 2007 4:22 PM
To: MediaWiki announcements and site admin list
Subject: [Mediawiki-l] Group Based Access Control displaying weird string on the rendered page...
[snip]