I am having an issue getting authenticated to an AD server. The thing is though, it works for one of my AD groups, but when I try to authenticate to another group it fails. It won't pull the user's DN according to the debug below. Both working and non-working debug look identical up until that point. Anyone have any ideas? I'm kind of under the gun to get this to work. Could it be a character limitation bug since the non-working group has a much deeper CN? Much appreciated to any help someone can give.
Thanks!
-GT
I'm using the 1.2a LdapAuthentication.php extension.
http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication
The WORKING group debug level 3:
Entering validDomain
User is using a valid domain. Setting domain as: domainname.com
Entering getCanonicalName
Username isn't empty.
Munged username: doej
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ldap.domainname.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: doej@domainname.com
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=doej)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=administrators,dc=domainname,dc=com
Using base: ou=administrators,dc=domainname,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=administrators,dc=domainname,dc=com
Search string: (&(member=CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com)(objectclass=group))
Returned groups:cn=mis-tech,ou=groups,ou=administrators,dc=domainname,dc=com,cn=mis-tech,ou=groups,ou=administrators,dc=domainname,dc=com,cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com,cn=mis-alert,ou=groups,ou=administrators,dc=domainname,dc=com,cn=ssltest,ou=groups,ou=administrators,dc=domainname,dc=com,cn=bomgar users,ou=groups,ou=administrators,dc=domainname,dc=com,cn=rds-vpn,ou=groups,ou=administrators,dc=domainname,dc=com
Returned groups:,,,,,,
Found user in a group.
Authentication passed
Entering updateUser
Relevant entries for LDAP authentication in LocalSettings.php
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domainname.com" );
$wgLDAPServerNames = array( "domainname.com"=>"ldap.domainname.com" );
$wgLDAPSearchStrings = array( "domainname.com"=>"USER-NAME@domainname.com" );
$wgLDAPEncryptionType = array( "domainname.com"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "domainname.com"=>array("cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com") );
$wgLDAPGroupUseFullDN = array( "domainname.com"=>true );
$wgLDAPGroupObjectclass = array( "domainname.com"=>"group" );
$wgLDAPGroupAttribute = array( "domainname.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domainname.com"=>true );
$wgLDAPBaseDNs = array( "domainname.com"=>"ou=administrators,dc=domainname,dc=com" );
$wgLDAPSearchAttributes = array( "domainname.com"=>"sAMAccountName" );
NON WORKING group debug level 3:
Entering validDomain
User is using a valid domain. Setting domain as: domainname.com
Entering getCanonicalName
Username isn't empty.
Munged username: doej
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ldap.domainname.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: doej@domainname.com
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=doej)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Using base: ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN:
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Search string: (&(member=)(objectclass=group))
Returned groups:
Returned groups:
Couldn't find the user in any groups (1).
Entering strict.
Returning false in strict().
Entering modifyUITemplate
Allowing the local domain, adding it to the list.
Relevant entries for LDAP authentication in LocalSettings.php
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domainname.com" );
$wgLDAPServerNames = array( "domainname.com"=>"ldap.domainname.com" );
$wgLDAPSearchStrings = array( "domainname.com"=>"USER-NAME@domainname.com" );
$wgLDAPEncryptionType = array( "domainname.com"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPRequiredGroups = array( "domainname.com"=>array("cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com") );
$wgLDAPGroupUseFullDN = array( "domainname.com"=>true );
$wgLDAPGroupObjectclass = array( "domainname.com"=>"group" );
$wgLDAPGroupAttribute = array( "domainname.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domainname.com"=>true );
$wgLDAPBaseDNs = array( "domainname.com"=>"ou=groups,ou=town a,ou=sites,dc=domainname,dc=com" );
$wgLDAPSearchAttributes = array( "domainname.com"=>"sAMAccountName" );
Created a regular filter: (sAMAccountName=doej)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Using base: ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN:
This right here is the problem... For some reason, the plugin wasn't able to find the user's DN, which causes the problem below:
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Search string: (&(member=)(objectclass=group))
Notice how this search wouldn't find anything?
Is your user somewhere under "ou=groups,ou=town a,ou=sites,dc=domainname,dc=com"? If not, you need to set your base DN to something closer to your root. If your AD is too large to be able to do this without performance impacts, you can set the user entry base DN to something separate from the group base DN:

$wgLDAPGroupBaseDNs = array( "domainname.com"=>"ou=groups,ou=town a,ou=sites,dc=domainname,dc=com" );
$wgLDAPUserBaseDNs = array( "domainname.com"=>"ou=users,ou=town a,ou=sites,dc=domainname,dc=com" );

Of course the $wgLDAPUserBaseDNs variable should be set to whatever part of your tree contains your users.
V/r,
Ryan Lane
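To make the failure mode in Ryan's reply concrete, here is an added example (not code from the thread or from the LDAP_Authentication extension) that simulates the plugin's two searches against a small constructed directory shaped like the "town a" tree: a user base DN that does not contain the user yields an empty DN, which would turn into the useless (&(member=)(objectclass=group)) filter, so the lookup refuses to continue instead. Names such as DIRECTORY, search and in_subtree are this example's own.

```python
# Constructed sample directory (DN -> attributes), modelled on the thread's tree.
# Values are stored lowercase because DN comparison is case-insensitive.
DIRECTORY = {
    "cn=john doe,ou=users,ou=town a,ou=sites,dc=domainname,dc=com": {
        "objectclass": ["user"], "samaccountname": ["doej"]},
    "cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com": {
        "objectclass": ["group"],
        "member": ["cn=john doe,ou=users,ou=town a,ou=sites,dc=domainname,dc=com"]},
    "cn=wiki-r,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com": {
        "objectclass": ["group"], "member": []},
}
USER_BASE = "ou=users,ou=town a,ou=sites,dc=domainname,dc=com"
GROUP_BASE = "ou=groups,ou=town a,ou=sites,dc=domainname,dc=com"
REQUIRED_GROUP = "cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com"

def normalize_dn(dn):
    # Lowercase and strip whitespace around RDN separators before comparing.
    return ",".join(part.strip() for part in dn.lower().split(","))

def in_subtree(dn, base_dn):
    # A subtree search only sees entries whose DN ends with the base DN.
    dn, base_dn = normalize_dn(dn), normalize_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)

def search(base_dn, **must_match):
    # Stand-in for an LDAP subtree search with an AND of equality assertions.
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, base_dn):
            continue
        if all(any(normalize_dn(x) == normalize_dn(v) for x in attrs.get(a, []))
               for a, v in must_match.items()):
            hits.append(dn)
    return hits

def get_user_dn(username, user_base_dn):
    # Step 1: (sAMAccountName=<user>) under the user base DN; "" when not found.
    hits = search(user_base_dn, samaccountname=username)
    return hits[0] if hits else ""

def get_user_groups(user_dn, group_base_dn):
    # Step 2: (&(member=<dn>)(objectclass=group)) under the group base DN.
    # An empty DN would build (member=), which can never match: stop here.
    if not user_dn:
        raise ValueError("user DN is empty; check $wgLDAPUserBaseDNs / $wgLDAPBaseDNs")
    return search(group_base_dn, member=user_dn, objectclass="group")

def is_member_of_required_group(username, user_base_dn, group_base_dn, required):
    user_dn = get_user_dn(username, user_base_dn)
    if not user_dn:
        return False
    groups = {normalize_dn(g) for g in get_user_groups(user_dn, group_base_dn)}
    return normalize_dn(required) in groups
```

Using GROUP_BASE for both bases reproduces the empty "Pulled the user's DN:" line from the thread; a separate USER_BASE (or a base nearer the root such as dc=domainname,dc=com) finds the user and the group.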
Ahhhhh. A light bulb just went off and know I understand. Thanks!
-GT
On 3/26/08, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil wrote:
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l