Hi,
I'm trying to add LDAP Authentication to my MediaWiki 1.6.5 server and downloaded LdapAuthentication.php v1.0h.
I'm having a lot of trouble when trying to restrict the wiki to a specific LDAP group... here's the block I've added to LocalSettings.php:
# begin LDAP authentication part
require_once( 'includes/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "NVIDIA.COM" );
$wgLDAPServerNames = array( "NVIDIA.COM"=>"ldap.nvidia.com" );

//$wgLDAPUseSSL = true;
$wgLDAPUseSSL = false;
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;

$wgLDAPAddLDAPUsers = false;
$wgLDAPUpdateLDAP = false;
$wgLDAPMailPassword = false;
$wgLDAPRetrievePrefs = true;
$wgLDAPDebug = 99;

//$wgLDAPSearchAttributes = array( "NVIDIA.COM"=>"sAMAccountName" );
$wgLDAPSearchStrings = array( "NVIDIA.COM"=>"NVIDIA.COM\USER-NAME" );

# testing group restriction below
$wgLDAPRequiredGroups = array( "NVIDIA.COM"=>array("cn=neteng-contractors,ou=departments,ou=distribution lists,ou=groups,dc=nvidia,dc=com") );
$wgLDAPGroupUseFullDN = array( "NVIDIA.COM"=>true );
$wgLDAPGroupObjectclass = array( "NVIDIA.COM"=>"group" );
$wgLDAPGroupAttribute = array( "NVIDIA.COM"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "NVIDIA.COM"=>false );
$wgLDAPBaseDNs = array( "NVIDIA.COM"=>"ou=groups,dc=nvidia,dc=com" );
Here is the error output that I'm getting:
Entering validDomain
User is using a valid domain
Entering getCanonicalName
Munged username: Cvo
Entering Connect
Entering Connect
Not Using SSL
Using servers: ldap://ldap.nvidia.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: NVIDIA.COM\Cvo
Binding as the user
Binded successfully
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=neteng-contractors,ou=departments,ou=distribution lists,ou=groups,dc=nvidia,dc=com
Entering getGroups
Search string: (&(member=NVIDIA.COM\Cvo)(objectclass=group))

*Warning*: ldap_get_entries(): supplied argument is not a valid ldap result resource in */srv/www/htdocs/wiki/includes/LdapAuthentication.php* on line *857*

*Warning*: array_shift() [function.array-shift]: The argument should be an array in */srv/www/htdocs/wiki/includes/LdapAuthentication.php* on line *860*

*Warning*: Invalid argument supplied for foreach() in */srv/www/htdocs/wiki/includes/LdapAuthentication.php* on line *863*

Returned groups:
Couldn't find the user in any groups (1).
If I uncomment the $wgLDAPSearchAttributes line and comment out $wgLDAPSearchStrings, I get the following:
Entering validDomain
User is using a valid domain
Entering getCanonicalName
Munged username: Cvo
Entering Connect
Entering Connect
Not Using SSL
Using servers: ldap://ldap.nvidia.com
Connected successfully
Entering getSearchString
Doing a proxy or anonymous bind
Entering getUserDN
Doing an anonymous bind
Created a regular filter: (sAMAccountName=Cvo)
Using base: ou=groups,dc=nvidia,dc=com
Couldn't find an entry
userdn is:
User DN is blank
Can someone please help out? I can run dsquery on a Win2k3 server against my accountname (cvo) and it returns fine...
Please use 1.1d, and take a look at the documentation for changes in the syntax of options. What you are trying to do wasn't supported until 1.1d. Specifically, the reason you are having a problem is because you are using "NVIDIA.COM\USER-NAME" for the search string, so the plugin searches for "member=NVIDIA.COM\Cvo" in your groups, which is not what is in your groups. In 1.1d, the plugin will bind as the user, and get the user's DN; after doing so, it searches the groups using the full DN (which is what is in your group).
Btw, this isn't the right list for support issues, I believe that is mediawiki-l.
V/r,
Ryan Lane
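
The group lookup described in the reply above, as an added example that is not part of the thread or of the plugin's code. It uses a constructed in-memory directory (example.com names, the jdoe account and the wiki-editors group are all made up) to show why DOMAIN\login never matches a group whose member values are full DNs, while the resolved user DN does. It also checks RFC 4515 escaping, under which a backslash in a filter value must be followed by two hex digits.

```python
import re

# Constructed directory (not from the thread): an AD-style group whose
# `member` values are full DNs, as the reply describes.
DIRECTORY = {
    "cn=Jane Doe,ou=people,dc=example,dc=com": {
        "objectclass": ["user"], "sAMAccountName": ["jdoe"]},
    "cn=wiki-editors,ou=groups,dc=example,dc=com": {
        "objectclass": ["group"],
        "member": ["cn=Jane Doe,ou=people,dc=example,dc=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: backslash, *, (, ) and NUL become \\XX hex escapes."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), value)

def has_valid_escapes(filter_text):
    """True if every backslash in the filter is followed by two hex digits."""
    return re.search(r'\\(?![0-9A-Fa-f]{2})', filter_text) is None

def group_filter(member_value, objectclass="group"):
    """Build the group search filter with both values escaped."""
    return "(&(member=%s)(objectclass=%s))" % (
        escape_filter_value(member_value), escape_filter_value(objectclass))

def find_user_dn(login, attr="sAMAccountName"):
    """Step 1 of the flow the reply describes: map the login name to a DN."""
    for dn, entry in DIRECTORY.items():
        if login.lower() in (v.lower() for v in entry.get(attr, [])):
            return dn
    return None

def groups_with_member(member_value):
    """Step 2: equality match on `member` (simplified to a lowercase compare)."""
    return [dn for dn, entry in DIRECTORY.items()
            if "group" in entry["objectclass"]
            and member_value.lower() in (m.lower() for m in entry.get("member", []))]

def is_authorized(login, required_groups, domain=None):
    """With `domain` set, mimic the thread's config: DOMAIN\\login as member value."""
    member_value = "%s\\%s" % (domain, login) if domain else find_user_dn(login)
    if member_value is None:
        return False
    found = {g.lower() for g in groups_with_member(member_value)}
    return any(r.lower() in found for r in required_groups)
```
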
-----Original Message-----
From: wikitech-l-bounces@lists.wikimedia.org [mailto:wikitech-l-bounces@lists.wikimedia.org] On Behalf Of Christian Vo
Sent: Wednesday, March 14, 2007 6:10 PM
To: wikitech-l@lists.wikimedia.org
Subject: [Wikitech-l] help needed with LDAP Authentication setup and grouprestriction