[Mediawiki-l] LdapAuthentication Group Synchronization

Lane, Ryan Ryan.Lane at ocean.navo.navy.mil
Thu Jun 28 14:00:46 UTC 2007


[snip]

> Entering getUserGroups
> 
> Entering getGroups
> 
> Search string:
> (&(member=CN=wiki-rw,CN=Users,DC=smp-inc,DC=com)(objectclass=group))
> 
> Returned groups:cn=wiki-readwrite,cn=users,dc=smp-inc,dc=com
> 
> Returned groups:
> 

This looks like your problem... The plugin is getting the group, but
isn't getting the group's shortname (the cn). Please set:

	$wgLDAPGroupNameAttribute = array( "SMP-INC"=>"cn" );

Also, MediaWiki seems to have an issue with long group names (more than
16 characters). It looks like your groups are ok, but it is something to
watch out for in the future.

> Found user in a group.
> 
> Retrieving LDAP group membership
> 
> Entering getUserGroups
> 
> Entering getAllGroups
> 
> Entering getGroups
> 
> Search string: (&(member=\5c2a)(objectclass=group))
> 
> Returned groups:
> 
> Returned groups:
> 

This looks like a bug...

In function getGroups change this line:

                $filter = "(&($attribute=" . $this->getLdapEscapedString($dn) . ")(objectclass=$objectclass))";

to:

                if ($dn != "*") {
                        $dn = $this->getLdapEscapedString($dn);
                }
                $filter = "(&($attribute=" . $dn . ")(objectclass=$objectclass))";

I'll fix this tonight...

[snip]

> 
> You'll notice the line:  "Effective groups are: *,user".  
> Shouldn't this show wiki-readwrite, since that's the AD group 
> this user belongs to?  Or does it not check the AD groups 
> until it says "checking to see if user is in: 
> wiki-readwrite"?  Also, once the member is found in an AD 
> group, should the MySQL table "wikidb_user_groups" get an 
> UPDATE statement adding the userid to the AD group?
> 

These are the current effective user's groups for this user according to
MediaWiki. The plugin will later check the AD groups to see if the user
needs to be added/removed from a MediaWiki group.

> 
> I've read a lot and looked for Ryan Lane on Freenode.  I 
> think I'm having similar problems as this guy, but I have the 
> newer version:
>
> http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication/archive1#Group_Synchronization
>

Ha. I wish I would have checked that link before I started tracing
through my code :). This link fixes half of your problems, as a user
mentioned that $wgLDAPGroupNameAttribute needed to be set. With that,
the plugin would add users to MediaWiki groups, but the bug would
probably cause the plugin to remove the user the next time they log in
(and then add them the next time, and so on).

I'm usually on Freenode after 7:00pm CST. I can't access IRC from work.

V/r,

Ryan Lane
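
The filter construction discussed in this message, as an added example that is not part of the original e-mail and is not code from the LdapAuthentication extension. In RFC 4515 filter encoding, `\5c2a` (the value in the second search string of the log) is the literal three-character text `\2a`, not a wildcard, so the sketch below escapes in a single pass and keeps "*" as an explicit sentinel. The function names escapeFilterValue and buildGroupFilter are hypothetical, and $attribute and $objectclass are assumed to come from trusted configuration.

```php
<?php
// Added example; function names are hypothetical and not the extension's API.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * strtr() with an array makes one pass over the input, so the backslash
 * emitted for "*" is never escaped a second time.
 */
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\\5c',
        '*'  => '\\2a',
        '('  => '\\28',
        ')'  => '\\29',
        "\0" => '\\00',
    ]);
}

/**
 * Build the group search filter. A $dn of exactly "*" is the
 * "any member" sentinel and stays a wildcard; anything else is escaped.
 * Assumption: $attribute and $objectclass are trusted configuration values.
 */
function buildGroupFilter(string $attribute, string $dn, string $objectclass): string
{
    $value = ($dn === '*') ? '*' : escapeFilterValue($dn);
    return "(&($attribute=$value)(objectclass=$objectclass))";
}

// Sample inputs: the first DN is the one from the log above,
// the third is constructed to show parentheses inside a group member DN.
$samples = [
    'CN=wiki-rw,CN=Users,DC=smp-inc,DC=com',
    '*',
    'CN=Wiki (RW),CN=Users,DC=smp-inc,DC=com',
];
foreach ($samples as $dn) {
    echo buildGroupFilter('member', $dn, 'group'), PHP_EOL;
}
```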


