[Mediawiki-l] Issue with LDAP Authentication to AD server

GT4NE1 gt4ne1 at gmail.com
Wed Mar 26 17:43:28 UTC 2008


I am having an issue getting authenticated to an AD server.  The thing
is though, it works for one of my AD groups, but when I try to
authenticate to another group it fails.  It won't pull the user's DN
according to the debug below.  Both working and non-working debug
look identical up until that point.  Anyone have any ideas? I'm kind
of under the gun to get this to work.  Could it be a character
limitation bug since the non-working group has a much deeper CN?  Much
appreciated to any help someone can give.

Thanks!

-GT

I'm using the 1.2a LdapAuthentication.php extension.

http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication

The WORKING group debug level 3:

Entering validDomain
User is using a valid domain.
Setting domain as: domainname.com
Entering getCanonicalName
Username isn't empty.
Munged username: doej
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ldap.domainname.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: doej at domainname.com
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=doej)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=administrators,dc=domainname,dc=com
Using base: ou=administrators,dc=domainname,dc=com
Fetched username is not a string (check your hook code...). This
message can be safely ignored if you do not have the
SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=administrators,dc=domainname,dc=com
Search string: (&(member=CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com)(objectclass=group))
Returned groups:cn=mis-tech,ou=groups,ou=administrators,dc=domainname,dc=com,cn=mis-tech,ou=groups,ou=administrators,dc=domainname,dc=com,cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com,cn=mis-alert,ou=groups,ou=administrators,dc=domainname,dc=com,cn=ssltest,ou=groups,ou=administrators,dc=domainname,dc=com,cn=bomgar users,ou=groups,ou=administrators,dc=domainname,dc=com,cn=rds-vpn,ou=groups,ou=administrators,dc=domainname,dc=com
Returned groups:,,,,,,
Found user in a group.
Authentication passed
Entering updateUser

Relevant entries for LDAP authentication in LocalSettings.php

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domainname.com" );
$wgLDAPServerNames = array( "domainname.com"=>"ldap.domainname.com"  );
$wgLDAPSearchStrings = array( "domainname.com"=>"USER-NAME@domainname.com" );
$wgLDAPEncryptionType = array( "domainname.com"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result
attribute values are...
$wgLDAPRequiredGroups = array( "domainname.com"=>array("cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com") );
$wgLDAPGroupUseFullDN = array( "domainname.com"=>true );
$wgLDAPGroupObjectclass = array( "domainname.com"=>"group" );
$wgLDAPGroupAttribute = array( "domainname.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domainname.com"=>true );
$wgLDAPBaseDNs = array(
"domainname.com"=>"ou=administrators,dc=domainname,dc=com" );
$wgLDAPSearchAttributes = array( "domainname.com"=>"sAMAccountName" );


NON WORKING group debug level 3:

Entering validDomain
User is using a valid domain.
Setting domain as: domainname.com
Entering getCanonicalName
Username isn't empty.
Munged username: doej
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ldap.domainname.com
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: doej at domainname.com
Binding as the user
Bound successfully
Entering getUserDN
Created a regular filter: (sAMAccountName=doej)
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Using base: ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Fetched username is not a string (check your hook code...). This
message can be safely ignored if you do not have the
SetUsernameAttributeFromLDAP hook defined.
Pulled the user's DN:
Checking for (new style) group membership
Entering isMemberOfRequiredLdapGroup
Required groups:cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Entering getUserGroups
Entering getGroups
Entering getBaseDN
basedn is not set for this type of entry, trying to get the default basedn.
Entering getBaseDN
basedn is ou=groups,ou=town a,ou=sites,dc=domainname,dc=com
Search string: (&(member=)(objectclass=group))
Returned groups:
Returned groups:
Couldn't find the user in any groups (1).
Entering strict.
Returning false in strict().
Entering modifyUITemplate
Allowing the local domain, adding it to the list.

Relevant entries for LDAP authentication in LocalSettings.php

require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domainname.com" );
$wgLDAPServerNames = array( "domainname.com"=>"ldap.domainname.com"  );
$wgLDAPSearchStrings = array( "domainname.com"=>"USER-NAME@domainname.com" );
$wgLDAPEncryptionType = array( "domainname.com"=>"clear" );
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;

#DNs in $wgLDAPRequiredGroups must be lowercase, as search result
attribute values are...
$wgLDAPRequiredGroups = array( "domainname.com"=>array("cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com") );
$wgLDAPGroupUseFullDN = array( "domainname.com"=>true );
$wgLDAPGroupObjectclass = array( "domainname.com"=>"group" );
$wgLDAPGroupAttribute = array( "domainname.com"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "domainname.com"=>true );
$wgLDAPBaseDNs = array( "domainname.com"=>"ou=groups,ou=town a,ou=sites,dc=domainname,dc=com" );
$wgLDAPSearchAttributes = array( "domainname.com"=>"sAMAccountName" );
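A constructed walk-through (added here, not code from the poster or from the LdapAuthentication extension) of what the two traces show: the user lookup is a subtree search for (sAMAccountName=doej) below $wgLDAPBaseDNs, so when the base is the groups container ou=groups,ou=town a,ou=sites,... a user entry that lives elsewhere is never returned, the DN comes back empty, and the membership filter degenerates to (member=). The in-memory directory, the assumed location of the user entry, and the RFC 4515 escaping helper are assumptions for illustration, not the extension's own behaviour.

```python
import re

# Constructed sample directory (not real data): DN -> attributes.
DIRECTORY = {
    "cn=john doe,ou=users,ou=administrators,dc=domainname,dc=com":
        {"objectclass": "user", "samaccountname": "doej"},
    "cn=dl-unix admin,ou=groups,ou=administrators,dc=domainname,dc=com":
        {"objectclass": "group",
         "member": "cn=john doe,ou=users,ou=administrators,dc=domainname,dc=com"},
    "cn=wiki-w,ou=groups,ou=town a,ou=sites,dc=domainname,dc=com":
        {"objectclass": "group",
         "member": "cn=john doe,ou=users,ou=administrators,dc=domainname,dc=com"},
}

def norm_dn(dn):
    """Lowercase and strip whitespace around RDN separators (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def in_base(dn, base):
    """True if dn sits at or below base, i.e. a subtree search from base can return it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def escape_filter_value(value):
    """RFC 4515 escaping so a DN containing '(', ')', '*' or '\\' cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def get_user_dn(base, attr, value):
    """Mirror of the extension's user lookup: find the entry with (attr=value) below base."""
    for dn, attrs in DIRECTORY.items():
        if in_base(dn, base) and attrs.get(attr.lower()) == value:
            return dn
    return None  # this is the 'Pulled the user's DN:' (empty) case in the failing trace

def group_filter(user_dn):
    """Build the membership filter; an empty DN would yield (member=), which matches nothing."""
    if not user_dn:
        raise ValueError("empty user DN: fix the user search before checking groups")
    return "(&(member=%s)(objectclass=group))" % escape_filter_value(user_dn)

def diagnose(base, required_group):
    """Return (user_dn, problem) for a candidate $wgLDAPBaseDNs value."""
    user_dn = get_user_dn(base, "sAMAccountName", "doej")
    if user_dn is None:
        return None, "user entry is not under base %s; widen the base" % base
    if not in_base(required_group, base):
        return user_dn, "required group is not under base %s" % base
    return user_dn, None
```

Running diagnose() with the working base returns the user's DN, with the failing base returns no DN and the reason, and with a base that covers both the users and the groups subtree (for example the domain root) returns the DN with no problem.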
