[Mediawiki-l] Not updating Groups in the MW Database

Felix Feinhals ff at turtle-entertainment.de
Tue Nov 10 12:53:43 UTC 2009 

Hi,

we use the LDAP extension to sync LDAP groups with the MW Database, so
that other extensions like accesscontrol can use these groups. But its
not working anymore and i dont know what to do about it.

Here is our current configuration and debug logs of a test user logging
in:

$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/test-wiki/ldap.debug.log";
$wgLDAPDomainNames = array( "domain" );
$wgLDAPServerNames = array( "domain"=>"server.com" );
$wgLDAPUseLocal = false;
$wgLDAPEncryptionType = array( "domain"=>"ssl" );
$wgLDAPSearchStrings = array( "domain"=>"domain\\USER-NAME" );
$wgLDAPProxyAgent = array(
"domain"=>"cn=searchonly,cn=Users,dc=server,dc=domain,dc=com" );
$wgLDAPProxyAgentPassword = array( "domain"=>"xxx" );
$wgLDAPSearchAttribudomains = array( "domain"=>"sAMAccountName" );
$wgLDAPBaseDNs = array( "domain"=>"dc=server,dc=domain,dc=com" );
$wgLDAPMailPassword = false;
$wgLDAPPreferences = array ( "domain"=>array(
"email"=>"mail","realname"=>"displayName","nickname"=>"cn","language"=>"
preferredLanguage") );
$wgLDAPDisableAutoCreate = array( "domain"=>false );
$wgMinimalPasswordLength = 1;
$wgLDAPGroupUseFullDN = array( "domain"=>true );
$wgLDAPGroupBaseDNs = array(
"domain"=>"ou=Groups,ou=department,dc=server,dc=domain,dc=com" );
$wgLDAPLowerCaseUsername = array( "domain"=>true );
$wgLDAPGroupUseRetrievedUsername = array( "domain"=>false );
$wgLDAPGroupObjectclass = array( "domain"=>"group" );
$wgLDAPGroupAttribudomain = array( "domain"=>"member" );
$wgLDAPGroupNameAttribudomain = array( "domain"=>"cn" );
$wgLDAPUseLDAPGroups = array( "domain"=>true );
$wgLDAPGroupLowerCaseUsername = array( "domain"=>true );


2009-10-28 09:47:26  wikidb_test: Entering validDomain
2009-10-28 09:47:26  wikidb_test: User is not using a valid domain.
2009-10-28 09:47:26  wikidb_test: Setting domain as: invaliddomain
2009-10-28 09:47:26  wikidb_test: Entering allowPasswordChange
2009-10-28 09:47:26  wikidb_test: Entering modifyUITemplate
2009-10-28 09:47:29  wikidb_test: Entering validDomain
2009-10-28 09:47:29  wikidb_test: User is not using a valid domain.
2009-10-28 09:47:29  wikidb_test: Setting domain as: invaliddomain
2009-10-28 09:47:29  wikidb_test: Entering allowPasswordChange
2009-10-28 09:47:29  wikidb_test: Entering modifyUITemplate
2009-10-28 09:47:34  wikidb_test: Entering validDomain
2009-10-28 09:47:34  wikidb_test: User is using a valid domain.
2009-10-28 09:47:34  wikidb_test: Setting domain as: domain
2009-10-28 09:47:34  wikidb_test: Entering getCanonicalName
2009-10-28 09:47:34  wikidb_test: Username isn't empty.
2009-10-28 09:47:34  wikidb_test: Munged username: Testneu
2009-10-28 09:47:34  wikidb_test: Entering authenticate
2009-10-28 09:47:34  wikidb_test:
2009-10-28 09:47:34  wikidb_test: Entering Connect
2009-10-28 09:47:34  wikidb_test: Using SSL
2009-10-28 09:47:34  wikidb_test: Using servers:  ldaps://server.com
2009-10-28 09:47:34  wikidb_test: Connected successfully
2009-10-28 09:47:34  wikidb_test: Lowercasing the username: Testneu
2009-10-28 09:47:34  wikidb_test: Entering getSearchString
2009-10-28 09:47:34  wikidb_test: Doing a straight bind
2009-10-28 09:47:34  wikidb_test: userdn is: domain\testneu
2009-10-28 09:47:34  wikidb_test:
2009-10-28 09:47:34  wikidb_test: Binding as the user
2009-10-28 09:47:39  wikidb_test: Bound successfully
2009-10-28 09:47:39  wikidb_test: Entering getUserDN
2009-10-28 09:47:39  wikidb_test: Created a regular filter:
(sAMAccountName=testneu)
2009-10-28 09:47:39  wikidb_test: Entering getBaseDN
2009-10-28 09:47:39  wikidb_test: basedn is not set for this type of
entry, trying to get the default basedn.
2009-10-28 09:47:39  wikidb_test: Entering getBaseDN
2009-10-28 09:47:39  wikidb_test: basedn is dc=server,dc=domain,dc=com
2009-10-28 09:47:39  wikidb_test: Using base: dc=server,dc=domain,dc=com
2009-10-28 09:47:39  wikidb_test: Fetched username is not a string
(check your hook code...). This message can be safely ignored if you do
not have the SetUsernameAttributeFromLDAP hook defined.
2009-10-28 09:47:39  wikidb_test: Pulled the user's DN: CN=test
userNEU,OU=Users,OU=department,DC=server,DC=domain,DC=com
2009-10-28 09:47:39  wikidb_test: Entering getGroups
2009-10-28 09:47:39  wikidb_test: Retrieving LDAP group membership
2009-10-28 09:47:39  wikidb_test: Searching for the groups
2009-10-28 09:47:39  wikidb_test: Entering searchGroups
2009-10-28 09:47:39  wikidb_test: Entering getBaseDN
2009-10-28 09:47:39  wikidb_test: basedn is
ou=Groups,ou=department,dc=server,dc=domain,dc=com
2009-10-28 09:47:39  wikidb_test: Search string: (&(member=CN=test
userNEU,OU=Users,OU=department,DC=server,DC=domain,DC=com)(objectclass=g
roup))
2009-10-28 09:47:39  wikidb_test: Binding as the proxyagent
2009-10-28 09:47:39  wikidb_test: Returned groups:
cn=test123,ou=groups,ou=department,dc=server,dc=domain,dc=com
2009-10-28 09:47:39  wikidb_test: Entering checkGroups
2009-10-28 09:47:39  wikidb_test: Entering getPreferences
2009-10-28 09:47:39  wikidb_test: Retrieving preferences
2009-10-28 09:47:39  wikidb_test: Retrieved email (test123 at test.com)
using attribute (mail)
2009-10-28 09:47:39  wikidb_test: Retrieved nickname (test userNEU)
using attribute (cn)
2009-10-28 09:47:39  wikidb_test: Entering synchUsername
2009-10-28 09:47:39  wikidb_test: Authentication passed
2009-10-28 09:47:39  wikidb_test: Entering updateUser
2009-10-28 09:47:39  wikidb_test: Setting user preferences.
2009-10-28 09:47:39  wikidb_test: Setting nickname.
2009-10-28 09:47:39  wikidb_test: Setting email.
2009-10-28 09:47:39  wikidb_test: Setting user groups.
2009-10-28 09:47:39  wikidb_test: Entering setGroups.
2009-10-28 09:47:39  wikidb_test: Locally managed groups is unset, using
defaults:  bot::sysop::bureaucrat
2009-10-28 09:47:39  wikidb_test: Available groups are:
bot::sysop::bureaucrat
2009-10-28 09:47:39  wikidb_test: Effective groups are:
*::user::autoconfirmed
2009-10-28 09:47:39  wikidb_test: Checking to see if user is in: bot
2009-10-28 09:47:39  wikidb_test: Entering hasLDAPGroup
2009-10-28 09:47:39  wikidb_test: Checking to see if user is in: sysop
2009-10-28 09:47:39  wikidb_test: Entering hasLDAPGroup
2009-10-28 09:47:39  wikidb_test: Checking to see if user is in:
bureaucrat
2009-10-28 09:47:39  wikidb_test: Entering hasLDAPGroup
2009-10-28 09:47:39  wikidb_test: Saving user settings.
2009-10-28 09:47:43  wikidb_test: Entering allowPasswordChange

If i understand the log correctly the group is returned but when i check
the database its not updated there.

I also posted my problem at the LDAP extension talk
http://www.mediawiki.org/wiki/Extension_talk:LDAP_Authentication#Not_upd
ating_Groups_in_the_MW_Database.

-- 
Turtle Entertainment GmbH
Felix Feinhals, Junior IT Operations Specialist
Siegburger Str. 189
50679 Cologne
Germany
fon. +49 221 880449-333
fax. +49 221 880449-399
http://www.turtle-entertainment.com/
http://www.esl.eu/
http://www.consoles.net/
Managing Directors: Jens Hilgers, Ralf Reichert
Register Court: Local Court Cologne, HRB 36678

More information about the MediaWiki-l mailing list