
So I have been trying to set up a "Free" wiki that integrates with my "Free" version of Active Directory (aka OpenLdap), so I can get a super simple setup together for a dev group that needs to work and trade spars about their tribal knowledge. I've seen this in action before, so I know it should work... and everything else has been set up pretty fine till now:

While this wasn't simple, it sure was straightforward, and if I followed the CentOS rules, it all just worked (at least on ProxMox). Now here comes the kicker: I tried to integrate MediaWiki with OpenLdap so my user authentication was seamless:

That is where I hit a big snag. The documentation doesn't exactly guide you through how to do this, and many times groups seem to be addressing MSFT Active Directory, not necessarily the open source tools I use. For instance, the most recent thread in the discussion:

When I follow what was done there, my log doesn't show a 'Failed to bind as' message; instead I get this one, 'Did not find a matching user in LDAP':

2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Setting domain as: sinbad
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering Connect
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using servers: ldap://master.sinbad.com:389
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using TLS
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 userdn is: uid=Dsailor,ou=people,dc=master,dc=sinbad,dc=com
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Resource id #454  uid=Dsailor,ou=people,dc=master,dc=sinbad,dc=com
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Did not find a matching user in LDAP
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering strict.
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Returning true in strict()

Here is my Ldap configuration:

$wgLDAPDomainNames = array('sinbadcomd');
$wgLDAPServerNames = array('sinbadcomd' => 'master.sinbad.com');
$wgLDAPSearchAttributes = array('sinbadcomd' => 'uid');
$wgLDAPSearchStrings =  array('sinbadcomd' => 'uid=USER-NAME,ou=people,dc=master,dc=sinbad,dc=com');
$wgLDAPBaseDNs = array('sinbadcomd' => 'dc=master,dc=sinbad,dc=com');


# To pull e-mail address from LDAP
$wgLDAPPreferences = array('sinbadcomd' => array( 'email' => 'mail'));

$wgLDAPDebug = 3;
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = array( 'EUROPE.LAN' => true );

$wgLDAPEncryptionType = array('sinbadcomd' => 'tls');
//$wgLDAPEncryptionType = array('sinbadcomd' => 'ssl');
//$wgLDAPPort = array('sinbadcomd' => '636');
$wgLDAPPort = array('sinbadcomd' => '389');
$wgLDAPProxyAgent = array('sinbadcomd' => 'cn=proxyhost,ou=system,dc=master,dc=sinbad,dc=com');
$wgLDAPProxyAgentPassword = array('sinbadcomd' => '***');
$wgLDAPLowerCaseUsername = array('sinbadcomd' => true);


/*$wgLDAPUserBaseDNs = array('sinbadcomd' => 'ou=people,dc=master,dc=sinbad,dc=com');
//$wgLDAPUserBaseDNs = [];

# Group based restriction
$wgLDAPGroupUseFullDN = array( 'sinbadcomd' => false );
$wgLDAPGroupObjectclass = array( 'sinbadcomd' => "posixgroup" );
$wgLDAPGroupAttribute = array( 'sinbadcomd' => "gidNumber" );
$wgLDAPGroupSearchNestedGroups = array( 'sinbadcomd' => false );
$wgLDAPGroupNameAttribute = array( 'sinbadcomd' => "cn" );
*/

Face in hands. Can someone give me any pointers here? BTW: I know I can use much newer and likely more relevant systems like Wiki JS; it seems I bought into the "something simple that used to work for me" slogan, and, well, it seems I need some help (can't remember when I last used PHP).

1 Answer


So I spent quite a bit of time trying to debug something similar recently. Looking at what you did here, I don't think you need this line:

$wgLDAPRetrievePrefs = array( 'EUROPE.LAN' => true );

and the commented-out lines make it a bit confusing to read. However, from what I could find, a small patch can help here:

diff ~/src/LdapAuthentication/LdapAuthenticationPlugin.php extensions/LdapAuthentication/
532a533,536
>
>                                 // If we are going to find and entry we need to bind first?
>                                 $bindval = self::ldap_bind( $this->ldapconn, $this->getConf('ProxyAgent'), $this->getConf('ProxyAgentPassword') );
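Review bot: the result of the proxy-agent bind is stored in `$bindval` but never checked, so if that bind fails (wrong agent DN or password, TLS not negotiated, agent not permitted to bind) the code falls through to the entry lookup on a connection that is not bound as the agent, and the user still gets the same "Did not find a matching user in LDAP" outcome with no hint of why. Test `$bindval`, log the failure at the same debug level as the surrounding messages, and return false before the search runs. The comment "If we are going to find and entry we need to bind first?" should state the intent rather than ask it, e.g. "// bind as the proxy agent so the user lookup is not done anonymously". Also, the hunk header `532a533,536` advertises four added lines but only three `>` lines appear above, so the patch as pasted is not complete and should be re-posted whole before anyone applies it.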

I have this change I made awaiting some response or peer review on the MediaWiki site: https://www.mediawiki.org/wiki/Topic:Vr5s4thrk4imbxjx

But as far as I can tell it works, and that is what is most important to me right now (this took me quite a while to solve, actually).
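An added illustration of the configuration layout both the question and the answer are wrestling with (this is not code from the question, the answer or the LdapAuthentication extension): every per-domain $wgLDAP* setting is a PHP array keyed by the names declared in $wgLDAPDomainNames, and a key that does not match exactly is silently ignored, so the setting never takes effect. The checker below parses a LocalSettings.php fragment, discards commented-out lines, and reports such keys together with a few port/encryption, search-string and proxy-agent inconsistencies. The embedded SAMPLE is the question's own block reproduced as a constructed string; the facts it relies on (LDAPS on 636, the USER-NAME placeholder in $wgLDAPSearchStrings) are the extension's documented defaults, and the finding wording and helper names are the example's own.

```python
"""Consistency checks for a MediaWiki LdapAuthentication ($wgLDAP*) block.

Every per-domain setting of the extension is a PHP array keyed by the names
declared in $wgLDAPDomainNames.  A key that does not match exactly (a stray
domain copied from an example, a typo, a trailing space) is silently ignored
and that setting never takes effect, which is easy to miss in a config full
of commented-out alternatives.  This script pulls the $wgLDAP* assignments
out of a LocalSettings.php fragment and reports such mismatches plus a few
port/encryption and DN inconsistencies.  It never contacts the directory.
"""
import re

# Constructed sample: the LDAP block posted in the question above, including
# its commented-out lines, so the comment stripping is exercised too.
SAMPLE = r"""
$wgLDAPDomainNames = array('sinbadcomd');
$wgLDAPServerNames = array('sinbadcomd' => 'master.sinbad.com');
$wgLDAPSearchAttributes = array('sinbadcomd' => 'uid');
$wgLDAPSearchStrings =  array('sinbadcomd' => 'uid=USER-NAME,ou=people,dc=master,dc=sinbad,dc=com');
$wgLDAPBaseDNs = array('sinbadcomd' => 'dc=master,dc=sinbad,dc=com');

# To pull e-mail address from LDAP
$wgLDAPPreferences = array('sinbadcomd' => array( 'email' => 'mail'));

$wgLDAPDebug = 3;
$wgLDAPUseLocal = false;
$wgLDAPRetrievePrefs = array( 'EUROPE.LAN' => true );

$wgLDAPEncryptionType = array('sinbadcomd' => 'tls');
//$wgLDAPEncryptionType = array('sinbadcomd' => 'ssl');
//$wgLDAPPort = array('sinbadcomd' => '636');
$wgLDAPPort = array('sinbadcomd' => '389');
$wgLDAPProxyAgent = array('sinbadcomd' => 'cn=proxyhost,ou=system,dc=master,dc=sinbad,dc=com');
$wgLDAPProxyAgentPassword = array('sinbadcomd' => '***');
$wgLDAPLowerCaseUsername = array('sinbadcomd' => true);

/*$wgLDAPUserBaseDNs = array('sinbadcomd' => 'ou=people,dc=master,dc=sinbad,dc=com');
$wgLDAPGroupAttribute = array( 'sinbadcomd '=> "gidNumber" );
*/
"""

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
LINE_COMMENT = re.compile(r"^\s*(//|#).*$", re.M)
SETTING = re.compile(r"^\s*\$(wgLDAP\w+)\s*=\s*(.+?);\s*$", re.M)
# one 'key' => value pair; the value may be a string, bool, number or a
# one-level nested array (as in $wgLDAPPreferences)
PAIR = re.compile(r"""(['"])(.*?)\1\s*=>\s*(array\s*\(.*?\)|\[.*?\]|'[^']*'|"[^"]*"|true|false|\d+)""")
STRING = re.compile(r"""(['"])(.*?)\1""")


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_ldap_settings(src):
    """Return {setting name: dict | list | raw scalar} for the active $wgLDAP* lines."""
    settings = {}
    for m in SETTING.finditer(LINE_COMMENT.sub("", BLOCK_COMMENT.sub("", src))):
        name, rhs = m.group(1), m.group(2).strip()
        if rhs.startswith("array") or rhs.startswith("["):
            pairs = PAIR.findall(rhs)
            if pairs:
                settings[name] = {key: _unquote(val) for _, key, val in pairs}
            else:  # plain list such as $wgLDAPDomainNames
                settings[name] = [s for _, s in STRING.findall(rhs)]
        else:
            settings[name] = rhs
    return settings


def _get(settings, name, domain, default=None):
    value = settings.get(name)
    return value.get(domain, default) if isinstance(value, dict) else default


def lint(settings):
    """Return a list of human-readable findings (empty means nothing suspicious)."""
    findings = []
    domains = settings.get("wgLDAPDomainNames")
    if not isinstance(domains, list) or not domains:
        return ["wgLDAPDomainNames is missing or empty; no domain will be offered at login"]

    # 1. every per-domain key must match a declared domain exactly
    for name, value in settings.items():
        if not isinstance(value, dict):
            continue
        for key in value:
            if key != key.strip():
                findings.append(f"{name}: key {key!r} has surrounding whitespace, so it will never match a domain")
            elif key not in domains:
                findings.append(f"{name}: key {key!r} is not in wgLDAPDomainNames {domains}; this setting is never read")

    # 2. per-domain sanity checks
    for d in domains:
        for required in ("wgLDAPServerNames", "wgLDAPBaseDNs"):
            if _get(settings, required, d) is None:
                findings.append(f"{required}: no entry for domain {d!r}")
        enc = _get(settings, "wgLDAPEncryptionType", d, "tls").lower()
        port = _get(settings, "wgLDAPPort", d)
        if enc == "ssl" and port not in (None, "636"):
            findings.append(f"{d}: encryption 'ssl' (LDAPS) but port {port}; LDAPS normally listens on 636")
        if enc in ("tls", "clear") and port == "636":
            findings.append(f"{d}: encryption {enc!r} on port 636; that port expects TLS from the first byte (use 'ssl')")
        if enc == "clear":
            findings.append(f"{d}: encryption 'clear' sends user and proxy-agent passwords unencrypted")
        search = _get(settings, "wgLDAPSearchStrings", d)
        base = _get(settings, "wgLDAPBaseDNs", d)
        if search:
            if "USER-NAME" not in search:
                findings.append(f"{d}: wgLDAPSearchStrings lacks the USER-NAME placeholder")
            if base and not search.lower().endswith(base.lower()):
                findings.append(f"{d}: search string {search!r} does not end in base DN {base!r}")
        if _get(settings, "wgLDAPProxyAgent", d) and not _get(settings, "wgLDAPProxyAgentPassword", d):
            findings.append(f"{d}: wgLDAPProxyAgent set without wgLDAPProxyAgentPassword; the agent bind will fail")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ldap_settings(SAMPLE)):
        print(finding)
```

Run against the posted block it prints a single finding, the wgLDAPRetrievePrefs entry keyed 'EUROPE.LAN' that the answer also singles out; the commented-out group settings (including the 'sinbadcomd ' key with the trailing space) are skipped because they are inside /* */. The script only checks the config's internal consistency; whether the proxy agent can actually bind and read entries under ou=people is a separate check made with ldapsearch against the server, which is also the quickest way to tell an ACL problem from a config problem.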