Hello,

I set up a test instance of MediaWiki at our site and am trying to get it
configured for LDAP authentication.  Per the documentation I could find, I
installed and configured the following extensions:

  - LDAPAuthentication2
  - LDAPAuthorization
  - LDAPProvider
  - PluggableAuth

Without LDAPAuthorization enabled, basic LDAP authentication works fine.
However, when I enable LDAPAuthorization and try to filter access by
membership in a specific group, authentication fails every time with an
error saying the user is not authorized.

More specifically, I created a group in our LDAP system called wiki-users
and added myself as a member.  I then added an authorization block to the
JSON file and specified the full DN of this group as a required group.  I'm
using plaintext LDAP so I can run packet captures and see the traffic.
When I capture the LDAP traffic, I can see that it's authenticating the
bind user and then my own user, but at no point does it query for this
group.

A sanitized version of my JSON file is pasted below.  Any help is greatly
appreciated!

{
  "LDAP": {
    "connection": {
      "server": "my-LDAP-server.utica.edu",
      "port": "389",
      "enctype": "clear",
      "user": "cn=my-bind-user,dc=utica,dc=edu",
      "pass": "xxxxxxxxxxxx",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
      "usernameattribute": "uid",
      "realnameattribute": "ucPreferredName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    },
    "userinfo": {
      "email": "mail",
      "realname": "ucPreferredName"
    }
  }
}

-- 
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
List information: 
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
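One way to rule out configuration-side causes before reading more packet captures is to lint the JSON offline: check that every group DN referenced by the authorization rules and the group-sync mapping parses cleanly, contains no stray control characters (a DN that has been line-wrapped inside the file is a classic cause of a silent "not authorized"), and sits beneath the configured `groupbasedn`. The script below is an added example written for this post; it is not part of LDAPAuthorization or LDAPProvider, and it assumes the extension searches groups beneath `groupbasedn` and that the directory uses the `groupOfNames`/`member` schema for the out-of-band verification filter it prints (the extension's own query may differ). The embedded config is a constructed cut-down copy of the one in the post.

```python
"""Offline lint for an LDAPProvider-style JSON config (added example, not extension code)."""
import json
import re

# Constructed sample: the poster's config reduced to the keys this lint reads.
SAMPLE_CONFIG = r'''
{
  "LDAP": {
    "connection": {
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid"
    },
    "authorization": {
      "rules": {"groups": {"required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]}}
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    }
  }
}
'''

def parse_dn(dn):
    """Split a DN into (attr, value) pairs, honouring backslash-escaped commas.
    Simplified RFC 4514 parsing: no multi-valued RDNs, no hex-encoded values."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def dn_is_under(dn, base):
    """True if `dn` is `base` itself or an entry beneath it (case-insensitive)."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[-len(b):] == b

def filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def membership_filter(user_dn):
    """Filter to verify a user's group membership by hand with ldapsearch.
    Assumes groupOfNames/member (hypothetical schema; adjust to your directory)."""
    return f"(&(objectClass=groupOfNames)(member={filter_escape(user_dn)}))"

def lint_config(text):
    """Return a list of findings about the group DNs; an empty list means none."""
    findings = []
    cfg = json.loads(text)["LDAP"]
    group_base = cfg["connection"]["groupbasedn"]
    required = cfg.get("authorization", {}).get("rules", {}).get("groups", {}).get("required", [])
    mapped = cfg.get("groupsync", {}).get("mapping", {}).values()
    for dn in list(required) + list(mapped):
        if re.search(r"[\x00-\x1f]", dn):   # a line-wrapped DN would land here
            findings.append(f"control character (e.g. a line break) inside DN {dn!r}")
            continue
        try:
            if not dn_is_under(dn, group_base):   # assumes groups are searched beneath groupbasedn
                findings.append(f"{dn!r} is not under groupbasedn {group_base!r}")
        except ValueError as exc:
            findings.append(str(exc))
    return findings

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    print(membership_filter("uid=someone,ou=people,o=utica.edu,dc=utica,dc=edu"))
```

Run it against the real file by swapping `SAMPLE_CONFIG` for the file's contents; the printed filter can then be used with `ldapsearch -b <groupbasedn>` under the bind user to confirm, independently of the wiki, that the bind account can actually see the group and its `member` values, which is the query the capture in the post never shows.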