It's a stab in the dark, but there are some LDAP auth implementations that
assume groups are returned when querying for a user, as that is generally how
LDAP servers work out of the box. If your groups are not included in user
query results, and I'm guessing they're not based on your expectations,
they break in the manner you describe. Depending on how battle-tested the
implementation is, it may make a second lookup to test if the user is in a
group, which may be a separate config flag.

No clue if any of the listed extensions fall into the former or latter
category of Auth implementations, but figured the LDAP trivia might be
useful.

On Wed, 11 Aug 2021, 19:29 Dave Parker, <dpar...@utica.edu> wrote:

> Not sure if this matters, but we're using Oracle Directory Server
> (formerly Sun Directory Server Enterprise Edition).  In a group, each
> member is specified by a full user DN.  Does the extension look for a
> member value matching just the username?
>
> Thanks.
>
> On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dpar...@utica.edu> wrote:
>
>> Hello,
>>
>> I set up a test instance of MediaWiki at our site and am trying to get it
>> configured for LDAP authentication.  Per the documentation I could find, I
>> installed and configured the following extensions:
>>
>>   - LDAPAuthentication2
>>   - LDAPAuthorization
>>   - LDAPProvider
>>   - PluggableAuth
>>
>> Without LDAPAuthorization enabled, basic LDAP authentication works fine.
>> However, when I enable LDAPAuthorization and try to filter access by
>> membership in a specific group, authentication fails every time with an
>> error saying the user is not authorized.
>>
>> More specifically, I created a group in our LDAP system called wiki-users
>> and added myself as a member.  I then added an authorization block to the
>> json file and specified the full DN of this group as a required group.  I'm
>> using plaintext LDAP so I can run packet captures and see the traffic.
>> When I capture the LDAP traffic, I can see that it's authenticating the
>> bind user and then my own user, but at no point does it query for this
>> group.
>>
>> A sanitized version of my json file is pasted below.  Any help is greatly
>> appreciated!
>>
>> {
>>   "LDAP": {
>>     "connection": {
>>       "server": "my-LDAP-server.utica.edu",
>>       "port": "389",
>>       "enctype": "clear",
>>       "user": "cn=my-bind-user,dc=utica,dc=edu",
>>       "pass": "xxxxxxxxxxxx",
>>       "options": {
>>         "LDAP_OPT_DEREF": 1
>>       },
>>       "basedn": "dc=utica,dc=edu",
>>       "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
>>       "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
>>       "searchattribute": "uid",
>>       "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
>>       "usernameattribute": "uid",
>>       "realnameattribute": "ucPreferredName",
>>       "emailattribute": "mail"
>>     },
>>     "authorization": {
>>       "rules": {
>>         "groups": {
>>           "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
>>         }
>>       }
>>     },
>>     "groupsync": {
>>       "mechanism": "mappedgroups",
>>       "mapping": {
>>         "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
>>         "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
>>       }
>>     },
>>     "userinfo": {
>>       "email": "mail",
>>       "realname": "ucPreferredName"
>>     }
>>   }
>> }
>>
>> --
>> Dave Parker '11
>> Database & Systems Administrator
>> Utica College
>> Integrated Information Technology Services
>> (315) 792-3229
>> Registered Linux User #408177
>>
>
_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
List information: 
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
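The two lookup strategies described in the reply (trusting a membership attribute returned with the user entry versus making a second lookup on the group entry and matching the user's full DN against its member values) can be seen side by side in the following added example. It is not code from the thread or from any of the MediaWiki extensions named in it; the in-memory directory, DNs, usernames and the `memberOf` attribute name are constructed for illustration, and the DN normalization is a simplified version (not full RFC 4514) that only handles case and whitespace differences.

```python
"""Two ways an LDAP authorization layer can decide group membership.

Constructed, in-memory directory standing in for the LDAP server; the
entries, usernames and attribute names are assumptions for illustration.
"""
import re

USER_BASE = "ou=people,o=utica.edu,dc=utica,dc=edu"
GROUP_BASE = "ou=groups,o=utica.edu,dc=utica,dc=edu"
REQUIRED_GROUP = "cn=wiki-users," + GROUP_BASE

# Constructed directory. 'testuser' models a server that returns no group
# membership on the user entry; 'otheruser' models one that does.
DIRECTORY = {
    "uid=testuser," + USER_BASE: {
        "uid": ["testuser"],
    },
    "uid=otheruser," + USER_BASE: {
        "uid": ["otheruser"],
        "memberOf": ["CN=Wiki-Users," + GROUP_BASE],  # differs only in case
    },
    REQUIRED_GROUP: {
        "cn": ["wiki-users"],
        "member": [
            # full user DN, entered with spaces after the commas
            "uid=testuser, ou=people, o=utica.edu, dc=utica, dc=edu",
            "uid=otheruser," + USER_BASE,
        ],
    },
}

_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on unescaped commas only


def normalize_dn(dn):
    """Simplified DN normalization (not full RFC 4514): trim whitespace
    around each RDN and lower-case attribute types and values, so that the
    comparisons below are insensitive to case and spacing."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def find_user(username, search_attribute="uid"):
    """Mimic the user search: return (dn, attrs) of the entry whose search
    attribute equals username, or None if there is no such entry."""
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get(search_attribute, []):
            return dn, attrs
    return None


def in_group_via_user_entry(username, group_dn):
    """Strategy 1: trust a membership attribute returned with the user
    entry. Returns False when the server sends no such attribute."""
    found = find_user(username)
    if found is None:
        return False
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(g) == wanted for g in found[1].get("memberOf", []))


def in_group_via_group_entry(username, group_dn):
    """Strategy 2: second lookup on the group entry, matching the user's
    full DN against the group's member values."""
    found = find_user(username)
    group = DIRECTORY.get(group_dn)
    if found is None or group is None:
        return False
    user_dn = normalize_dn(found[0])
    return any(normalize_dn(m) == user_dn for m in group.get("member", []))


def naive_member_match(username, group_dn):
    """Exact string comparison, for contrast: fails on harmless case or
    whitespace differences in how the member DN was entered."""
    found = find_user(username)
    group = DIRECTORY.get(group_dn)
    if found is None or group is None:
        return False
    return found[0] in group.get("member", [])


def authorize(username, group_dn, second_lookup):
    """Authorization decision; 'second_lookup' stands in for the kind of
    config flag the reply speculates about (a hypothetical name)."""
    if in_group_via_user_entry(username, group_dn):
        return True
    return second_lookup and in_group_via_group_entry(username, group_dn)


if __name__ == "__main__":
    for user in ("testuser", "otheruser", "nobody"):
        print(user,
              "user-entry:", in_group_via_user_entry(user, REQUIRED_GROUP),
              "group-entry:", in_group_via_group_entry(user, REQUIRED_GROUP),
              "naive:", naive_member_match(user, REQUIRED_GROUP))
```

Running it shows why the symptom in the question is consistent with strategy 1: for `testuser` the user entry carries no membership attribute, so only the second lookup on the group entry finds the user, and only when member DNs are compared after normalization; an exact string match misses the same user because the group entry lists the DN with extra spaces. A packet capture of a layer using strategy 1 would show the bind and the user search but never a search for the group, which is exactly what the poster observed.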
