I solved the mystery. I moved the LDAP config to LocalSettings.php but still had no luck. Then I enabled debug logging, and found this in the log after a failed login:

[LDAP] ldap_search( $linkID, $baseDN = 'ou=groups,o=utica.edu,dc=utica,dc=edu', $filter = '(&(objectclass=group)(member=uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu))', $attributes = [ 'dn' ], $attrsonly = , $sizelimit = , $timelimit = , $deref = );

The "objectclass=group" was the core issue here. Our groups use the objectclass "groupOfNames" so this search returned no results. The solution was to use this:

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
"groupobjectclass" => "groupOfNames",
"groupattribute" => "member"

Voila! Successful group-controlled LDAP authentication. All set!

Thanks,
Dave

On Wed, Aug 11, 2021 at 3:25 PM Dave Parker <dpar...@utica.edu> wrote:
> We've had this LDAP system for a long time, and have never run into anything like this before. In general, there are two kinds of groups you can use in it:
>
> 1. A standard group has a groupOfNames object class, and members are specified using the "member" attribute, with each value being the DN of the user. When a user is a member of a group like this, it also adds the "isMemberOf" operational attribute on the user's LDAP record, the value of which is the DN of the group.
>
> 2. A dynamic group has a groupOfUrls object class, and membership is specified by one or more "memberURL" values which are LDAP search strings. All records matching the search string are considered to be members of the group. Oracle (and previously Sun) recommended using the "memberOf" attribute on user records and in the search string, to build out these groups. For example, our staff group has this memberURL:
>
> ldap:///ou=people,o=utica.edu,dc=utica,dc=edu??sub?(&(objectclass=person)(memberOf=cn=staff,ou=groups,o=utica.edu,dc=utica,dc=edu))
>
> So, when this group is queried for members, it returns any user with this group's DN as a "memberOf" value.
> It gets convoluted and is easy to make mistakes with dynamic groups, so we generally use plain old groups with explicitly listed members instead. Group lookups have never given us any trouble before, with any product. I've never seen an LDAP query return a user's group memberships unless isMemberOf was included in the filter. In general, the things I've used just look up the user and then look up the group and check to make sure the user's DN is a member value of the group.
>
> Thanks!
>
> On Wed, Aug 11, 2021 at 2:43 PM Matthew Dowdell <mdowdell...@gmail.com> wrote:
>> It's a stab in the dark, but there are some LDAP auth implementations that assume groups are returned when querying for a user, as that is generally how LDAP servers work out of the box. If your groups are not included in user query results, and I'm guessing they're not based on your expectations, they break in the manner you describe. Depending on how battle-tested the implementation is, it may make a second lookup to test if the user is in a group, which may be a separate config flag.
>>
>> No clue if any of the listed extensions fall into the former or latter category of Auth implementations, but figured the LDAP trivia might be useful.
>>
>> On Wed, 11 Aug 2021, 19:29 Dave Parker, <dpar...@utica.edu> wrote:
>>> Not sure if this matters, but we're using Oracle Directory Server (formerly Sun Directory Server Enterprise Edition). In a group, each member is specified by a full user DN. Does the extension look for a member value matching just the username?
>>>
>>> Thanks.
>>>
>>> On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dpar...@utica.edu> wrote:
>>>> Hello,
>>>>
>>>> I set up a test instance of MediaWiki at our site and am trying to get it configured for LDAP authentication.
>>>> Per the documentation I could find, I installed and configured the following extensions:
>>>>
>>>> - LDAPAuthentication2
>>>> - LDAPAuthorization
>>>> - LDAPProvider
>>>> - PluggableAuth
>>>>
>>>> Without LDAPAuthorization enabled, basic LDAP authentication works fine. However, when I enable LDAPAuthorization and try to filter access by membership in a specific group, authentication fails every time with an error saying the user is not authorized.
>>>>
>>>> More specifically, I created a group in our LDAP system called wiki-users and added myself as a member. I then added an authorization block to the json file and specified the full DN of this group as a required group. I'm using plaintext LDAP so I can run packet captures and see the traffic. When I capture the LDAP traffic, I can see that it's authenticating the bind user and then my own user, but at no point does it query for this group.
>>>>
>>>> A sanitized version of my json file is pasted below. Any help is greatly appreciated!
>>>>
>>>> {
>>>>   "LDAP": {
>>>>     "connection": {
>>>>       "server": "my-LDAP-server.utica.edu",
>>>>       "port": "389",
>>>>       "enctype": "clear",
>>>>       "user": "cn=my-bind-user,dc=utica,dc=edu",
>>>>       "pass": "xxxxxxxxxxxx",
>>>>       "options": {
>>>>         "LDAP_OPT_DEREF": 1
>>>>       },
>>>>       "basedn": "dc=utica,dc=edu",
>>>>       "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
>>>>       "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
>>>>       "searchattribute": "uid",
>>>>       "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
>>>>       "usernameattribute": "uid",
>>>>       "realnameattribute": "ucPreferredName",
>>>>       "emailattribute": "mail"
>>>>     },
>>>>     "authorization": {
>>>>       "rules": {
>>>>         "groups": {
>>>>           "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
>>>>         }
>>>>       }
>>>>     },
>>>>     "groupsync": {
>>>>       "mechanism": "mappedgroups",
>>>>       "mapping": {
>>>>         "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
>>>>         "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
>>>>       }
>>>>     },
>>>>     "userinfo": {
>>>>       "email": "mail",
>>>>       "realname": "ucPreferredName"
>>>>     }
>>>>   }
>>>> }
>>>>
>>>> --
>>>> Dave Parker '11
>>>> Database & Systems Administrator
>>>> Utica College
>>>> Integrated Information Technology Services
>>>> (315) 792-3229
>>>> Registered Linux User #408177
>>>
>>> _______________________________________________
>>> MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
>>> List information:
>>> https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
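As an added example (not code from the LDAPProvider extension or from anyone in the thread), the script below rebuilds the group lookup that appeared in the debug log: it forms the search filter from the same config keys the fix sets and evaluates it offline against a constructed copy of the two groups, so the objectclass mismatch can be reproduced and the corrected settings confirmed before changing the wiki. The directory entries, the user DN and the helper names are assumptions.

```python
"""Offline reconstruction of the group lookup from the thread's debug log line.

Added example, not LDAPProvider code: it forms the group search filter from
the config keys the fix sets (groupobjectclass, groupattribute) and evaluates
it against a constructed in-memory copy of the two groups, no server needed.
"""

# Constructed sample directory (assumed values, modelled on the thread's DNs).
GROUP_BASEDN = "ou=groups,o=utica.edu,dc=utica,dc=edu"
USER_DN = "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu"
OTHER_DN = "uid=someone,ou=people,o=utica.edu,dc=utica,dc=edu"
DIRECTORY = [
    {"dn": f"cn=wiki-users,{GROUP_BASEDN}",
     "objectclass": ["top", "groupOfNames"], "member": [USER_DN, OTHER_DN]},
    {"dn": f"cn=wiki-admins,{GROUP_BASEDN}",
     "objectclass": ["top", "groupOfNames"], "member": [OTHER_DN]},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN or username must not alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(user_dn: str, groupobjectclass: str = "group",
                 groupattribute: str = "member") -> str:
    """The filter string the extension logged, with its 'group' default."""
    return (f"(&(objectclass={escape_filter_value(groupobjectclass)})"
            f"({groupattribute}={escape_filter_value(user_dn)}))")

def search_groups(user_dn: str, groupobjectclass: str = "group",
                  groupattribute: str = "member", entries=DIRECTORY) -> list:
    """Evaluate that filter against the entries. objectClass and DN-syntax
    values are matched case-insensitively, as a directory server would."""
    hits = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        members = {m.lower() for m in entry.get(groupattribute, [])}
        if groupobjectclass.lower() in classes and user_dn.lower() in members:
            hits.append(entry["dn"])
    return hits

def is_authorized(user_dn: str, required_group_dn: str, **cfg) -> bool:
    """LDAPAuthorization's 'required' rule: the group DN must come back."""
    found = {g.lower() for g in search_groups(user_dn, **cfg)}
    return required_group_dn.lower() in found

if __name__ == "__main__":
    for cfg in ({}, {"groupobjectclass": "groupOfNames", "groupattribute": "member"}):
        print(group_filter(USER_DN, **cfg), "->", search_groups(USER_DN, **cfg))
```

Run as-is, the first line reproduces the empty result from the log and the second returns cn=wiki-users; swapping DIRECTORY for entries pulled from your own server shows the same comparison for your schema.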