I solved the mystery.  I moved the LDAP config to LocalSettings.php but
still had no luck.  Then I enabled debug logging, and found this in the log
after a failed login:

[LDAP] ldap_search( $linkID, $baseDN = 'ou=groups,o=utica.edu,dc=utica,dc=edu',
$filter = 
'(&(objectclass=group)(member=uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu))',
$attributes = [ 'dn' ], $attrsonly = , $sizelimit = , $timelimit = , $deref
=  );

The "objectclass=group" was the core issue here.  Our groups use the
objectclass "groupOfNames" so this search returned no results.  The
solution was to use this:

    "grouprequest" =>
        "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
    "groupobjectclass" => "groupOfNames",
    "groupattribute" => "member"

Voila!  Successful group-controlled LDAP authentication.  All set!

Thanks,
Dave
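Added example, not code from this thread or from the LDAPProvider extension: the second lookup that the fixed configuration produces, simulated in Python against a constructed in-memory groupOfNames entry. It shows why a filter on objectclass=group found nothing for a groupOfNames group, and escapes the user DN per RFC 4515 before it is placed in the filter, which a real client must do whenever the value originates from a login form. The directory contents, function names and the toy filter evaluator are assumptions.

```python
import re
# Constructed sample directory (assumption, not real data): one groupOfNames
# entry of the shape the thread describes, keyed by its DN.
DIRECTORY = {
    "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu": {
        "objectclass": ["top", "groupOfNames"],
        "member": ["uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu"],
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a uid or DN derived from a login form must not be
    able to alter the filter structure (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value: str) -> str:
    """Reverse of the above, used by the toy evaluator when comparing."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def build_group_filter(objectclass: str, attribute: str, user_dn: str) -> str:
    """Same shape as the ldap_search() filter in the debug log, with the
    configurable objectclass and membership attribute."""
    return "(&(objectclass=%s)(%s=%s))" % (
        objectclass, attribute, escape_filter_value(user_dn))

TERM = re.compile(r"\(([A-Za-z]+)=([^()]*)\)")

def search(filter_str: str) -> list:
    """Minimal evaluator for an AND of equality terms over DIRECTORY.
    Attribute names and values compare case-insensitively, as objectClass
    and DN-valued attributes do on a real server."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only (&(a=v)(b=w)...) filters are supported")
    terms = [(a.lower(), unescape_filter_value(v).lower())
             for a, v in TERM.findall(filter_str[2:-1])]
    return [dn for dn, entry in DIRECTORY.items()
            if all(any(v == x.lower() for x in entry.get(a, []))
                   for a, v in terms)]

def is_member(user_dn: str, objectclass: str = "groupOfNames",
              attribute: str = "member") -> bool:
    """The second lookup: does any group of the configured class list the
    user's DN in the configured membership attribute?"""
    return bool(search(build_group_filter(objectclass, attribute, user_dn)))

if __name__ == "__main__":
    me = "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu"
    print("objectclass=group        ->", is_member(me, objectclass="group"))
    print("objectclass=groupOfNames ->", is_member(me))
```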

On Wed, Aug 11, 2021 at 3:25 PM Dave Parker <dpar...@utica.edu> wrote:

> We've had this LDAP system for a long time, and have never run into
> anything like this before.  In general, there are two kinds of groups you
> can use in it:
>
> 1. A standard group has a groupOfNames object class, and members are
> specified using the "member" attribute, with each value being the DN of the
> user.  When a user is a member of a group like this, it also adds the
> "isMemberOf" operational attribute on the user's LDAP record, the value of
> which is the DN of the group.
>
> 2. A dynamic group has a groupOfUrls object class, and membership is
> specified by one or more "memberURL" values which are LDAP search strings.
> All records matching the search string are considered to be members of the
> group.  Oracle (and previously Sun) recommended using the "memberOf"
> attribute on user records and in the search string, to build out these
> groups.  For example, our staff group has this memberURL:
>
> ldap:///ou=people,o=utica.edu,dc=utica,dc=edu??sub?(&(objectclass=person)(memberOf=cn=staff,ou=groups,o=utica.edu,dc=utica,dc=edu))
>
> So, when this group is queried for members, it returns any user with this
> group's DN as a "memberOf" value.  It gets convoluted and is easy to make
> mistakes with dynamic groups, so we generally use plain old groups with
> explicitly listed members instead.  Group lookups have never given us any
> trouble before, with any product.  I've never seen an LDAP query return a
> user's group memberships unless isMemberOf was included in the filter.  In
> general, the things I've used just look up the user and then look up the
> group and check to make sure the user's DN is a member value of the group.
>
> Thanks!
>
>
> On Wed, Aug 11, 2021 at 2:43 PM Matthew Dowdell <mdowdell...@gmail.com>
> wrote:
>
>> It's a stab in the dark, but there are some LDAP auth implementations
>> that assume groups are returned when querying for a user, as that is generally
>> how LDAP servers work out of the box. If your groups are not included in
>> user query results, and I'm guessing they're not based on your
>> expectations, they break in the manner you describe. Depending on how
>> battle tested the implementation is, it may make a second lookup to test if
>> the user is in a group, which may be a separate config flag.
>>
>> No clue if any of the listed extensions fall into the former or latter
>> category of Auth implementations, but figured the LDAP trivia might be
>> useful.
>>
>> On Wed, 11 Aug 2021, 19:29 Dave Parker, <dpar...@utica.edu> wrote:
>>
>>> Not sure if this matters, but we're using Oracle Directory Server
>>> (formerly Sun Directory Server Enterprise Edition).  In a group, each
>>> member is specified by a full user DN.  Does the extension look for a
>>> member value matching just the username?
>>>
>>> Thanks.
>>>
>>> On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dpar...@utica.edu> wrote:
>>>
>>>> Hello,
>>>>
>>>> I set up a test instance of MediaWiki at our site and am trying to get
>>>> it configured for LDAP authentication.  Per the documentation I could find,
>>>> I installed and configured the following extensions:
>>>>
>>>>   - LDAPAuthentication2
>>>>   - LDAPAuthorization
>>>>   - LDAPProvider
>>>>   - PluggableAuth
>>>>
>>>> Without LDAPAuthorization enabled, basic LDAP authentication works
>>>> fine.  However, when I enable LDAPAuthorization and try to filter access by
>>>> membership in a specific group, authentication fails every time with an
>>>> error saying the user is not authorized.
>>>>
>>>> More specifically, I created a group in our LDAP system called
>>>> wiki-users and added myself as a member.  I then added an authorization
>>>> block to the json file and specified the full DN of this group as a
>>>> required group.  I'm using plaintext LDAP so I can run packet captures and
>>>> see the traffic.  When I capture the LDAP traffic, I can see that it's
>>>> authenticating the bind user and then my own user, but at no point does it
>>>> query for this group.
>>>>
>>>> A sanitized version of my json file is pasted below.  Any help is
>>>> greatly appreciated!
>>>>
>>>> {
>>>>   "LDAP": {
>>>>     "connection": {
>>>>       "server": "my-LDAP-server.utica.edu",
>>>>       "port": "389",
>>>>       "enctype": "clear",
>>>>       "user": "cn=my-bind-user,dc=utica,dc=edu",
>>>>       "pass": "xxxxxxxxxxxx",
>>>>       "options": {
>>>>         "LDAP_OPT_DEREF": 1
>>>>       },
>>>>       "basedn": "dc=utica,dc=edu",
>>>>       "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
>>>>       "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
>>>>       "searchattribute": "uid",
>>>>       "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
>>>>       "usernameattribute": "uid",
>>>>       "realnameattribute": "ucPreferredName",
>>>>       "emailattribute": "mail"
>>>>     },
>>>>     "authorization": {
>>>>       "rules": {
>>>>         "groups": {
>>>>           "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
>>>>         }
>>>>       }
>>>>     },
>>>>     "groupsync": {
>>>>       "mechanism": "mappedgroups",
>>>>       "mapping": {
>>>>         "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
>>>>         "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
>>>>       }
>>>>     },
>>>>     "userinfo": {
>>>>       "email": "mail",
>>>>       "realname": "ucPreferredName"
>>>>     }
>>>>   }
>>>> }
>>>>
>>>>
>>>
>>>
>>
>
>


-- 
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
List information: 
https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
