Not sure if this matters, but we're using Oracle Directory Server (formerly Sun Directory Server Enterprise Edition). In a group, each member is specified by a full user DN. Does the extension look for a member value matching just the username?
Thanks.

On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <[email protected]> wrote:

> Hello,
>
> I set up a test instance of MediaWiki at our site and am trying to get it
> configured for LDAP authentication. Per the documentation I could find, I
> installed and configured the following extensions:
>
> - LDAPAuthentication2
> - LDAPAuthorization
> - LDAPProvider
> - PluggableAuth
>
> Without LDAPAuthorization enabled, basic LDAP authentication works fine.
> However, when I enable LDAPAuthorization and try to filter access by
> membership in a specific group, authentication fails every time with an
> error saying the user is not authorized.
>
> More specifically, I created a group in our LDAP system called wiki-users
> and added myself as a member. I then added an authorization block to the
> json file and specified the full DN of this group as a required group. I'm
> using plaintext LDAP so I can run packet captures and see the traffic.
> When I capture the LDAP traffic, I can see that it's authenticating the
> bind user and then my own user, but at no point does it query for this
> group.
>
> A sanitized version of my json file is pasted below. Any help is greatly
> appreciated!
>
> {
>     "LDAP": {
>         "connection": {
>             "server": "my-LDAP-server.utica.edu",
>             "port": "389",
>             "enctype": "clear",
>             "user": "cn=my-bind-user,dc=utica,dc=edu",
>             "pass": "xxxxxxxxxxxx",
>             "options": {
>                 "LDAP_OPT_DEREF": 1
>             },
>             "basedn": "dc=utica,dc=edu",
>             "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
>             "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
>             "searchattribute": "uid",
>             "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
>             "usernameattribute": "uid",
>             "realnameattribute": "ucPreferredName",
>             "emailattribute": "mail"
>         },
>         "authorization": {
>             "rules": {
>                 "groups": {
>                     "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
>                 }
>             }
>         },
>         "groupsync": {
>             "mechanism": "mappedgroups",
>             "mapping": {
>                 "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
>                 "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
>             }
>         },
>         "userinfo": {
>             "email": "mail",
>             "realname": "ucPreferredName"
>         }
>     }
> }
>
> --
> Dave Parker '11
> Database & Systems Administrator
> Utica College
> Integrated Information Technology Services
> (315) 792-3229
> Registered Linux User #408177
>

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
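To make the DN-versus-username question concrete, here is an added Python example (not code from this thread or from the MediaWiki LDAP extensions) that performs the group check offline against a constructed group entry: it derives the user DN from the config's searchstring, normalises DNs before comparing them, and builds the member filter that a working setup should be seen sending under groupbasedn. The SAMPLE_GROUPS entry and the dparker/alice uids are constructed sample data.

```python
import re

# Added example, not code from the thread or the MediaWiki LDAP extensions.
# Trimmed copy of the thread's config template; "pass" deliberately omitted.
CONFIG = {
    "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
    "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"],
}

# Constructed stand-in for the group entry the directory would return.
# As described in the thread, each member value is a full user DN, not a uid.
SAMPLE_GROUPS = {
    "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu": {
        "member": [
            "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu",
            "UID=alice, OU=people, O=utica.edu, DC=utica, DC=edu",  # odd case/spacing
        ]
    }
}

def user_dn(username: str) -> str:
    """Substitute the login name into the configured searchstring template."""
    return CONFIG["searchstring"].replace("USER-NAME", username)

def normalize_dn(dn: str) -> str:
    """Fold case and strip whitespace around unescaped commas so cosmetic
    DN differences do not turn into false 'not authorized' results."""
    return ",".join(p.strip().lower() for p in re.split(r"(?<!\\),", dn))

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return value.translate({ord(c): f"\\{ord(c):02x}" for c in "\\*()\0"})

def membership_filter(dn: str, member_attr: str = "member") -> str:
    """Filter to send under groupbasedn to list groups containing this DN;
    this is the query a packet capture of a working setup should show."""
    return f"({member_attr}={escape_filter_value(dn)})"

def is_authorized(username: str, groups=SAMPLE_GROUPS) -> bool:
    """True only if every required group lists the user's full DN as a member;
    a bare username stored in the member attribute would never match."""
    wanted = normalize_dn(user_dn(username))
    for group_dn in CONFIG["required"]:
        entry = groups.get(group_dn)
        if entry is None:
            return False  # required group is missing from the directory
        members = {normalize_dn(m) for m in entry.get("member", [])}
        if wanted not in members:
            return False
    return True
```

The string returned by membership_filter() can be handed to ldapsearch with the bind user to confirm by hand that the group entry is found with the expected member value.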
_______________________________________________
MediaWiki-l mailing list -- [email protected]
List information: https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/
