Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3)

LDAP, MediaWiki

In part 1 of this series, I discussed basic password authentication for Active Directory (AD). In this article I will discuss enabling group restrictions and group synchronization, and retrieving user preferences from AD. I’ll first discuss group restrictions, then synchronization, then retrieving preferences.

Group restrictions and synchronization will require you to somewhat understand the LDAP structure that your AD environment is built upon. Don’t worry, this isn’t as scary as it sounds, and I’ll explain how to find all of the information you’ll require.

Prerequisites

Before you start, you must have authentication working. See part 1 of this series to enable authentication. Don’t try to get everything working at the same time. First ensure authentication is working, then enable group restrictions, then go from there.

For this article we will use the domain configured in part 1:

$wgLDAPDomainNames = array( "TESTAD" );

Group configuration

Shared group options

Telling the plugin how to map users to group members

AD stores full Distinguished Names (DNs) like cn=Ryan Lane,dc=testad,dc=example,dc=com as group members, so we’ll need to tell the plugin to use full DNs. We’ll also need to tell the plugin how to find the user’s DN: the base DN to search under and the attribute that holds the login name. Place the following in LocalSettings.php:

$wgLDAPGroupUseFullDN = array( "TESTAD"=>true );
$wgLDAPBaseDNs = array( 'TESTAD' => 'dc=testad,dc=example,dc=com' );
$wgLDAPSearchAttributes = array( 'TESTAD' => 'sAMAccountName' );

Telling the plugin how to find users in groups

For the plugin to find your groups, it needs to know how to search for them. There are two ways to do this. The first (and easiest) is to use memberOf. The second is to tell the plugin the objectclass of your group objects, the attribute that lists a group’s members, and the attribute that names the group.

Using memberOf

Currently, the plugin cannot find a user’s primary group using memberOf. If you need to restrict access based on users’ primary groups, do not use memberOf. To enable memberOf for AD, put the following in LocalSettings.php:

$wgLDAPGroupsUseMemberOf = array( "TESTAD" => true );

Manually configure the search

Thankfully, most (all?) AD configurations use the same attributes and objectclasses for group membership, so this is fairly straightforward. Put the following into LocalSettings.php:

//The objectclass of the groups we want to search for
$wgLDAPGroupObjectclass = array( "TESTAD"=>"group" );

//The attribute used for group members
$wgLDAPGroupAttribute = array( "TESTAD"=>"member" );

//The naming attribute of the group
$wgLDAPGroupNameAttribute = array( "TESTAD"=>"cn" );

Group restrictions

The LDAP plugin supports two types of group restriction. The first is a list of groups a user is required to be a member of (required groups), the second is a list of groups a user cannot be a member of (excluded groups). Both types of restrictions can be used simultaneously.

Required groups

To require a user to be a member of a group (such as cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com), put the following into LocalSettings.php:

$wgLDAPRequiredGroups = array( "TESTAD"=> array( "cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com" ) );

Excluded groups

To require that a user not be a member of a specific group (such as cn=excluded-wiki-users,ou=groups,dc=testad,dc=example,dc=com), put the following into LocalSettings.php:

$wgLDAPExcludedGroups = array( "TESTAD"=> array( "cn=excluded-wiki-users,ou=groups,dc=testad,dc=example,dc=com" ) );

Group synchronization

Group synchronization allows you to manage MediaWiki authorization using groups defined in your AD server. To enable synchronization, simply add the following to LocalSettings.php:

$wgLDAPUseLDAPGroups = array( "TESTAD"=>true );

To use LDAP groups, you’ll have to define their permissions. If, for instance, you have a group called “wiki-users”, you can enable edit permission for users in that group by adding the following to LocalSettings.php:

$wgGroupPermissions['wiki-users']['edit'] = true;

If you’d like to add sysop permissions to a group called “wiki-admins”, you could put the following into LocalSettings.php:

$wgGroupPermissions['wiki-admins'] = $wgGroupPermissions['sysop'];

Overall, group synchronization is far more powerful than group restriction. See MediaWiki’s user rights documentation for more information on controlling access.
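To make the group restriction and group synchronization options above concrete, here is an added example (not code from this post or from the LdapAuthentication extension): a small Python model of how one login is decided from the user’s AD group memberships, including the group-of-group walk that the $wgLDAPGroupSearchNestedGroups option mentioned in the comments enables. The in-memory directory, the users Ryan Lane, Alice Admin and Bob Banned, and the assumption that membership in any one required group is enough are all constructed for the example.

```python
"""Model of how the LDAP plugin's group options decide one AD login.

Added example, not the extension's code: it simulates the options on this
page against a constructed in-memory copy of a few AD group objects.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed sample directory: group DN -> member DNs. This is what a search
# for (&(member=<dn>)(objectclass=group)) can see when $wgLDAPGroupObjectclass
# is "group" and $wgLDAPGroupAttribute is "member". The users are made up.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "CN=wiki-users,OU=groups,DC=testad,DC=example,DC=com": [
        "CN=Ryan Lane,DC=testad,DC=example,DC=com",
        "CN=Bob Banned,DC=testad,DC=example,DC=com",
        "CN=wiki-admins,OU=groups,DC=testad,DC=example,DC=com",  # nested group
    ],
    "CN=wiki-admins,OU=groups,DC=testad,DC=example,DC=com": [
        "CN=Alice Admin,DC=testad,DC=example,DC=com",
    ],
    "CN=excluded-wiki-users,OU=groups,DC=testad,DC=example,DC=com": [
        "CN=Bob Banned,DC=testad,DC=example,DC=com",
    ],
}


def norm_dn(dn: str) -> str:
    """AD matches DNs case-insensitively, so compare them lower-cased (the
    extension's debug output likewise shows returned group DNs in lower case)."""
    return dn.lower()


def direct_groups(member_dn: str, directory: Dict[str, List[str]]) -> Set[str]:
    """Emulate the group search with $wgLDAPGroupUseFullDN = true: return every
    group whose member attribute contains the full DN."""
    target = norm_dn(member_dn)
    return {
        norm_dn(group_dn)
        for group_dn, members in directory.items()
        if target in (norm_dn(m) for m in members)
    }


def user_groups(user_dn: str, directory: Dict[str, List[str]],
                nested: bool) -> Set[str]:
    """All groups the user belongs to. With nested=True (the
    $wgLDAPGroupSearchNestedGroups option seen in the comments) also walk
    group-of-group membership; the visited set stops circular groups."""
    found = direct_groups(user_dn, directory)
    if not nested:
        return found
    queue = deque(found)
    while queue:
        group_dn = queue.popleft()
        for parent in direct_groups(group_dn, directory):
            if parent not in found:
                found.add(parent)
                queue.append(parent)
    return found


def group_name(group_dn: str) -> str:
    """Value of the naming attribute ($wgLDAPGroupNameAttribute = "cn"), i.e.
    the first RDN. With $wgLDAPUseLDAPGroups this becomes the MediaWiki group
    name, so it must match the key used in $wgGroupPermissions."""
    first_rdn = group_dn.split(",", 1)[0]
    return first_rdn.partition("=")[2]


def evaluate(user_dn: str, directory: Dict[str, List[str]],
             required: List[str], excluded: List[str],
             nested: bool = False) -> Tuple[bool, List[str]]:
    """Return (login allowed, MediaWiki groups to sync) for one user.

    Assumption of this model: membership in any one required group is
    enough, and membership in any excluded group denies the login."""
    groups = user_groups(user_dn, directory, nested)
    required_set = {norm_dn(dn) for dn in required}
    excluded_set = {norm_dn(dn) for dn in excluded}
    if required_set and not (groups & required_set):
        return False, []          # $wgLDAPRequiredGroups not satisfied
    if groups & excluded_set:
        return False, []          # hit in $wgLDAPExcludedGroups
    return True, sorted(group_name(g) for g in groups)


if __name__ == "__main__":
    required = ["cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com"]
    excluded = ["cn=excluded-wiki-users,ou=groups,dc=testad,dc=example,dc=com"]
    for user in ("CN=Ryan Lane,DC=testad,DC=example,DC=com",
                 "CN=Alice Admin,DC=testad,DC=example,DC=com",
                 "CN=Bob Banned,DC=testad,DC=example,DC=com"):
        for nested in (False, True):
            allowed, wiki_groups = evaluate(user, SAMPLE_GROUPS, required,
                                            excluded, nested=nested)
            print(f"{user:50} nested={nested!s:5} allowed={allowed} groups={wiki_groups}")
```

Note that Alice is only admitted when nested groups are searched: without the walk, her membership in wiki-admins never satisfies the wiki-users requirement, which is the kind of silent denial a debug log at level 3 will show as “Couldn’t find the user in any groups”.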

Retrieving preferences

The LDAP plugin can pull certain attributes from AD and assign them to MediaWiki user preferences. The preferences currently available are email, realname, nickname, and language. You can configure which MediaWiki preference maps to which AD attribute; put the following in your LocalSettings.php to retrieve preferences:

$wgLDAPPreferences = array( "TESTAD"=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName","language"=>"preferredLanguage") );

Finding user and group DNs, and object attributes

To find the DN of a group or user for use in any of the options mentioned above, use the dsquery command. For example, to find the DN of the wiki-users group:

dsquery group -name "wiki-users"
"cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com"

To get the value of specific attributes, use the dsquery command in conjunction with the dsget command:

dsquery user -name "test-user"
"cn=test-user,ou=Domain Users,dc=testad,dc=example,dc=com"
dsget "cn=test-user,ou=Domain Users,dc=testad,dc=example,dc=com" -upn
  upn
  test-user@TESTAD.EXAMPLE.COM

You can get a lot of information with these commands; to see what else they can do, read the help output from dsquery /?.

Test your configuration by logging in with an LDAP user

If you are doing group synchronization, you should ensure users are correctly added to and removed from MediaWiki groups when they are added to and removed from your AD groups. If you are retrieving preferences, you should ensure they are updated when you log in.

If you have any questions, you should post them on the discussion page for the plugin on mediawiki.org, or leave me a comment (the former is preferred).


42 Responses to “Using the LDAP Authentication Plugin for MediaWiki – The Basics (Part 3)”

  1. dorscher says:

    Hi Ryan,

    Thanks for the article. I followed all the instructions and got authentication to work. Now, assuming the MW and LDAP groups are synced, should I be able to see all the LDAP groups under “User rights management” in the mediawiki? I don’t see them there unless I do “$wgGroupPermissions['group-name']['edit'] = true;”, but that’s manual entry; aren’t they supposed to get synced automatically?

    I would really appreciate some guidance. Thanks!

    • Ryan Lane says:

      Only groups defined in LocalSettings.php are shown in “User rights management”. This isn’t an LDAP plugin thing, this is a MediaWiki thing. It makes sense though; there isn’t a reason for a user to be in a group if a group doesn’t have any permissions.

      • dorscher says:

        Where is the benefit of syncing then?

        Ideally I would want the users belonging to some group in LDAP be attached to a group with the same name in the wiki. So that way I could set appropriate permissions for all groups, and not having to manually attach individual users to some group through “User rights management” page (after they login).

        How do I get that to work?

        • dorscher says:

          Never mind, I got it to work by adding “$wgGroupPermissions['group-name']['edit'] = true;” with the same group-name that’s in the Active Directory. (The ones I used before didn’t match, hence syncing didn’t work.)

          Your initial hint helped straighten this out. Thanks Ryan!

  2. Chase says:

    I’m trying to set it up so that anyone in the AD group “Domain Admins” gets sysop abilities.

    I’ve done everything in the above tutorial, including
    $wgGroupPermissions['Domain Admins'] = $wgGroupPermissions['sysop'];

    dsquery of the group gives:
    “CN=Domain Admins,CN=Users,DC=MYDOMAIN,…”

    I don’t know if the fact that it’s a two-word group is causing issues, or the fact that there are two CN attributes.

    Any ideas? When I go to edit a user’s groups, it shows “Domain Admins” as a group, but it’s not checked for users that are in that AD group.

    • Ryan Lane says:

      Can you post your config and debug info with sensitive stuff snipped out? Without more info, I don’t really know what is going on.

      • Chase says:

        Not sure where the debug info is, but here is the relative portion of LocalSettings.php

        require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
        $wgAuth = new LdapAuthenticationPlugin();
        $wgLDAPDomainNames = array( "MYDOMAIN" );
        $wgLDAPServerNames = array( "MYDOMAIN" => "dc1.mydomain.domain.com dc2.mydomain.domain.com" );
        $wgLDAPSearchStrings = array( "MYDOMAIN" => "MYDOMAIN\\USER-NAME" );
        $wgLDAPEncryptionType = array( "MYDOMAIN" => "clear" );

        $wgLDAPPreferences = array( 'MYDOMAIN'=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName" ) );

        $wgLDAPGroupUseFullDN = array( "MYDOMAIN"=>true );
        $wgLDAPBaseDNs = array( 'MYDOMAIN' => 'dc=mydomain,dc=domain,dc=com' );
        $wgLDAPSearchAttributes = array( 'MYDOMAIN' => 'sAMAccountName' );

        $wgLDAPGroupsUseMemberOf = array( "MYDOMAIN" => true );
        $wgLDAPUseLDAPGroups = array( "MYDOMAIN"=>true );

        $wgGroupPermissions['Domain Admins'] = $wgGroupPermissions['sysop'];

        • Ryan Lane says:

          Notice you are missing some options that are listed in this blog entry. You need the following:

          //The objectclass of the groups we want to search for
          $wgLDAPGroupObjectclass = array( "MYDOMAIN"=>"group" );
          
          //The attribute used for group members
          $wgLDAPGroupAttribute = array( "MYDOMAIN"=>"member" );
          
          //The naming attribute of the group
          $wgLDAPGroupNameAttribute = array( "MYDOMAIN"=>"cn" );
          

          Also, for debug info, which is critical for troubleshooting, use the debug options listed on the extension’s options page.

          • Chase says:

            I thought those options were only needed if you weren’t using the memberOf approach. I tried both ways, but I don’t think I ever had both of them set at the same time, so I’ll try that, and if it’s still not working, get you the other output you need.

          • Chase says:

            I have the debug output from when I attempted to log in. It’s level 3. Is there a way I can get it to you privately?

      • Chase says:

        N:\>dsquery group -name "domain admins"
        "CN=Domain Admins,CN=Users,DC=mydomain,DC=domain,DC=com"

  3. MuRDoCK says:

    Hi,

    The authentication works, but Preferences don’t work properly. These are the commands I use:
    $wgLDAPDomainNames = array( "MyDomain" );
    $wgLDAPServerNames = array( "MyDomain" => "xxx.MyDomain" );
    $wgLDAPSearchStrings = array( "MyDomain" => "USER-NAME@MyDomain" );
    $wgLDAPEncryptionType = array( "MyDomain" => "clear" );
    $wgLDAPUseLocal = false;
    $wgMinimalPasswordLength = 1;
    $wgLDAPBaseDNs = array( "MyDomain"=>"OU=Users_domain,DC=domain,DC=com" );
    ##$wgLDAPSearchAttributes = array( "MyDomain"=>"sAMAccountName" );
    ##$wgLDAPDebug = 3;
    $wgLDAPRetrievePrefs = array( "MyDomain"=>true );
    $wgShowExceptionDetails = true;
    $wgLDAPPreferences = array( "MyDomain"=>array( "email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName","language"=>"preferredLanguage" ) );

    Could you help me?

    Thanks

    MuRDoCK

  4. Ashwin Patil says:

    Hi

    Where can I find the document or discussion for group-based authentication and group restriction for non-AD LDAP [OpenLDAP]?

    Regards
    Ashwin

  5. Chris Hubbard says:

    Hi,

    Great extension and support. I’ve been able to get the plugin to authenticate for my test group and users are able to authenticate; however, I have a single user that fails. I have verified that the user is a proper member of the group and that there were no _ in the user name or password. Any other suggestions?

  6. WR says:

    I have a working wiki site that allows login through LDAP. The problem I’m having is making members of a particular AD group SYSOPS on the wiki.

    I have the following line that lists the group name from AD that I want to have sysops rights:

    $wgGroupPermissions['AD GROUPNAME'] = $wgGroupPermissions['sysop'];

    So, when I go into WIKI w/ my authenticated AD account and visit the Special:ListGroupRights page I see the group from AD, but no members exist in this group.

    Would appreciate your help identifying my error. I’ve posted the info from my LocalSettings.php file below.

    #LDAP AUTHENTICATION

    require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );

    $wgAuth = new LdapAuthenticationPlugin();

    $wgLDAPDomainNames = array( "DOMAIN" );

    $wgLDAPServerNames = array( "DOMAIN" => "DOMAINCONTROLLER" );

    $wgLDAPEncryptionType = array( "DOMAIN" => "ssl" );

    $wgLDAPUseLocal = true;

    $wgMinimalPasswordLength = 1;

    $wgLDAPProxyAgent = array( "DOMAIN" => "CN=svc_mw,OU=1140,OU=GSC,OU=users,OU=BUSINESSNAME,DC=DOMAIN,DC=BUSINESSNAME,DC=com" );

    $wgLDAPProxyAgentPassword = array( "DOMAIN" => "PASSWORD HERE" );

    $wgLDAPBaseDNs = array( "DOMAIN" => "ou=hdsusers,ou=BUSINESSNAME,dc=DOMAIN,dc=BUSINESSNAME,dc=com" );

    $wgLDAPSearchAttributes = array( "DOMAIN" => "sAMAccountName" );

    $wgGroupPermissions['*']['edit'] = false;

    $wgGroupPermissions['*']['read'] = true;

    $wgLDAPRequiredGroups = array( "DOMAIN"=>array( "CN=GROUPNAME,OU=MailOnly,OU=LOG,OU=GROUPS,DC=DOMAIN,DC=BUSINESSNAME,DC=com" ) );

    $wgLDAPGroupUseFullDN = array( "DOMAIN"=>true );

    $wgLDAPGroupObjectclass = array( "DOMAIN"=>"group" );

    $wgLDAPGroupAttribute = array( "DOMAIN"=>"member" );

    $wgLDAPGroupNameAttribute = array( "DOMAIN"=>"cn" );

    $wgLDAPBaseDNs = array( "DOMAIN"=>"DC=DOMAIN,DC=BUSINESSNAME,DC=com" );

    #$wgLDAPUseLDAPGroups = array( "DOMAIN"=>true );

    $wgLDAPUseLDAPGroups = array( "DOMAIN"=>true, "DOMAIN"=>true );

    $wgGroupPermissions['serveradmin'] = $wgGroupPermissions['sysop'];

  7. Oleg Müller says:

    Hi Ryan,

    I think this is wrong:

    $wgLDAPRequiredGroups = array( "TESTAD"=>"cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com" );

    this worked for me:

    $wgLDAPRequiredGroups = array( "TESTAD"=> array( "cn=wiki-users,ou=groups,dc=testad,dc=example,dc=com" ) );

  8. Dave Bhattacharya says:

    Ryan,

    OS – Windows 2003
    LDAP – Active Directory
    ldapauthentication – Authentication part is working

    I am trying to implement login for users from a specific AD group only

    Here is my configuration
    #Authenticate users from an Active Directory
    require_once( "/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( "mydomain" );
    $wgLDAPServerNames = array( "mydomain" => "dgaad3.mydomain.com dgaad4@mydomain.com dgaad5.mydomain.com" );
    $wgLDAPSearchStrings = array( "mydomain" => "USER-NAME@mydomain" );
    $wgLDAPEncryptionType = array( "mydomain" => "clear" );

    # AD Group permissions
    $wgLDAPRequiredGroups = array( "mydomain"=>array( "cn=ittest,cn=users,dc=mydomain,dc=com" ) );
    $wgLDAPGroupUseFullDN = array( "mydomain"=>true );
    $wgLDAPGroupObjectclass = array( "mydomain"=>"ittest" );
    # $wgLDAPGroupAttribute = array( "mydomain"=>"member" );
    $wgLDAPGroupSearchNestedGroups = array( "mydomain"=>true );
    $wgLDAPGroupNameAttribute = array( "mydomain"=>"cn" );
    $wgLDAPBaseDNs = array( "dgadomain"=>"dc=mydomain,dc=com" );

    Here is the error msg that I am getting
    Entering Connect
    Using TLS or not using encryption.
    Using servers: ldap://dgaad3.dgadomain.com ldap://dgaad4@dgadomain.com ldap://dgaad5.dgadomain.com
    Connected successfully
    Entering getSearchString
    Doing a straight bind
    userdn is: Dbhattacharya@dgadomain

    Binding as the user
    Bound successfully
    Entering getUserDN
    Created a regular filter: (=Dbhattacharya)
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Using base: dc=dgadomain,dc=com
    Couldn’t find an entry
    Pulled the user’s DN:
    Checking for (new style) group membership
    Entering isMemberOfRequiredLdapGroup
    Required groups:cn=ittest,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(=)(objectclass=ittest))
    No entries returned from search.
    Couldn’t find the user in any groups (1).
    Entering strict.
    Returning true in strict().
    Entering allowPasswordChange
    Entering modifyUITemplate

    I have followed instructions step by step and am not sure where I am going wrong. Any suggestions will be mighty helpful.
    Thank you,

    Dave Bhattacharya

    • Ryan Lane says:

      You should have the following set:

      $wgLDAPGroupObjectclass = array( "mydomain"=>"group" );
      $wgLDAPGroupAttribute = array( "mydomain"=>"member" );
      $wgLDAPGroupNameAttribute = array( "mydomain"=>"cn" );

      That is the schema that AD uses. So those shouldn’t be changed.

  9. Dave Bhattacharya says:

    Thank you for the quick reply.
    I have changed the code to this:
    #Authenticate users from an Active Directory
    require_once( "/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( "dgadomain" );
    $wgLDAPServerNames = array( "dgadomain" => "dgaad3.dgadomain.com dgaad4@dgadomain.com dgaad5.dgadomain.com" );
    $wgLDAPSearchStrings = array( "dgadomain" => "USER-NAME@dgadomain" );
    $wgLDAPEncryptionType = array( "dgadomain" => "clear" );

    # AD Group permissions
    $wgLDAPRequiredGroups = array( "dgadomain"=>array( "cn=itest,cn=users,dc=dgadomain,dc=com" ) );
    $wgLDAPGroupUseFullDN = array( "dgadomain"=>true );
    $wgLDAPGroupObjectclass = array( "dgadomain"=>"group" );
    $wgLDAPGroupAttribute = array( "dgadomain"=>"member" );
    $wgLDAPGroupSearchNestedGroups = array( "dgadomain"=>true );
    $wgLDAPGroupNameAttribute = array( "dgadomain"=>"cn" );
    $wgLDAPBaseDNs = array( "dgadomain"=>"dc=dgadomain,dc=com" );

    In addition to the above-mentioned log messages, I am getting the following after
    Search string: (&(member=)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497

    Any thoughts?

  10. Dave Bhattacharya says:

    Ryan,
    Thank you for working with me on this.
    I added the statement in, but the debug error I get when I try to log in is a tad different now, and still no success.

    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=group policy creator owners,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=group policy creator owners,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=administrators,cn=builtin,dc=dgadomain,dc=com)(objectclass=group))

    and it repeats a few times.

    I don’t mean to monopolize your time. When you have a chance, please let me know what is going on.

    Thank you,

    Dave Bhattacharya

    • Ryan Lane says:

      That’s a really weird thing for it to be searching for. Somehow the DN returned for the user had to have been that. Can you post the full debug with sensitive stuff snipped out?

  11. Dave Bhattacharya says:

    Here is the LDAP-related part of my LocalSettings.php file:

    #Authenticate users from an Active Directory
    require_once( "/extensions/LdapAuthentication/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( "dgadomain" );
    $wgLDAPServerNames = array( "dgadomain" => "dgaad3.dgadomain.com dgaad4@dgadomain.com dgaad5.dgadomain.com" );
    $wgLDAPSearchStrings = array( "dgadomain" => "USER-NAME@dgadomain" );
    $wgLDAPEncryptionType = array( "dgadomain" => "clear" );

    # AD Group permissions
    $wgLDAPRequiredGroups = array( "dgadomain"=>array( "cn=itest,cn=users,dc=dgadomain,dc=com" ) );
    $wgLDAPGroupUseFullDN = array( "dgadomain"=>true );
    $wgLDAPGroupObjectclass = array( "dgadomain"=>"group" );
    $wgLDAPGroupAttribute = array( "dgadomain"=>"member" );
    $wgLDAPGroupSearchNestedGroups = array( "dgadomain"=>true );
    $wgLDAPGroupNameAttribute = array( "dgadomain"=>"cn" );
    $wgLDAPBaseDNs = array( "dgadomain"=>"dc=dgadomain,dc=com" );
    $wgLDAPSearchAttributes = array( "dgadomain" => "sAMAccountName" );

    # AD debug statements - helpful somewhat, remove pound sign to activate
    $wgLDAPDebug = 3;
    $wgDebugLogGroups["ldap"] = "/tmp/debug.log";

    Here is the full debug:

    Using TLS or not using encryption.
    Using servers: ldap://dgaad3.dgadomain.com ldap://dgaad4@dgadomain.com ldap://dgaad5.dgadomain.com
    Connected successfully
    Entering getSearchString
    Doing a straight bind
    userdn is: Dbhattacharya@dgadomain

    Binding as the user
    Bound successfully
    Entering getUserDN
    Created a regular filter: (sAMAccountName=Dbhattacharya)
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Using base: dc=dgadomain,dc=com
    Fetched username is not a string (check your hook code…). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
    Pulled the user’s DN: CN=Dave X. Bhattacharya,OU=IT Techs,OU=IT Dept,OU=DGA Users,DC=DGADomain,DC=com
    Checking for (new style) group membership
    Entering isMemberOfRequiredLdapGroup
    Required groups:cn=itest,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=CN=Dave X. Bhattacharya,OU=IT Techs,OU=IT Dept,OU=DGA Users,DC=DGADomain,DC=com)(objectclass=group))
    Returned groups:cn=domain admins,cn=users,dc=dgadomain,dc=com,cn=administrators,cn=builtin,dc=dgadomain,dc=com,cn=backup operators,cn=builtin,dc=dgadomain,dc=com,cn=it dept,cn=users,dc=dgadomain,dc=com,cn=it dept distribution list,cn=users,dc=dgadomain,dc=com,cn=it staff,cn=users,dc=dgadomain,dc=com,cn=it alert list,cn=users,dc=dgadomain,dc=com,cn=it techs,cn=users,dc=dgadomain,dc=com,cn=employee status,cn=users,dc=dgadomain,dc=com,cn=full web access,cn=users,dc=dgadomain,dc=com,cn=ittest,ou=it techs,ou=it dept,ou=dga users,dc=dgadomain,dc=com
    Returned groups:domain admins,administrators,backup operators,it dept,it dept distribution list,it staff,it alert list,it techs,employee status,full web access,ittest
    Entering searchNestedGroups
    Checking groups:cn=domain admins,cn=users,dc=dgadomain,dc=com,cn=administrators,cn=builtin,dc=dgadomain,dc=com,cn=backup operators,cn=builtin,dc=dgadomain,dc=com,cn=it dept,cn=users,dc=dgadomain,dc=com,cn=it dept distribution list,cn=users,dc=dgadomain,dc=com,cn=it staff,cn=users,dc=dgadomain,dc=com,cn=it alert list,cn=users,dc=dgadomain,dc=com,cn=it techs,cn=users,dc=dgadomain,dc=com,cn=employee status,cn=users,dc=dgadomain,dc=com,cn=full web access,cn=users,dc=dgadomain,dc=com,cn=ittest,ou=it techs,ou=it dept,ou=dga users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=domain admins,cn=users,dc=dgadomain,dc=com)(objectclass=group))
    Returned groups:cn=administrators,cn=builtin,dc=dgadomain,dc=com,cn=callanalyst group,cn=users,dc=dgadomain,dc=com
    Returned groups:administrators,callanalyst group
    Group cn=domain admins,cn=users,dc=dgadomain,dc=com is in the following groups:cn=administrators,cn=builtin,dc=dgadomain,dc=com,cn=callanalyst group,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=administrators,cn=builtin,dc=dgadomain,dc=com
    Checking membership for: cn=callanalyst group,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=administrators,cn=builtin,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=administrators,cn=builtin,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=backup operators,cn=builtin,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=backup operators,cn=builtin,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=it dept,cn=users,dc=dgadomain,dc=com)(objectclass=group))
    Returned groups:cn=callanalyst group,cn=users,dc=dgadomain,dc=com,cn=ademcostatus,cn=users,dc=dgadomain,dc=com,cn=580 employees,cn=users,dc=dgadomain,dc=com,cn=it mastermind,cn=users,dc=dgadomain,dc=com,cn=ramiv group,cn=users,dc=dgadomain,dc=com,cn=full access,ou=permissions,ou=salesproposal.dev,dc=dgadomain,dc=com,cn=53rd st employees,cn=users,dc=dgadomain,dc=com
    Returned groups:callanalyst group,ademcostatus,580 employees,it mastermind,ramiv group,full access,53rd st employees
    Group cn=it dept,cn=users,dc=dgadomain,dc=com is in the following groups:cn=callanalyst group,cn=users,dc=dgadomain,dc=com,cn=ademcostatus,cn=users,dc=dgadomain,dc=com,cn=580 employees,cn=users,dc=dgadomain,dc=com,cn=it mastermind,cn=users,dc=dgadomain,dc=com,cn=ramiv group,cn=users,dc=dgadomain,dc=com,cn=full access,ou=permissions,ou=salesproposal.dev,dc=dgadomain,dc=com,cn=53rd st employees,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=callanalyst group,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=ademcostatus,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=580 employees,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=it mastermind,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=ramiv group,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=full access,ou=permissions,ou=salesproposal.dev,dc=dgadomain,dc=com
    Checking membership for: cn=53rd st employees,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=it dept distribution list,cn=users,dc=dgadomain,dc=com)(objectclass=group))
    Returned groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Returned groups:dga employees
    Group cn=it dept distribution list,cn=users,dc=dgadomain,dc=com is in the following groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=dga employees,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=it staff,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=it staff,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=it alert list,cn=users,dc=dgadomain,dc=com)(objectclass=group))
    Returned groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Returned groups:dga employees
    Group cn=it alert list,cn=users,dc=dgadomain,dc=com is in the following groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=dga employees,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=it techs,cn=users,dc=dgadomain,dc=com)(objectclass=group))
    Returned groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Returned groups:dga employees
    Group cn=it techs,cn=users,dc=dgadomain,dc=com is in the following groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=dga employees,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=employee status,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=employee status,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=full web access,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=full web access,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=ittest,ou=it techs,ou=it dept,ou=dga users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=ittest,ou=it techs,ou=it dept,ou=dga users,dc=dgadomain,dc=com is in the following groups:
    Entering searchNestedGroups
    Checking groups:cn=administrators,cn=builtin,dc=dgadomain,dc=com,cn=callanalyst group,cn=users,dc=dgadomain,dc=com,cn=callanalyst group,cn=users,dc=dgadomain,dc=com,cn=ademcostatus,cn=users,dc=dgadomain,dc=com,cn=580 employees,cn=users,dc=dgadomain,dc=com,cn=it mastermind,cn=users,dc=dgadomain,dc=com,cn=ramiv group,cn=users,dc=dgadomain,dc=com,cn=full access,ou=permissions,ou=salesproposal.dev,dc=dgadomain,dc=com,cn=53rd st employees,cn=users,dc=dgadomain,dc=com,cn=dga employees,cn=users,dc=dgadomain,dc=com,cn=dga employees,cn=users,dc=dgadomain,dc=com,cn=dga employees,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=administrators,cn=builtin,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=administrators,cn=builtin,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=callanalyst group,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=callanalyst group,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=callanalyst group,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=callanalyst group,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=ademcostatus,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=ademcostatus,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=580 employees,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=580 employees,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=it mastermind,cn=users,dc=dgadomain,dc=com)(objectclass=group))
    Returned groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Returned groups:dga employees
    Group cn=it mastermind,cn=users,dc=dgadomain,dc=com is in the following groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Checking membership for: cn=dga employees,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=ramiv group,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=ramiv group,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=full access,ou=permissions,ou=salesproposal.dev,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=full access,ou=permissions,ou=salesproposal.dev,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=53rd st employees,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=53rd st employees,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=dga employees,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=dga employees,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=dga employees,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=dga employees,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=dga employees,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=dga employees,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering searchNestedGroups
    Checking groups:cn=dga employees,cn=users,dc=dgadomain,dc=com
    Entering getUserGroups
    Entering getGroups
    Entering getBaseDN
    basedn is not set for this type of entry, trying to get the default basedn.
    Entering getBaseDN
    basedn is dc=dgadomain,dc=com
    Search string: (&(member=cn=dga employees,cn=users,dc=dgadomain,dc=com)(objectclass=group))

    Warning: array_shift() expects parameter 1 to be array, null given in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1492

    Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\wiki\extensions\LdapAuthentication\LdapAuthentication.php on line 1497
    Returned groups:
    Returned groups:
    Group cn=dga employees,cn=users,dc=dgadomain,dc=com is in the following groups:
    Entering searchNestedGroups
    Couldn’t find user in any nested groups.
    Couldn’t find the user in any groups (2).
    Entering strict.
    Returning true in strict().
    Entering allowPasswordChange
    Entering modifyUITemplate

    • Ryan Lane says:

      Based on this output, I’d have to imagine there is a bug in the nested search code. The plugin is definitely finding groups, but every time it hits array_shift on a group that isn’t in any groups, it loses the group info. AD always returns an entry whether there were actual results or not (which is really annoying), and the plugin has always had an issue with it, but it looks like this is the problem. Let me see if I can find the fix, and I’ll update the plugin in SVN. Until then, let’s try using memberof instead. Use the following configuration:

      # AD Group permissions
      $wgLDAPRequiredGroups = array( "dgadomain"=>array("cn=itest,cn=users,dc=dgadomain,dc=com") );
      $wgLDAPGroupUseFullDN = array( "dgadomain"=>true );
      $wgLDAPGroupsUseMemberOf = array( "dgadomain" => true );

      You won’t need any of the other group settings for this. Notice that this will not work if you need to restrict based on someone’s primary group.
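The debug output above shows the two things that go wrong in a nested search against AD: a group that belongs to no other group comes back as an empty result that must not be treated as an error, and the same parent group (dga employees) gets searched again and again. The following is an added example, not the plugin's code and not the fix Ryan refers to; it models that walk in Python over a constructed in-memory directory with example.com names. The result shape mimics PHP's ldap_get_entries() (a 'count' key plus numbered entries) so the empty-result case is visible, and the "any required group is enough" rule in user_allowed is an assumption of the example, not a statement about the plugin's semantics.

```python
from collections import deque

# Constructed sample directory (example.com names, not a real domain):
# group DN -> DNs of the groups it is a direct member of. This stands in
# for what the plugin's (&(member=<dn>)(objectclass=group)) search returns.
PARENTS = {
    "cn=it techs,cn=users,dc=example,dc=com": [
        "cn=dga employees,cn=users,dc=example,dc=com"],
    "cn=it alert list,cn=users,dc=example,dc=com": [
        "cn=dga employees,cn=users,dc=example,dc=com"],
    "cn=dga employees,cn=users,dc=example,dc=com": [
        "cn=all staff,cn=users,dc=example,dc=com"],
    # Deliberate cycle for the example: all staff is itself in dga employees.
    "cn=all staff,cn=users,dc=example,dc=com": [
        "cn=dga employees,cn=users,dc=example,dc=com"],
    "cn=it staff,cn=users,dc=example,dc=com": [],
}


def ldap_search_parents(dn):
    """Mimic the shape PHP's ldap_get_entries() returns:
    {'count': N, 0: {'dn': ...}, 1: {'dn': ...}}.
    AD hands back a result even when nothing matched, so 'count' may be 0
    with no numbered entries behind it."""
    parents = PARENTS.get(dn.lower(), [])
    result = {"count": len(parents)}
    for i, parent in enumerate(parents):
        result[i] = {"dn": parent}
    return result


def entries_to_dns(result):
    """Convert a raw result into a list of lower-cased DNs. A result with
    count 0 is a normal answer (the group is in no other group) and yields
    [] rather than an error."""
    if not result or result.get("count", 0) == 0:
        return []
    return [result[i]["dn"].lower() for i in range(result["count"])]


def resolve_nested_groups(direct_groups):
    """Breadth-first walk from the user's direct groups to every group the
    user is in transitively. 'seen' both stops cycles and avoids searching
    the same parent group repeatedly."""
    seen = set()
    queue = deque(g.lower() for g in direct_groups)
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for parent in entries_to_dns(ldap_search_parents(group)):
            if parent not in seen:
                queue.append(parent)
    return seen


def user_allowed(direct_groups, required_groups):
    """Required-group check against direct plus nested membership.
    Any one required group is enough here (an assumption of this example)."""
    all_groups = resolve_nested_groups(direct_groups)
    return any(r.lower() in all_groups for r in required_groups)


if __name__ == "__main__":
    user_groups = ["cn=it techs,cn=users,dc=example,dc=com",
                   "cn=it staff,cn=users,dc=example,dc=com"]
    for g in sorted(resolve_nested_groups(user_groups)):
        print(g)
    print(user_allowed(user_groups, ["cn=all staff,cn=users,dc=example,dc=com"]))
```

With memberOf enabled, as in the configuration above, none of this searching happens on the wiki side: AD supplies the group list directly, which is why it sidesteps the bug but also why it cannot see a user's primary group.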

  12. Dave Bhattacharya says:

    Ryan – Thank you. This worked like a charm.
    Before I implemented this I was playing around with AD and I noticed that test group ‘ittest’ was not part of an OU. I made it part of an OU and changed the parameter $wgLDAPRequiredGroups accordingly, which worked.
    I took ‘ittest’ out of the OU and tested your solution and that worked as well.

    Thanks again for your input and help.

  13. John randall says:

    Hey Ryan,

    Having some issues with restricted groups. Authentication works, but we need to restrict authentication to a specific OU. Here is our setup:

    require_once( "$IP/extensions/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();

    // Working Basic Authentication
    $wgLDAPDomainNames = array("EQ");
    $wgLDAPServerNames = array("EQ"=>"PORWAD01.corp.intranet");
    $wgLDAPSearchStrings = array("EQ" => "USER-NAME@EQ.INTRANET" );
    $wgLDAPEncryptionType = array("EQ"=>"clear");

    //Group Restrictions

    //Set to use FDN for groups
    $wgLDAPGroupUseFullDN = array( "EQ"=>true );

    //Set Base DNs for the domain
    $wgLDAPBaseDNs = array( "EQ" => "dc=eq,dc=intranet" );

    //Set AD search attribute
    $wgLDAPSearchAttributes = array( "EQ" => "sAMAccountName" );

    //The objectclass of the groups we want to search for
    $wgLDAPGroupObjectclass = array( "EQ"=>"group" );

    //The attribute used for group members
    $wgLDAPGroupAttribute = array( "EQ"=>"member" );

    //The naming attribute of the group
    $wgLDAPGroupNameAttribute = array( "EQ"=>"cn" );

    $wgLDAPGroupSearchNestedGroups = array( "EQ"=>true );

    $wgLDAPRequiredGroups = array( "eq"=> array( "ou=Desktop Support,ou=Domain Support Staff,ou=Domain Users,dc=eq,dc=intranet" ) );

    Authenticated users need to be a member of the Desktop Support OU. When I use DSQuery on that OU it returns:

    "OU=Desktop Support,OU=Domain Support Staff,OU=Domain Users,DC=EQ,DC=Intranet"

    Any insight you might be able to give would be greatly appreciated. Thanks!

  14. Ben says:

    Hi,
    I got the same issue: I can authenticate, but when a valid user is created, the permissions are not added to the wiki database.

    LDAP: Windows 2003 R2 Enterprise x86
    Webserver: Ubuntu 8.10

    Here is my config file:
    ############### LDAP Configurations #####################
    require_once( "$IP/extensions/LdapAuthentication.php" );

    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDebug = 6;
    $wgDebugLogGroups["ldap"] = "/tmp/dLDAP.log" ;

    // disable local database
    #$wgLDAPUseLocal = false;

    // Connection to AD
    $wgLDAPDomainNames = array("maison.local");
    $wgLDAPServerNames = array("maison.local"=>"chef.maison.local");
    $wgLDAPSearchStrings = array('maison.local'=>'USER-NAME@maison.local');
    $wgLDAPEncryptionType = array("maison.local"=>"clear");

    // Check if user is allowed to login

    // Group Configuration
    $wgLDAPGroupUseFullDN = array("maison.local"=>true);
    $wgLDAPBaseDNs = array('maison.local'=>'dc=maison,dc=local');
    $wgLDAPSearchAttributes = array('maison.local'=>'sAMAccountName');
    $wgLDAPGroupsUseMemberOf = array("maison.local"=>true);
    $wgLDAPGroupObjectclass = array("maison.local"=>"group");
    $wgLDAPGroupAttribute = array("maison.local"=>"member");
    $wgLDAPGroupNameAttribute = array("maison.local"=>"cn");

    // Check if user is allowed to login
    $wgLDAPRequiredGroups = array("maison.local"=> array("cn=wiki_users,ou=groups,ou=maison,dc=maison,dc=local"));

    // Excludes Users

    // Group Sync
    $wgLDAPUseLDAPGroups = array("maison.local"=>true);

    // **************** Group Permissions **************** //
    $wgGroupPermissions['Wiki-Read']['edit'] = false;

    // Retrieving Preferences
    $wgLDAPPreferences = array( "maison.local"=>array("email"=>"mail","realname"=>"cn","nickname"=>"sAMAccountName","language"=>"preferredLanguage"));

    Here is the output (debug file):
    2010-02-16 03:19:00 wikidb-wk_: Entering validDomain
    2010-02-16 03:19:00 wikidb-wk_: User is not using a valid domain.
    2010-02-16 03:19:00 wikidb-wk_: Setting domain as: invaliddomain
    2010-02-16 03:19:00 wikidb-wk_: Entering allowPasswordChange
    2010-02-16 03:19:00 wikidb-wk_: Entering modifyUITemplate
    2010-02-16 03:19:09 wikidb-wk_: Entering validDomain
    2010-02-16 03:19:09 wikidb-wk_: User is using a valid domain.
    2010-02-16 03:19:09 wikidb-wk_: Setting domain as: maison.local
    2010-02-16 03:19:09 wikidb-wk_: Entering getCanonicalName
    2010-02-16 03:19:09 wikidb-wk_: Username isn’t empty.
    2010-02-16 03:19:09 wikidb-wk_: Munged username: Benoit
    2010-02-16 03:19:09 wikidb-wk_: Entering authenticate
    2010-02-16 03:19:09 wikidb-wk_:
    2010-02-16 03:19:09 wikidb-wk_: Entering Connect
    2010-02-16 03:19:09 wikidb-wk_: Using TLS or not using encryption.
    2010-02-16 03:19:09 wikidb-wk_: Using servers: ldap://chef.maison.local
    2010-02-16 03:19:09 wikidb-wk_: Connected successfully
    2010-02-16 03:19:09 wikidb-wk_: Entering getSearchString
    2010-02-16 03:19:09 wikidb-wk_: Doing a straight bind
    2010-02-16 03:19:09 wikidb-wk_: userdn is: Benoit@maison.local
    2010-02-16 03:19:09 wikidb-wk_:
    2010-02-16 03:19:09 wikidb-wk_: Binding as the user
    2010-02-16 03:19:09 wikidb-wk_: Bound successfully
    2010-02-16 03:19:09 wikidb-wk_: Entering getUserDN
    2010-02-16 03:19:09 wikidb-wk_: Created a regular filter: (sAMAccountName=Benoit)
    2010-02-16 03:19:09 wikidb-wk_: Entering getBaseDN
    2010-02-16 03:19:09 wikidb-wk_: basedn is not set for this type of entry, trying to get the default basedn.
    2010-02-16 03:19:09 wikidb-wk_: Entering getBaseDN
    2010-02-16 03:19:09 wikidb-wk_: basedn is dc=maison,dc=local
    2010-02-16 03:19:09 wikidb-wk_: Using base: dc=maison,dc=local
    2010-02-16 03:19:09 wikidb-wk_: Fetched username is not a string (check your hook code…). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
    2010-02-16 03:19:09 wikidb-wk_: Pulled the user’s DN: CN=Benoit Elemond,OU=HomeUsers,OU=Maison,DC=maison,DC=local
    2010-02-16 03:19:09 wikidb-wk_: Entering getGroups
    2010-02-16 03:19:09 wikidb-wk_: Retrieving LDAP group membership
    2010-02-16 03:19:09 wikidb-wk_: Using memberOf
    2010-02-16 03:19:09 wikidb-wk_: Entering checkGroups
    2010-02-16 03:19:09 wikidb-wk_: Checking for (new style) group membership
    2010-02-16 03:19:09 wikidb-wk_: Required groups: cn=wiki_users,ou=groups,ou=maison,dc=maison,dc=local
    2010-02-16 03:19:09 wikidb-wk_: Checking against: cn=wiki_admin,ou=groups,ou=maison,dc=maison,dc=local
    2010-02-16 03:19:09 wikidb-wk_: Checking against: cn=wiki-read,ou=groups,ou=maison,dc=maison,dc=local
    2010-02-16 03:19:09 wikidb-wk_: Checking against: cn=wiki_users,ou=groups,ou=maison,dc=maison,dc=local
    2010-02-16 03:19:09 wikidb-wk_: Found user in a group.
    2010-02-16 03:19:09 wikidb-wk_: Entering getPreferences
    2010-02-16 03:19:09 wikidb-wk_: Retrieving preferences
    2010-02-16 03:19:09 wikidb-wk_: Retrieved email (benoit.elemond@gmail.com) using attribute (mail)
    2010-02-16 03:19:09 wikidb-wk_: Retrieved realname (Benoit Elemond) using attribute (cn)
    2010-02-16 03:19:09 wikidb-wk_: Entering synchUsername
    2010-02-16 03:19:09 wikidb-wk_: Authentication passed
    2010-02-16 03:19:09 wikidb-wk_: Entering updateUser
    2010-02-16 03:19:09 wikidb-wk_: Setting user preferences.
    2010-02-16 03:19:09 wikidb-wk_: Setting realname.
    2010-02-16 03:19:09 wikidb-wk_: Setting email.
    2010-02-16 03:19:09 wikidb-wk_: Setting user groups.
    2010-02-16 03:19:09 wikidb-wk_: Entering setGroups.
    2010-02-16 03:19:09 wikidb-wk_: Locally managed groups is unset, using defaults: bot::sysop::bureaucrat
    2010-02-16 03:19:09 wikidb-wk_: Available groups are: bot::sysop::bureaucrat::Wiki-Read
    2010-02-16 03:19:09 wikidb-wk_: Effective groups are: *::user::autoconfirmed
    2010-02-16 03:19:09 wikidb-wk_: Checking to see if user is in: bot
    2010-02-16 03:19:09 wikidb-wk_: Entering hasLDAPGroup
    2010-02-16 03:19:09 wikidb-wk_: Checking to see if user is in: sysop
    2010-02-16 03:19:09 wikidb-wk_: Entering hasLDAPGroup
    2010-02-16 03:19:09 wikidb-wk_: Checking to see if user is in: bureaucrat
    2010-02-16 03:19:09 wikidb-wk_: Entering hasLDAPGroup
    2010-02-16 03:19:09 wikidb-wk_: Checking to see if user is in: Wiki-Read
    2010-02-16 03:19:09 wikidb-wk_: Entering hasLDAPGroup
    2010-02-16 03:19:09 wikidb-wk_: Saving user settings.

    The user is a member of Wiki_Users, which allows him to connect, and he is also a member of Wiki-Read, which disables the Edit feature. But when the user logs in for the first time, the permissions/user group are not created in the MySQL database. It seems that the script does not find the actual group in AD.

    Can you help me out?

    Thanks!!

    • Ryan Lane says:

      Try setting:

      $wgGroupPermissions['Wiki-Read']['edit'] = false;

      to:

      $wgGroupPermissions['wiki-read']['edit'] = false;

      I convert everything to lower-case to make things easier to deal with in the code. Some things show up inconsistently cased in many people’s LDAP directories.
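The reply above comes down to one rule: the plugin lower-cases the group names it pulls from LDAP, so a $wgGroupPermissions key that is not all lower-case can never be matched during group sync. The following is an added example in Python, not the plugin's code, that models that comparison and adds a small configuration check for mixed-case keys. The memberOf values and both LocalSettings variants are constructed; treating MediaWiki's implicit groups and the plugin's default locally managed groups (bot, sysop, bureaucrat, as listed in the debug output above) as not syncable is a simplification of this example, and rdn_value ignores escaped commas inside an RDN value.

```python
# MediaWiki's implicit groups: every user is in these, so there is nothing
# to sync for them (simplification of this example).
IMPLICIT_GROUPS = {"*", "user", "autoconfirmed"}

# Groups left to local administration. The debug output above shows the
# plugin's default list: bot::sysop::bureaucrat.
LOCALLY_MANAGED_GROUPS = {"bot", "sysop", "bureaucrat"}


def rdn_value(dn):
    """Value of the first RDN of a DN: 'CN=Wiki-Read,OU=groups,...' -> 'Wiki-Read'.
    Simplified: does not handle escaped commas inside an RDN value."""
    first_rdn = dn.split(",", 1)[0]
    _attr, _sep, value = first_rdn.partition("=")
    return value.strip()


def ldap_group_names(member_of_dns):
    """Short LDAP group names, lower-cased as the plugin does before comparing."""
    return {rdn_value(dn).lower() for dn in member_of_dns}


def syncable_wiki_groups(group_permissions):
    """Wiki groups the sync may assign: every $wgGroupPermissions key that is
    neither implicit nor locally managed (an assumption of this example)."""
    return [g for g in group_permissions
            if g not in IMPLICIT_GROUPS and g not in LOCALLY_MANAGED_GROUPS]


def sync_groups(group_permissions, member_of_dns):
    """Return (assigned, not_assigned). The wiki key is compared verbatim
    against the lower-cased LDAP names, so a mixed-case key never matches."""
    ldap_names = ldap_group_names(member_of_dns)
    assigned, not_assigned = [], []
    for wiki_group in syncable_wiki_groups(group_permissions):
        (assigned if wiki_group in ldap_names else not_assigned).append(wiki_group)
    return assigned, not_assigned


def mixed_case_group_keys(group_permissions):
    """Config check: syncable $wgGroupPermissions keys that can never be
    matched because they are not all lower-case."""
    return [g for g in syncable_wiki_groups(group_permissions) if g != g.lower()]


# Constructed sample: the user's memberOf values and two LocalSettings variants,
# the mixed-case key from the question and the lower-cased key from the reply.
MEMBER_OF = [
    "CN=wiki_users,OU=groups,OU=example,DC=example,DC=com",
    "CN=Wiki-Read,OU=groups,OU=example,DC=example,DC=com",
]
PERMISSIONS_BROKEN = {"*": {"read": True}, "user": {"read": True}, "sysop": {},
                      "Wiki-Read": {"edit": False}}
PERMISSIONS_FIXED = {"*": {"read": True}, "user": {"read": True}, "sysop": {},
                     "wiki-read": {"edit": False}}

if __name__ == "__main__":
    print("mixed-case keys:", mixed_case_group_keys(PERMISSIONS_BROKEN))
    print("broken:", sync_groups(PERMISSIONS_BROKEN, MEMBER_OF))
    print("fixed: ", sync_groups(PERMISSIONS_FIXED, MEMBER_OF))
```

Running mixed_case_group_keys over a LocalSettings.php before enabling $wgLDAPUseLDAPGroups catches this class of mistake without a login attempt and a debug log.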

  15. ich says:

    Hi,

    I have working basic AD authentication, but I must authenticate against a normal, non-AD LDAP server. I changed the configuration, but after login MediaWiki says “Password Wrong”; there is no LDAP error…

  16. Graham Seaman says:

    I have been authenticating against AD OK, using $wgLDAPRequiredGroups to specify a required group membership. Now I need to add a second group, where people must be in one or both of the two groups (inclusive OR). I believe that adding more groups to the $wgLDAPRequiredGroups array ANDs the group requirements instead. Is there any way to do what I need?

    Thanks
    Graham

  17. ricardo says:

    Hello,
    My authentication against AD is working. Requiring group membership to allow login is also working. But I would like to do more. I would like to restrict access to some areas, categories, or articles to specific groups. One group may only read, another may edit, etc.
    Is it possible?

    Thanks in advance!
    Ricardo

    • Ryan Lane says:

      Fine grained read restrictions aren’t safely possible in MediaWiki. There are a number of extensions that offer it, but none of them can really be trusted. MediaWiki natively supports write restrictions for namespaces based on groups though.

  18. Tim says:

    Hi,

    I can authenticate fine, but I’m having an issue with the group permissions. I think the name of the group permissions is not being recognized and therefore they are not assigned.

    2010-03-11 09:10:55 wiki-i2_: Pulled the user’s DN: CN=Testuser,OU=Testgroup,OU=Domain users,DC=domain,DC=local
    2010-03-11 09:10:55 wiki-i2_: Entering getGroups
    2010-03-11 09:10:55 wiki-i2_: Retrieving LDAP group membership
    2010-03-11 09:10:55 wiki-i2_: Using memberOf
    2010-03-11 09:10:55 wiki-i2_: Entering checkGroups
    2010-03-11 09:10:55 wiki-i2_: Checking for (new style) group membership
    2010-03-11 09:10:55 wiki-i2_: Required groups: cn=sv – wiki,ou=services,dc=domain,dc=local
    2010-03-11 09:10:55 wiki-i2_: Checking against: cn=sv – wiki,ou=services,dc=domain,dc=local
    2010-03-11 09:10:55 wiki-i2_: Found user in a group.
    2010-03-11 09:10:55 wiki-i2_: Entering getPreferences
    2010-03-11 09:10:55 wiki-i2_: Entering synchUsername
    2010-03-11 09:10:55 wiki-i2_: Authentication passed
    2010-03-11 09:10:55 wiki-i2_: Entering updateUser
    2010-03-11 09:10:55 wiki-i2_: Setting user groups.
    2010-03-11 09:10:55 wiki-i2_: Entering setGroups.
    2010-03-11 09:10:55 wiki-i2_: Locally managed groups is unset, using defaults: bot::sysop::bureaucrat
    2010-03-11 09:10:55 wiki-i2_: Available groups are: sv – wiki::bureaucrat
    2010-03-11 09:10:55 wiki-i2_: Effective groups are: *::user::autoconfirmed
    2010-03-11 09:10:55 wiki-i2_: Checking to see if user is in: sv – wiki
    2010-03-11 09:10:55 wiki-i2_: Entering hasLDAPGroup
    2010-03-11 09:10:55 wiki-i2_: Checking to see if user is in: bureaucrat
    2010-03-11 09:10:55 wiki-i2_: Entering hasLDAPGroup
    2010-03-11 09:10:55 wiki-i2_: Saving user settings.

    $wgGroupPermissions['*']['read'] = false;
    $wgGroupPermissions['user']['read'] = false;
    $wgGroupPermissions['sv - wiki']['read'] = true;
    $wgGroupPermissions['sv - wiki']['edit'] = true;
    $wgGroupPermissions['sv - wiki']['createpage'] = true;
    $wgGroupPermissions['sv - wiki']['minoredit'] = true;
    $wgWhitelistRead = array( "Special:Userlogout", "Special:Userlogin");

    Could someone shed some light on why this is occurring?

    Thanks!

  19. Hugo Vasques says:

    Hello Ryan,

    I am Brazilian, sorry for any mistake in English.

    I have a wiki site that already works with LDAP authentication and SSO, functioning normally.

    Now I need to sync the AD groups with the Wiki.

    I.e., create a group in AD with some number of users and have the wiki recognize that group’s privileges and permissions. Could you help me? Below is how I set up LocalSettings.php.

    ## AD integration

    require_once( "extensions/LdapAuthentication.php" );
    $wgAuth = new LdapAuthenticationPlugin();

    ## AD configuration
    $wgLDAPDomainNames = array("domain");
    $wgLDAPServerNames = array("domain"=>"FQDN do servidor");
    $wgLDAPUseLocal = true;
    $wgLDAPEncryptionType = array("domain"=>"clear");
    $wgLDAPSearchStrings = array("domain"=>"BR\\USER-NAME");
    $wgLDAPSearchAttributes = array("domain"=>"sAMAccountName");
    $wgLDAPBaseDNs = array("domain"=>"DC=xxx,DC=xxxx,DC=xxxx");
    $wgLDAPUserBaseDNs = array ("domain"=>"OU=xxx,OU=Users,OU=xxxxxxx,DC=xx,DC=xxxxx,DC=xxxx");
    $wgLDAPUseLDAPGroups = array("BR"=>true);
    $wgLDAPGroupNameAttribute = array( "domain"=>"group=AL-WIKICORPORATIVO-BR,OU=Groups,OU=Resources,OU=xxxxxxxxx,DC=xxxxx,DC=xxxxxx,DC=xxxxx" );
    $wgLDAPGroupsPrevail = array("domain"=>true);
    ##$wgLDAPGroupsPrevail = array("domain"=>true);
    #$wgLDAPDebug = 1;

    I look forward to your reply.

    Thank you.

  20. Nick says:

    Hello Ryan,

    thanks for your article, it made setting up LDAP authentication (restricting access to members of some LDAP groups) really easy.
    Since we’re using a setup based on posixAccount/posixGroup we really needed the plugin to deal with primary groups as well. I made a patch that pulls a user’s primary group from LDAP. In case somebody is interested, you can find it here:
    http://www.biotec.tu-dresden.de/~nickd/patches/mediawiki-ldap-auth.patch

    Regards, Nick
