shanept / mediawiki-LdapAuth

New LdapAuthentication provider plugin for mediawiki
GNU General Public License v3.0

Not compatible with openLDAP #4

Open Eikir opened 5 years ago

Eikir commented 5 years ago

LdapAuth expects $wgLdapAuthDomainNames to be set, but openLDAP cannot handle requests like USERNAME@AUTHDOMAINNAME.

MediaWiki log file:

[authentication] Attempting to bind to LDAP for search with DN "uid=++++1++++,ou=people,dc=++++2++++,dc=++++3++++,dc=++++4++++@++++AUTHDOMAINNAME++++".
[authentication] Bound successfully.
[authentication] Username and Password do not match. Please try again.
[authentication] Invalid DN syntax
[GlobalTitleFail] MessageCache::parse called by Shanept\LdapAuth\Exceptions\ConnectionException->construct/Exception->construct/Message->__toString/Message->toString/Message->parseText/MessageCache->parse with no title set.
[authentication] Login failed in primary authentication by Shanept\LdapAuth\Auth\PrimaryAuthenticationProvider

openLDAP log file:

2018-12-11T20:24:42.163198+01:00 ldap slapd[3036]: conn=78930 fd=30 ACCEPT from IP=++++++++:47748 (IP=0.0.0.0:389)
2018-12-11T20:24:42.163465+01:00 ldap slapd[3036]: conn=78930 op=0 BIND dn="uid=++++1++++,ou=people,dc=++++2++++,dc=++++3++++,dc=++++4++++" method=128
2018-12-11T20:24:42.163614+01:00 ldap slapd[3036]: conn=78930 op=0 BIND dn="uid=++++1++++,ou=people,dc=++++2++++,dc=++++3++++,dc=++++4++++" mech=SIMPLE ssf=0
2018-12-11T20:24:42.163775+01:00 ldap slapd[3036]: conn=78930 op=0 RESULT tag=97 err=0 text=
2018-12-11T20:24:42.174979+01:00 ldap slapd[3036]: conn=78930 op=1 BIND anonymous mech=implicit ssf=0
2018-12-11T20:24:42.175155+01:00 ldap slapd[3036]: conn=78930 op=1 do_bind: invalid dn (++++USERNAME++++@++++AUTHDOMAINNAME++++)
2018-12-11T20:24:42.175290+01:00 ldap slapd[3036]: conn=78930 op=1 RESULT tag=97 err=34 text=invalid DN
2018-12-11T20:24:42.224574+01:00 ldap slapd[3036]: conn=78930 op=2 UNBIND
2018-12-11T20:24:42.224859+01:00 ldap slapd[3036]: conn=78930 fd=30 closed

When $wgLdapAuthDomainNames is left empty or set to false an exception occurs.

[exception] [XBAJqy6jcZ8AAAJpZpIAAAAE] /index.php?title=Spezial:Anmelden&returnto=Spezial:Version TypeError from line 100 of /var/www/vhosts/++++++++/httpdocs/extensions/LdapAuth/src/Auth/PrimaryAuthenticationProvider.php: Argument 1 passed to Shanept\LdapAuth\Auth\PrimaryAuthenticationProvider::beginPrimaryLdapAuthentication() must be an instance of Shanept\LdapAuth\Auth\LdapAuthenticationRequest, null given, called in /var/www/vhosts/++++++++/httpdocs/extensions/LdapAuth/src/Auth/PrimaryAuthenticationProvider.php on line 88

LocalSettings.php

wfLoadExtension( 'LdapAuth' );
$wgLdapAuthDomainNames = '++++AUTHDOMAINNAME++++';
$wgLdapAuthServers = '++++++++';
$wgLdapAuthBindDN = 'uid=++++1++++,ou=people,dc=++++2++++,dc=++++3++++,dc=++++4++++';
$wgLdapAuthBindPass = '++++++++';
$wgLdapAuthSearchFilter = '(&(objectClass=person)(uid=%1$si))';

dmbekker commented 5 years ago

Any update on this? Would be really nice if OpenLDAP is supported in the near future.

Luticus commented 5 years ago

I'm also trying to do this with openldap. I found some settings that seemed to get me a little farther along, but still not working. It can't seem to validate, either saying that there is no user by the entered name on the server, or simply saying invalid credentials. I managed to get past the invalid bind dn error I originally got by using some apparently hidden vars I found via your extension.json.

wfLoadExtension( 'LdapAuth' );
$wgLdapAuthDomainNames = 'Example.com';
$wgLdapAuthServers = 'ldap.example.com';
$wgLdapAuthBindDN = 'cn=account,dc=example,dc=com';
$wgLdapAuthBindPass = 'censored';
$wgLdapAuthBaseDN = 'DC=Example,DC=com';
$wgLdapAuthSearchTree = true;
$wgLdapAuthSearchFilter = '(|(uid=%1$s))';
$wgLdapAuthEncryptionType = 'ssl';
$wgLdapAuthUseLocal = true;
$wgLdapAuthRequireDomain = false;
$wgLdapAuthIsActiveDirectory = false;
$wgLdapAuthIsOpenLDAP = true;
$wgLdapAuthDisplayNameField = "uid";

Please let me know if there's anything I can do to make this work or if I should simply wait for an updated version.
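The two bind strategies behind the logs in this thread, as an added Python example that is not the extension's code: the user@domain identity that slapd refuses with err=34 "invalid DN" (op=1 in the openLDAP log), versus the search-then-bind flow an OpenLDAP directory needs, using a service bind DN and base DN like the ones in the configs above. The in-memory directory, its entries, the DN pattern and the filter template are constructed stand-ins, not a real slapd.

```python
"""Search-then-bind against an OpenLDAP-style directory, contrasted with the
UPN-style bind (user@domain) that slapd rejects with err=34 invalid DN."""
import re

# Constructed in-memory stand-in for slapd: DN -> (password, attributes).
FAKE_DIRECTORY = {
    "uid=svc,ou=people,dc=example,dc=com": ("svc-secret", {"uid": "svc"}),
    "uid=alice,ou=people,dc=example,dc=com": ("alice-pw", {"uid": "alice"}),
}
# Minimal "looks like a DN" check: comma-separated attr=value pairs.
DN_RE = re.compile(r"^[a-z]+=[^,=]+(,[a-z]+=[^,=]+)*$", re.IGNORECASE)


class InvalidDnSyntax(Exception):
    """Mirrors LDAP result code 34 (invalidDNSyntax) from the slapd log."""


def simple_bind(dn, password):
    """Simulated simple bind: non-DN identities such as user@domain fail
    with invalid DN syntax, exactly what slapd logged at op=1."""
    if not DN_RE.match(dn):
        raise InvalidDnSyntax(dn)
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry[0] == password


def bind_as_upn(user, domain, password):
    """Active Directory style: uid@domain as the bind identity."""
    try:
        ok = simple_bind(f"{user}@{domain}", password)
        return "ok" if ok else "invalid credentials"
    except InvalidDnSyntax:
        return "err=34 invalid DN"


def escape_filter_value(value):
    """RFC 4515 escaping so the username cannot alter the search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def build_filter(template, user):
    """Substitute the username into a '%1$s' template, escaped first."""
    return template.replace("%1$s", escape_filter_value(user))


def authenticate_openldap(user, password, base_dn, bind_dn, bind_pw):
    """1) bind as the service account, 2) search base_dn for the user's DN,
    3) re-bind as that DN. Returns the user's DN on success, else None."""
    if not simple_bind(bind_dn, bind_pw):
        return None
    matches = [dn for dn, (_, attrs) in FAKE_DIRECTORY.items()
               if dn.endswith(base_dn) and attrs["uid"] == user]
    if len(matches) != 1:  # unknown or ambiguous user: refuse to bind
        return None
    return matches[0] if simple_bind(matches[0], password) else None
```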