
I have a MediaWiki (1.34) running on a Debian 10 Linux VM on our local network. We have a local domain (abc.local) managed by Win Server 2008 R2. I am trying to implement LDAP so only abc.local domain users can use our wiki. I installed all the necessary extensions and everything seems to work when I use this test ldapprovider.json to test. I don't know credentials for this test domain so I get this:

[screenshot of the login error, not reproduced]

This seems to tell me that LDAP is working though and that it tried to authenticate based on the bogus user creds I supplied. So, now I tried to modify the ldapprovider.json for my local domain. All I tried at first attempt was to change "server", "user", and "pass". The 5.5.5.5 is our internal local domain controller.

{
    "LDAP": {
            "connection": {
                    "server": "5.5.5.5",
                    "user": "cn=Administrator,dc=example,dc=com",
                    "pass": "XXXXXXXXXX",
                    "options": {
                            "LDAP_OPT_DEREF": 1
                    },
                    "basedn": "dc=example,dc=com",
                    "groupbasedn": "dc=example,dc=com",
                    "userbasedn": "dc=example,dc=com",
                    "searchattribute": "uid",
                    "searchstring": "uid=USER-NAME,dc=example,dc=com",
                    "usernameattribute": "uid",
                    "realnameattribute": "cn",
                    "emailattribute": "mail"
            },
            "userinfo": {
                    "attributes-map": {
                            "email": "mail",
                            "realname": "cn",
                            "nickname": "uid",
                            "language": "preferredlanguage"
                    }
            },
            "groupsync": {
                    "mapping": {
                            "mathematicians": "ou=mathematicians,dc=example,dc=com",
                            "scientists": "ou=scientists,dc=example,dc=com"
                    }
            }
    }
}

This time when I enter user credentials I get the following error:

[f66f7d40890c442c71165a80] /index.php/Special:PluggableAuthLogin MWException from line 157 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (49) Invalid credentials

Backtrace:

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(80): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(313): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(76): MediaWiki\Extension\LDAPProvider\Client->canBindAs(string, string)
#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)
#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)
#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()
#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()
#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()
#10 {main}

I do not know how to modify the ldapprovider.json for my local domain abc.local. Don't know if this helps, but when I join computers to the domain I use "abc.local" and when users log in they use "abc\username".

p.s. I've only made it this far because of serious help/tutoring I received from this question. Just hate to give up...

EDIT1: I joined my Linux machine to the Windows domain and have the following results from the realm discover, realm join, and id commands. Working fine - can id a user rjsmith (he is a user and also in the engineers group).

root@mediawiki-linux:/etc# realm discover abc.local
abc.local
  type: kerberos
  realm-name: abc.local
  domain-name: abc.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin



root@mediawiki-linux:/etc# realm join abc.local
Password for Administrator:
root@mediawiki-linux:/etc#


root@mediawiki-linux:/etc# realm discover abc.local
abc.local
  type: kerberos
  realm-name: abc.local
  domain-name: abc.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@abc.local
  login-policy: allow-realm-logins


root@mediawiki-linux:/etc# id rjsmith@abc.local
uid=521401112(rjsmith@abc.local) gid=521400513(domain users@abc.local) groups=521400513(domain users@abc.local),521401111(engineers@abc.local)

EDIT2: This is my LDAPProviderDomainConfigProvider function in my LocalSettings.php file. Still getting the "Could not bind to LDAP: (49) Invalid credentials" error.

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'LDAP' => [
            'connection' => [
                "server" => "5.5.5.5",
                "user" => "cn=Administrator@abc.local,dc=abc,dc=local",
                "pass" => 'password',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=abc,dc=local",
                "groupbasedn" => "dc=abc,dc=local",
                "userbasedn" => "dc=abc,dc=local",
                "searchattribute" => "uid",
                "searchstring" => "uid=USER-NAME,dc=abc,dc=local",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ]
        ]
    ];

    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
relayman357

  • Can you check if the username and password combination works with `ldapsearch`: https://stackoverflow.com/questions/42845186/ldapsearch-with-username-and-password – Florian Jan 04 '20 at 11:51
  • I tried both `ldapsearch` and `ldapwhoami` and they both return not found (e.g. `-bash: ldapwhoami: command not found`). So, now I'm running `apt-get install ldap-utils` to install [these utilities](https://manpages.debian.org/testing/ldap-utils/index.html). – relayman357 Jan 04 '20 at 16:03
  • When I run `ldapwhoami -x -D "cn=Administrator,dc=abc,dc=local" -W` I get an `Enter LDAP Password:` prompt but after entering the password I get `ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)` – relayman357 Jan 04 '20 at 16:10
  • When I run `ldapsearch -x -LLL -h ip -D 'cn=Administrator,dc=abc,dc=local' -w PASSWORDHERE -b 'dc=users,dc=local' -s sub '(objectClass=*)' 'givenName=Smith*'` I get that same response (can't contact LDAP server). – relayman357 Jan 04 '20 at 16:13
  • I wonder if my Debian box needs to be [joined to the domain](https://www.server-world.info/en/note?os=Debian_10&p=realmd) before this will work? – relayman357 Jan 04 '20 at 16:16
  • Did you try to add the `-p` parameter for the port and `-h` for the servername? – Florian Jan 04 '20 at 16:31
  • No, but I'll try to figure that out and try it now. I did go ahead and [join the domain](https://www.server-world.info/en/note?os=Debian_10&p=realmd) and am getting responses from the AD (I'll post as EDIT1 in my question). – relayman357 Jan 04 '20 at 16:33
  • Ok, if it is working with ldapsearch with the very same credentials, then I don't have an idea what is not working here, sorry. – Florian Jan 04 '20 at 16:52
  • ldapsearch is not working yet. I just tried `ldapsearch -x -LLL -D 'cn=Administrator,dc=abc,dc=local' -W -b 'dc=users,dc=local' -s sub '(objectClass=*)' 'givenName=Smith*' -h 5.5.5.5` and now I'm getting `ldap_bind: Invalid credentials (49)` with additional info saying `AcceptSecurityContext error`. – relayman357 Jan 04 '20 at 17:06
  • Then you need to first solve the credentials issue. Probably there's a configuration missing or wrong. – Florian Jan 04 '20 at 17:25
  • Minor progress, based on [this info](https://support.kemptechnologies.com/hc/en-us/articles/204990569-LDAP-Using-LDAP-Search-to-test-ESP-authentication) I tried the following `ldapsearch -H ldap://5.5.5.5 -D "rjsmith@abc.local" -w 'userspwdhere'`. It works (binds) but finds no object (NameErr: DSID-031001E5, problem 2001 (NO_OBJECT)). I'll pull that thread now. – relayman357 Jan 04 '20 at 18:58
  • This works! `ldapsearch -H ldap://5.5.5.5 -D "Administrator@abc.local" -w 'passwdhere' -b DC=abc,DC=local`. It barfs out a ton of details from the AD - user details, computer details etc. – relayman357 Jan 04 '20 at 19:08
  • So, now that `ldapsearch` works how do I modify my mediawiki configuration (LocalSettings.php and ldapprovider.json) to work with it? – relayman357 Jan 04 '20 at 19:32
  • You just use the same properties, based on the parameters used in the ldapsearch command. From what I see in the ldapsearch, the username you should use in the json is "Administrator@abc.local", even if that doesn't make much sense to be honest. It's worth a try :D – Florian Jan 04 '20 at 21:47
  • Florian, can't thank you enough for all your help and patience. My last attempt is shown above as EDIT2. I just can't get it to bind to LDAP. I'm going to just throw in the towel and force our folks to create a local login on the wiki. Maybe they will build LDAP into Mediawiki in the future and I can migrate us. You have been a great help sir. – relayman357 Jan 05 '20 at 01:30
  • No, what I meant was the string "Administrator@abc.local" as a user, without any cn or dn. And, btw.: Ldap as authentication will most likely not end up in MediaWiki core anytime soon. The use case is just too special to be built into it. And, an extension exists, which works for most people :D And even if it ends up in MediaWiki core, the configuration would be roughly the same ;) And migrating local users to ldap is not as easy as you might think as of now :D – Florian Jan 05 '20 at 10:30
  • So you mean just modify the "user" line in my LocalSettings.php file (shown in EDIT2 above)? – relayman357 Jan 05 '20 at 14:34
  • Yep, instead of `"user" => "cn=Administrator@abc.local,dc=abc,dc=local",` use `"user" => "Administrator@abc.local",`. I'm not sure why this should be so weird, and I'm by far not a pro in Ldap related stuff, but when you use it like that in ldapsearch, I would at least try it in the MW extension, as well. – Florian Jan 05 '20 at 14:36
  • This is real progress. I changed it like you said and now when I try a login with a test user I get `User rjsmith not authorized.`. If I purposely put in the wrong pwd I get `Could not authenticate credentials against domain "abc.local"` so it is clearly working nicely with the AD. Now I think I just need to figure out how to give my domain users access to the wiki. – relayman357 Jan 05 '20 at 19:09
  • Now it depends on what your actual ldapprovider.json looks like. Is there anything group-related that does not match anymore? You probably really need to check the LDAP configuration of your LDAP server and the properties you used in the MediaWiki extension. They seem to not really match, tbh. – Florian Jan 05 '20 at 20:20
  • I don't have an ldapprovider.json because I'm using the inline PHP. I will start a new question as this is sort of a new topic. If you will make your comment about `"user" => "Administrator@abc.local"` into an Answer I will gladly accept it. Wish I could give you 1000 points. – relayman357 Jan 05 '20 at 20:47

1 Answer

Based on the comments, your error looks to be that the username you need to bind the LDAP connection with is not cn=Administrator@abc.local,dc=abc,dc=local but rather Administrator@abc.local.

So, changing that in your LDAP configuration for the extension to something like this:

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'LDAP' => [
            'connection' => [
                "server" => "5.5.5.5",
                "user" => "Administrator@abc.local",
                "pass" => 'password',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=abc,dc=local",
                "groupbasedn" => "dc=abc,dc=local",
                "userbasedn" => "dc=abc,dc=local",
                "searchattribute" => "uid",
                "searchstring" => "uid=USER-NAME,dc=abc,dc=local",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ]
        ]
    ];

    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

should do the trick (take a look at the changed user property) for retrieving user information from the LDAP on login.

Florian
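As an added example (not code from the question, the answer, or the LDAPProvider project), here is how a hardened version of the same inline configuration could look for an Active Directory domain: the bind user keeps the UPN form that worked with ldapsearch, but it is a dedicated read-only service account instead of Administrator, the bind password lives in a file outside the web root, the connection uses LDAPS, and the lookup attributes use sAMAccountName, because AD does not populate uid. The service account name, the OUs, the DC hostname and the secret file path are constructed; the `port`/`enctype` connection keys and the UPN-form `searchstring` are assumptions about the LDAPProvider build in use.

```php
// Added example: hardened LDAPProvider inline config for an AD domain (assumptions noted).
$LDAPProviderDomainConfigProvider = function () {
    // Keep the bind secret out of LocalSettings.php. Constructed path; the file should be
    // owned by root, mode 0640, group-readable by the web server user only.
    $bindPass = trim( (string)@file_get_contents( '/etc/mediawiki/ldap-bind.secret' ) );
    if ( $bindPass === '' ) {
        throw new RuntimeException( 'LDAP bind secret is missing or empty' );
    }

    $config = [
        // Top-level key is the domain name offered at login.
        'abc.local' => [
            'connection' => [
                // Hostname rather than IP so the LDAPS certificate can be validated.
                'server' => 'dc01.abc.local',            // constructed hostname
                'port' => 636,                           // assumption: key supported by LDAPProvider
                'enctype' => 'ssl',                      // assumption: LDAPS, bind password not sent in clear
                // UPN bind form (the form that worked with ldapsearch on this page), but with a
                // least-privilege, read-only service account instead of Administrator.
                'user' => 'svc-wiki-ldap@abc.local',     // constructed account
                'pass' => $bindPass,
                'options' => [ 'LDAP_OPT_DEREF' => 1 ],
                'basedn' => 'dc=abc,dc=local',
                'userbasedn' => 'ou=Staff,dc=abc,dc=local',    // constructed OU: narrows user searches
                'groupbasedn' => 'ou=Groups,dc=abc,dc=local',  // constructed OU
                // AD stores the login name in sAMAccountName; "uid" is not set on AD user objects,
                // so a lookup on uid finds nothing even after the bind succeeds.
                'searchattribute' => 'samaccountname',
                'usernameattribute' => 'samaccountname',
                // Assumption: a UPN-form search string lets each user bind the same way the
                // "rjsmith@abc.local" ldapsearch did, instead of a uid=... DN that does not exist in AD.
                'searchstring' => 'USER-NAME@abc.local',
                'realnameattribute' => 'cn',
                'emailattribute' => 'mail',
            ],
        ],
    ];

    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
```

Verify the service account the same way the thread did before wiring it in: `ldapsearch -H ldaps://dc01.abc.local -D "svc-wiki-ldap@abc.local" -W -b DC=abc,DC=local "(sAMAccountName=rjsmith)"` should bind and return exactly one user entry.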