
With great help I seem to have LDAP in place on our internal wiki (running on a Debian 10 VM) in our local Windows domain (abc.local). I want all domain users to be able to edit the wiki. When I try to log in to the wiki with a test account (rjsmith) I get "User rjsmith not authorized." If I intentionally put in the wrong pwd for rjsmith I get "Could not authenticate credentials against domain "abc.local"".

Here is the LDAP inline function from my LocalSettings.php:

$LDAPProviderDomainConfigProvider = function () {
    $config = [
        "abc.local" => [
            "connection" => [
                "server" => "5.5.5.5",
                "user" => "Administrator@abc.local",
                "pass" => "password",
                "basedn" => "dc=abc,dc=local",
                "groupbasedn" => "dc=abc,dc=local",
                "userbasedn" => "dc=abc,dc=local",
                "searchattribute" => "samaccountname",
                "searchstring" => "USER-NAME@abc.local",
                "usernameattribute" => "samaccountname",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "authorization" => [
                "rules" => [
                    "groups" => [
                        "required" => [ "cn=Users,dc=abc,dc=local" ]
                    ]
                ]
            ],
            "userinfo" => [
                "email" => "mail",
                "realname" => "cn",
                "properties.gender" => "gender"
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

What do I need so that any domain user in the group Domain Users (abc.local/Users) can access the wiki?

thanks, russ

relayman357
`abc.local` is a bad domain to use. The `.local` TLD is used by mDNS and you will run into problems. Also, putting your Administrator credentials anywhere, especially in plaintext, is a *horrible* idea. If you use LDAP software that requires a bind account (sigh), rather create an account for this specific purpose, and remove all of its permissions. Any authenticated user can bind to LDAP. – Jonathon Reinhart Jan 05 '20 at 21:01

1 Answer


Yes! Even a blind squirrel finds a nut every once in a while! Got it working!

By lots of trial and error I ended up needing to only change the "groups" section to simply "group" => "Users". If I wanted to restrict it further I could have created a new domain group, WikiUsers, and put select users into it. Then I would need to set "group" => "WikiUsers" below. But I want any local domain user to have access, so what I have below is perfect.

Also, I made one other change from the configuration I show in my question above. I created a regular domain user that has no rights other than to log in (readonly@abc.local) so I don't have to use the Administrator account sending its pwd in the clear.

$LDAPProviderDomainConfigProvider = function () {
    $config = [
        "abc.local" => [
            "connection" => [
                "server" => "5.5.5.5",
                // Dedicated low-privilege bind account instead of Administrator
                "user" => "readonly@abc.local",
                "pass" => "password",
                "basedn" => "dc=abc,dc=local",
                "groupbasedn" => "dc=abc,dc=local",
                "userbasedn" => "dc=abc,dc=local",
                "searchattribute" => "samaccountname",
                "searchstring" => "USER-NAME@abc.local",
                "usernameattribute" => "samaccountname",
                "realnameattribute" => "cn",
                "emailattribute" => "mail",
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
            ],
            "authorization" => [
                "rules" => [
                    // Only the group name, not the full DN as in the question
                    "group" => "Users"
                ]
            ],
            "userinfo" => [
                "email" => "mail",
                "realname" => "cn",
                "properties.gender" => "gender"
            ]
        ]
    ];

    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
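As an added example (not part of the question or the answer, and not the LDAPProvider extension's own code), here is the same domain config with the bind password read from a root-owned file outside the web root instead of being written into LocalSettings.php; the file path, its ownership and its mode are assumptions. It goes into LocalSettings.php in place of the closure above.

```php
$LDAPProviderDomainConfigProvider = function () {
    // Assumed path: a file outside the web root holding only the bind password,
    // owned by root:www-data with mode 0640 (constructed for this example).
    $secretFile = '/etc/mediawiki/ldap-bind.secret';

    // Refuse to start if the secret is missing or world-readable; otherwise
    // we are back to a plaintext password anyone on the box can read.
    $perms = @fileperms( $secretFile );
    if ( $perms === false ) {
        throw new RuntimeException( "LDAP bind secret not found: $secretFile" );
    }
    if ( ( $perms & 0007 ) !== 0 ) {
        throw new RuntimeException( "LDAP bind secret $secretFile is world-readable; chmod 0640 it" );
    }
    $bindPass = trim( (string)file_get_contents( $secretFile ) );
    if ( $bindPass === '' ) {
        throw new RuntimeException( "LDAP bind secret $secretFile is empty" );
    }

    $config = [
        'abc.local' => [
            'connection' => [
                'server' => '5.5.5.5',
                // Dedicated read-only bind account from the answer, never Administrator.
                'user' => 'readonly@abc.local',
                'pass' => $bindPass,
                'basedn' => 'dc=abc,dc=local',
                'groupbasedn' => 'dc=abc,dc=local',
                'userbasedn' => 'dc=abc,dc=local',
                'searchattribute' => 'samaccountname',
                'searchstring' => 'USER-NAME@abc.local',
                'usernameattribute' => 'samaccountname',
                'realnameattribute' => 'cn',
                'emailattribute' => 'mail',
                'grouprequest' => 'MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory'
            ],
            // Same authorization rule the answer ended up with.
            'authorization' => [
                'rules' => [ 'group' => 'Users' ]
            ],
            'userinfo' => [
                'email' => 'mail',
                'realname' => 'cn'
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
```

The password is then never committed or backed up with LocalSettings.php, and a misconfigured file mode fails loudly at wiki start-up instead of silently exposing the bind credential.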