Question
I have a MediaWiki (1.34) running on a Debian 10 Linux VM on our local network. We have a local domain (abc.local) managed by Win Server 2008 R2. I am trying to implement LDAP so only abc.local domain users can use our wiki. I installed all the necessary extensions and everything seems to work when I use this test ldapprovider.json to test. I don't know credentials for this test domain so I get this:
This seems to tell me that LDAP is working though and tried to authenticate based on the bogus user creds I supplied. So, now I tried to modify the ldapprovider.json for my local domain. All I tried at first attempt was to change "server", "user", and "pass". The 5.5.5.5 is our internal local domain controller.
{
  "LDAP": {
    "connection": {
      "server": "5.5.5.5",
      "user": "cn=Administrator,dc=example,dc=com",
      "pass": "XXXXXXXXXX",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=example,dc=com",
      "groupbasedn": "dc=example,dc=com",
      "userbasedn": "dc=example,dc=com",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,dc=example,dc=com",
      "usernameattribute": "uid",
      "realnameattribute": "cn",
      "emailattribute": "mail"
    },
    "userinfo": {
      "attributes-map": {
        "email": "mail",
        "realname": "cn",
        "nickname": "uid",
        "language": "preferredlanguage"
      }
    },
    "groupsync": {
      "mapping": {
        "mathematicians": "ou=mathematicians,dc=example,dc=com",
        "scientists": "ou=scientists,dc=example,dc=com"
      }
    }
  }
}
This time when I enter user credentials I get the following error:
[f66f7d40890c442c71165a80] /index.php/Special:PluggableAuthLogin MWException from line 157 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (49) Invalid credentials
Backtrace:
#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(80): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(313): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(76): MediaWiki\Extension\LDAPProvider\Client->canBindAs(string, string)
#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)
#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)
#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()
#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()
#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()
#10 {main}
I do not know how to modify the ldapprovider.json for my local domain abc.local. Don't know if this helps, but when I join computers to the domain I use "abc.local" and when users log in they use "abc\username".
P.S. I've only made it this far because of serious help/tutoring I received from this question. Just hate to give up...
EDIT1: I joined my Linux machine to the Windows domain and have the following results for the realm discover, realm join, and id commands. Working fine - can id a user rjsmith (he is a user and also in the engineers group).
root@mediawiki-linux:/etc# realm discover abc.local
abc.local
type: kerberos
realm-name: abc.local
domain-name: abc.local
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
root@mediawiki-linux:/etc# realm join abc.local
Password for Administrator:
root@mediawiki-linux:/etc#
root@mediawiki-linux:/etc# realm discover abc.local
abc.local
type: kerberos
realm-name: abc.local
domain-name: abc.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@abc.local
login-policy: allow-realm-logins
root@mediawiki-linux:/etc# id rjsmith@abc.local
uid=521401112(rjsmith@abc.local) gid=521400513(domain users@abc.local) groups=521400513(domain users@abc.local),521401111(engineers@abc.local)
EDIT2: This is my LDAPProviderDomainConfigProvider function in my LocalSettings.php file. Still getting the "Could not bind to LDAP: (49) Invalid credentials." error.
$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				"server" => "5.5.5.5",   // trailing comma added; the posted snippet was missing it and would not parse
				"user" => "cn=Administrator@abc.local,dc=abc,dc=local",   // bind identity
				"pass" => 'password',                                     // bind password
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "dc=abc,dc=local",
				"groupbasedn" => "dc=abc,dc=local",
				"userbasedn" => "dc=abc,dc=local",
				"searchattribute" => "uid",
				"searchstring" => "uid=USER-NAME,dc=abc,dc=local",
				"usernameattribute" => "uid",
				"realnameattribute" => "cn",
				"emailattribute" => "mail"
			]
		]
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
Answer 1:
Based on the comments, your error looks to be that the username you need to bind the LDAP connection with is not cn=Administrator@abc.local,dc=abc,dc=local but rather Administrator@abc.local.
So, changing that in your LDAP configuration for the extension to something like this:
$LDAPProviderDomainConfigProvider = function() {
	$config = [
		'LDAP' => [
			'connection' => [
				"server" => "5.5.5.5",   // trailing comma added; the posted snippet was missing it and would not parse
				"user" => "Administrator@abc.local",   // bind with the userPrincipalName form instead of a made-up DN
				"pass" => 'password',
				"options" => [
					"LDAP_OPT_DEREF" => 1
				],
				"basedn" => "dc=abc,dc=local",
				"groupbasedn" => "dc=abc,dc=local",
				"userbasedn" => "dc=abc,dc=local",
				"searchattribute" => "uid",
				"searchstring" => "uid=USER-NAME,dc=abc,dc=local",
				"usernameattribute" => "uid",
				"realnameattribute" => "cn",
				"emailattribute" => "mail"
			]
		]
	];
	return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
should do the trick (take a look at the changed user property) for retrieving user information from the LDAP on login.
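The answer's fix is to change the bind identity format, but LDAP result 49 looks identical whether the identity string is malformed, the password is wrong, or the account is locked, so it helps to test the bind outside MediaWiki. The script below is an added example written for this page; it is not part of the question, the answer, or the LDAPProvider extension. The server 5.5.5.5, the realm abc.local, the "abc\" logon prefix and the user rjsmith come from the question; the function names, the sub-code table and the use of the ldap3 package for the live bind are this example's own assumptions. It tries the UPN form the answer recommends and the down-level form the domain users type, decodes the "data 52e"-style sub-code Active Directory appends to bind failures, and escapes the login name before placing it in a search filter (a name like "x)(objectClass=*" would otherwise rewrite the query). Two caveats worth keeping in mind: Administrator is a poor choice of bind account for a wiki (a dedicated read-only service account is enough to search and verify users), and a simple bind over plain port 389 sends that password in clear text on the wire.

```python
"""Diagnose an Active Directory simple bind outside MediaWiki.

Added example for this Q&A; not part of the question, the answer or the
LDAPProvider extension. Server 5.5.5.5, realm abc.local and user rjsmith are
taken from the question; everything else here is an assumption of this example.
"""
import re
import sys

# "data" sub-codes AD attaches to LDAP result 49. The LDAP result is the same
# for all of them; the sub-code says whether the password, the identity format
# or the account state is the actual problem.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password; AD also answers this for an identity it cannot resolve)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# RFC 4515 filter escapes.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def bind_candidates(domain, account, netbios=None):
    """Identity strings AD accepts for a simple bind.

    The UPN form is what the answer uses; the down-level form mirrors the
    "abc\\username" logon described in the question. A real object DN works
    too, but "cn=Administrator@abc.local,dc=abc,dc=local" is not one.
    """
    netbios = (netbios or domain.split(".")[0]).upper()
    return [
        ("upn", f"{account}@{domain}"),
        ("down-level", f"{netbios}\\{account}"),
    ]


def decode_ad_bind_error(diagnostic):
    """Pull the AD sub-code out of a bind diagnostic such as
    '80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580'.
    Returns (code, meaning), or None when no sub-code is present."""
    m = re.search(r"\bdata ([0-9a-fA-F]+)\b", diagnostic or "")
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login):
    """Filter that finds an AD user by logon name. AD populates sAMAccountName;
    the POSIX 'uid' attribute the question's config searches on is normally empty."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter(login)}))"


def try_bind(server, identity, password, base_dn, login_to_find):
    """Simple bind, then the user search the wiki would run next.
    Uses ldap3 (pip install ldap3), imported lazily so the helpers above work offline."""
    import ldap3  # assumption: ldap3 is installed on the wiki host

    srv = ldap3.Server(server, port=389, get_info=ldap3.NONE)
    conn = ldap3.Connection(srv, user=identity, password=password)
    if not conn.bind():
        return False, decode_ad_bind_error(conn.result.get("message", "")) or conn.result
    conn.search(base_dn, user_filter(login_to_find), attributes=["sAMAccountName", "cn", "mail"])
    found = [e.entry_attributes_as_dict for e in conn.entries]
    conn.unbind()
    return True, found


def main(argv):
    if len(argv) != 5:
        print("usage: ad_bind_check.py SERVER DOMAIN ACCOUNT PASSWORD", file=sys.stderr)
        return 2
    server, domain, account, password = argv[1:]
    base_dn = ",".join("dc=" + part for part in domain.split("."))
    for label, identity in bind_candidates(domain, account):
        ok, detail = try_bind(server, identity, password, base_dn, "rjsmith")  # rjsmith: user from the question
        print(f"{label:10} {identity:35} {'OK' if ok else 'FAIL'} {detail}")
        if ok:
            return 0
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 ad_bind_check.py 5.5.5.5 abc.local Administrator 'password'` from the wiki host. A bind that succeeds here with the UPN form but fails with the DN form reproduces the answer's diagnosis; a "data 52e" on every form points at the password, and "data 775" or "533" at the account rather than the configuration.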
Source: https://stackoverflow.com/questions/59587380/ldap-on-local-domain-with-mediawiki-on-debian-10