
Help with LDAP Authorization
Hello,

I set up a test instance of MediaWiki at our site and am trying to get it
configured for LDAP authentication. Per the documentation I could find, I
installed and configured the following extensions:

- LDAPAuthentication2
- LDAPAuthorization
- LDAPProvider
- PluggableAuth

Without LDAPAuthorization enabled, basic LDAP authentication works fine.
However, when I enable LDAPAuthorization and try to filter access by
membership in a specific group, authentication fails every time with an
error saying the user is not authorized.

More specifically, I created a group in our LDAP system called wiki-users
and added myself as a member. I then added an authorization block to the
json file and specified the full DN of this group as a required group. I'm
using plaintext LDAP so I can run packet captures and see the traffic.
When I capture the LDAP traffic, I can see that it's authenticating the
bind user and then my own user, but at no point does it query for this
group.

A sanitized version of my json file is pasted below. Any help is greatly
appreciated!

{
  "LDAP": {
    "connection": {
      "server": "my-LDAP-server.utica.edu",
      "port": "389",
      "enctype": "clear",
      "user": "cn=my-bind-user,dc=utica,dc=edu",
      "pass": "xxxxxxxxxxxx",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "dc=utica,dc=edu",
      "groupbasedn": "ou=groups,o=utica.edu,dc=utica,dc=edu",
      "userbasedn": "ou=people,o=utica.edu,dc=utica,dc=edu",
      "searchattribute": "uid",
      "searchstring": "uid=USER-NAME,ou=people,o=utica.edu,dc=utica,dc=edu",
      "usernameattribute": "uid",
      "realnameattribute": "ucPreferredName",
      "emailattribute": "mail"
    },
    "authorization": {
      "rules": {
        "groups": {
          "required": ["cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"]
        }
      }
    },
    "groupsync": {
      "mechanism": "mappedgroups",
      "mapping": {
        "sysop": "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu",
        "users": "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
      }
    },
    "userinfo": {
      "email": "mail",
      "realname": "ucPreferredName"
    }
  }
}

--
Dave Parker '11
Database & Systems Administrator
Utica College
Integrated Information Technology Services
(315) 792-3229
Registered Linux User #408177
Re: Help with LDAP Authorization
Not sure if this matters, but we're using Oracle Directory Server (formerly
Sun Directory Server Enterprise Edition). In a group, each member is
specified by a full user DN. Does the extension look for a member value
matching just the username?

Thanks.

On Wed, Aug 11, 2021 at 12:15 PM Dave Parker <dparker@utica.edu> wrote:



Re: Help with LDAP Authorization
It's a stab in the dark, but there are some LDAP auth implementations that
assume groups are returned when querying for a user, as that is generally how
LDAP servers work out of the box. If your groups are not included in user
query results, and I'm guessing they're not based on your expectations,
they break in the manner you describe. Depending on how battle-tested the
implementation is, it may make a second lookup to test if the user is in a
group, which may be a separate config flag.

No clue if any of the listed extensions fall into the former or latter
category of Auth implementations, but figured the LDAP trivia might be
useful.

On Wed, 11 Aug 2021, 19:29 Dave Parker, <dparker@utica.edu> wrote:
Re: Help with LDAP Authorization
We've had this LDAP system for a long time, and have never run into
anything like this before. In general, there are two kinds of groups you
can use in it:

1. A standard group has a groupOfNames object class, and members are
specified using the "member" attribute, with each value being the DN of the
user. When a user is a member of a group like this, it also adds the
"isMemberOf" operational attribute on the user's LDAP record, the value of
which is the DN of the group.

2. A dynamic group has a groupOfUrls object class, and membership is
specified by one or more "memberURL" values which are LDAP search strings.
All records matching the search string are considered to be members of the
group. Oracle (and previously Sun) recommended using the "memberOf"
attribute on user records and in the search string, to build out these
groups. For example, our staff group has this memberURL:

ldap:///ou=people,o=utica.edu,dc=utica,dc=edu??sub?(&(objectclass=person)(memberOf=cn=staff,ou=groups,o=utica.edu,dc=utica,dc=edu))

So, when this group is queried for members, it returns any user with this
group's DN as a "memberOf" value. It gets convoluted and is easy to make
mistakes with dynamic groups, so we generally use plain old groups with
explicitly listed members instead. Group lookups have never given us any
trouble before, with any product. I've never seen an LDAP query return a
user's group memberships unless isMemberOf was included in the filter. In
general, the things I've used just look up the user and then look up the
group and check to make sure the user's DN is a member value of the group.

Thanks!


On Wed, Aug 11, 2021 at 2:43 PM Matthew Dowdell <mdowdell244@gmail.com>
wrote:


Re: Help with LDAP Authorization
I solved the mystery. I moved the LDAP config to LocalSettings.php but
still had no luck. Then I enabled debug logging, and found this in the log
after a failed login:

[LDAP] ldap_search( $linkID, $baseDN = 'ou=groups,o=utica.edu,dc=utica,dc=edu',
$filter = '(&(objectclass=group)(member=uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu))',
$attributes = [ 'dn' ], $attrsonly = , $sizelimit = , $timelimit = , $deref
= );

The "objectclass=group" was the core issue here. Our groups use the
objectclass "groupOfNames" so this search returned no results. The
solution was to use this:

"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
"groupobjectclass" => "groupOfNames",
"groupattribute" => "member"

Voila! Successful group-controlled LDAP authentication. All set!

Thanks,
Dave

On Wed, Aug 11, 2021 at 3:25 PM Dave Parker <dparker@utica.edu> wrote:


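The group lookup shown in the debug log above, and the two membership checks Dave describes in his earlier message (search the group's member values, or read the user's isMemberOf), as an added example that is not part of the thread or of the LDAPProvider extension. It is a small Python model over constructed in-memory entries standing in for the directory: the default objectclass=group filter finds nothing, the groupOfNames/member settings from the fix find wiki-users, and the user DN is escaped before it goes into the filter. All function and constant names are my own assumptions.

```python
"""Model of the group-membership search from the thread's debug log.

Constructed example, not code from the LDAPProvider extension. The
entries below are sample data modelled on the DNs in the thread.
"""

USER_DN = "uid=dparker,ou=people,o=utica.edu,dc=utica,dc=edu"
GROUP_BASE = "ou=groups,o=utica.edu,dc=utica,dc=edu"
WIKI_USERS = "cn=wiki-users,ou=groups,o=utica.edu,dc=utica,dc=edu"
WIKI_ADMINS = "cn=wiki-admins,ou=groups,o=utica.edu,dc=utica,dc=edu"

# Constructed in-memory stand-in for the directory.
DIRECTORY = [
    {"dn": USER_DN,
     "objectclass": ["person", "inetOrgPerson"],
     "uid": ["dparker"],
     # operational attribute the server maintains for static groups
     "isMemberOf": [WIKI_USERS]},
    {"dn": WIKI_USERS,
     "objectclass": ["groupOfNames"],
     "member": [USER_DN]},
    {"dn": WIKI_ADMINS,
     "objectclass": ["groupOfNames"],
     "member": ["uid=someone-else,ou=people,o=utica.edu,dc=utica,dc=edu"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.

    The DN comes from the directory itself, but escaping it anyway keeps
    characters such as '(' or '*' from changing the filter's meaning.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_group_filter(user_dn, groupobjectclass="group", groupattribute="member"):
    """Filter of the shape seen in the log: (&(objectclass=X)(attr=user dn))."""
    return "(&(objectclass=%s)(%s=%s))" % (
        escape_filter_value(groupobjectclass),
        groupattribute,
        escape_filter_value(user_dn),
    )


def _values_lower(entry, attr):
    """Attribute values lower-cased; LDAP attribute names are case-insensitive."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            vals = val if isinstance(val, list) else [val]
            return [v.lower() for v in vals]
    return []


def find_groups(directory, user_dn, groupbasedn,
                groupobjectclass="group", groupattribute="member"):
    """Evaluate the filter above over entries under groupbasedn.

    Returns the DNs of matching groups; this is the server-side check the
    extension relies on, so a wrong objectclass yields an empty result.
    """
    matches = []
    for entry in directory:
        if not entry["dn"].lower().endswith("," + groupbasedn.lower()):
            continue
        if groupobjectclass.lower() not in _values_lower(entry, "objectclass"):
            continue
        if user_dn.lower() in _values_lower(entry, groupattribute):
            matches.append(entry["dn"])
    return matches


def is_member_via_ismemberof(directory, user_dn, group_dn):
    """Alternative check: read the user's isMemberOf values instead."""
    for entry in directory:
        if entry["dn"].lower() == user_dn.lower():
            return group_dn.lower() in _values_lower(entry, "isMemberOf")
    return False


def authorize(directory, user_dn, required_groups, groupbasedn, **group_cfg):
    """Mirror the 'required' rule: every listed group must contain the user."""
    found = {g.lower() for g in find_groups(directory, user_dn, groupbasedn, **group_cfg)}
    return all(g.lower() in found for g in required_groups)
```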
Re: Help with LDAP Authorization
Excellently well done.

Kudos.

Guillermo Vanegas , Jr
DevOps & FinTech || AI Design
® Apple, Inc.

On Aug 11, 2021, at 16:14, Dave Parker <dparker@utica.edu> wrote:



_______________________________________________
MediaWiki-l mailing list -- mediawiki-l@lists.wikimedia.org
List information: https://lists.wikimedia.org/postorius/lists/mediawiki-l.lists.wikimedia.org/