LDAP on local domain with Mediawiki on Debian 10

Question

I have a MediaWiki (1.34) running on a Debian 10 linux VM on our local network. We have a local domain (abc.local) managed by Win Server 2008 R2. I am trying to implement LDAP so only abc.local domain users can use our wiki. I installed all the necessary extensions and everything seems to work when I use this test ldapprovider.json to test. I don't know credentials for this test domain so I get this:

This seems to tell me that LDAP is working though and tried to authenticate based on the bogus user creds I supplied. So, now I tried to modify the ldapprovider.json for my local domain. All I tried at first attempt was to change "server", "user", and "pass". The 5.5.5.5 is our internal local domain controller.

{
    "LDAP": {
            "connection": {
                    "server": "5.5.5.5",
                    "user": "cn=Administrator,dc=example,dc=com",
                    "pass": "XXXXXXXXXX",
                    "options": {
                            "LDAP_OPT_DEREF": 1
                    },
                    "basedn": "dc=example,dc=com",
                    "groupbasedn": "dc=example,dc=com",
                    "userbasedn": "dc=example,dc=com",
                    "searchattribute": "uid",
                    "searchstring": "uid=USER-NAME,dc=example,dc=com",
                    "usernameattribute": "uid",
                    "realnameattribute": "cn",
                    "emailattribute": "mail"
            },
            "userinfo": {
                    "attributes-map": {
                            "email": "mail",
                            "realname": "cn",
                            "nickname": "uid",
                            "language": "preferredlanguage"
                    }
            },
            "groupsync": {
                    "mapping": {
                            "mathematicians": "ou=mathematicians,dc=example,dc=com",
                            "scientists": "ou=scientists,dc=example,dc=com"
                    }
            }
    }
}

This time when I enter user credentials I get the following error:

[f66f7d40890c442c71165a80] /index.php/Special:PluggableAuthLogin MWException from line 157 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (49) Invalid credentials

Backtrace:

#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(80): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(313): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(76): MediaWiki\Extension\LDAPProvider\Client->canBindAs(string, string)
#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)
#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)
#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()
#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()
#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()
#10 {main}

I do not know how to modify the ldapprovider.json for my local domain abc.local. Don't know if this helps, but when I join computers to the domain I use "abc.local" and when users log in they use "abc\username".

p.s. I've only made it this far because of serious help/tutoring I received from this question. Just hate to give up...

EDIT1: I joined my linux machine to the windows domain and have the following results to the realm discover, realm join, and id commands. Working fine - can id user rjsmith (he is a user and also in the engineers group).

root@mediawiki-linux:/etc# realm discover abc.local
abc.local
  type: kerberos
  realm-name: abc.local
  domain-name: abc.local
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
root@mediawiki-linux:/etc# realm join abc.local
Password for Administrator:
root@mediawiki-linux:/etc#
root@mediawiki-linux:/etc# realm discover abc.local
abc.local
  type: kerberos
  realm-name: abc.local
  domain-name: abc.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
  login-formats: %U@abc.local
  login-policy: allow-realm-logins
root@mediawiki-linux:/etc# id rjsmith@abc.local
uid=521401112(rjsmith@abc.local) gid=521400513(domain users@abc.local) groups=521400513(domain users@abc.local),521401111(engineers@abc.local)

EDIT2: This is my LDAPProviderDomainConfigProvider function in my LocalSettings.php file. Still getting the "Could not bind to LDAP: (49) Invalid credentials." error.

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'LDAP' => [
            'connection' => [
                "server" => "5.5.5.5",
                "user" => "cn=Administrator@abc.local,dc=abc,dc=local",
                "pass" => 'password',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=abc,dc=local",
                "groupbasedn" => "dc=abc,dc=local",
                "userbasedn" => "dc=abc,dc=local",
                "searchattribute" => "uid",
                "searchstring" => "uid=USER-NAME,dc=abc,dc=local",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ]
        ]
    ];

    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

Answer

Based on the comments, your error looks to be that the username you need to bind the LDAP connection with is not cn=Administrator@abc.local,dc=abc,dc=local but rather Administrator@abc.local.

So, changing that in your LDAP configuration for the extension to something like this:

$LDAPProviderDomainConfigProvider = function() {
    $config = [
        'LDAP' => [
            'connection' => [
                "server" => "5.5.5.5",
                "user" => "Administrator@abc.local",
                "pass" => 'password',
                "options" => [
                    "LDAP_OPT_DEREF" => 1
                ],
                "basedn" => "dc=abc,dc=local",
                "groupbasedn" => "dc=abc,dc=local",
                "userbasedn" => "dc=abc,dc=local",
                "searchattribute" => "uid",
                "searchstring" => "uid=USER-NAME,dc=abc,dc=local",
                "usernameattribute" => "uid",
                "realnameattribute" => "cn",
                "emailattribute" => "mail"
            ]
        ]
    ];

    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

should do the trick (take a look at the changed user property) for retrieving user information from the LDAP on login.
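As an added example (not code from the answer, from MediaWiki or from the LDAPProvider extension), here is a PHP script that reproduces the extension's first two steps outside the wiki: a simple bind with the account in the UPN form the answer recommends, then a lookup of a login name. It decodes the Active Directory sub-code that hides behind the generic error 49, which tells a rejected bind name apart from a wrong password or a locked account. It assumes php-ldap is installed; the server address, base DN and credentials are the question's placeholders.

```php
<?php
// Stand-alone bind check added as an example; not part of MediaWiki, the
// LDAPProvider extension or the original answer. Needs php-ldap. The server,
// bind account, password and base DN below are placeholders from the question.
// Usage: php ldap-bind-check.php 5.5.5.5 'Administrator@abc.local' 'password' 'dc=abc,dc=local' rjsmith
// Well-known AD sub-codes ("data NNN" in the diagnostic message after a failed
// simple bind) that separate the causes behind the generic "(49) Invalid credentials".
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'wrong password, or bind name not accepted (AD takes user@abc.local or ABC\\user)',
    '530' => 'logon not permitted at this time',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

// Returns ['ok' => true, 'ds' => handle] or ['ok' => false, 'errno', 'error', 'reason', 'diag'].
function ldapBindCheck(string $server, string $bindUser, string $bindPass): array
{
    $ds = ldap_connect("ldap://$server");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD referrals otherwise break searches
    if (@ldap_bind($ds, $bindUser, $bindPass)) {
        return ['ok' => true, 'ds' => $ds];
    }
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $reason = 'no AD sub-code in diagnostic message';
    if (preg_match('/data ([0-9a-f]+)/', $diag, $m) && isset(AD_BIND_SUBCODES[$m[1]])) {
        $reason = AD_BIND_SUBCODES[$m[1]];
    }
    return ['ok' => false, 'errno' => ldap_errno($ds), 'error' => ldap_error($ds), 'reason' => $reason, 'diag' => $diag];
}

if ($argc < 6) { fwrite(STDERR, "usage: $argv[0] SERVER BIND_USER BIND_PASS BASE_DN LOGIN_NAME\n"); exit(2); }
[, $server, $bindUser, $bindPass, $baseDn, $login] = $argv;
$r = ldapBindCheck($server, $bindUser, $bindPass);
if (!$r['ok']) {
    fwrite(STDERR, "bind as $bindUser failed: ({$r['errno']}) {$r['error']}\n  reason: {$r['reason']}\n  server said: {$r['diag']}\n");
    exit(1);
}
echo "bind as $bindUser OK\n";
// Then the lookup the extension does next: AD keeps the logon name in sAMAccountName,
// and the "uid" attribute from the sample config is normally empty on AD users.
$filter = '(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
$entries = ldap_get_entries($r['ds'], ldap_search($r['ds'], $baseDn, $filter, ['cn', 'mail', 'memberof']));
echo "search $filter under $baseDn: {$entries['count']} entry(ies)\n";
```

A simple bind over plain ldap:// sends the password in the clear on the wire, so once the check passes, point both this script and the extension at ldaps:// (port 636) or enable StartTLS before using it with a real service account.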
