在 Debian 10 上使用 Mediawiki 在本地域上使用 LDAP
LDAP on local domain with Mediawiki on Debian 10
我在本地网络的 Debian 10 linux VM 上有一个 MediaWiki (1.34) 运行。我们有一个由 Win Server 2008 R2 管理的本地域 (abc.local)。我正在尝试实施 LDAP,因此只有 abc.local 域用户可以使用我们的 wiki。我安装了所有必要的扩展,当我使用此测试 ldapprovider.json 进行测试时,一切 似乎都能正常工作 。我不知道这个测试域的凭据所以我得到这个:
这似乎告诉我 LDAP 正在工作,并尝试根据我提供的虚假用户凭据进行身份验证。所以,现在我尝试为我的本地域修改 ldapprovider.json。我第一次尝试的只是更改 "server"、"user" 和 "pass"。 5.5.5.5是我们内部的本地域控制器。
{
"LDAP": {
"connection": {
"server": "5.5.5.5",
"user": "cn=Administrator,dc=example,dc=com",
"pass": "XXXXXXXXXX",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=example,dc=com",
"groupbasedn": "dc=example,dc=com",
"userbasedn": "dc=example,dc=com",
"searchattribute": "uid",
"searchstring": "uid=USER-NAME,dc=example,dc=com",
"usernameattribute": "uid",
"realnameattribute": "cn",
"emailattribute": "mail"
},
"userinfo": {
"attributes-map": {
"email": "mail",
"realname": "cn",
"nickname": "uid",
"language": "preferredlanguage"
}
},
"groupsync": {
"mapping": {
"mathematicians": "ou=mathematicians,dc=example,dc=com",
"scientists": "ou=scientists,dc=example,dc=com"
}
}
}
}
这次当我输入用户凭据时出现以下错误:
[f66f7d40890c442c71165a80] /index.php/Special:PluggableAuthLogin MWException from line 157 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (49) Invalid credentials
Backtrace:
#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(80): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(313): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(76): MediaWiki\Extension\LDAPProvider\Client->canBindAs(string, string)
#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)
#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)
#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()
#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()
#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()
#10 {main}
我不知道如何为我的本地域 abc.local 修改 ldapprovider.json。不知道这是否有帮助,但是当我将计算机加入域时我使用 "abc.local",当用户登录时使用 "abc\username"。
p.s。我之所以走到这一步,是因为我收到了严重的 help/tutoring 。就是舍不得...
EDIT1:我 joined 我的 linux 机器到 windows 域,realm discover 得到以下结果、realm join 和 id 命令。工作正常 - 可以识别用户 rjsmith(他是用户,也在工程师组中)。
root@mediawiki-linux:/etc# realm discover abc.local
abc.local
type: kerberos
realm-name: abc.local
domain-name: abc.local
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
root@mediawiki-linux:/etc# realm join abc.local
Password for Administrator:
root@mediawiki-linux:/etc#
root@mediawiki-linux:/etc# realm discover abc.local
abc.local
type: kerberos
realm-name: abc.local
domain-name: abc.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@abc.local
login-policy: allow-realm-logins
root@mediawiki-linux:/etc# id rjsmith@abc.local
uid=521401112(rjsmith@abc.local) gid=521400513(domain users@abc.local) groups=521400513(domain users@abc.local),521401111(engineers@abc.local)
EDIT2:这是我的 LocalSettings.php 文件中的 LDAPProviderDomainConfigProvider 函数。仍然出现 Could not bind to LDAP: (49) Invalid credentials. 错误。
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
"server" => "5.5.5.5"
"user" => "cn=Administrator@abc.local,dc=abc,dc=local",
"pass" => 'password',
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "uid",
"searchstring" => "uid=USER-NAME,dc=abc,dc=local",
"usernameattribute" => "uid",
"realnameattribute" => "cn",
"emailattribute" => "mail"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
根据评论,您的错误看起来是您需要将 ldap 连接绑定到的用户名不是 cn=Administrator@abc.local,dc=abc,dc=local,而是 Administrator@abc.local。
因此,在您的 ldap 配置中将其更改为类似这样的扩展:
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
"server" => "5.5.5.5"
"user" => "Administrator@abc.local",
"pass" => 'password',
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "uid",
"searchstring" => "uid=USER-NAME,dc=abc,dc=local",
"usernameattribute" => "uid",
"realnameattribute" => "cn",
"emailattribute" => "mail"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
应该在登录时从 LDAP 检索用户信息(查看更改后的 user 属性)。
我在本地网络的 Debian 10 linux VM 上有一个 MediaWiki (1.34) 运行。我们有一个由 Win Server 2008 R2 管理的本地域 (abc.local)。我正在尝试实施 LDAP,因此只有 abc.local 域用户可以使用我们的 wiki。我安装了所有必要的扩展,当我使用此测试 ldapprovider.json 进行测试时,一切 似乎都能正常工作 。我不知道这个测试域的凭据所以我得到这个:
这似乎告诉我 LDAP 正在工作,并尝试根据我提供的虚假用户凭据进行身份验证。所以,现在我尝试为我的本地域修改 ldapprovider.json。我第一次尝试的只是更改 "server"、"user" 和 "pass"。 5.5.5.5是我们内部的本地域控制器。
{
"LDAP": {
"connection": {
"server": "5.5.5.5",
"user": "cn=Administrator,dc=example,dc=com",
"pass": "XXXXXXXXXX",
"options": {
"LDAP_OPT_DEREF": 1
},
"basedn": "dc=example,dc=com",
"groupbasedn": "dc=example,dc=com",
"userbasedn": "dc=example,dc=com",
"searchattribute": "uid",
"searchstring": "uid=USER-NAME,dc=example,dc=com",
"usernameattribute": "uid",
"realnameattribute": "cn",
"emailattribute": "mail"
},
"userinfo": {
"attributes-map": {
"email": "mail",
"realname": "cn",
"nickname": "uid",
"language": "preferredlanguage"
}
},
"groupsync": {
"mapping": {
"mathematicians": "ou=mathematicians,dc=example,dc=com",
"scientists": "ou=scientists,dc=example,dc=com"
}
}
}
}
这次当我输入用户凭据时出现以下错误:
[f66f7d40890c442c71165a80] /index.php/Special:PluggableAuthLogin MWException from line 157 of /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (49) Invalid credentials
Backtrace:
#0 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(80): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 /var/www/html/mediawiki/extensions/LDAPProvider/src/Client.php(313): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/www/html/mediawiki/extensions/LDAPAuthentication2/src/PluggableAuth.php(76): MediaWiki\Extension\LDAPProvider\Client->canBindAs(string, string)
#3 /var/www/html/mediawiki/extensions/PluggableAuth/includes/PluggableAuthLogin.php(30): MediaWiki\Extension\LDAPAuthentication2\PluggableAuth->authenticate(NULL, string, NULL, NULL, NULL)
#4 /var/www/html/mediawiki/includes/specialpage/SpecialPage.php(575): PluggableAuthLogin->execute(NULL)
#5 /var/www/html/mediawiki/includes/specialpage/SpecialPageFactory.php(611): SpecialPage->run(NULL)
#6 /var/www/html/mediawiki/includes/MediaWiki.php(296): MediaWiki\Special\SpecialPageFactory->executePath(Title, RequestContext)
#7 /var/www/html/mediawiki/includes/MediaWiki.php(900): MediaWiki->performRequest()
#8 /var/www/html/mediawiki/includes/MediaWiki.php(527): MediaWiki->main()
#9 /var/www/html/mediawiki/index.php(44): MediaWiki->run()
#10 {main}
我不知道如何为我的本地域 abc.local 修改 ldapprovider.json。不知道这是否有帮助,但是当我将计算机加入域时我使用 "abc.local",当用户登录时使用 "abc\username"。
p.s。我之所以走到这一步,是因为我收到了严重的 help/tutoring
EDIT1:我 joined 我的 linux 机器到 windows 域,realm discover 得到以下结果、realm join 和 id 命令。工作正常 - 可以识别用户 rjsmith(他是用户,也在工程师组中)。
root@mediawiki-linux:/etc# realm discover abc.local
abc.local
type: kerberos
realm-name: abc.local
domain-name: abc.local
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
root@mediawiki-linux:/etc# realm join abc.local
Password for Administrator:
root@mediawiki-linux:/etc#
root@mediawiki-linux:/etc# realm discover abc.local
abc.local
type: kerberos
realm-name: abc.local
domain-name: abc.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U@abc.local
login-policy: allow-realm-logins
root@mediawiki-linux:/etc# id rjsmith@abc.local
uid=521401112(rjsmith@abc.local) gid=521400513(domain users@abc.local) groups=521400513(domain users@abc.local),521401111(engineers@abc.local)
EDIT2:这是我的 LocalSettings.php 文件中的 LDAPProviderDomainConfigProvider 函数。仍然出现 Could not bind to LDAP: (49) Invalid credentials. 错误。
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
"server" => "5.5.5.5"
"user" => "cn=Administrator@abc.local,dc=abc,dc=local",
"pass" => 'password',
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "uid",
"searchstring" => "uid=USER-NAME,dc=abc,dc=local",
"usernameattribute" => "uid",
"realnameattribute" => "cn",
"emailattribute" => "mail"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
根据评论,您的错误看起来是您需要将 ldap 连接绑定到的用户名不是 cn=Administrator@abc.local,dc=abc,dc=local,而是 Administrator@abc.local。
因此,在您的 ldap 配置中将其更改为类似这样的扩展:
$LDAPProviderDomainConfigProvider = function() {
$config = [
'LDAP' => [
'connection' => [
"server" => "5.5.5.5"
"user" => "Administrator@abc.local",
"pass" => 'password',
"options" => [
"LDAP_OPT_DEREF" => 1
],
"basedn" => "dc=abc,dc=local",
"groupbasedn" => "dc=abc,dc=local",
"userbasedn" => "dc=abc,dc=local",
"searchattribute" => "uid",
"searchstring" => "uid=USER-NAME,dc=abc,dc=local",
"usernameattribute" => "uid",
"realnameattribute" => "cn",
"emailattribute" => "mail"
]
]
];
return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
应该在登录时从 LDAP 检索用户信息(查看更改后的 user 属性)。