A couple things:

> Created a regular filter: (sAMAccountName=Joliver)
> Entering getBaseDN
> basedn is ou=Domain Users,dc=domain,dc=com
> Using base: ou=Domain Users,dc=domain,dc=com
> Fetched username is not a string (check your hook code...).
> This message
> can be safely ignored if you do not have the
> SetUsernameAttributeFromLDAP hook defined.
> Pulled the user's DN:

It didn't pull the user's DN. You mention the reason for this below...

> Checking for (new style) group membership
> Entering isMemberOfRequiredLdapGroup
> Required groups:cn=qa employees,ou=security
> groups,dc=domain,dc=com,cn=engineering employees,ou=security
> groups,dc=domain,dc=com,cn=customer care employees,ou=security
> groups,dc=domain,dc=com
> Entering getUserGroups
> Entering getGroups
> Entering getBaseDN
> basedn is ou=Security Groups,dc=domain,dc=com
> Search string: (&(=Joliver)(objectclass=))

This should say: Search string: (&(member=Joliver)(objectclass=group)).

You should have all of the following options set:

$wgLDAPGroupUseFullDN = array( "AD_DOMAIN"=>true );
$wgLDAPGroupObjectclass = array( "AD_DOMAIN"=>"group" );
$wgLDAPGroupAttribute = array( "AD_DOMAIN"=>"member" );
$wgLDAPGroupNameAttribute = array( "AD_DOMAIN"=>"cn" );
$wgLDAPSearchAttributes = array( "AD_DOMAIN"=>"sAMAccountName" );

> I think this may be because my user isn't in Domain Users... it's in
> another folder called "IT". So, I tried:
>
> $wgLDAPUserBaseDNs = array(
>   "AD_DOMAIN" => array(
>     "ou=Domain Users,dc=domain,dc=com",
>     "ou=IT,dc=domain,dc=com"
>   )
> );
>
>
> and now I still get the incorrect password error, and the
> debug message
> says:
>
> Entering getBaseDN
> basedn is Array
> Using base: Array
>
> I'm not sure if it's just saying that the BaseDN *is* an array, or if
> it's reading the literal string, "Array".
>

You can only set one base dn. You need to set this to:

$wgLDAPUserBaseDNs = array( "AD_DOMAIN" => "dc=domain,dc=com" );

There is a practical reason to have all user accounts under a single OU (or a set of OUs under a single OU). This is one of those reasons. In AD land, there are other practical reasons including a sane group policy.

> Also, I noticed that the debug says:
>
> Pulled the user's DN:
>
> Googling around has found examples where that is populated, like:
>
> Pulled the user's DN: CN=John
> Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
>

Yep. That's what it *should* look like.

So, all of this said... The next version of the plugin will have memberOf support, and will have an option to auto-configure all of the annoying settings depending on schema type. It may or may not be out soon depending on my level of laziness.

V/r,

Ryan Lane

_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
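
Added example, not part of the original message or of the plugin's code: a small triage script that scans the plugin's debug output for the three symptoms discussed in this thread (base DN printed as "Array", an empty user DN, and a group search filter with blank attribute or objectclass). The function name, check list and sample logs are constructed for illustration.

```python
import re

# Symptoms are the ones visible in the debug output quoted in this thread;
# the advice strings restate the reply. All names here are hypothetical.
CHECKS = [
    (re.compile(r"^(basedn is|Using base:) Array$"),
     "base DN printed as 'Array': set $wgLDAPUserBaseDNs to a single DN string"),
    (re.compile(r"^Pulled the user's DN:\s*$"),
     "empty user DN: the user was not found under the configured base DN"),
    (re.compile(r"^Search string: .*\(=[^)]*\)"),
     "filter has no attribute name: set $wgLDAPGroupAttribute"),
    (re.compile(r"^Search string: .*\(objectclass=\)", re.IGNORECASE),
     "filter has no objectclass value: set $wgLDAPGroupObjectclass"),
]

def triage(debug_text):
    """Return (line_number, advice) for each misconfiguration symptom found."""
    findings = []
    for lineno, raw in enumerate(debug_text.splitlines(), 1):
        line = raw.strip()
        for pattern, advice in CHECKS:
            if pattern.search(line):
                findings.append((lineno, advice))
    return findings

# Constructed sample: symptom lines copied from the thread into one log.
SAMPLE_BAD = """\
Entering getBaseDN
basedn is Array
Using base: Array
Pulled the user's DN:
Search string: (&(=Joliver)(objectclass=))
"""

# Constructed sample: what the reply says the same lines should look like.
SAMPLE_GOOD = """\
Entering getBaseDN
basedn is dc=domain,dc=com
Using base: dc=domain,dc=com
Pulled the user's DN: CN=John Doe,OU=Users,OU=Administrators,DC=domainname,DC=com
Search string: (&(member=Joliver)(objectclass=group))
"""

if __name__ == "__main__":
    for lineno, advice in triage(SAMPLE_BAD):
        print(f"line {lineno}: {advice}")
```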
