所以我一直在尝试设置一个“免费”wiki,它与我的“免费”版本的 Active Directory(又名 OpenLdap)集成,这样我就可以为需要工作和交易的开发组进行超级简单的设置关于他们的部落知识。我以前见过这个操作,所以我知道它应该有效......到目前为止,其他所有内容都设置得很好:
- https://kifarunix.com/install-and-setup-openldap-on-centos-8/
- https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/
- https://kifarunix.com/configure-openldap-sssd-client-on-centos-6-7/
- https://www.mediawiki.org/wiki/Manual:Installation_guide
虽然这并不简单,但它确实很简单,如果我遵循 CentOS 规则,那么一切都会起作用(至少在 ProxMox 上)。现在问题来了,我尝试将 MediaWiki 与 OpenLdap 集成,这样我的用户身份验证就顺利了:
这就是我遇到了一个大障碍的地方。该文档并没有完全指导您如何执行此操作,而且很多时候,团体似乎正在解决 MSFT Active Directory,而不一定是我使用的开源工具。例如讨论中的最后一个线程:
当我按照此处所做的操作时,我的日志不会显示“绑定失败”消息,而是显示“在 LDAP 中未找到匹配的用户”消息:
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Setting domain as: sinbad
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering userExistsReal
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering Connect
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using TLS or not using encryption.
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using non-standard port: 389
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using servers: ldap://master.sinbad.com:389
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Using TLS
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getSearchString
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Doing a straight bind
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 userdn is: uid=Dsailor,ou=people,dc=master,dc=sinbad,dc=com
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Resource id #454 uid=Dsailor,ou=people,dc=master,dc=sinbad,dc=com
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Did not find a matching user in LDAP
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering strict.
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Entering getDomain
2020-07-31 14:40:35 master.sinbad.com my_wiki: 2.1.0 Returning true in strict()
这是我的 LDAP 配置:
$wgLDAPDomainNames = array('sinbadcomd');
$wgLDAPServerNames = array('sinbadcomd' => 'master.sinbad.com');
$wgLDAPSearchAttributes = array('sinbadcomd' => 'uid');
$wgLDAPSearchStrings = array('sinbadcomd' => 'uid=USER-NAME,ou=people,dc=master,dc=sinbad,dc=com');
$wgLDAPBaseDNs = array('sinbadcomd' => 'dc=master,dc=sinbad,dc=com');
# To pull e-mail address from LDAP
$wgLDAPPreferences = array('sinbadcomd' => array( 'email' => 'mail'));
$wgLDAPDebug = 3;
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
$wgLDAPRetrievePrefs = array( 'EUROPE.LAN' => true );
$wgLDAPEncryptionType = array('sinbadcomd' => 'tls');
//$wgLDAPEncryptionType = array('sinbadcomd' => 'ssl');
//$wgLDAPPort = array('sinbadcomd' => '636');
$wgLDAPPort = array('sinbadcomd' => '389');
$wgLDAPProxyAgent = array('sinbadcomd' => 'cn=proxyhost,ou=system,dc=master,dc=sinbad,dc=com');
$wgLDAPProxyAgentPassword = array('sinbadcomd' => '***');
$wgLDAPLowerCaseUsername = array('sinbadcomd' => true);
/*$wgLDAPUserBaseDNs = array('sinbadcomd' => 'ou=people,dc=master,dc=sinbad,dc=com');
//$wgLDAPUserBaseDNs = [];
# Group based restriction
$wgLDAPGroupUseFullDN = array( 'sinbadcomd' => false );
$wgLDAPGroupObjectclass = array( 'sinbadcomd' => "posixgroup" );
$wgLDAPGroupAttribute = array( 'sinbadcomd '=> "gidNumber" );
$wgLDAPGroupSearchNestedGroups = array( 'sinbadcomd' => false );
$wgLDAPGroupNameAttribute = array( 'sinbadcomd' => "cn" );
*/
脸在手上。有人可以在这里给我任何指示吗?顺便说一句:我知道我可以使用更新且可能更相关的系统,例如维基百科看来我接受了曾经对我有用的简单口号,而且,看来我需要一些帮助(不记得我上次使用 PHP 是什么时候)。
答案1
所以我最近花了相当多的时间尝试调试类似的东西。看看你在这里所做的,我认为你不需要这一行:
$wgLDAPRetrievePrefs = array( 'EUROPE.LAN' => true );
并且注释行使其阅读起来有点混乱。然而,据我所知,一个小补丁修复可以在这里提供帮助:
diff ~/src/LdapAuthentication/LdapAuthenticationPlugin.php extensions/LdapAuthentication/
532a533,536
>
> // If we are going to find and entry we need to bind first?
> $bindval = self::ldap_bind( $this->ldapconn, $this->getConf('ProxyAgent'), $this->getConf('ProxyAgentPassword') );
我做了这个更改,等待 MediaWiki 网站上的一些回应或同行评审: https://www.mediawiki.org/wiki/主题:Vr5s4thrk4imbxjx
但据我所知,它是有效的,这就是现在对我来说最重要的(这实际上花了我很长时间才能解决)。