
Just got my MediaWiki running on a local domain (running as a container on a Synology NAS). Now I want to configure it so only domain users can access the wiki and are automatically logged in.
This is for the sole purpose of tracking user name with page edits.
My local domain is abc.local and my domain controller is Windows Server 2008 R2.

I've done the following:

  1. Installed extensions LDAPProvider, LDAPAuthentication2, and PluggableAuth.

  2. Added the following to the bottom of my LocalSettings.php.

    wfLoadExtension( 'PluggableAuth' );
    $wgPluggableAuth_EnabledAutoLogin = true;
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPProvider' );

    // Inline LDAP domain configuration handed to LDAPProvider
    $LDAPProviderDomainConfigProvider = function () {
        $config = [
            'LDAP' => [
                'connection' => [
                    "server" => "abc.local",
                    // account and password used to bind to the directory
                    "user" => "cn=Administrator,dc=abc,dc=local",
                    "pass" => 'passwordhere',
                    "options" => [
                        "LDAP_OPT_DEREF" => 1
                    ],
                    "basedn" => "dc=abc,dc=local",
                    "groupbasedn" => "dc=abc,dc=local",
                    "userbasedn" => "dc=abc,dc=local",
                    "searchstring" => "uid=USER-NAME,dc=abc,dc=local",
                    "emailattribute" => "mail",
                    "usernameattribute" => "uid",
                    "realnameattribute" => "cn",
                    "searchattribute" => "uid",
                ]
            ]
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
    };

The plugins are running:

[screenshot]

When I go to the main page I'm not automatically logged in, so I try to log in with domain creds and get the following: [screenshot]

I'm pretty green here and not sure how to configure things. Any ideas?

thanks, russ

EDIT: After adding `$wgShowExceptionDetails = true;` I'm getting the following error message: [screenshot]

EDIT2: Snip from phpinfo()

[screenshot]

EDIT3: Started over with new containers in attempt to get php-ldap extension working and get around the ldap_connect() error.
Here are the steps I took with my last attempt:

REFERENCE: https://wiki.chairat.me/books/docker/page/how-to-setup-mediawiki-with-docker

  1. Enable SSH service from control panel Terminal & SNMP and then open an SSH connection to the Synology box (using PuTTY). Log in as box admin.

  2. Run the following command to create a new docker container named mediawiki based on the latest mediawiki image:

    sudo docker container run -d --name mediawiki -p 8080:80 mediawiki

  3. Run the following command to create a new docker container named mediawiki-mysql based on the latest MySQL image.
    Replace <root_pwd> with desired MySQL root password:

    sudo docker container run -d --name mediawiki-mysql -v mediawiki-mysql:/var/lib/mysql -e MYSQL_ROOT_PASSWORD=<root_pwd> mysql

  4. Run the following 3 commands to create a docker network and then tie both images into it:

    sudo docker network create mediawiki
    sudo docker network connect mediawiki mediawiki
    sudo docker network connect mediawiki mediawiki-mysql
    

    REFERENCE: https://www.digitalocean.com/community/tutorials/how-to-install-linux-apache-mysql-php-lamp-stack-ubuntu-18-04#step-2-%E2%80%94-installing-mysql

  5. Next, open a bash terminal in the mediawiki-mysql container and set the root plugin to mysql_native_password if necessary:

    mysql -uroot -p<root_pwd>    # opens a MySQL prompt; <root_pwd> is what you set up in 3., without the <>

    SELECT user,authentication_string,plugin,host FROM mysql.user;    -- lists user attributes
    ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';   -- password is the <root_pwd> set above too
    ALTER USER 'root'@'%' IDENTIFIED WITH mysql_native_password BY 'password';
    
    
  6. Add a volume mapping in the mediawiki-mysql container so you can copy files to/from the container and a share you can access with File Station on the Synology.

    Stop the container if it is running.
    Right-click and select Edit, then click on Volume.
    Click "Add Folder" and select the shared volume you will use.
    For "Mount path" put /var/lib/mysql
    Start the container.

    REFERENCE: https://computingforgeeks.com/how-to-install-php-7-3-on-debian-9-debian-8/

  7. Add php-ldap extension to the mediawiki container if you want to enable LDAP authentication (e.g. if you have domain with active directory etc.). Open a bash terminal in the mediawiki container:

    php -m        # lists all of the active PHP modules - ldap is not listed if not installed yet
    php -v        # shows what version of PHP you are running
    apt-get update
    apt-get upgrade -y
    apt-get install libldb-dev libldap2-dev
    cd /usr/local/bin
    docker-php-ext-install ldap    # this takes a while
    php -m        # now shows ldap in the list
    
  8. Setup the MediaWiki before going on to the LDAP extension stuff.

    Open "http://XXX.XXX.XXX.XXX:8080/" in browser and configure.
    Use "mediawiki-mysql" in place of "localhost" for mysql.
    Put LocalSettings.php into the /usr/www/html folder.

    REFERENCE: https://www.mediawiki.org/wiki/Special:ExtensionDistributor?extdistname=LDAPProvider&extdistversion=master

  9. Install the LDAPProvider mediawiki extension needed to support LdapAuthentication2

    wget "https://extdist.wmflabs.org/dist/extensions/LDAPProvider-master-04dc101.tar.gz"
    tar -xzf LDAPProvider-master-04dc101.tar.gz -C /var/www/html/extensions
    rm LDAPProvider-master-04dc101.tar.gz
    add "wfLoadExtension( 'LDAPProvider' );"  to the LocalSettings.php file.
    run "php maintenance/update.php"  to create the required databases (takes a few seconds).
    wget "https://extdist.wmflabs.org/dist/extensions/PluggableAuth-REL1_34-17fb1ea.tar.gz"
    tar -xzf PluggableAuth-REL1_34-17fb1ea.tar.gz -C /var/www/html/extensions
    rm PluggableAuth-REL1_34-17fb1ea.tar.gz 
    add "wfLoadExtension( 'PluggableAuth' );"  to the LocalSettings.php file.
    wget "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-master-cb07184.tar.gz"
    tar -xzf LDAPAuthentication2-master-cb07184.tar.gz -C /var/www/html/extensions
    rm LDAPAuthentication2-master-cb07184.tar.gz
    add "wfLoadExtension( 'LDAPAuthentication2' );"  to the LocalSettings.php file.
    copy in the LocalSettings.php file that has the LDAP configuration (item 2 in my original question above).
    
greybeard
relayman357
  • First of all: Can you add `$wgShowExceptionDetails = true;` to your LocalSettings.php? That should give you more information about the exception thrown (or you can take a look at your logging, whichever you prefer). With the exception it should be easier to help :) And: Why are you using these three extensions together? Shouldn't one of them be sufficient? – Florian Dec 30 '19 at 10:52
  • As soon as I get to office I’ll do this. I have all 3 extensions because I thought [the documentation](https://m.mediawiki.org/wiki/Extension:LDAPAuthentication2) requires it. Thank you for help. – relayman357 Dec 30 '19 at 13:07
  • I added `$wgShowExceptionDetails = true;` and get the error page i show at updated bottom of my question. I also ran a phpinfo() and down in the output of that i see, `Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps...` so i assume php will work with ldap. I did do an `apt-get install php5-ldap` after that error but i get `Package php5-ldap is not available`. – relayman357 Dec 30 '19 at 14:52
  • php -v gives me, `PHP 7.3.13 (cli)...` And my Mediawiki container is running, `Debian Gnu/Linux 10 (buster)` – relayman357 Dec 30 '19 at 15:02
  • I tried `apt-get install php7.3-ldap` and get, `Package php7.3-ldap is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source.` I'll follow this rabbit to see if can install somehow. – relayman357 Dec 30 '19 at 15:16
  • All kinds of errors trying to get `php7.3-ldap` installed. I did `apt-get install psmisc` and then `dpkg -i php-common_69_all.deb`, `dpkg -i php7.3-ldap_7.3.11-1_deb10u1_amd64.deb`, and, `dpkg -i php7.3-common_7.3.11-1_deb10u1_amd64.deb` and after restarting container i'm still getting that same error about call to undefined function ldap_connect(). – relayman357 Dec 30 '19 at 16:12
  • What php image are you using? You might also need to add the extension to your php.ini file in order to get the extension loaded. But that depends on what image you're using :) – Florian Dec 30 '19 at 20:17
  • The default that came with the Debian image when i grabbed the latest Mediawiki container (1.34). It is php7.3.13. I just did a phpinfo() and i see `Loaded Configuration File => (none)` but then it loads some other .ini. I added snip under my EDIT2 in question. – relayman357 Dec 30 '19 at 20:59
  • I created an `/usr/local/etc/php/php.ini` and put `extension=php_ldap.so` in it. Restarted both containers (MySQL and Mediawiki) and still have the `Call to undefined function ldap_connect()` error. – relayman357 Dec 30 '19 at 21:04
  • So, I assume https://hub.docker.com/_/php ??? What happens if you install the extension in the recommended way (section "How to install more PHP extensions", `docker-php-ext-install`)? – Florian Dec 30 '19 at 22:30
  • I ran a `php -m` and `ldap` is listed. I ran `docker-php-ext-install ldap` and at the end it stopped on `configure: error: Cannot find ldap.h`. This is my first time with php so i'm grasping. After this fail, i did a test by making a new temporary docker container with `docker run --rm -it php:7.2 bash` and then i changed dir to /usr/local/bin and ran `docker-php-ext-install ldap` and it ran fine until the end where it had that same `configure: error: Cannot find ldap.h` error. This was completely clean PHP7.2 container. – relayman357 Dec 31 '19 at 00:44
  • Ok, i ran `apt-get install libldb-dev libldap2-dev` ([this helped](https://www.youtube.com/watch?v=BBRS-8leLKc) as did [this](https://serverfault.com/questions/633394/php-configure-not-finding-ldap-header-libraries)) and after that i ran the `docker-php-ext-install ldap` from the /usr/local/bin folder and it ran clean this time. I tested again and still getting the `ldap-connect()` error when trying a login. I then ran `php -m | grep ldap` and the result is shown in next comment. – relayman357 Dec 31 '19 at 00:57
  • `php -m | grep ldap` gives the following: `PHP Warning: PHP Startup: Unable to load dynamic library 'php_ldap.so' (tried: /usr/local/lib/php/extensions/no-debug-non-zts-20180731/php_ldap.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/php_ldap.so: cannot open shared object file: No such file or directory), /usr/local/lib/php/extensions/no-debug-non-zts-20180731/php_ldap.so.so (/usr/local/lib/php/extensions/no-debug-non-zts-20180731/php_ldap.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0 `. I'll start over with this in morning... – relayman357 Dec 31 '19 at 00:58
  • I'm at very beginning and haven't done any serious dev on my mediawiki. i can start over from scratch if need be. – relayman357 Dec 31 '19 at 01:05
  • So, I tried your steps on my local docker env as well and it worked perfectly fine with alpine. I did the same with `php:7.3-fpm-stretch` and this worked as well. So, it would be nice if you could post the Dockerfile you're using to build your image somewhere. The warning you got indicates that the extension file does not exist; can you check if it is present in the directory mentioned in the error? Here's the Dockerfile I used: https://pastebin.com/R3iK5k5b – Florian Dec 31 '19 at 10:47
  • Thank you @Florian. I exported the Dockerfile i used to build my mediawiki image. It is [here](http://relayman.org/temp/_4Florian/). I'm going to start over since you had no problems with alpine and stretch. Surely i've done something to corrupt my build. – relayman357 Dec 31 '19 at 15:36
  • Sorry, that's not the Dockerfile, it's the resulting image. Please provide the Dockerfile only :) – Florian Jan 01 '20 at 11:23
  • Oh, I’m sorry. I didn’t use a docker file, just the commands [listed here](https://wiki.chairat.me/books/docker/page/how-to-setup-mediawiki-with-docker) except those for SMTP which I did not need. – relayman357 Jan 01 '20 at 16:15
  • And how did you then add the ldap extension to your mediawiki/php container/image? – Florian Jan 01 '20 at 17:16
  • I followed the instructions [here](https://m.mediawiki.org/wiki/Extension:LDAPAuthentication2) using wget from bash to download to container. – relayman357 Jan 01 '20 at 17:43
  • I mean the php extension ;) You need to create your own image if you want to add php extensions to the container. It seems to me you didn't really do that, that's why the ldap_connect function does not exist. So, you need to create your own Dockerfile, inherit from the mediawiki image and add the php_ldap extension in this container :) – Florian Jan 01 '20 at 18:30
  • @Florian - how do i do this (add the php extension). I've tried and tried (with several different containers) but still getting that ldap_connect() error. See my Edit3 above for steps i took. I just can't get past it. The stuff starting at 7. is the php-ldap related stuff. – relayman357 Jan 03 '20 at 02:58
  • I think I get the problem here now. Please see my answer :) – Florian Jan 03 '20 at 11:55

1 Answer

Based on the conversation in the comments and the additional step-by-step list above, here are some thoughts:

> Add php-ldap extension to the mediawiki container if you want to enable ldap authentication (e.g. if you have domain with active directory etc.). Open a bash terminal in the mediawiki container:
>
> php -m (this will list all of the active PHP modules - ldap is not listed if not installed yet)
>
> php -v (this will show you what version of PHP you are running)
>
> apt-get update
>
> apt-get upgrade -y
>
> apt-get install libldb-dev libldap2-dev
>
> cd /usr/local/bin
>
> docker-php-ext-install ldap (this takes a while)
>
> php -m (this shows ldap in the list)

I strongly doubt that this works at all, and even if it did work, I doubt it would work in a sustainable way. The problems with this "solution" are:

  • You're just changing the container state, not the image. Whenever the container is deleted, you've no easy way to reproduce the setup, except by doing all these manual steps again. That's not really what docker containers are about.
  • You're "just" changing the php installation, which requires a restart of the php daemon or the apache daemon, if you're using apache. As you're not doing that, the php process handling your requests does not know about the new extension, whereas the php cli is perfectly fine showing you the ldap extension.

The solution that will work for your problem is to create your own image, based on the mediawiki:latest docker image. In this you can then add all the required libraries and use this image instead of the base one. Here are the steps you need to do to achieve that:

  1. Create a new directory on your host where you're running docker as well
  2. Create a Dockerfile in this directory on your host: This file is a set of instructions for docker to know how to build the image.
  3. Fill it with these contents:

    # inherit from the official mediawiki image
    FROM mediawiki:latest

    # Install the required libraries for adding the ldap extension for php
    RUN apt-get update && \
        apt-get install -y libldb-dev libldap2-dev && \
        rm -rf /var/lib/apt/lists/*

    RUN docker-php-ext-install ldap

  4. Build the image with docker by navigating into the directory and running this command: `docker build -t mediawiki:local .` The -t creates a tag for the resulting image so that you can use this meaningful name instead of the checksum of the image. You can, however, choose whatever name and tag you want.
  5. Run the container with this new image: `docker run -v /path/to/LocalSettings.php:/var/www/html/LocalSettings.php -p 8080:80 --rm=true -d mediawiki:local`. The command may be different from what you use, the important bit is the new image name, which is mediawiki:local or whatever tag you used in the build step before.

The resulting container has the ldap plugin installed and it can also be used from the php daemon which handles incoming requests.

Some remarks on your subsequent setup: If I understand it correctly, you're also installing extensions in the container itself, by using a shell in the container and downloading the extension. This is also not the best idea, because, as I said already, when you recreate the container (which should always be possible and you shouldn't have to think about that), the extensions are deleted as well. You should inject the extensions directory as a volume to the container and save the extensions on your host's disk. Or, as an alternative, you can install the MediaWiki extension in the Dockerfile where you install the ldap php extension as well.

Florian
  • When i run your command 5. it is working, but i can't specify a name for the container. i tried to add the --name switch to your command string `sudo docker run -v /volume1/docker/mediawiki_volume/LocalSettings.php:/var/www/html/LocalSettings.php -p 8080:80 --rm=true -d mediawiki:local --name mediawiki-mywiki` and i get a new container that doesn't start and disappears after few seconds. – relayman357 Jan 03 '20 at 20:40
  • I also tried just using your string as-is (which gives me a generic-named container) and then doing a `docker rename generic-named mediawiki-mywiki`. The container is created fine but when i do this rename it does not show up as renamed in the Synology Docker window. I try to stop it and i get `Container does not exist.` It looks like Synology's version of Docker is 18.09.0-0506 right now (as of [DSM 6.2.2-24922 Update 4](https://www.synology.com/en-us/releaseNote/DS1513+#ver_24922-4)). I'll just live with the weird named container and keep pressing on. Can't thank you enough Florian! – relayman357 Jan 03 '20 at 20:45
  • Plus, i can't get rid of that generic-named container either (can't do anything with it after rename). Synology bug i guess - i'll report. Edit: For some reason, the new container created as per your 5. is a complete orphan after a rename. I tested with other containers and have similar problem - but for them simply logging out of dsm and back in "refreshes" their name in the list of containers. So, again, i'll just live with the generic name. Submitted bug report to Synology. – relayman357 Jan 03 '20 at 21:28
  • For the name: you need to put in the `--name` option _before_ the image name. The docker run command is defined as: `docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]` which means, that the `--name` command as you used it was an argument for the command run inside of the container. The argument needs to be passed as an option to `docker run`, so just put it before the image name :) – Florian Jan 04 '20 at 11:25
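
The alternative named in the answer's last paragraph, installing the MediaWiki extensions in the same Dockerfile as the PHP ldap extension, could look like the following. This is an added example, not code from the answer; it assumes the three tarballs named in the question were downloaded into the build directory beforehand and that a `mediawiki:1.34` base tag matches the wiki version mentioned in the comments.

```dockerfile
# Added example, not part of the original answer.
# Assumption: the base tag matches the MediaWiki 1.34 mentioned in the comments;
# the answer itself uses mediawiki:latest.
FROM mediawiki:1.34

# Headers and libraries needed to compile the PHP ldap extension
# (same packages as in the answer's Dockerfile).
RUN apt-get update && \
    apt-get install -y libldb-dev libldap2-dev && \
    rm -rf /var/lib/apt/lists/*

# Compile and enable the extension; the helper writes an ini file under
# /usr/local/etc/php/conf.d/, so no hand-edited php.ini is needed.
RUN docker-php-ext-install ldap

# Stop the build here if the extension is not loadable, instead of finding
# out at login time through "Call to undefined function ldap_connect()".
RUN php -m | grep -qx ldap

# Assumption: these tarballs (file names taken from the question) sit next to
# this Dockerfile. ADD unpacks local tar archives into the target directory.
ADD LDAPProvider-master-04dc101.tar.gz        /var/www/html/extensions/
ADD PluggableAuth-REL1_34-17fb1ea.tar.gz      /var/www/html/extensions/
ADD LDAPAuthentication2-master-cb07184.tar.gz /var/www/html/extensions/

# LocalSettings.php holds the LDAP bind password, so it is not copied into the
# image; mount it read-only at run time (--name goes before the image name):
#   docker build -t mediawiki:local .
#   docker run -d --name mediawiki-mywiki -p 8080:80 \
#     -v /path/to/LocalSettings.php:/var/www/html/LocalSettings.php:ro \
#     mediawiki:local
# After the first start, create the extension tables (needs the database):
#   docker exec mediawiki-mywiki php maintenance/update.php
```

Because the bind credentials stay in the mounted LocalSettings.php, the image can be rebuilt or shared without carrying the directory password in any layer.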