New stable authad plugin is broken #1616

Closed
urusha opened this Issue Jun 27, 2016 · 11 comments

urusha commented Jun 27, 2016

After updating to 2016-06-26 "Elenor of Tsort" I have such errors in the log:

PHP Fatal error: Call to protected method adLDAPUtils::ldapSlashes() from context 'adLDAPGroups' in lib/plugins/authad/adLDAP/classes/adLDAPGroups.php on line 423

A workaround attached
patch.txt

themysteq commented Jun 27, 2016

Same error here. Used autoupdate feature.

php-fpm -v
PHP 5.6.22 (fpm-fcgi) (built: May 26 2016 15:37:05)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies

patch worked for me. Thanks very much for fast fix :)

barrydegraaff commented Jun 27, 2016

Yes, I have this problem too, after upgrading to 2016-06-26 "Elenor of Tsort", I can no longer log on and receive a password/username is incorrect message when trying to log-on.

I have been using this configuration with admin upgrade module for a few years, and haven't had this problem before.

Did something change in the Auth Ad??

barrydegraaff commented Jun 27, 2016

Also the suggested patch above does not work for me, also I use AD groups, so that may have to do with it as well. Putting an older version of AuthAD back, also does not work.

splitbrain added a commit that referenced this issue Jun 27, 2016

make adLDAP function public again. #1616
It seems some update of the adLDAP library made a crucial function
protected, thus breaking the authad plugin.

This just makes the function public again, which should fix the
immediate problem. A proper fix would need to do #1553 as well

Collaborator

Klap-in commented Jun 27, 2016

public to protected was by this PR: #1552
I think I copied too much from a new version.

bug added this to the Elenor of Tsort - stable release milestone Jun 30, 2016

Collaborator

bug commented Jun 30, 2016

I'll roll out a hotfix with that fix included.
@splitbrain can you merge it?

Thank you all

Collaborator

bug commented Jun 30, 2016

Closing as the fix is in.

bug closed this Jun 30, 2016

Owner

splitbrain commented Jun 30, 2016

@bug yeah. there's another report regarding problems with AD I want to have a look at tonight or tomorrow. I'll let you know when we're good to hotfix release.

barrydegraaff commented Jul 1, 2016

I looked into why my config no longer worked after upgrading, and apparently removing the $conf['plugin']['authad'] from the config file local.php and re-adding them using the configuration manager works.

We used to have stuff like:
$conf['plugin']['authad']['debug'] = '1';
and that is now saved as:
$conf['plugin']['authad']['debug'] = 1;

Also for some reason I have trouble logging on with the bind user, but only sometimes, since I don't really need it (I think, I just removed it from the config)
$conf['plugin']['authad']['admin_username'] ....

Then the patch above works for me.

zeroluck commented Jul 5, 2016

I just updated today and it broke my working config. This instance was set up about 3 years ago and the configuration I had survived all the updates since then until Elenor of Tsort. To resolve I went back through the authad plugin documentation and reconfigured the parameters in local.protected.php from scratch. I'm not sure what I changed but it works now.

Collaborator

Klap-in commented Jul 5, 2016

I guess that this could be due to the removal of support for the old format of config for the auth plugins...
But without more clue about what is now different in your config, this is just a guess...
(do you have at the bottom of your Configuration Manager some not normal defined config options?)

zeroluck commented Jul 6, 2016

old local.protected.php:

<?php
  // general DokuWiki options
  $conf['useacl']            = 1;
  $conf['disableactions']    = 'register,resendpwd';
  $conf['authtype']            = 'authad';

  // configure your Active Directory data here
  $conf['auth']['ad']['account_suffix']        = '@ad.domain.name';
  $conf['auth']['ad']['base_dn']            = 'DC=ad,DC=domain,DC=name';
  $conf['auth']['ad']['domain_controllers']    = 'dc.domain.name';

  // Enable SSO
  $conf['auth']['ad']['sso']                = 1;
  $conf['auth']['ad']['ad_username']        = 'wikibind';
//user account with permission to perform AD lookups
  $conf['auth']['ad']['ad_password']        = 'password';

  $conf['auth']['ad']['real_primarygroup']    = 1;
  $conf['auth']['ad']['use_ssl']            = 1;
  $conf['auth']['ad']['use_tls']            = 1;

  $conf['auth']['ad']['recursive_groups']    = 1;
  $conf['auth']['ad']['additional']            = 'department,office'; // additional attributes to fetch

  $conf['auth']['ad']['groupfilter']        = '(&(cn=*)(Member=%{dn})(objectClass=group))'; # find groups for current user(dn)

  // Admin
  $conf['manager']                            = '@it_group_all';
  $conf['superuser']                         = '@domain_admins,@wiki_admins,admin';

  // Debug
  $conf['auth']['ad']['debug']                = 1;
  $conf['auth']['ad']['userinfo_debug']        = 1;

New local.protected.php

<?php
  // general DokuWiki options
  $conf['useacl']         = 1;
  $conf['authtype']       = 'authad';

  // configure your Active Directory data here
  $conf['plugin']['authad']['account_suffix']     = '@ad.domain.name';
  $conf['plugin']['authad']['base_dn']            = 'DC=ad,DC=domain,DC=name';
  $conf['plugin']['authad']['domain_controllers'] = 'dc.domain.name'; //multiple can be given

  $conf['plugin']['authad']['admin_username']        = 'wikibind';
  $conf['plugin']['authad']['admin_password']        = 'password';
  $conf['plugin']['authad']['sso']                = 1;
  $conf['plugin']['authad']['real_primarygroup']  = 1;
  $conf['plugin']['authad']['use_tls']            = 1; // Only one of them.
  $conf['plugin']['authad']['debug']              = 1;
  $conf['plugin']['authad']['recursive_groups']   = 1; // If number of groups in AD is large switching to 0 will improve performance, but indirect membership will not work
  $conf['plugin']['authad']['additional']         = 'department,office'; // additional attributes to fetch
  // warn user about expiring password this many days in advance (in version 2012-03-10 and higher):

  $conf['manager']                            = '@it_group_all';
  $conf['superuser']                         = '@domain_admins,@wiki_admins,admin';
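
Added example, not part of the thread and not DokuWiki code: a small PHP 7+ check for the differences visible between the two files above (settings left under $conf['auth']['ad'], the ad_username/ad_password renames, use_ssl set together with use_tls, and numeric strings such as '1'). The function name, the finding wording and the sample array are assumptions constructed for illustration.

```php
<?php
// Added example, not DokuWiki code. Requires PHP 7 or later.

/**
 * Compare the old $conf['auth']['ad'] layout with $conf['plugin']['authad']
 * and return a list of human-readable findings.
 */
function audit_authad_conf(array $conf): array
{
    // Renames visible when comparing the old and new local.protected.php.
    $renamed = ['ad_username' => 'admin_username', 'ad_password' => 'admin_password'];
    $old = $conf['auth']['ad'] ?? [];
    $new = $conf['plugin']['authad'] ?? [];
    $findings = [];

    // Old-layout keys that were never carried over to the plugin namespace.
    foreach (array_keys($old) as $key) {
        $target = $renamed[$key] ?? $key;
        if (!array_key_exists($target, $new)) {
            $findings[] = sprintf("auth/ad '%s' has no plugin/authad '%s' counterpart", $key, $target);
        }
    }
    // The new file's comment says to enable only one of use_ssl / use_tls.
    foreach (['auth/ad' => $old, 'plugin/authad' => $new] as $label => $block) {
        if (!empty($block['use_ssl']) && !empty($block['use_tls'])) {
            $findings[] = "$label sets both use_ssl and use_tls";
        }
    }
    // The thread reports the configuration manager now saves 1 rather than '1'.
    foreach ($new as $key => $value) {
        if (is_string($value) && ctype_digit($value)) {
            $findings[] = sprintf("plugin/authad '%s' is the string '%s', not an integer", $key, $value);
        }
    }
    return $findings;
}

// Constructed sample: an old-layout block left beside a partly migrated new one.
$conf = [
    'auth'   => ['ad' => ['account_suffix' => '@ad.domain.name', 'ad_username' => 'wikibind',
                          'use_ssl' => 1, 'use_tls' => 1]],
    'plugin' => ['authad' => ['account_suffix' => '@ad.domain.name', 'debug' => '1']],
];
foreach (audit_authad_conf($conf) as $finding) {
    echo $finding, PHP_EOL;
}
```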