广告组授权-用户未授权

Question

使用great help，我似乎在本地Windows域(abc.local)的内部wiki (运行在Debian10VM上)上部署了LDAP。我希望所有域用户都能够编辑维基。当我尝试使用测试帐户(rjsmith)登录维基时，我得到的是User rjsmith not authorized.。如果我故意为rjsmith输入错误的pwd，我会得到Could not authenticate credentials against domain "abc.local"。

下面是我的LocalSettings.php中的LDAP内联函数：

$LDAPProviderDomainConfigProvider = function()
{
        $config =
        [
        "abc.local" =>
                [
                "connection" =>
                        [
                        "server" => "5.5.5.5",
                        "user" => "Administrator@abc.local",
                        "pass" => "password",
                        "basedn" => "dc=abc,dc=local",
                        "groupbasedn" => "dc=abc,dc=local",
                        "userbasedn" => "dc=abc,dc=local",
                        "searchattribute" => "samaccountname",
                        "searchstring" => "USER-NAME@abc.local",
                        "usernameattribute" => "samaccountname",
                        "realnameattribute" => "cn",
                        "emailattribute" => "mail",
                        "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
                        ],
                        "authorization" =>
                        [
                                "rules" =>
                                [
                                "groups" =>
                                        [
                                        "required" => [ "cn=Users,dc=abc,dc=local" ]
                                        ]
                                ]
                        ],
                        "userinfo" =>
                        [
                                "email" => "mail",
                                "realname" => "cn",
                                "properties.gender" => "gender"
                        ]
                ]
        ];
        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};

我需要什么才能让Domain Users组中的任何域用户(abc.local/Users)都可以访问wiki？

谢谢，拉斯

Answer 1

是!即使是盲目的松鼠也会偶尔发现坚果！让它工作了！

经过多次尝试和错误，我最终只需要将"groups“部分更改为简单的"group" => "Users"。如果我想进一步限制它，我可以创建一个新的域组WikiUsers，并将选定的用户放入其中。然后我需要在下面设置"group" => "WikiUsers"。但是，我希望任何本地域用户有访问，所以我有下面的是完美的。

此外，我还对上面问题中显示的配置做了另一个更改。我创建了一个除了登录(readonly@abc.local)之外没有其他权限的常规域用户，因此我不必使用管理员帐户在明文中发送密码。

$LDAPProviderDomainConfigProvider = function()
{
        $config =
        [
        "abc.local" =>
                [
                "connection" =>
                        [
                        "server" => "5.5.5.5",
                        "user" => "readonly@abc.local",
                        "pass" => "password",
                        "basedn" => "dc=abc,dc=local",
                        "groupbasedn" => "dc=abc,dc=local",
                        "userbasedn" => "dc=abc,dc=local",
                        "searchattribute" => "samaccountname",
                        "searchstring" => "USER-NAME@abc.local",
                        "usernameattribute" => "samaccountname",
                        "realnameattribute" => "cn",
                        "emailattribute" => "mail",
                        "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::fa$
                        ],
                        "authorization" =>
                        [
                                "rules" =>
                                [
                                "group" => "Users",
                                ]
                        ],
                        "userinfo" =>
                        [
                                "email" => "mail",
                                "realname" => "cn",
                                "properties.gender" => "gender"
                        ]
                ]
        ];

        return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};