Could not authenticate credentials against "LDAP" - MediaWiki


Hoping someone can shine a light for me. The site said don't take this job on as a newb, and I of course totally ignored that suggestion.

I have MediaWiki 1.41.0, PHP 8.3.3 on Windows Server 2016 (I know, it's old), with IIS 10.

I have extensions:

wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPGroups' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'PluggableAuth' );

When using good accounts to authenticate, I'm getting "Could not authenticate credentials against domain "LDAP"".

See below. Do I have too much configured? Not enough? Any suggestion at all would be cool. Thanks to anyone who responds.

LOCALSETTINGS BELOW:

# Safe IP or not (for bypassing external login via AD)
$safeIPs = array('10.0.0.0', '10.255.255.255'); // Replace with your desired range
$ipsVars = array('HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP', 'REMOTE_ADDR');
foreach ($ipsVars as $ipsVar) {
    if (isset($_SERVER[$ipsVar]) && mb_strlen($_SERVER[$ipsVar]) > 3 ) {
        $wikiRequestIP = $_SERVER[$ipsVar];
        break;
    }
}
$wikiRequestSafe = (isset($wikiRequestIP) && (in_array($wikiRequestIP, $safeIPs)));

# Load LDAP Config from JSON
$ldapJsonFile = dirname(__FILE__) . "/extensions/LDAPProvider/ldapprovider.json";
$ldapConfig = false;
if (is_file($ldapJsonFile)) {
    $testJson = @json_decode(file_get_contents($ldapJsonFile), true);
    if (is_array($testJson)) {
        $LDAPProviderDomainConfigs = $testJson;
        $ldapConfig = true;
    } else {
        error_log("Found invalid JSON in file: $ldapJsonFile");
    }
}

# Activate extensions
if ($ldapConfig) {
    wfLoadExtension( 'LDAPProvider' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPAuthorization' );
    wfLoadExtension( 'LDAPGroups' );
    wfLoadExtension( 'LDAPUserInfo' );
    wfLoadExtension( 'PluggableAuth' );

    $LDAPProviderDomainConfigs = $ldapJsonFile;

    $LDAPProviderPreSearchUsernameModifierRegistry = [
        'lowercase' => function () {
            return \MediaWiki\Extension\LDAPProvider\PreSearchUsernameModifier\ToLower::newInstance();
        }
    ];
    $wgLDAPProvider['CacheType'] = 'CACHE_NONE';
    $wgLDAPProvider['CacheTime'] = 3600;

    # LDAPAuthentication2 configuration
    $LDAPAuthentication2AllowLocalLogin = true;
    $LDAPAuthentication2UsernameNormalizer = 'lowercase';
    $wgLDAPAuthentication2['authentication']['usernameattribute'] = 'samaccountName';

    # Configure PluggableAuth settings
    $wgPluggableAuth_EnableAutoLogin = false;
    $wgPluggableAuth_EnableLocalLogin = false;
    $wgPluggableAuth_EnableLocalProperties = false;
    $wgPluggableAuth_EnableFastLogout = true;
    $wgPluggableAuth_Config = [
        "RAA Wiki Login" => [
            'plugin' => 'LDAPAuthentication2',
            'data' => ['domain' => 'LDAP']
        ]
    ];

    $LDAPGroupsSyncMechanismRegistry = [
        'mappedgroups' => 'MediaWiki\\Extension\\LDAPGroups\\SyncMechanism\\MappedGroups::factory'
    ];
}

LDAPPROVIDER.JSON BELOW:

{
    "LDAP": {
        "connection": {
            "server": "ldap-server",
            "port": 389,
            "enctype": "clear",
            "user": "cn=mediawiki,ou=service accounts,dc=acme,dc=org",
            "pass": "pass",
            "options": {
                "LDAP_OPT_DEREF": 1
            },
            "basedn": "dc=acme,dc=org",
            "userbasedn": "ou=users,dc=acme,dc=org",
            "groupbasedn": "ou=groups,dc=acme,dc=org",
            "usersearch": "samaccountname",
            "groupsearch": "$dn",
            "searchattribute": "samaccountname",
            "usernameattribute": "samaccountname",
            "realnameattribute": "cn",
            "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
            "presearchusernamemodifiers": [ "lowercase" ],
            "searchstring": "(samaccountname=%{username})"
        },
        "authorization": {
            "rules": {
                "groups": {
                    "required": [
                        "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
                        "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
                    ]
                }
            }
        },
        "groupsync": {
            "mechanism": "mappedgroups",
            "mapping": {
                "information_technology": "CN=Information Technology,OU=GROUPS,DC=ACME,DC=ORG",
                "human_resources": "CN=Human Resources,OU=GROUPS,DC=ACME,DC=ORG"
            }
        },
        "userinfo": {
            "realname": "samaccountname"
        }
    }
}


Help me, Obi-Wan Kenobi, you're my only hope.

As you can see above, those are my LocalSettings.php and ldapprovider.json (desensitized, of course).

When I run the 4 maintenance scripts (CheckConnection, CheckLogin, ShowUserGroups, ShowUserInfo), I can get them all to run successfully. Yet an actual login doesn't work.

ANY suggestion or help or whatever would be nice. ALSO, is using LDAP or Azure/Entra easier to set up in MediaWiki? Because if it's Entra, I'll blow LDAP up immediately and start over.

EDIT: some of the errors I can pull:

[authentication] Login failed in primary authentication by MediaWiki\Extension\PluggableAuth\PrimaryAuthenticationProvider
[session] SessionBackend "eo7aoj846bqo4lvvtcl8socbpd5rdfr3" data dirty due to dirty(): MediaWiki\SpecialPage\AuthManagerSpecialPage->handleFormSubmit/MediaWiki\SpecialPage\AuthManagerSpecialPage->performAuthenticationStep/MediaWiki\Auth\AuthManager->continueAuthentication/MediaWiki\Session\Session->remove/MediaWiki\Session\SessionBackend->dirty
[session] SessionBackend "eo7aoj846bqo4lvvtcl8socbpd5rdfr3" save: dataDirty=1 metaDirty=0 forcePersist=0


Not sure where else I could pull errors/logs from.
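An added example, not code from the post above or from the MediaWiki LDAP extensions: a hardened version of the "safe IP" block at the top of the posted LocalSettings.php. That snippet reads HTTP_X_FORWARDED_FOR before REMOTE_ADDR, so any client can claim an internal address simply by sending that header, and in_array() against '10.0.0.0' and '10.255.255.255' matches only those two addresses rather than the range between them. The version below believes forwarded headers only when the TCP peer is one of the site's own reverse proxies and matches the resulting client address against a CIDR prefix. The proxy address 192.0.2.10, the 10.0.0.0/8 prefix and the sample requests are constructed placeholders, and the function names (requestIsSafe, clientAddress, ipv4InCidr) are mine, not extension configuration.

```php
<?php
// Added example: a safer "is this request from the internal range?" check
// for LocalSettings.php. Not part of the question's code or of LDAPProvider.
declare(strict_types=1);

/** True if $ip is an IPv4 address inside $cidr (e.g. "10.0.0.0/8"). */
function ipv4InCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int)$bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false;                          // not IPv4 or bad prefix: outside
    }
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/**
 * Work out which address to treat as the client's.
 * $server is the $_SERVER array (passed in so the logic can be exercised
 * with constructed input); $trustedProxies lists the reverse proxies that
 * are allowed to set X-Real-IP / X-Forwarded-For on the client's behalf.
 */
function clientAddress(array $server, array $trustedProxies): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? null;
    if ($peer === null || filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Anyone can send forwarding headers; only a known proxy may speak for the client.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }
    if (!empty($server['HTTP_X_REAL_IP'])) {
        $candidate = trim($server['HTTP_X_REAL_IP']);
        return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
    }
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        // A single trusted proxy appends the peer it saw as the LAST element;
        // anything before it was supplied by the client and is not trustworthy.
        $hops      = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        return filter_var($candidate, FILTER_VALIDATE_IP) === false ? null : $candidate;
    }
    return $peer;
}

/** Replacement for the posted $wikiRequestSafe computation. */
function requestIsSafe(array $server, array $trustedProxies, string $safeCidr): bool
{
    $ip = clientAddress($server, $trustedProxies);
    return $ip !== null && ipv4InCidr($ip, $safeCidr);
}

// Constructed placeholders: the site's reverse proxy and the intended range.
$trustedProxies = ['192.0.2.10'];
$safeCidr       = '10.0.0.0/8';

// Constructed sample requests showing where the original check goes wrong.
$cases = [
    'internal client straight to IIS'            => [['REMOTE_ADDR' => '10.20.30.40'], true],
    'external client sending a forged XFF header' => [['REMOTE_ADDR' => '198.51.100.7',
                                                       'HTTP_X_FORWARDED_FOR' => '10.1.1.1'], false],
    'internal client via our proxy'               => [['REMOTE_ADDR' => '192.0.2.10',
                                                       'HTTP_X_FORWARDED_FOR' => '10.1.1.1'], true],
    'external client via our proxy, forged hop'   => [['REMOTE_ADDR' => '192.0.2.10',
                                                       'HTTP_X_FORWARDED_FOR' => '10.1.1.1, 198.51.100.7'], false],
];
foreach ($cases as $label => [$server, $expected]) {
    $got = requestIsSafe($server, $trustedProxies, $safeCidr);
    printf("%-46s %-8s %s\n", $label, $got ? 'safe' : 'not safe',
        $got === $expected ? 'ok' : 'UNEXPECTED');
}
```

In LocalSettings.php the posted line would become `$wikiRequestSafe = requestIsSafe($_SERVER, $trustedProxies, '10.0.0.0/8');`. The single-proxy rule above takes the last X-Forwarded-For element; behind a chain of several proxies, strip every trusted hop from the right and use the first untrusted one instead. If IIS is reached directly with no proxy in front, leave $trustedProxies empty and the headers are ignored entirely.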
