Re: [Mediawiki-l] difficulty configuring LDAP extension

10 Jul 2007

Ryan,

Thanks again for your response.  The $wgLDAPUseSSL = false line is in 
the wiki within the User Provided Examples.
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_E…

I'm using 1.1d, though I thought I downloaded 1.1e.

Because we aren't sure whether we can have the wiki be able to trust the 
certificate, we are trying this unsecure.  The security isn't crucial 
since we'll secure the login page and both AD and the wiki server will 
be on the same very protected subnet.  But ideally, we'd like to secure 
everything.

So I finally got it to work unsecurely!  I had the two ou= sections 
reversed accidentally.  Here is the final configuration that I got to work:

## This is the LDAP method
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "LehighLDAP" );
$wgLDAPServerNames = array( "LehighLDAP"=>"ad.lehigh.edu"  );
$wgLDAPSearchStrings = array( 
"LehighLDAP"=>"cn=USER-NAME,ou=ir,ou=f-s,dc=ad,dc=lehigh,dc=edu" 
);
$wgLDAPEncryptionType = array( "LehighLDAP"=>"clear" );
$wgMinimalPasswordLength = 1;

As a test, I changed the $wgLDAPEncryptionType to ssl and it bombed. 
What can I do to get the wiki software to trust the certificate of the 
AD server?

Tim

Tim McGeary '99, '06G
Senior Systems Specialist
Lehigh University
610-758-4998
tim.mcgeary(a)lehigh.edu

Lane, Ryan wrote:
...
   $wgLDAPUseSSL
= false;
 $wgLDAPEncryptionType = array( "LehighLDAP"=>"" );  
 These are not correct. I have no idea where everyone keeps getting
 "$wgLDAPUseSSL = false;" from, that hasn't been a config option in over
 a year :). If you don't want to use encryption, use:

 	$wgLDAPEncryptionType = array( "LehighLDAP"=>"clear" );

 See:
 http://www.mediawiki.org/wiki/Extension:LDAP_Authentication#Domain.2C_se
 rver_and_connection_configuration_options for more information on
 encryption.

 However, notice that AD, by default, is configured to require encryption
 when binding to the server. Unless your admin specifically turned that
 off, you may need to use encryption (either TLS, or SSL). You'll need to
 ensure the AD server has an SSL certificate installed that is signed by
 a CA your server trusts.

 Also, are you using an older version of the plugin? I coulda swore the
 plugin fails when TLS doesn't start properly. I can't find it in the
 changelog, so I can't tell you the exact version I fixed that in...

 V/r,

 Ryan Lane

  I'm trying to create a Mediawiki account,
because my username 
 isn't in the DB, yet.  So when I fill out the username, 
 password, pw-confirm, and real name, the result of the log 
 output is the following:

 Entering validDomain
 User is using a valid domain.
 Setting domain as: LehighLDAP
 Entering validDomain
 User is using a valid domain.
 Entering userExists
 Entering authenticate
 Entering Connect
 Using TLS or not using encryption.
 Using servers: ldap://ad.lehigh.edu
 Connected successfully
 Entering getSearchString
 Doing a straight bind
 userdn is: cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
 Binding as the user
 Failed to bind as cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
 Entering modifyUITemplate

 I'm definitely using the correct password, and I've confirm 
 with the AD admin that 
 cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu is the correct 
 information.  What am I missing?

 Thanks,
 Tim

 Tim McGeary '99, '06G
 Senior Systems Specialist
 Lehigh University
 610-758-4998
 tim.mcgeary(a)lehigh.edu

 Lane, Ryan wrote:
  That error comes from MediaWiki, not the plugin.

 Set:

 	$wgLDAPDebug = 3;

 V/r,

 Ryan Lane

  -----Original Message-----
 From: mediawiki-l-bounces(a)lists.wikimedia.org
 [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Tim 
 McGeary
 Sent: Monday, July 09, 2007 1:20 PM
 To: mediawiki-l(a)lists.wikimedia.org
 Subject: [Mediawiki-l] difficulty configuring LDAP extension

 Hi all,

 I've been trying to configure the LDAP Extension and during my 
 testing, I am getting an error within Mediawiki that says:

 "Login error: Incorrect password entered. Please try again."

 The problem I am having is that there is no such error in the LDAP 
 extension code and no error logs being produced, so I have no clue 
 what part of my configuration is wrong.  Am I not finding the ldap 
 server, am I not connecting, am I not binding, am I failing in a 
 search for the user?

 Anyone know how I can find out what the real error is?

 Thanks,
 Tim McGeary

 --
 Tim McGeary '99, '06G
 Senior Systems Specialist
 Lehigh University
 610-758-4998
 tim.mcgeary(a)lehigh.edu

 _______________________________________________
 MediaWiki-l mailing list
 MediaWiki-l(a)lists.wikimedia.org
 http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
  _______________________________________________
 MediaWiki-l mailing list
 MediaWiki-l(a)lists.wikimedia.org
 http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
  _______________________________________________
 MediaWiki-l mailing list
 MediaWiki-l(a)lists.wikimedia.org
 http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

Re: [Mediawiki-l] difficulty configuring LDAP extension