I am using Mediawiki 1.12 on a Linux Debian system. I
have installed the
LDAP_Authentication extension for mediawiki version 1.12 [1]. The good news
is that I am able to connect and log into mediawiki using our company's
Active Directory server authentication with the following settings in
LocalSettings.php:
$wgLDAPEncryptionType = array( "mycompany.net" => "clear" );
However, the bad news is that if I try to use the TLS encryption method like
this:
$wgLDAPEncryptionType = array( "mycompany.net" => "tls" );
I get the following debug messages:
**************************************************************************************
Entering validDomain
User is using a valid domain.
Setting domain as:
mycompany.net
Entering getCanonicalName
Username isn't empty.
Munged username: JohnS
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers:
ldap://ad1.mycompany.net
Using TLS
Warning:ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS:
Decoding error in
/var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on
line 197
Failed to start TLS.Failed to connect
Entering strict.
Returning true in strict().
Entering modifyUITemplate
**************************************************************************************
with mediawiki login page saying "Login error: Incorrect password entered.
Please try again."
How can I check if my Active Directory server uses TLS method? Is the
problem with the Active Directory or in my setup of the LDAP_Authentication
extension?
Thanks
I haven't tested recently with a version of MediaWiki that is this
old, but I doubt that is the problem.
First, I'm not sure if the default configuration of AD supports TLS.
I've never had luck with it. Try SSL (ldaps) instead:
$wgLDAPEncryptionType = array( "mycompany.net" => "ssl" );
Note that your AD server may also not support ldaps either, if the
server doesn't have an SSL certificate installed. This is fairly easy
to test using openssl:
openssl s_client -connect <yourservername>:636
After running the above command, you should get back a bunch of text,
including the server's CA certificate. If you are connected, and no
other text is returned, the problem is on the AD side.
If you do have an SSL certificate installed on the AD server, and
ldaps isn't working with the plugin, it is likely a certificate trust
issue. I have documentation for fixing this in the requirements
section:
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Ce…
Sorry about not responding sooner. I got busy and forgot about the
post (I even had it starred and everything ;) ).
Respectfully,
Ryan Lane
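A scripted version of the openssl check from the reply above, as an added example that is not part of the original thread: it probes both LDAPS on 636 (the "ssl" setting) and StartTLS on 389 (the "tls" setting) and classifies the s_client output. The hostname is a placeholder, the sample outputs are constructed, and `-starttls ldap` assumes OpenSSL 1.1.1 or newer.

```shell
# Added example, not from the original thread: probe an AD server for LDAPS
# (port 636) and StartTLS (port 389) as the reply suggests, and classify the
# openssl s_client output. Hostnames are placeholders.

# Read s_client output from stdin and print one of:
#   cert_trusted   - certificate returned and chain verifies locally
#   cert_untrusted - certificate returned but not trusted (the trust issue
#                    the reply mentions; plugin will still fail)
#   no_cert        - TCP connected, no certificate (no cert on AD side)
#   refused        - no TCP connection (port closed, firewall, wrong host)
classify_tls_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
            echo cert_trusted
        else
            echo cert_untrusted
        fi
    elif printf '%s\n' "$out" | grep -q '^CONNECTED('; then
        echo no_cert
    else
        echo refused
    fi
}

# LDAPS: implicit TLS on 636 (the extension's "ssl" setting).
probe_ldaps() {
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>&1 | classify_tls_output
}

# StartTLS on 389 (the extension's "tls" setting); needs OpenSSL 1.1.1+.
probe_starttls() {
    openssl s_client -connect "$1:389" -starttls ldap </dev/null 2>&1 | classify_tls_output
}

# Constructed sample outputs, standing in for real s_client runs.
SAMPLE_CERT='CONNECTED(00000003)
-----BEGIN CERTIFICATE-----
MIIC...constructed placeholder...
-----END CERTIFICATE-----
Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_NOCERT='CONNECTED(00000003)
write:errno=104'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'

# Stand-alone demo over the constructed samples.
for s in "$SAMPLE_CERT" "$SAMPLE_NOCERT" "$SAMPLE_REFUSED"; do
    printf '%s\n' "$s" | classify_tls_output
done
```

Against a real server, call `probe_ldaps ad1.mycompany.net` and `probe_starttls ad1.mycompany.net`; `no_cert` on both ports points at the AD side, `cert_untrusted` at the trust setup described in the requirements page.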