Then I log on to the wiki and can find the debug messages:

Entering validDomain
User is using a valid domain.
Setting domain as: exchangetest
Entering getCanonicalName
Username isn't empty.
Munged username: Jma
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://137.134.68.117
You really should be using a fully qualified domain name that matches the CN of your AD server's certificate. SSL will fail if the names don't match.
Connected successfully
Entering getSearchString
Doing a proxy bind
Failed to bind as cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local
Failed to bind
Either the password for the proxy user is wrong, or you have an SSL issue. I'd bet it is an SSL issue.
Also, you *really* shouldn't use an admin account as your proxy agent. Make a special account for it, and if possible (after you have everything working), try to limit the user's rights to binding and searching for users; meaning, the user shouldn't be able to log into a desktop/server system.
User DN is blank
Entering strict.
Returning true in strict().
Entering modifyUITemplate
I am not clear why the bind as administrator failed. My environment is an AD server (Windows) and a wiki server (Linux). I checked the log file /var/log/httpd/ssl_error_log on the wiki server and can find these messages:

[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
These are warnings about the certificate on your web server, not on the AD server.
Could the certificate on the AD server cause the binding error?
Yes, and this is likely the case. On your Linux system, put the following into /etc/ldap.conf, and /etc/openldap/ldap.conf (or remove /etc/openldap/ldap.conf, and link that file to /etc/ldap.conf):
TLS_CACERT /etc/pki/tls/certs/ca.crt
TLS_CACERTDIR /etc/pki/tls/certs
Where ca.crt is the CA certificate that signed your AD server's certificate, in PEM format. Notice you can use whatever directory is acceptable for your distro: Red Hat Enterprise Linux (RHEL) 5 uses the above location; RHEL 4 uses /usr/share/ssl/certs. You can also try:
TLS_REQCERT never
to tell your system not to check the validity of the certificate. This is, of course, more insecure, as it can open you up to man-in-the-middle attacks.
V/r,
Ryan Lane
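As an added example (not from this thread or from the MediaWiki LDAP extension), a small Python audit of the client-side settings discussed above: an IP address in the LDAP URI where the certificate's FQDN is expected, TLS_REQCERT never, and a missing CA bundle. The two sample configs and the host name dc1.exchangetest.umtest.local are constructed for illustration.

```python
"""Audit an OpenLDAP client config (ldap.conf) for the TLS pitfalls discussed
above: an IP address where the certificate's FQDN is expected, TLS_REQCERT
never, and no CA bundle. Illustrative code, not from the LDAP extension."""
import ipaddress
import os
from urllib.parse import urlsplit
# Constructed sample configs (not taken from the thread).
WEAK_CONF = """
URI ldaps://137.134.68.117
TLS_REQCERT never
"""
HARDENED_CONF = """
URI ldaps://dc1.exchangetest.umtest.local
TLS_CACERT /etc/pki/tls/certs/ca.crt
TLS_CACERTDIR /etc/pki/tls/certs
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Return {KEY: value} for the non-comment lines; keys are case-insensitive."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_tls(text, check_files=True):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []
    for uri in conf.get("URI", "").split():
        parts = urlsplit(uri)
        if parts.scheme == "ldap":
            findings.append(f"{uri}: plaintext ldap://; use ldaps:// or STARTTLS")
        try:  # an IP literal can never match the CN on the AD certificate
            ipaddress.ip_address(parts.hostname or "")
            findings.append(f"{uri}: host is an IP address, not the certificate's FQDN")
        except ValueError:
            pass
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # OpenLDAP default: demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate not verified (MITM risk)")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: the AD certificate chain cannot be validated")
    elif check_files and "TLS_CACERT" in conf and not os.path.isfile(conf["TLS_CACERT"]):
        findings.append(f"TLS_CACERT {conf['TLS_CACERT']}: file not found")
    return findings
```

Run it against your own /etc/openldap/ldap.conf before relaxing TLS_REQCERT; an empty result means the URI, CA bundle and verification level are consistent with the recommendation above.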