> Then I log on to the wiki and can find the debug messages:
> Entering validDomain
> User is using a valid domain.
> Setting domain as: exchangetest
> Entering getCanonicalName
> Username isn't empty.
> Munged username: Jma
> Entering authenticate
> Entering Connect
> Using SSL
> Using servers: ldaps://137.134.68.117
You really should be using a fully qualified domain name that matches
the CN of your AD server's certificate. SSL will fail if the names don't
match.
> Connected successfully
> Entering getSearchString
> Doing a proxy bind
> Failed to bind as
> cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local
> Failed to bind
Either the password for the proxy user is wrong, or you have an SSL
issue. I'd bet it is an SSL issue.
Also, you *really* shouldn't use an admin account as your proxy agent.
Make a special account for it, and if possible (after you have
everything working), try to limit the user's rights to binding and
searching for users; meaning, the user shouldn't be able to log into a
desktop/server system.
> User DN is blank
> Entering strict.
> Returning true in strict().
> Entering modifyUITemplate
> I am not clear why the bind as administrator failed. My environment is an
> AD server (Windows) and a wiki server (Linux).
> I checked the log file /var/log/httpd/ssl_error_log on the wiki server
> and can find these messages:
> [Sat Jun 13 13:44:41 2015] [warn] RSA server certificate is a
> CA certificate
> (BasicConstraints: CA == TRUE !?)
> [Sat Jun 13 13:44:41 2015] [warn] RSA server certificate
> CommonName (CN) `localhost.localdomain' does NOT match server name!?
These are warnings about the certificate on your web server, not on the
AD server.
> Could the certificate on the AD server cause the binding error?
Yes, and this is likely the case. On your Linux system, put the
following into /etc/ldap.conf, and /etc/openldap/ldap.conf (or remove
/etc/openldap/ldap.conf, and link that file to /etc/ldap.conf):
TLS_CACERT /etc/pki/tls/certs/ca.crt
TLS_CACERTDIR /etc/pki/tls/certs
Where ca.crt is the CA certificate that signed your AD server's
certificate, in PEM format. Notice you can use whatever directory is
acceptable for your distro: Red Hat Enterprise Linux (RHEL) 5 uses the
above location, RHEL 4 uses /usr/share/ssl/certs. You can also try:
TLS_REQCERT never
to tell your system not to check the validity of the certificate. This
is, of course, more insecure as it can open you up to man-in-the-middle
attacks.
V/r,
Ryan Lane
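As an added illustration of the advice in this thread (not code from the thread or from the LDAP extension), here is a small Python linter that reads an OpenLDAP client ldap.conf and reports the conditions discussed above: TLS_REQCERT never, a missing TLS_CACERT/TLS_CACERTDIR for an AD certificate issued by a private CA, and an ldaps:// URI that uses an IP address instead of the FQDN carried in the certificate's CN. The sample configurations are constructed; the hostname dc1.exchangetest.umtest.local is an assumed name.

```python
import ipaddress
import os
from urllib.parse import urlsplit

# Constructed sample configs; the IP, base DN and RHEL 5 paths echo the thread,
# the FQDN dc1.exchangetest.umtest.local is an assumed name.
WEAK_CONF = """\
URI ldaps://137.134.68.117
BASE dc=exchangetest,dc=umtest,dc=local
TLS_REQCERT never
"""
FIXED_CONF = """\
URI ldaps://dc1.exchangetest.umtest.local
BASE dc=exchangetest,dc=umtest,dc=local
TLS_CACERT /etc/pki/tls/certs/ca.crt
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Map upper-cased directive -> value; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit_ldap_conf(text, check_files=True):
    """Return findings explaining why an ldaps:// proxy bind may fail or be unsafe."""
    conf = parse_ldap_conf(text)
    findings = []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()  # OpenLDAP default is demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate not verified (MITM risk)")
    uses_tls = False
    for uri in conf.get("URI", "").split():
        parts = urlsplit(uri)
        if parts.scheme != "ldaps":
            continue
        uses_tls = True
        try:
            ipaddress.ip_address(parts.hostname or "")
        except ValueError:
            continue  # a hostname, which is what the certificate CN/SAN should carry
        findings.append(f"URI {uri}: IP literal will not match the certificate CN; use the FQDN")
    if uses_tls and reqcert not in ("never", "allow"):
        cacert = conf.get("TLS_CACERT")
        if not cacert and not conf.get("TLS_CACERTDIR"):
            findings.append("no TLS_CACERT/TLS_CACERTDIR: a private AD CA cert cannot be verified")
        elif cacert and check_files and not os.path.isfile(cacert):
            findings.append(f"TLS_CACERT {cacert}: file not found")
    return findings
```

Running audit_ldap_conf(WEAK_CONF) reports both the unverified certificate and the IP-literal URI, while FIXED_CONF is clean once /etc/pki/tls/certs/ca.crt is in place.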