Ryan, a co-worker who had problems with a different box trying to authenticate via this AD server also pointed out to me that the new certificate from the AD server does not have the fully-qualified domain name in it.
I used the x509 command to get info on the certificates. On the old one I see:
Subject: CN=chaent3b.main.foo.com [name has been changed]
On the new one I see:
Subject: DC=com, DC=foo, DC=main, OU=Domain Controllers, CN=CHAENT3B
He also suggested I might just want to turn off SSL encryption for authentication. I tried commenting out the line that specifies ssl but got errors from TLS with that configuration.
If the right thing to do is to go up to the CA Cert, which PEM do I specify? I can use x509 to find the correct one probably, but not sure that certificate hasn't changed either since it was first loaded on my host.
The two certificates I have looked at so far with x509 (the AD server pem from a year ago and the one changed 2 days ago) have different CA Issuers listed:
OLD: RI:http://foochaeca.foo.com/CertEnroll/longxxx.crt
NEW: URI:http://multi.foo.com/ca/xxx.crt
Thanks much for your help. I'm so confused right now that my head is spinning! - Beth
-----Original Message-----
From: Russell, Elizabeth
Sent: Wednesday, March 26, 2008 10:44 AM
To: 'MediaWiki announcements and site admin list'
Subject: RE: [Mediawiki-l] LDAP-Error: Can't contact LDAP server
My predecessor had commented out the TLS_CACERT line:
#TLS_CACERT /usr/share/ssl/certs/tva_ad.pem
TLS_CACERTDIR /usr/share/ssl/certs
I think he had also converted the AD server's certificate to PEM format, since I see about 5 .pem files in the ./certs directory
I should add.... We are authenticating via Active Directory server, and I am on Linux.
I've tried taking the certificate I downloaded from the AD server named in LocalSettings.php and just renaming as .pem, but I get the same errors.
Will the TLS_CACERT work with Active Directory configuration?
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Lane, Ryan
Sent: Wednesday, March 26, 2008 10:29 AM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] LDAP-Error: Can't contact LDAP server
The LDAP server where we are doing our authentication had to change its certificate, and now when a user attempts to login for edit purposes they get "Login error: Incorrect password entered. Please try again."
You should trust the CA certificate, not the server certificate; if you do so, you won't have this problem next time.
If you are on a Linux system, the file you need to modify is going to be /etc/openldap/ldap.conf. You need to add the following options:
TLS_CACERT <path to the CA certificate that signed your server certificate>
TLS_CACERTDIR <same as above, minus the filename>
I believe the ca cert file needs to be in PEM format (base64). If the CA certificate is in DER format for some reason (unlikely), you can convert to PEM with openssl:
openssl x509 -inform DER -outform PEM -in cacertinderformat.cer -out cacertinpemformat.cer
You can check the certificate information as well:
openssl x509 -noout -text -in cacert.cer
V/r,
Ryan Lane
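The checks behind the advice above, as an added example that is not code from the thread or from MediaWiki: the script builds a throwaway CA and two server certificates in a temp directory (one carrying the FQDN, one carrying only a short host name like the CN=CHAENT3B case), then verifies that each chains to the CA file TLS_CACERT would point at and that it actually names the host the client connects to. It also wraps the DER-to-PEM conversion and a fingerprint comparison so you can confirm that a converted file, or the file on disk, is the same certificate the CA publishes. The CA name, host names and paths are all constructed for the example; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Builds a throwaway CA
# and two server certificates in a temp dir, then runs the checks an admin
# would want before pointing ldap.conf's TLS_CACERT at a file. All names
# (Example Test CA, chaent3b.main.foo.com, CHAENT3B) are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed CA: this is the file TLS_CACERT should point at, not the
# server's own certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Server certificate signed by the CA. $1 is the name placed in the CN and
# in subjectAltName; $2 is the output file prefix.
make_server_cert() {
  name="$1"; prefix="$2"
  printf 'subjectAltName=DNS:%s\n' "$name" > "$WORK/$prefix.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/$prefix.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$prefix.ext" -out "$WORK/$prefix.pem" >/dev/null 2>&1
}

# Chain check only: does certificate $2 chain to the CA in $1? This is what
# the LDAP client does with TLS_CACERT. Returns 0 on success.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain plus hostname check: does $2 also name the host $3 the client connects
# to? A certificate naming only a short host (CN=CHAENT3B) fails for the FQDN,
# which is the mismatch described earlier in the thread.
hostname_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# DER-to-PEM conversion, the same openssl invocation as in the reply above.
der_to_pem() {
  openssl x509 -inform DER -outform PEM -in "$1" -out "$2"
}

# SHA-256 fingerprint, so two files (DER and its PEM conversion, or the copy on
# disk and the one the CA publishes) can be compared for identity.
fingerprint() {
  openssl x509 -noout -sha256 -fingerprint -in "$1" | cut -d= -f2
}

demo() {
  make_ca
  make_server_cert chaent3b.main.foo.com good
  make_server_cert CHAENT3B short
  for c in good short; do
    printf '%s: ' "$c"; openssl x509 -noout -subject -in "$WORK/$c.pem"
    if hostname_ok "$WORK/ca.pem" "$WORK/$c.pem" chaent3b.main.foo.com; then
      echo "  verifies for chaent3b.main.foo.com"
    else
      echo "  chain or hostname check FAILED for chaent3b.main.foo.com"
    fi
  done
}

# Run with RUN_DEMO=1 to print the subject and verification result for both
# certificates.
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Running it with RUN_DEMO=1 shows the FQDN certificate passing and the short-name certificate failing the hostname check even though both chain to the same CA, which is the difference between the two symptoms in the thread: a wrong or missing TLS_CACERT breaks the chain, while a certificate without the FQDN breaks the name match.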
_______________________________________________ MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l