Ryan,
Thanks again for your response. The $wgLDAPUseSSL = false line is in the wiki within the User Provided Examples. http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Ex...
I'm using 1.1d, though I thought I downloaded 1.1e.
Because we aren't sure whether we can have the wiki be able to trust the certificate, we are trying this unsecure. The security isn't crucial since we'll secure the login page and both AD and the wiki server will be on the same very protected subnet. But ideally, we'd like to secure everything.
So I finally got it to work unsecurely! I had the two ou= sections reversed accidentally. Here is the final configuration that I got to work:
## This is the LDAP method
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "LehighLDAP" );
$wgLDAPServerNames = array( "LehighLDAP"=>"ad.lehigh.edu" );
$wgLDAPSearchStrings = array( "LehighLDAP"=>"cn=USER-NAME,ou=ir,ou=f-s,dc=ad,dc=lehigh,dc=edu" );
$wgLDAPEncryptionType = array( "LehighLDAP"=>"clear" );
$wgMinimalPasswordLength = 1;
As a test, I changed the $wgLDAPEncryptionType to ssl and it bombed. What can I do to get the wiki software to trust the certificate of the AD server?
Tim
Tim McGeary '99, '06G Senior Systems Specialist Lehigh University 610-758-4998 tim.mcgeary@lehigh.edu
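Added example (not part of the original thread, and not code from the LDAP Authentication extension): a Python check for the mistake described in the message above, where the bind DN had its two ou= components in the wrong order. It compares the DN from a "Failed to bind as" debug line with the DN built from the working search string; the function names are hypothetical, and case-insensitive matching of RDN values is an assumption.

```python
def split_dn(dn):
    # Split a DN into normalized RDNs, leftmost (most specific) first.
    # A backslash escapes the next character, so an escaped comma stays in its RDN.
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]  # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    norm = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        # Assumption: values use case-insensitive matching (typical for cn/ou/dc).
        norm.append(attr.strip().lower() + "=" + value.strip().lower())
    return norm

def failed_bind_dns(log_text):
    # DNs from "Failed to bind as <dn>" lines of the extension's debug log.
    marker = "Failed to bind as "
    return [line.split(marker, 1)[1].strip()
            for line in log_text.splitlines() if marker in line]

def compare_dns(attempted, known_good):
    a, g = split_dn(attempted), split_dn(known_good)
    if a == g:
        return "match"
    if sorted(a) == sorted(g):
        return "rdn-order"  # same components, wrong position in the tree
    return "different"

# Constructed sample: debug lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Doing a straight bind
userdn is: cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Binding as the user
Failed to bind as cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
"""
# Search string from the working configuration with USER-NAME filled in.
WORKING = "cn=USER-NAME,ou=ir,ou=f-s,dc=ad,dc=lehigh,dc=edu".replace("USER-NAME", "tmm8")
if __name__ == "__main__":
    for dn in failed_bind_dns(SAMPLE_LOG):
        print(dn, "->", compare_dns(dn, WORKING))
```

A result of "rdn-order" means every component is present but the path through the directory tree differs, so the server treats it as a different entry and the bind fails.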
Lane, Ryan wrote:
$wgLDAPUseSSL = false;
$wgLDAPEncryptionType = array( "LehighLDAP"=>"" );
These are not correct. I have no idea where everyone keeps getting "$wgLDAPUseSSL = false;" from, that hasn't been a config option in over a year :). If you don't want to use encryption, use:
$wgLDAPEncryptionType = array( "LehighLDAP"=>"clear" );
See: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication#Domain.2C_server_and_connection_configuration_options for more information on encryption.
However, notice that AD, by default, is configured to require encryption when binding to the server. Unless your admin specifically turned that off, you may need to use encryption (either TLS, or SSL). You'll need to ensure the AD server has an SSL certificate installed that is signed by a CA your server trusts.
Also, are you using an older version of the plugin? I coulda swore the plugin fails when TLS doesn't start properly. I can't find it in the changelog, so I can't tell you the exact version I fixed that in...
V/r,
Ryan Lane
I'm trying to create a Mediawiki account, because my username isn't in the DB, yet. So when I fill out the username, password, pw-confirm, and real name, the result of the log output is the following:
Entering validDomain
User is using a valid domain.
Setting domain as: LehighLDAP
Entering validDomain
User is using a valid domain.
Entering userExists
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad.lehigh.edu
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Binding as the user
Failed to bind as cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Entering modifyUITemplate
I'm definitely using the correct password, and I've confirmed with the AD admin that cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu is the correct information. What am I missing?
Thanks, Tim
Tim McGeary '99, '06G Senior Systems Specialist Lehigh University 610-758-4998 tim.mcgeary@lehigh.edu
Lane, Ryan wrote:
That error comes from MediaWiki, not the plugin.
Set:
$wgLDAPDebug = 3;
V/r,
Ryan Lane
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Tim McGeary
Sent: Monday, July 09, 2007 1:20 PM
To: mediawiki-l@lists.wikimedia.org
Subject: [Mediawiki-l] difficulty configuring LDAP extension
Hi all,
I've been trying to configure the LDAP Extension and during my testing, I am getting an error within Mediawiki that says:
"Login error: Incorrect password entered. Please try again."
The problem I am having is that there is no such error in the LDAP extension code and no error logs being produced, so I have no clue what part of my configuration is wrong. Am I not finding the ldap server, am I not connecting, am I not binding, am I failing in a search for the user?
Anyone know how I can find out what the real error is?
Thanks, Tim McGeary
-- Tim McGeary '99, '06G Senior Systems Specialist Lehigh University 610-758-4998 tim.mcgeary@lehigh.edu
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l