Hi, Ryan Lane
Thanks for your reply. I changed my configuration to follow your directions, as below:

    $wgGroupPermissions['*']['createaccount'] = false;
    $wgGroupPermissions['user']['createaccount'] = false;
    $wgGroupPermissions['*']['read'] = true;
    $wgGroupPermissions['*']['edit'] = false;

    require_once("extensions/LdapAuthentication.php");
    $wgAuth = new LdapAuthenticationPlugin();
    $wgLDAPDomainNames = array( "exchangetest" );
    $wgLDAPServerNames = array( "exchangetest"=>"exchangetest.exchangetest.umtest.local" );
    $wgLDAPProxyAgent = array("exchangetest"=>"cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local");
    $wgLDAPProxyAgentPassword = array("exchangetest"=>"Password");
    // domain key must match the entry in $wgLDAPDomainNames exactly
    $wgLDAPSearchAttributes = array("exchangetest"=>"sAMAccountName");
    $wgLDAPBaseDNs = array("exchangetest"=>"dc=exchangetest,dc=umtest,dc=local");
    $wgLDAPEncryptionType = array("exchangetest"=>"ssl");
    $wgMinimalPasswordLength = 1;
    $wgLDAPDebug = 3;
Then I log on to the wiki and can see these debug messages:

    Entering validDomain
    User is using a valid domain.
    Setting domain as: exchangetest
    Entering getCanonicalName
    Username isn't empty.
    Munged username: Jma
    Entering authenticate
    Entering Connect
    Using SSL
    Using servers: ldaps://137.134.68.117
    Connected successfully
    Entering getSearchString
    Doing a proxy bind
    Failed to bind as cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local
    Failed to bind
    User DN is blank
    Entering strict.
    Returning true in strict().
    Entering modifyUITemplate
I am not clear why the administrator bind failed. My environment is an AD server (Windows) and a wiki server (Linux). I checked the log file /var/log/httpd/ssl_error_log on the wiki server and found these messages:

    [Sat Jun 13 13:44:41 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Sat Jun 13 13:44:41 2015] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

Could the certificate on the AD server cause the binding error?
2007/10/18, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil:
$wgLDAPUseSSL = array( "exchangetest"=>"ssl");
This should be:
$wgLDAPEncryptionType = array("exchangetest"=>"ssl");
As of right now you are actually using start_tls, and not ldaps (as the plugin defaults to start_tls for user protection purposes). If you have an SSL cert installed on your AD server, it should have the same effect, but they use different ports, and the encryption is slightly different; notice that not all AD servers are set up to use start_tls. By default AD doesn't use ldaps or start_tls, you are required to install a certificate.
If you have a certificate installed, you may have a certificate trust issue. If you use:
$wgLDAPEncryptionType = array("exchangetest"=>"clear");
and it works, you know this is an SSL issue. I strongly recommend against leaving this as "clear" though.
$wgLDAPUseLocal = false;
$wgLDAPDisableAutoCreate = array("exchangetest"=>"false");
These two default to false (pretty much everything defaults to false).
Set:
$wgLDAPDebug = 3;
That will give you debugging info. If you can't figure out the problem, post your debug info with sensitive stuff snipped out.
V/r,
Ryan Lane
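A diagnostic script added here (not from the thread or the LdapAuthentication plugin) that performs the same proxy bind the plugin does, once over ldaps on 636 and once with start_tls on 389, so a certificate-trust failure can be told apart from a wrong DN or password without downgrading to "clear". Server, DN and password are the ones posted above; the CA file path and the LDAP_BIND_PW environment variable are assumed placeholders.

```php
<?php
// Added diagnostic, not part of the thread. Runs on the wiki server with
// php-ldap installed. The plugin reports a TLS/cert failure only as
// "Failed to bind", so this separates transport errors from credential errors.
$server = 'exchangetest.exchangetest.umtest.local';                         // from thread
$bindDn = 'cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local';   // from thread
$bindPw = getenv('LDAP_BIND_PW') ?: 'Password';      // thread value; use the env var in practice
$caFile = '/etc/openldap/certs/ad-root-ca.pem';      // assumed path of the AD root CA (PEM)

// The OpenLDAP client library behind php-ldap honours LDAPTLS_CACERT. Without a
// trusted CA (or with a cert whose CN/SAN does not match $server) the handshake
// fails before any bind is attempted.
putenv("LDAPTLS_CACERT=$caFile");

function tryBind(string $uri, bool $startTls, string $dn, string $pw): string
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return "$uri: invalid URI";
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD sends referrals that break simple binds

    // start_tls upgrades a plain 389 connection; ldaps:// is already encrypted.
    if ($startTls && !@ldap_start_tls($conn)) {
        return "$uri: start_tls failed: " . ldap_error($conn) . " (check CA trust and cert CN)";
    }
    if (@ldap_bind($conn, $dn, $pw)) {
        return "$uri: proxy bind OK";
    }
    $msg = ldap_error($conn);
    // errno -1 is LDAP_SERVER_DOWN ("Can't contact LDAP server"): the TLS
    // handshake or TCP connection failed, not the credentials.
    if (ldap_errno($conn) === -1) {
        return "$uri: cannot reach server or TLS handshake failed ($msg); check CA trust and cert CN";
    }
    return "$uri: bind rejected ($msg); check the proxy agent DN and password";
}

echo tryBind("ldaps://$server:636", false, $bindDn, $bindPw), PHP_EOL;
echo tryBind("ldap://$server:389", true, $bindDn, $bindPw), PHP_EOL;
```

If the ldaps attempt reports a handshake failure while a bind with a correct CA file succeeds, the AD certificate (here a CA certificate with CN localhost.localdomain, per the ssl_error_log) is the cause rather than the DN or password.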
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l