Thanks for the rapid answer. After adding TLS_REQCERT never it works! Thanks.
Just for the record. I am using the last stable version (1.2a, I think). The options for debug file are just beneath the <?php in LocalSettings.php file. Defined domain ($wgLDAPDomainNames value) appears at the login page in the drop-down menu. I don't know how to check if the LDAP plugin shows up as an extension.
LDAP logs gave the following output each time I try to login to
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 ACCEPT from IP=myip:56555 (IP=0.0.0.0:636)
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 closed (TLS negotiation failure)
ldap.conf has tls_checkpeer set to no, otherwise the error above is repeated for ssh or other client software. I think the key and certificate are correctly set up, but I am probably wrong.
Thanks again,
Marc
________________________________________
From: mediawiki-l-bounces@lists.wikimedia.org [mediawiki-l-bounces@lists.wikimedia.org] on behalf of Lane, Ryan [Ryan.Lane@ocean.navo.navy.mil]
Sent: Wednesday, 12 August 2009 19:27
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] MediaWiki/LDAP Authentication/encryption problem
I guess you are referring to the debug file. I have tried this, but still no exit
-rw-rw-r-- 1 apache apache 0 2009-08-12 17:43 debug.log
[snip]
I have enabled LocalSettings.php in order to get debug info with:
$wgLDAPDebug=3;
$wgDebugLogGroups["ldap"]="/tmp/debug.log";
but the debug.log file is not created
There could be a number of issues with the log not being created. I can't really tell why without more info...
Which version of the plugin are you using? Are you adding these options to the bottom of LocalSettings.php? When you go to the Log in page, does it have a domain list drop down box? Does the LDAP plugin show up as an extension in Special:Version?
The configuration in LocalSettings.php is:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domain" );
$wgLDAPServerNames = array( "domain" => "127.0.0.1" );
#$wgLDAPPasswordHash = array ( "domain" => "ssl" );
$wgLDAPSearchStrings = array( "domain" => "uid=USER-NAME,ou=People,dc=genomica,dc=imppc,dc=org" );
$wgLDAPSearchAttributes = array( "domain" => "uid" );
$wgLDAPBaseDNs = array( "domain" => "dc=domain,dc=foo,dc=org" );
$wgLDAPEncryptionType = array( "domain" => "ssl" );
Have you checked your directory server access logs to see if MediaWiki is trying to connect? When you check your logs, is the system connecting, then immediately disconnecting?
Notice you are using SSL, but you are using an IP address for the host name of the server. This won't work by default. PHP uses the openldap client libraries, and openldap's configuration files for settings. By default openldap requires a full SSL trust. This means the hostname provided needs to match the CN field of the certificate on the LDAP server, and the DNS entry for the LDAP server. Also, openldap needs to trust the root certificate authority of your server's certificate. You can get around these requirements by setting "TLS_REQCERT never" in /etc/openldap/ldap.conf (you need to restart your web server after doing this).
I have a blog entry that goes into a bit of depth on this topic, which I feel is out of the scope of the documentation on mediawiki.org:
http://ryandlane.com/wprdl/2009/06/16/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-2/
That article is kind of an in depth how-to for enabling this for your kind of environment.
BTW, you don't need to set $wgLDAPSearchAttributes or $wgLDAPBaseDNs since you are using straight binds (using $wgLDAPSearchStrings).
V/r,
Ryan Lane
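As an added example, not part of this thread and not the extension's own documentation: the default openldap requirements Ryan describes (the configured hostname matches the certificate CN and the DNS entry, and the client trusts the CA that signed the server certificate) written out as a LocalSettings.php fragment together with the two /etc/openldap/ldap.conf lines that keep certificate checking enabled, rather than switching it off with TLS_REQCERT never as in the working-but-unverified setup above. The hostname ldap.example.org and the CA file path are placeholders I chose; the extension settings and the user DN are the ones already used in the thread.

```php
<?php
// Added example (not from the mailing-list thread). Assumptions: the LDAP
// server's certificate CN is ldap.example.org, DNS resolves that name to the
// server, and the signing CA is stored at /etc/openldap/cacerts/ca.pem
// (placeholder path).
//
// PHP's ldap_* functions use the openldap client libraries, which read
// /etc/openldap/ldap.conf. The matching lines there are:
//
//     TLS_CACERT  /etc/openldap/cacerts/ca.pem
//     TLS_REQCERT demand
//
// "demand" is openldap's default: the server must present a certificate that
// chains to TLS_CACERT and whose name matches the host, or the connection is
// dropped (the "TLS negotiation failure" seen in slapd's log). "never" skips
// that check entirely. Restart the web server after editing ldap.conf.

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames = array( "domain" );

// Connect by the name on the certificate, not by 127.0.0.1: with TLS_REQCERT
// demand an IP literal cannot match the CN and the handshake fails.
$wgLDAPServerNames = array( "domain" => "ldap.example.org" );

// Straight bind: the user's DN is built from the login name, so
// $wgLDAPSearchAttributes and $wgLDAPBaseDNs are not needed here.
$wgLDAPSearchStrings = array( "domain" => "uid=USER-NAME,ou=People,dc=genomica,dc=imppc,dc=org" );

// ldaps:// on port 636, as used in the thread.
$wgLDAPEncryptionType = array( "domain" => "ssl" );

// Keep the extension's debug log while verifying the TLS setup; the
// "ldap" log group writes to this path once $wgLDAPDebug is set.
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";
```

With this pair of files a failed login shows up in slapd's log as a completed TLS handshake followed by a BIND, while a certificate or hostname mismatch still shows as "closed (TLS negotiation failure)", which makes the two failure modes easy to tell apart from the server side.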