MediaWiki 1.13.0, LdapAuthentication 1.1g
I used http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/AD_Configuration... to set up a simple bind. But I cannot authenticate... the AD server never sees any attempt to authenticate (or at least doesn't log anything in the Event Viewer). With $wgLDAPDebug = 3; I get:
Entering validDomain
User is using a valid domain. Setting domain as: domain
Entering getCanonicalName
Username isn't empty.
Munged username: Joliver
Entering userExists
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://10.0.0.4
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: DOMAIN\Joliver
Binding as the user
Failed to bind as DOMAIN\Joliver
Entering modifyUITemplate
> Using servers: ldaps://10.0.0.4
Does your AD server have an SSL certificate installed? If so, does your web server trust the AD server's certificate authority? If it is the former, you'll need to use clear instead of ssl (not recommended), or you'll have to install an SSL certificate. If it is the latter, you'll need to configure OpenLDAP client and OpenSSL on your web server to trust the Certificate Authority.
Where you place certificates for CA trusts varies from distro to distro, but in RHEL 4 it is /usr/share/ssl/certs. In RHEL 5 it is /etc/pki/tls/certs. You'll need to edit /etc/openldap/ldap.conf and put something like the following in (if you have RHEL4):
TLS_CACERTDIR /usr/share/ssl/certs
TLS_CACERT /usr/share/ssl/certs/specificCACert.pem
You can also try the following if you are having problems (this can allow MITM attacks):
TLS_REQCERT never
If you want to check to see if your AD server is using SSL, you can do the following:
openssl s_client -connect 10.0.0.4:636
It should connect and return a bunch of information, including the public SSL certificate of the AD server in PEM (ascii) format.
If you need further help after checking the above, please also post your configuration with sensitive stuff snipped out.
V/r,
Ryan Lane
mediawiki-l@lists.wikimedia.org
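The trust check and the ldap.conf fragment described in the reply above, as an added shell example that is not part of the original thread and is not code from the MediaWiki LDAP extension. The host 10.0.0.4 and the TLS_CACERT/TLS_CACERTDIR settings come from the thread; the CA file name ad-root-ca.pem, the parse_verify_code/check_ldaps_trust/render_ldap_conf/test_bind function names and the embedded sample of openssl output are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original thread: check whether the web server
# actually trusts the AD server's LDAPS certificate before blaming the
# MediaWiki LDAP extension. 10.0.0.4 comes from the thread; ad-root-ca.pem
# and the sample s_client output below are assumptions.

LDAP_HOST="${LDAP_HOST:-10.0.0.4}"
LDAP_PORT="${LDAP_PORT:-636}"
CA_FILE="${CA_FILE:-/etc/openldap/cacerts/ad-root-ca.pem}"

# Pull the "Verify return code: N (...)" line out of openssl s_client output
# on stdin and print just N. 0 means the chain verified against the CA store;
# 19 is "self signed certificate in certificate chain", 20/21 mean the issuer
# could not be found, i.e. the web server does not trust the AD CA.
parse_verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Run the check the reply suggests, but pass the CA file explicitly so the
# result reflects what ldap.conf will use. Fails closed (status 2) if no
# verify line was printed at all, e.g. port 636 is not listening.
check_ldaps_trust() {
    host="$1"; port="$2"; cafile="$3"
    code=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" \
            -servername "$host" </dev/null 2>/dev/null | parse_verify_code)
    [ -n "$code" ] || return 2
    [ "$code" = "0" ]
}

# Render the /etc/openldap/ldap.conf lines the reply describes. TLS_REQCERT is
# set to its default "demand" on purpose: "never" disables server
# authentication and permits a MITM, which is why the reply discourages it.
render_ldap_conf() {
    cadir=$(dirname "$1")
    printf 'TLS_CACERTDIR %s\nTLS_CACERT %s\nTLS_REQCERT demand\n' "$cadir" "$1"
}

# Once the chain verifies, try the same simple bind the extension does
# (-x = simple bind, -W prompts for the password) against the rootDSE.
test_bind() {
    ldapsearch -H "ldaps://$1" -x -D "$2" -W -b "" -s base defaultNamingContext
}

# Constructed sample of what s_client prints when the CA is not trusted.
SAMPLE_UNTRUSTED='depth=0 CN = dc01.domain.local
verify error:num=20:unable to get local issuer certificate
---
    Verify return code: 20 (unable to get local issuer certificate)'

# The live check only runs when invoked as: sh check-ldaps.sh live
if [ "${1:-}" = "live" ]; then
    if check_ldaps_trust "$LDAP_HOST" "$LDAP_PORT" "$CA_FILE"; then
        echo "chain verified; ldap.conf lines to use:"
        render_ldap_conf "$CA_FILE"
    else
        rc=$?
        echo "certificate chain NOT trusted (status $rc); fix the CA store first"
    fi
fi
```

Besides the chain, OpenLDAP also compares the name in the ldaps:// URI against the server certificate, so with `ldaps://10.0.0.4` the AD certificate must carry that IP address in a subjectAltName; if it only carries the DC's DNS name, use that name in $wgLDAPServerNames instead.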