Hi all,
I've been trying to configure the LDAP Extension and during my testing, I am getting an error within Mediawiki that says:
"Login error: Incorrect password entered. Please try again."
The problem I am having is that there is no such error in the LDAP extension code and no error logs being produced, so I have no clue what part of my configuration is wrong. Am I not finding the ldap server, am I not connecting, am I not binding, am I failing in a search for the user?
Anyone know how I can find out what the real error is?
Thanks, Tim McGeary
That error comes from MediaWiki, not the plugin.
Set:
$wgLDAPDebug = 3;
V/r,
Ryan Lane
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Tim McGeary
Sent: Monday, July 09, 2007 1:20 PM
To: mediawiki-l@lists.wikimedia.org
Subject: [Mediawiki-l] difficulty configuring LDAP extension
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Thank you, Ryan. That will be helpful. I'm sure I'll be responding again with another question. I can do an LDAP search with authentication from the command line of Linux with ldapsearch, but it is failing here. We'll see what errors I get...
Tim
Tim McGeary '99, '06G Senior Systems Specialist Lehigh University 610-758-4998 tim.mcgeary@lehigh.edu
Ok, I'm trying to authenticate to an AD server. We can use it as an LDAP server and not straight AD. So I'm doing the following configuration:
## This is the LDAP method
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "LehighLDAP" );
$wgLDAPServerNames = array( "LehighLDAP"=>"ad.lehigh.edu" );
$wgLDAPSearchStrings = array( "LehighLDAP"=>"cn=USER-NAME,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu" );
$wgLDAPUseSSL = false;
$wgLDAPEncryptionType = array( "LehighLDAP"=>"" );
$wgMinimalPasswordLength = 1;
I'm trying to create a Mediawiki account, because my username isn't in the DB, yet. So when I fill out the username, password, pw-confirm, and real name, the result of the log output is the following:
Entering validDomain
User is using a valid domain.
Setting domain as: LehighLDAP
Entering validDomain
User is using a valid domain.
Entering userExists
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad.lehigh.edu
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Binding as the user
Failed to bind as cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Entering modifyUITemplate
I'm definitely using the correct password, and I've confirmed with the AD admin that cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu is the correct information. What am I missing?
Thanks, Tim
I've tried two other configurations. Here are the three total configurations I've tried and the three subsequent results. Let me know what you think might be wrong:
Configuration:
## This is the LDAP method
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "LehighLDAP" );
$wgLDAPServerNames = array( "LehighLDAP"=>"ad.lehigh.edu" );
$wgLDAPSearchStrings = array( "LehighLDAP"=>"cn=USER-NAME,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu" );
$wgLDAPUseSSL = false;
$wgLDAPEncryptionType = array( "LehighLDAP"=>"" );
$wgMinimalPasswordLength = 1;
Result:
Entering validDomain
User is using a valid domain.
Setting domain as: LehighLDAP
Entering validDomain
User is using a valid domain.
Entering userExists
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad.lehigh.edu
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Binding as the user
Failed to bind as cn=tmm8,ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Entering modifyUITemplate
-------------------------------------------------------------------------
Configuration:
## This is the AD method
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "LehighUniversityAD" );
$wgLDAPServerNames = array( "LehighUniversityAD"=>"ad.lehigh.edu" );
$wgLDAPSearchStrings = array( "LehighUniversityAD"=>"ad.lehigh.edu\USER-NAME" );
$wgLDAPUseSSL = false;
$wgLDAPEncryptionType = array( "LehighUniversityAD"=>"" );
$wgLDAPUseLocal = false;
$wgMinimalPasswordLength = 1;
Result:
Entering validDomain
User is using a valid domain.
Setting domain as: LehighUniversityAD
Entering validDomain
User is using a valid domain.
Entering userExists
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad.lehigh.edu
Connected successfully
Entering getSearchString
Doing a straight bind
userdn is: ad.lehigh.edu\tmm8
Binding as the user
Failed to bind as ad.lehigh.edu\tmm8
Entering modifyUITemplate
-------------------------------------------------------------------------
Configuration:
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "LehighLDAP2" );
$wgLDAPServerNames = array( "LehighLDAP2"=>"ad.lehigh.edu" );
$wgLDAPSearchAttributes = array( "LehighLDAP2"=>"cn" );
$wgLDAPBaseDNs = array( "LehighLDAP2"=>"ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu" );
$wgLDAPUseSSL = false;
$wgLDAPEncryptionType = array( "LehighLDAP2"=>"" );
$wgMinimalPasswordLength = 1;
Result:
Entering validDomain
User is using a valid domain.
Setting domain as: LehighLDAP2
Entering validDomain
User is using a valid domain.
Entering userExists
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad.lehigh.edu
Connected successfully
Entering getSearchString
Doing an anonymous bind
Entering getUserDN
Created a regular filter: (cn=tmm8)
Using base: ou=f-s,ou=ir,dc=ad,dc=lehigh,dc=edu
Couldn't find an entry
userdn is: User DN is blank
Entering modifyUITemplate
$wgLDAPUseSSL = false;
$wgLDAPEncryptionType = array( "LehighLDAP"=>"" );
These are not correct. I have no idea where everyone keeps getting "$wgLDAPUseSSL = false;" from, that hasn't been a config option in over a year :). If you don't want to use encryption, use:
$wgLDAPEncryptionType = array( "LehighLDAP"=>"clear" );
See: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication#Domain.2C_server_and_connection_configuration_options for more information on encryption.
However, notice that AD, by default, is configured to require encryption when binding to the server. Unless your admin specifically turned that off, you may need to use encryption (either TLS, or SSL). You'll need to ensure the AD server has an SSL certificate installed that is signed by a CA your server trusts.
Also, are you using an older version of the plugin? I coulda swore the plugin fails when TLS doesn't start properly. I can't find it in the changelog, so I can't tell you the exact version I fixed that in...
V/r,
Ryan Lane
Ryan,
Thanks again for your response. The $wgLDAPUseSSL = false line is in the wiki within the User Provided Examples. http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Configuration_Ex...
I'm using 1.1d, though I thought I downloaded 1.1e.
Because we aren't sure whether we can have the wiki be able to trust the certificate, we are trying this unsecured. The security isn't crucial since we'll secure the login page and both AD and the wiki server will be on the same very protected subnet. But ideally, we'd like to secure everything.
So I finally got it to work insecurely! I had the two ou= sections reversed accidentally. Here is the final configuration that I got to work:
## This is the LDAP method
require_once( 'LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "LehighLDAP" );
$wgLDAPServerNames = array( "LehighLDAP"=>"ad.lehigh.edu" );
$wgLDAPSearchStrings = array( "LehighLDAP"=>"cn=USER-NAME,ou=ir,ou=f-s,dc=ad,dc=lehigh,dc=edu" );
$wgLDAPEncryptionType = array( "LehighLDAP"=>"clear" );
$wgMinimalPasswordLength = 1;
As a test, I changed the $wgLDAPEncryptionType to ssl and it bombed. What can I do to get the wiki software to trust the certificate of the AD server?
Tim
So I finally got it to work insecurely! I had the two ou= sections reversed accidentally. Here is the final configuration that I got to work:
Glad to hear it!
As a test, I changed the $wgLDAPEncryptionType to ssl and it bombed. What can I do to get the wiki software to trust the certificate of the AD server?
You need to make PHP/OpenLDAP trust the cert, not the wiki software. Discussion of ways to do this is at:
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication#Trusting_self-signed_SSL_certificates
If that doesn't help you, check out PHP's LDAP documentation:
http://us2.php.net/manual/en/ref.ldap.php
http://us2.php.net/manual/en/function.ldap-connect.php#36156
Sorry about the lack of documentation, I rarely have to do this.
V/r,
Ryan Lane
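An added diagnostic script, not code from the LDAP Authentication extension or from either poster, covering both of Ryan's points above (AD expecting an encrypted bind, and trusting the AD certificate in PHP/OpenLDAP rather than in the wiki): it walks the same connect, StartTLS and straight-bind steps the extension performs with the thread's server and DN template, and reports the LDAP error of the stage that fails, which is what the "Incorrect password" message hides. It assumes PHP 7.1 or newer with the ldap extension; the $caFile path and the LDAP_TEST_PASSWORD environment variable are placeholders.

```php
<?php
// Configuration under test, taken from the thread. The DN template uses the
// extension's USER-NAME placeholder; the order that finally worked is ou=ir,ou=f-s.
$server      = 'ad.lehigh.edu';
$dnTemplate  = 'cn=USER-NAME,ou=ir,ou=f-s,dc=ad,dc=lehigh,dc=edu';
$useStartTls = true;                               // AD refuses plaintext simple binds by default
$caFile      = '/etc/openldap/cacerts/ad-ca.pem';  // assumed path to the CA that signed AD's cert

function diagnoseBind(string $server, string $dnTemplate, string $user,
                      string $password, bool $useStartTls, string $caFile): string
{
    // Trust the AD CA in OpenLDAP, which PHP's ldap extension uses underneath.
    // Same effect as "TLS_CACERT <path>" in ldap.conf; must be set before ldap_connect().
    // This keeps certificate checking on, unlike "TLS_REQCERT never", which turns it off.
    if ($useStartTls && is_readable($caFile)) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    }

    // ldap_connect() only validates the URI; nothing is sent to the server yet, so the
    // extension's "Connected successfully" log line does not prove the host was reached.
    // The first real round trip is StartTLS (or the bind when running in the clear).
    $ds = ldap_connect("ldap://$server");
    if ($ds === false) {
        return 'connect: malformed server URI';
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD hands out referrals; do not chase them

    if ($useStartTls && !@ldap_start_tls($ds)) {
        // Typical causes: CA not trusted, hostname does not match the cert, port 389 filtered
        return sprintf('starttls: %s (%d)', ldap_error($ds), ldap_errno($ds));
    }

    // Escape the login name for DN use so it cannot add or alter RDN components.
    $dn = str_replace('USER-NAME', ldap_escape($user, '', LDAP_ESCAPE_DN), $dnTemplate);
    if (!@ldap_bind($ds, $dn, $password)) {
        // errno 49 (invalid credentials) covers both a wrong password and a DN that does
        // not exist, e.g. the two ou= components in the wrong order as in the thread.
        // AD's diagnostic message tells them apart: "data 52e" = bad password,
        // "data 525" = no such user.
        $diag = '';
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return sprintf('bind as %s: %s (%d) %s', $dn, ldap_error($ds), ldap_errno($ds), $diag);
    }
    ldap_unbind($ds);
    return "bind as $dn: ok";
}

// Run on the wiki server with a test account; the password comes from the environment
// so it never ends up in LocalSettings.php or in shell history.
echo diagnoseBind($server, $dnTemplate, 'tmm8', getenv('LDAP_TEST_PASSWORD') ?: '',
                  $useStartTls, $caFile), PHP_EOL;
```

Once the StartTLS step succeeds here, $wgLDAPEncryptionType can be switched from "clear" to "tls" in the extension with the same CA file in place.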