Hi
I have an AD server; its domain name is exchangetest.umtest.local. I want to configure MediaWiki to use AD authentication. For example, when a user logs in to MediaWiki, if he is in AD, he will be created in MediaWiki and log on successfully; if he is not in AD, the logon will fail.
I have read about LDAP Authentication, but can't resolve the issue. My LocalSettings.php is like below:

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
require_once("extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "exchangetest" );
$wgLDAPServerNames = array( "exchangetest"=>"exchangetest.exchangetest.umtest.local" );
$wgLDAPProxyAgent = array("exchangetest"=>"cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local");
$wgLDAPProxyAgentPassword = array("exchangetest"=>"Password");
$wgLDAPSearchAttributes = array("exchangetest"=>"sAMAccountName");
$wgLDAPBaseDNs = array("exchangetest"=>"dc=exchangetest,dc=umtest,dc=local");
$wgLDAPUseSSL = array( "exchangetest"=>"ssl");
$wgLDAPUseLocal = false;
$wgLDAPDisableAutoCreate = array("exchangetest"=>"false");
$wgMinimalPasswordLength = 1;

I am a newbie on MediaWiki. Could you please give me some advice?
Best Regards
hrwang
$wgLDAPUseSSL = array( "exchangetest"=>"ssl");
This should be:
$wgLDAPEncryptionType = array("exchangetest"=>"ssl");
As of right now you are actually using start_tls, and not ldaps (as the plugin defaults to start_tls for user protection purposes). If you have an SSL cert installed on your AD server, it should have the same effect, but they use different ports, and the encryption is slightly different; note that not all AD servers are set up to use start_tls. By default AD doesn't use ldaps or start_tls; you are required to install a certificate.
If you have a certificate installed, you may have a certificate trust issue. If you use:
$wgLDAPEncryptionType = array("exchangetest"=>"clear");
and it works, you know this is an SSL issue. I strongly recommend against leaving this as "clear" though.
$wgLDAPUseLocal = false; $wgLDAPDisableAutoCreate = array("exchangetest"=>"false");
These two default to false (pretty much everything defaults to false).
Set:
$wgLDAPDebug = 3;
That will give you debugging info. If you can't figure out the problem, post your debug info with sensitive stuff snipped out.
V/r,
Ryan Lane
Hi, Ryan Lane
Thanks for your reply first. I changed my configuration following your directions, like below:

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['createaccount'] = false;
$wgGroupPermissions['*']['read'] = true;
$wgGroupPermissions['*']['edit'] = false;
require_once("extensions/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "exchangetest" );
$wgLDAPServerNames = array( "exchangetest"=>"exchangetest.exchangetest.umtest.local" );
$wgLDAPProxyAgent = array("exchangetest"=>"cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local");
$wgLDAPProxyAgentPassword = array("exchangetest"=>"Password");
$wgLDAPSearchAttributes = array("exchangetest"=>"sAMAccountName");
$wgLDAPBaseDNs = array("exchangetest"=>"dc=exchangetest,dc=umtest,dc=local");
$wgLDAPEncryptionType = array("exchangetest"=>"ssl");
$wgMinimalPasswordLength = 1;
$wgLDAPDebug = 3;

Then I log on to the wiki and can find the debug messages:

Entering validDomain
User is using a valid domain. Setting domain as: exchangetest
Entering getCanonicalName
Username isn't empty.
Munged username: Jma
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://137.134.68.117
Connected successfully
Entering getSearchString
Doing a proxy bind
Failed to bind as cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local
Failed to bind
User DN is blank
Entering strict.
Returning true in strict().
Entering modifyUITemplate

I am not clear why the administrator bind failed. My environment is an AD server (Windows) and a wiki server (Linux). I checked the log file /var/log/httpd/ssl_error_log on the wiki server and can find these messages:

[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?

Could the certificate on the AD server cause the binding error?
2007/10/18, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil:
Then I log on to the wiki and can find the debug messages:

Entering validDomain
User is using a valid domain. Setting domain as: exchangetest
Entering getCanonicalName
Username isn't empty.
Munged username: Jma
Entering authenticate
Entering Connect
Using SSL
Using servers: ldaps://137.134.68.117
You really should be using a fully qualified domain name that matches the CN of your AD server's certificate. SSL will fail if the names don't match.
Connected successfully
Entering getSearchString
Doing a proxy bind
Failed to bind as cn=administrator,cn=users,dc=exchangetest,dc=umtest,dc=local
Failed to bind
Either the password for the proxy user is wrong, or you have an SSL issue. I'd bet it is an SSL issue.
Also, you *really* shouldn't use an admin account as your proxy agent. Make a special account for it, and if possible (after you have everything working), try to limit the user's rights to binding and searching for users; meaning, the user shouldn't be able to log into a desktop/server system.
User DN is blank
Entering strict.
Returning true in strict().
Entering modifyUITemplate

I am not clear why the administrator bind failed. My environment is an AD server (Windows) and a wiki server (Linux). I checked the log file /var/log/httpd/ssl_error_log on the wiki server and can find these messages:

[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Jun 13 13:44:41 2015] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
These are warnings about the certificate on your web server, not on the AD server.
Could the certificate on the AD server cause the binding error?
Yes, and this is likely the case. On your Linux system, put the following into /etc/ldap.conf and /etc/openldap/ldap.conf (or remove /etc/openldap/ldap.conf and link that file to /etc/ldap.conf):

TLS_CACERT /etc/pki/tls/certs/ca.crt
TLS_CACERTDIR /etc/pki/tls/certs

where ca.crt is the CA certificate that signed your AD server's certificate, in PEM format. Note that you can use whatever directory is acceptable for your distro. Red Hat Enterprise Linux (RHEL) 5 uses the above location; RHEL 4 uses /usr/share/ssl/certs. You can also try:
TLS_REQCERT never
to tell your system to not check for validity of the certificate. This is, of course, more insecure as it can open you up to man in the middle attacks.
V/r,
Ryan Lane
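A probe for the failure modes Ryan walks through above (port 636 not answering, a CA the wiki server does not trust, a server name that does not match the certificate), added here as an example that is not part of the thread. It connects the way an LDAP client would with TLS_CACERT set and TLS_REQCERT left at its strict default; the hostname and CA path are the thread's values and are assumed defaults.

```python
import socket
import ssl

# Values from the thread: the AD host and the TLS_CACERT path Ryan suggests for
# ldap.conf. Both are assumed defaults; override them for your own environment.
AD_HOST = "exchangetest.exchangetest.umtest.local"
LDAPS_PORT = 636
CA_FILE = "/etc/pki/tls/certs/ca.crt"


def classify(exc: BaseException) -> str:
    """Map a failed connection or TLS handshake to the causes the thread discusses."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # OpenSSL reason text; absent on hand-built instances, so fall back to str()
        msg = getattr(exc, "verify_message", str(exc)).lower()
        if "hostname mismatch" in msg or "ip address mismatch" in msg:
            return "name-mismatch"   # server name differs from the certificate CN/SAN
        return "untrusted-ca"        # chain does not end at a CA listed in TLS_CACERT
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"       # port answers, but not with TLS (or protocol mismatch)
    if isinstance(exc, ConnectionRefusedError):
        return "port-closed"         # nothing on 636: no certificate installed, or a firewall
    if isinstance(exc, FileNotFoundError):
        return "ca-file-missing"     # TLS_CACERT path does not exist on the wiki server
    if isinstance(exc, OSError):
        return "unreachable"         # DNS failure, timeout, or packets silently dropped
    return "unknown"


def diagnose(host=AD_HOST, port=LDAPS_PORT, cafile=CA_FILE, timeout=5.0) -> dict:
    """Connect as an LDAP client with TLS_CACERT set and TLS_REQCERT demand would:
    full chain validation plus a hostname check against the certificate."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "ok", "protocol": tls.version(),
                        "subject": cert.get("subject"), "issuer": cert.get("issuer")}
    except Exception as exc:  # every failure becomes a verdict for the admin
        return {"status": classify(exc), "detail": str(exc)}


def fetch_server_cert_pem(host=AD_HOST, port=LDAPS_PORT, timeout=5.0) -> str:
    """Fetch the certificate the AD server presents without validating it (what
    TLS_REQCERT never does). For a self-signed Exchange certificate, this PEM is
    the CA to put in TLS_CACERT, once its fingerprint is confirmed out of band."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Run `diagnose()` from the wiki server; a "port-closed" verdict matches Ryan's later point that no certificate is installed or a firewall is in the way, while "untrusted-ca" or "name-mismatch" means the server is fine and ldap.conf or the server name needs fixing.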
Thanks, Ryan. I have an issue; could you give me some suggestions please? My certificate on the AD server was generated when I installed Exchange 2007. The certificate is signed by exchange, signed to exchange.

Entering Connect
Using SSL
Using servers: ldaps://exchangetest.exchangetest.umtest.local
Connected successfully
Entering getSearchString

From this debug information, I guess SSL is set up on AD. But when I use ldp.exe to connect to AD by SSL port 636, it can't open the connection.
My AD's FQDN is exchangetest.exchangetest.umtest.local; when I write ldaps://exchangetest.exchangetest.umtest.local in the browser, I can't access it. Changing the URL to ldap://exchangetest.exchangetest.umtest.local, I can access it.
I think SSL is not set up on my AD, right? Maybe I should create another certificate, signed to exchangetest.exchangetest.umtest.local?
I apologize for my foolish question. I have changed my LocalSettings.php many times for testing, but it always failed.
Best Regards
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
Thanks, Ryan. I have an issue; could you give me some suggestions please? My certificate on the AD server was generated when I installed Exchange 2007. The certificate is signed by exchange, signed to exchange.
Self signed certificates can be problematic, but using:
TLS_REQCERT never
in your ldap.conf *should* solve that issue.
Entering Connect
Using SSL
Using servers: ldaps://exchangetest.exchangetest.umtest.local
Connected successfully
Entering getSearchString

From this debug information, I guess SSL is set up on AD. But when I use ldp.exe to connect to AD by SSL port 636, it can't open the connection.
My AD's FQDN is exchangetest.exchangetest.umtest.local; when I write ldaps://exchangetest.exchangetest.umtest.local in the browser, I can't access it. Changing the URL to ldap://exchangetest.exchangetest.umtest.local, I can access it.
I think SSL is not set up on my AD, right? Maybe I should create another certificate, signed to exchangetest.exchangetest.umtest.local?
If you can't connect to port 636, you don't have a certificate installed, or you have a firewall blocking the port.
I apologize for my foolish question. I have changed my LocalSettings.php many times for testing, but it always failed.
No problem. Changing LocalSettings.php at this point in time won't help you, as the problem lies outside of MediaWiki.
V/r,
Ryan Lane