Hi all, I have just installed MediaWiki at my site and I would like to use LDAP authentication in order to centralize user management. We have an LDAPS server up and running and I am trying to use the LDAP Authentication extension (http://www.mediawiki.org/wiki/Extension:LDAP_Authentication). The system is a Fedora Core 10 on x86_64. I have followed the instructions on the web, at least I think so, and can't log in with a valid LDAP user. I have configured LocalSettings.php to get debug info with:
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";
but the debug.log file is not created. The configuration in LocalSettings.php is:
--------------------------------------------------------
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domain" );
$wgLDAPServerNames = array( "domain" => "127.0.0.1" );
#$wgLDAPPasswordHash = array ( "domain" => "ssl" );
$wgLDAPSearchStrings = array( "domain" => "uid=USER-NAME,ou=People,dc=genomica,dc=imppc,dc=org" );
$wgLDAPSearchAttributes = array( "domain" => "uid" );
$wgLDAPBaseDNs = array( "domain" => "dc=domain,dc=foo,dc=org" );
$wgLDAPEncryptionType = array( "domain" => "ssl" );
------------------------------------------------------
I am quite lost at the moment and don't know what I have to do next.
Any advice?
Thanks in advance Marc
------------------------------------------------------
Marc Noguera i Julian, PhD
Genomics unit / Bioinformatics
Institut de Medicina Preventiva i Personalitzada del Càncer (IMPPC)
B-10 Office
email: mnoguera_at_imppc.org
web: http://klingon.uab.es/marc
Tlf/Phone: 00 34 935543076
-------------------------------------------------------
I've not done exactly this, but in other situations I find that you have to create the file and give it permissions so that it can be updated by httpd.
/Sam
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Marc Noguera
Sent: 12 August 2009 16:34
To: mediawiki-l@lists.wikimedia.org
Subject: [Mediawiki-l] MediaWiki/LDAP Authentication/encryption problem
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
This email was sent to you by Thomson Reuters, the global news and information company. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Thomson Reuters.
I guess you are referring to the debug file. I have tried this, but still no success:
-rw-rw-r-- 1 apache apache 0 2009-08-12 17:43 debug.log
thanks Marc
________________________________________
From: mediawiki-l-bounces@lists.wikimedia.org [mediawiki-l-bounces@lists.wikimedia.org] on behalf of Sam.Sexton@thomsonreuters.com [Sam.Sexton@thomsonreuters.com]
Sent: Wednesday, 12 August 2009 17:38
To: mediawiki-l@lists.wikimedia.org
Subject: Re: [Mediawiki-l] MediaWiki/LDAP Authentication/encryption problem
I guess you are referring to the debug file. I have tried this, but still no exit
-rw-rw-r-- 1 apache apache 0 2009-08-12 17:43 debug.log
[snip]
I have configured LocalSettings.php to get debug info with:
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";
but the debug.log file is not created
There could be a number of issues with the log not being created. I can't really tell why without more info...
Which version of the plugin are you using? Are you adding these options to the bottom of LocalSettings.php? When you go to the Log in page, does it have a domain list drop down box? Does the LDAP plugin show up as an extension in Special:Version?
The configuration in LocalSettings.php is:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "domain" );
$wgLDAPServerNames = array( "domain" => "127.0.0.1" );
#$wgLDAPPasswordHash = array ( "domain" => "ssl" );
$wgLDAPSearchStrings = array( "domain" => "uid=USER-NAME,ou=People,dc=genomica,dc=imppc,dc=org" );
$wgLDAPSearchAttributes = array( "domain" => "uid" );
$wgLDAPBaseDNs = array( "domain" => "dc=domain,dc=foo,dc=org" );
$wgLDAPEncryptionType = array( "domain" => "ssl" );
Have you checked your directory server access logs to see if MediaWiki is trying to connect? When you check your logs, is the system connecting, then immediately disconnecting?
Notice you are using SSL, but you are using an IP address for the host name of the server. This won't work by default. PHP uses the openldap client libraries, and openldap's configuration files for settings. By default openldap requires a full SSL trust. This means the hostname provided needs to match the CN field of the certificate on the LDAP server, and the DNS entry for the LDAP server. Also, openldap needs to trust the root certificate authority of your server's certificate. You can get around these requirements by setting "TLS_REQCERT never" in /etc/openldap/ldap.conf (you need to restart your web server after doing this).
I have a blog entry that goes into a bit of depth on this topic, which I feel is out of the scope of the documentation on mediawiki.org:
http://ryandlane.com/wprdl/2009/06/16/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-2/
That article is kind of an in-depth how-to for enabling this for your kind of environment.
BTW, you don't need to set $wgLDAPSearchAttributes or $wgLDAPBaseDNs since you are using straight binds (using $wgLDAPSearchStrings).
V/r,
Ryan Lane
Ryan,
If you're using wfDebugLog (and not just wfDebug) as per http://www.mediawiki.org/wiki/How_to_debug#Logging, then I suggest you try changing the log file location to somewhere below htdocs as in the example on that page - my experience in this area is limited, but I'm not sure whether an arbitrary location is OK.
/Sam
-----Original Message-----
From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Lane, Ryan
Sent: 12 August 2009 18:27
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] MediaWiki/LDAP Authentication/encryption problem
The log location is definable by the end-user. I've used /tmp before, and it worked perfectly fine. It really depends on the web server configuration though.
V/r,
Ryan Lane
Thanks for the rapid answer. After adding TLS_REQCERT never it works! Thanks.
Just for the record: I am using the latest stable version (1.2a, I think). The options for the debug file are just beneath the <?php in the LocalSettings.php file. The defined domain ($wgLDAPDomainNames value) appears at the login page in the drop-down menu. I don't know how to check if the LDAP plugin shows up as an extension.
LDAP logs gave the following output each time I try to log in:
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 ACCEPT from IP=myip:56555 (IP=0.0.0.0:636)
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 closed (TLS negotiation failure)
ldap.conf has tls_checkpeer set to no; otherwise the error above is repeated for ssh or other client software. I think the key and certificate are correctly set up, but I am probably wrong.
Thanks again Marc
Thanks for the rapid answer. After adding TLS_REQCERT never it works! Thanks.
Just for the record: I am using the latest stable version (1.2a, I think). The options for the debug file are just beneath the <?php in the LocalSettings.php file. The defined domain ($wgLDAPDomainNames value) appears at the login page in the drop-down menu. I don't know how to check if the LDAP plugin shows up as an extension.
As mentioned, you need to put all configuration options at the bottom of LocalSettings.php, for every extension, always.
You can see if the LDAP plugin is enabled by going to Special:Version, and see if it is listed as an enabled extension.
LDAP logs gave the following output each time I try to log in:
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 ACCEPT from IP=myip:56555 (IP=0.0.0.0:636)
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 closed (TLS negotiation failure)
ldap.conf has tls_checkpeer set to no; otherwise the error above is repeated for ssh or other client software. I think the key and certificate are correctly set up, but I am probably wrong.
It is nice that it at least tells you it was a TLS negotiation failure. Lots of directory servers won't even tell you that. Whenever you see a connection, and an immediate disconnection, it is almost guaranteed to be an SSL/TLS trust issue.
LDAP has two configuration files on a system. One is for pam_ldap, the other is for openldap clients. PHP should use /etc/openldap/ldap.conf. I usually just delete /etc/openldap/ldap.conf and link it to /etc/ldap.conf, and put all my configuration in there though.
Did you read my blog post? You should try using openssl s_client to check your SSL configuration for LDAP:
openssl s_client -connect localhost:636
Check the CN field of the certificate:
Certificate chain
 0 s:/C=US/O=Test/OU=My department/OU=My branch/OU=My team/CN=example.com
   i:/C=US/O=Test/OU=My department/OU=My branch/OU=My team/CN=example.com
This is what you need to put in for $wgLDAPServerNames (in this case example.com).
Now you can take the certificate from the output of s_client, and use it to trust your LDAP server. Take everything between and including:
-----BEGIN CERTIFICATE-----
And
-----END CERTIFICATE-----
Put this into a file like (644 root:root) /etc/pki/tls/certs/example.crt. You can check the certificate's contents with:
openssl x509 -noout -text -in /etc/pki/tls/certs/example.crt
Now edit /etc/openldap/ldap.conf, and add:
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/example.crt
It is possible that PHP is reading /etc/ldap.conf (although I doubt it). So you can put the same things in there as well.
Notice that my example uses a self-signed certificate. If line 0 of the certificate chain of the s_client command has something different for s: and i:, your certificate isn't self-signed, and you'll need to also get the issuer's certificate, and its root certificate, and place those in /etc/pki/tls/certs as well.
V/r,
Ryan Lane
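An added example (Python; not code from the thread, from the LDAP Authentication extension or from OpenLDAP) of the connect-then-immediately-disconnect triage Ryan describes above: it groups slapd lines by conn id, pairs each ACCEPT with its closed line, and flags sessions that ended before TLS was established, including the silent variant where the server logs no reason at all. The log lines are constructed for the example; their format follows the slapd lines Marc quoted, with the client address and bind DN made up.

```python
"""Triage slapd connection logs for the accept-then-immediate-close pattern."""
import re
from collections import OrderedDict

# Constructed sample log (same line format as the slapd lines quoted in the
# thread): conn=12 fails TLS negotiation, conn=13 is a healthy TLS bind, and
# conn=14 is the "silent" variant where the server logs no close reason.
SAMPLE_LOG = """\
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 ACCEPT from IP=192.0.2.10:56555 (IP=0.0.0.0:636)
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 closed (TLS negotiation failure)
Aug 13 13:02:01 localhost slapd[16162]: conn=13 fd=21 ACCEPT from IP=192.0.2.10:56590 (IP=0.0.0.0:636)
Aug 13 13:02:01 localhost slapd[16162]: conn=13 fd=21 TLS established tls_ssf=256 ssf=256
Aug 13 13:02:01 localhost slapd[16162]: conn=13 op=0 BIND dn="uid=alice,ou=People,dc=example,dc=org" method=128
Aug 13 13:02:01 localhost slapd[16162]: conn=13 op=0 RESULT tag=97 err=0 text=
Aug 13 13:02:05 localhost slapd[16162]: conn=13 fd=21 closed
Aug 13 13:03:10 localhost slapd[16162]: conn=14 fd=22 ACCEPT from IP=192.0.2.10:56601 (IP=0.0.0.0:636)
Aug 13 13:03:10 localhost slapd[16162]: conn=14 fd=22 closed
"""

# "Mon DD HH:MM:SS host slapd[pid]: conn=N <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$"
)
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<client>\S+) \(IP=(?P<listener>\S+)\)")
CLOSED_RE = re.compile(r"\bclosed(?: \((?P<reason>[^)]*)\))?$")


def parse_sessions(log_text):
    """Group slapd lines by conn id and record how far each session got."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a slapd connection line
        conn, rest = int(m.group("conn")), m.group("rest")
        s = sessions.setdefault(conn, {
            "conn": conn, "client": None, "listener": None,
            "tls_established": False, "bound": False,
            "closed": False, "close_reason": None,
            "first_seen": m.group("ts"), "last_seen": m.group("ts"),
        })
        s["last_seen"] = m.group("ts")
        a = ACCEPT_RE.search(rest)
        if a:
            s["client"], s["listener"] = a.group("client"), a.group("listener")
        elif "TLS established" in rest:
            s["tls_established"] = True
        elif " BIND " in rest:
            s["bound"] = True
        else:
            c = CLOSED_RE.search(rest)
            if c:
                s["closed"] = True
                s["close_reason"] = c.group("reason")
    return sessions


def classify(session):
    """'tls-negotiation-failure' when slapd says so, 'closed-before-bind' for a
    silent accept/close that never reached TLS or a BIND, otherwise 'ok'."""
    reason = session["close_reason"] or ""
    if "TLS" in reason:
        return "tls-negotiation-failure"
    if session["closed"] and not session["tls_established"] and not session["bound"]:
        return "closed-before-bind"
    return "ok"


def triage(log_text):
    """Map conn id -> classification for every session in the log."""
    return {conn: classify(s) for conn, s in parse_sessions(log_text).items()}


def suspect_clients(log_text):
    """Client hosts behind the failed sessions, to confirm it is really the
    wiki host whose TLS handshake is failing and not some other client."""
    bad = set()
    for s in parse_sessions(log_text).values():
        if classify(s) != "ok" and s["client"]:
            bad.add(s["client"].rsplit(":", 1)[0])
    return sorted(bad)


if __name__ == "__main__":
    for conn, label in triage(SAMPLE_LOG).items():
        print(f"conn={conn}: {label}")
    print("clients with failed sessions:", suspect_clients(SAMPLE_LOG))
```

Run it against a real slapd log (the syslog facility slapd writes to on the directory host) and look at the "closed-before-bind" sessions as well as the explicit TLS failures: with loglevel stats the server may not name the reason, so a session that is accepted on port 636 and closed without a TLS established or BIND line is the signature to look for.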
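A check covering both of Ryan's points, the IP-as-hostname-with-SSL problem from his first reply and the TLS_REQCERT never versus TLS_CACERT trust setup from this one, as an added example (Python; not the extension's or the thread's own code). It reads the OpenLDAP client directives TLS_REQCERT, TLS_CACERT and TLS_CACERTDIR (real ldap.conf directives; ldap.conf(5) defaults TLS_REQCERT to demand) and extracts the per-domain $wgLDAP* values with a regex that only handles the one-line array( "domain" => "value" ) form used in the thread. The sample config files are constructed, and treating a missing $wgLDAPEncryptionType as "clear" is an assumption.

```python
"""Lint the OpenLDAP client config and the MediaWiki $wgLDAP* settings for
the TLS trust problems discussed in this thread."""
import ipaddress
import re

# Constructed samples. The "broken" pair is the working-but-unverified state
# from the thread; the "fixed" pair is the trust setup Ryan describes.
LDAP_CONF_BROKEN = """\
# /etc/openldap/ldap.conf (constructed)
TLS_REQCERT never
"""
LDAP_CONF_FIXED = """\
# /etc/openldap/ldap.conf (constructed)
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/example.crt
TLS_REQCERT demand
"""
LOCALSETTINGS_BROKEN = '''
$wgLDAPDomainNames = array( "domain" );
$wgLDAPServerNames = array( "domain" => "127.0.0.1" );
#$wgLDAPPasswordHash = array ( "domain" => "ssl" );
$wgLDAPEncryptionType = array( "domain" => "ssl" );
'''
LOCALSETTINGS_FIXED = '''
$wgLDAPDomainNames = array( "domain" );
$wgLDAPServerNames = array( "domain" => "example.com" );
$wgLDAPEncryptionType = array( "domain" => "ssl" );
'''

# One-line  $wgLDAPxxx = array( "domain" => "value" );  as used in the thread.
ARRAY_RE = re.compile(
    r'\$(?P<var>wgLDAP\w+)\s*=\s*array\s*\(\s*"(?P<dom>[^"]+)"\s*=>\s*"(?P<val>[^"]*)"\s*\)'
)


def parse_ldap_conf(text):
    """ldap.conf is DIRECTIVE<whitespace>VALUE per line, '#' lines are comments,
    and directive names are case-insensitive (normalised to upper case here)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.upper()] = value.strip()
    return conf


def parse_localsettings(text):
    """Pull per-domain $wgLDAP* values out of LocalSettings.php text; lines
    commented out with # or // are skipped so $wgLDAPPasswordHash above is ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or line.startswith("//"):
            continue
        for m in ARRAY_RE.finditer(line):
            settings.setdefault(m.group("var"), {})[m.group("dom")] = m.group("val")
    return settings


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint(ldap_conf_text, localsettings_text):
    """Return (code, detail) findings; empty means the client verifies the server
    certificate and has a hostname to verify it against."""
    findings = []
    conf = parse_ldap_conf(ldap_conf_text)
    ls = parse_localsettings(localsettings_text)

    # ldap.conf(5): TLS_REQCERT defaults to demand; never and allow both let the
    # session proceed without a valid server certificate.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(("TLS_REQCERT", f"{reqcert}: server certificate is not verified, so a "
                         "simple bind would hand the user's password to whatever answers on that address"))
    elif "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append(("NO_CA", f"TLS_REQCERT {reqcert} but no TLS_CACERT/TLS_CACERTDIR, so a "
                         "self-signed or private-CA server certificate cannot be verified"))

    # An IP literal does not match the certificate CN, so with ssl/tls the only
    # way this "works" is with verification switched off.
    enc = ls.get("wgLDAPEncryptionType", {})
    for dom, server in ls.get("wgLDAPServerNames", {}).items():
        mode = enc.get(dom, "clear")  # assumed default when the option is absent
        if mode in ("ssl", "tls") and is_ip_literal(server):
            findings.append(("IP_HOSTNAME", f"domain {dom}: server {server} with encryption {mode}; "
                             "use the name in the certificate CN instead"))
    return findings


if __name__ == "__main__":
    for label, pair in (("broken", (LDAP_CONF_BROKEN, LOCALSETTINGS_BROKEN)),
                        ("fixed", (LDAP_CONF_FIXED, LOCALSETTINGS_FIXED))):
        print(label, lint(*pair) or "no findings")
```

Run as a script, the broken pair produces two findings and the fixed pair none. The point of the second pair is that it keeps the check that was failing in Marc's slapd log: importing the server certificate (or its CA) with TLS_CACERT and using the CN as $wgLDAPServerNames makes the handshake succeed with TLS_REQCERT still at demand, whereas TLS_REQCERT never makes the login work by not verifying at all.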