My predecessor had commented out the TLS_CACERT line:
#TLS_CACERT /usr/share/ssl/certs/tva_ad.pem
TLS_CACERTDIR /usr/share/ssl/certs
I think he had also converted the AD server's certificate to PEM format,
since I see about 5 .pem files in the ./certs directory.
I should add... We are authenticating via an Active Directory server, and
I am on Linux.
I've tried taking the certificate I downloaded from the AD server named
in LocalSettings.php and just renaming it as .pem, but I get the same
errors.
Will TLS_CACERT work with an Active Directory configuration?
-----Original Message-----
From: mediawiki-l-bounces(a)lists.wikimedia.org
[mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Lane, Ryan
Sent: Wednesday, March 26, 2008 10:29 AM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] LDAP-Error: Can't contact LDAP server
The LDAP server where we are doing our authentication had to change
certificate, and now when a user attempts to log in for edit purposes they
get Login error: Incorrect password entered. Please try again.
You should trust the CA certificate, not the server certificate; if you
do so, you won't have this problem next time.
If you are on a Linux system, the file you need to modify is going to be
/etc/openldap/ldap.conf. You need to add the following options:
TLS_CACERT <path to the CA certificate that signed your server
certificate>
TLS_CACERTDIR <same as above, minus the filename>
I believe the CA cert file needs to be in PEM format (base64). If the CA
certificate is in DER format for some reason (unlikely), you can convert
to PEM with openssl:
openssl x509 -inform DER -outform PEM -in cacertinderformat.cer -out cacertinpemformat.cer
You can check the certificate information as well:
openssl x509 -noout -text -in cacert.cer
V/r,
Ryan Lane
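Added example (not from either message in this thread): a small stdlib-only Python check for the situation both mails describe. It tells PEM and DER apart by content rather than by file extension (renaming a .cer file to .pem changes nothing about its bytes), and converts DER to the base64 PEM form that ldap.conf's TLS_CACERT expects. The SAMPLE_DER value is a constructed ASN.1 blob used only to exercise the logic offline, not a real certificate.

```python
import base64
import re
import sys
from pathlib import Path

# Constructed sample: a tiny DER SEQUENCE (not a real certificate), used only
# to exercise the detection and conversion logic without a real CA file.
SAMPLE_DER = bytes.fromhex("3003020105")

# A PEM certificate is the DER bytes, base64-encoded, between these markers.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'pem', 'der' or 'unknown'."""
    if PEM_RE.search(data):
        return "pem"
    # A DER-encoded X.509 Certificate is an ASN.1 SEQUENCE, whose tag is 0x30.
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER bytes as PEM with the conventional 64-character base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: bytes) -> bytes:
    """Extract and decode the first CERTIFICATE block of a PEM file."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))


def ensure_pem_bytes(data: bytes) -> tuple:
    """Return (what was done, bytes suitable for TLS_CACERT)."""
    fmt = detect_format(data)
    if fmt == "pem":
        return ("already PEM", data)
    if fmt == "der":
        return ("converted DER to PEM", der_to_pem(data))
    return ("not a certificate", data)


def ensure_pem_file(path: Path) -> str:
    """Inspect a certificate file and rewrite it as PEM in place if it was DER."""
    status, out = ensure_pem_bytes(path.read_bytes())
    if status == "converted DER to PEM":
        path.write_bytes(out)
    return status


if __name__ == "__main__":
    for arg in sys.argv[1:]:  # e.g. python check_cacert.py /etc/openldap/certs/*.pem
        print(arg, "->", ensure_pem_file(Path(arg)))
```

Run it over the files in TLS_CACERTDIR; any file reported as "not a certificate" is not something TLS_CACERT can load, whatever its extension.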
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l(a)lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l