I'm setting up a MediaWiki system, and am trying to get the system to authenticate to eDirectory. The MediaWiki server is running on a Suse Linux Enterprise 11 server (Novell), and authenticating against a Novell Netware 6.5 server. The Linux server is NOT running eDirectory, but needs to authenticate against another server.
I've run a DSTRACE on the Novell server, and don't even see the MW system trying to authenticate. I cannot find the proper settings to turn on debugging tools on the MW system to see what the problem might be.
Any suggestions would be greatly appreciated.
* What versions of MediaWiki and the LDAP plugin are you using?
* Is LDAP support for PHP available?
* Do you have the LDAP plugin enabled at the bottom of LocalSettings.php?
* Is the client connecting to the eDirectory server at all? Check netstat, and check your logs for connections. If it is connecting, and immediately disconnecting, you have an SSL/TLS trust issue.
* Turn on debugging on the plugin [1]
I'm betting LDAP support isn't available in PHP.
V/r,
Ryan Lane
[1] http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Options#Debugging_options
Thanks for your response! I had tried leaving a message on your blog, good to find you here! I'll do my best on answering:
1) Versions:

Product / Version
MediaWiki (http://www.mediawiki.org/) 1.15.1
PHP (http://www.php.net/) 5.2.6 (apache2handler)
MySQL (http://www.mysql.com/) 5.0.67
LDAP Plugin 1.2a (beta)

2) LDAP support for PHP - I THINK so. I was under the impression that the SLES 11 server has this built in. How do I confirm (especially since you think this is the issue)?
3) LDAP enabled - Yes, I've tried several different configurations, here is the most current (sorry, I have to hide actual container names, but I think you'll get the idea):
#LDAP Authentication
require_once( 'extensions/LDAPAuthentication/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "FOSAWiki" );
$wgLDAPServerNames = array( "FOSAWiki"=>"172.28.xxx.xxx" );
$wgLDAPSearchStrings = array( "FOSAWiki"=>"cn=USER-NAME,ou=SecondLevel,ou=FirstLevel,o=ORGANIZATION" );
$wgLDAPSearchAttributes = array( "FOSAWiki"=>"uid" );
$wgLDAPUseSSL = array( "{Wiki Identity variable}"=>"ssl" );
$wgMinimalPasswordLength = 1;
4) I have to apologize on this one. I'm not familiar enough with Linux to know where to look in the log files. Issuing a netstat from the Linux box running the MW system just gives me a screen shot of current activity. Running it on the NetWare server (that has eDirectory/LDAP services) gave me a prompt for additional switches (I was surprised, I didn't realize there was a netstat nlm for NetWare).
Usage: netstat [-aLn] [-f address_family]
       netstat [-rn] [-f address_family]
       netstat [-bdi] [-I interface] -w wait
       netstat [-s] [-p protocol]
       netstat [-s] [-f address_family] [-i] [-I interface]
       netstat -help
List of possible address families: inet (DARPA Internet)

5) I tried turning on debugging, but am not 100% sure I placed the /tmp directory correctly. On my server, apache2 runs out of /srv/www/ with the default docs directory /srv/www/htdocs. I have MediaWiki running out of /srv/www/htdocs/w. I added the following tmp directories, /srv/www/htdocs/tmp and /srv/www/htdocs/w/tmp, with debug.log in both, and both set to 666 (for now) on rights. I added the following to the local configuration file, but both debug.log files remain unchanged when enabling the LDAP module:
$wgLDAPDebug = 1;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";
Again, thanks for your response, and sorry for being such a noob to Linux.
On Mon, Sep 21, 2009 at 4:23 PM, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil wrote:
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
OK, I did some more research, and found how to check whether LDAP was enabled, it wasn't. I added that, and rebooted. Now I show this:
LDAP Support enabled
RCS Version $Id: ldap.c,v 1.161.2.3.2.12 2007/12/31 07:20:07 sebastian Exp $
Total Links 0/unlimited
API Version 3001
Vendor Name OpenLDAP
Vendor Version 20412
SASL Support Enabled
I also show on the NetWare server that it is listening on port 636
I'm still getting the same results though. Nothing on the DSTrace screen on the NetWare server, and no debugging information.
On Mon, Sep 21, 2009 at 4:23 PM, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil wrote:
I have some further information.
After properly setting up LDAP in PHP, I now get error messages in the apache error log. Here's what I show:
[Tue Sep 22 10:21:54 2009] [error] [client 192.168.1.240] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /srv/www/htdocs/w/extensions/LDAPAuthentication/LdapAuthentication.php on line 213, referer: https://192.168.1.130/w/index.php5?title=Special:UserLogin&returnto=Main_Page
.240 is the workstation I'm on
.130 is the server MediaWiki is running on
.5 is the LDAP server
Here are the settings I'm using in the LocalSettings.php file:
#LDAP Authentication
require_once( 'extensions/LDAPAuthentication/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "FOSAWiki" );
$wgLDAPServerNames = array( "FOSAWiki"=>"192.168.1.5" );
$wgLDAPSearchStrings = array( "FOSAWiki"=>"cn=USER-NAME,ou=LEVEL2,ou=LEVEL1,o=ORGANIZATION" );
$wgLDAPUseSSL = array( "{Wiki Identity variable}"=>"ssl" );
$wgMinimalPasswordLength = 1;
On Mon, Sep 21, 2009 at 4:23 PM, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil wrote:
#LDAP Authentication
require_once( 'extensions/LDAPAuthentication/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "FOSAWiki" );
$wgLDAPServerNames = array( "FOSAWiki"=>"192.168.1.5" );
This needs to be the fully qualified domain name of the LDAP server, not the IP address.
$wgLDAPSearchStrings = array( "FOSAWiki"=>"cn=USER-NAME,ou=LEVEL2,ou=LEVEL1,o=ORGANIZATION" );
$wgLDAPUseSSL = array( "{Wiki Identity variable}"=>"ssl" );
This should be:
$wgLDAPUseSSL = array( "FOSAWiki"=>"ssl" );
Notice that even after setting this, you may still have SSL issues. If you have SSL issues, see:
http://ryandlane.com/wprdl/2009/06/16/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-2/#configuring-the-ssl-trust
V/r,
Ryan Lane
I'll hit up on the FQDN issue. I don't think though, that the LDAP server has a DNS entry. I'm assuming that if they don't, I can do it with a host entry.
On your second correction, the corrected version is what I had at one time, I dropped it attempting things.
However, I think your last recommendation is the correct one. I had pretty much decided that it was a cert issue, but couldn't get the exact information on what I needed to do to correct it. Your blog looks like it had it all along. Will try that this evening or tomorrow, and see what I get.
On Tue, Sep 22, 2009 at 4:12 PM, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil wrote:
If your server doesn't have a DNS entry, then it probably has a self-signed certificate too. If this is the case, you'll have to put the following into your ldap.conf:
TLS_REQCERT never
V/r,
Ryan Lane
Well, I've tried changing that setting, and still get the same error message. I'm pretty sure this is a certificate issue, just don't know how it's resolved.
The NetWare server has a certificate that's issued from eDirectory. I see lots of stuff about putting the certs in the /etc/pki directory on Red Hat, but nothing about where they should go on Suse Linux, and what configuration files need to be modified to make them recognized.
I've been able to successfully LDAP to the NetWare server using another LDAP utility, and it prompts me to accept the certificate, this is why I'm pretty sure it's a cert problem.
At this point, I'm stumped.
If any of you know of anyone that is successfully using a similar setup, running MW on a Linux box authenticating to an eDirectory system, I'd sure appreciate any insight.
On Tue, Sep 22, 2009 at 5:25 PM, Lane, Ryan Ryan.Lane@ocean.navo.navy.mil wrote:
Well, I've tried changing that setting, and still get the same error message. I'm pretty sure this is a certificate issue, just don't know how it's resolved.
You put that setting into /etc/openldap/ldap.conf right? /etc/ldap.conf is for pam/nss, /etc/openldap/ldap.conf is for openldap clients (like PHP).
The NetWare server has a certificate that's issued from eDirectory. I see lots of stuff about putting the certs in the /etc/pki directory on Red Hat, but nothing about where they should go on Suse Linux, and what configuration files need to be modified to make them recognized.
From what I've seen online, your CA certs go into /etc/ssl.
V/r,
Ryan Lane
Hi,
Herb Parsons wrote:
Well, I've tried changing that setting, and still get the same error message.
That was: "[Tue Sep 22 10:21:54 2009] [error] [client 192.168.1.240] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /srv/www/htdocs/w/extensions/LDAPAuthentication/LdapAuthentication.php on line 213, referer: https://192.168.1.130/w/index.php5?title=Special:UserLogin&returnto=Main_Page" Right?
If the error message is true, MW tries STARTTLS.
Also you stated: "I also show on the NetWare server that it is listening on port 636"
This is (in most cases) so-called LDAPS (LDAP over SSL) on a port that is secure from the start of the connection. This is different from LDAP with TLS (started by STARTTLS), where TLS starts later on an unencrypted connection.
From the blog: "Specifically, the plugin defaults to tls using LDAP (port 389)"
So this is what we see. The plugin tries TLS not SSL. You may check the plugin config to make the SSL setting work.
Marc
If the error message is true, MW tries STARTTLS.
It does indeed. That's the default (since clear text is insecure, and LDAPS is deprecated).
Also you stated: "I also show on the NetWare server that it is listening on port 636"
This is (in most cases) so-called LDAPS (LDAP over SSL) on a port that is secure from the start of the connection. This is different from LDAP with TLS (started by STARTTLS), where TLS starts later on an unencrypted connection.
From the blog: "Specifically, the plugin defaults to tls using LDAP (port 389)"
So this is what we see. The plugin tries TLS not SSL. You may check the plugin config to make the SSL setting work.
He did have that line set incorrectly. I sent him the right setting. Not sure if he applied it though.
V/r,
Ryan Lane
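Marc's point above (STARTTLS on 389 is a plaintext LDAP exchange that upgrades to TLS later; LDAPS on 636 is TLS from the first byte) as an added example that is not from the thread or from the plugin: a Python probe, assumed here as a hand-written diagnostic, that sends one plaintext StartTLS ExtendedRequest to a port on a server you administer and classifies the answer. A port-389 listener replies with a BER ExtendedResponse (resultCode 0 when STARTTLS is allowed), a port-636 listener expects a TLS ClientHello and answers with a TLS alert or a dropped connection, and a port nobody listens on gives "refused", which is what the plugin's default of STARTTLS on 389 runs into when only 636 is open. The replies checked below are constructed byte strings, and the hostname in the usage note is a placeholder.

```python
import socket
# OID a client puts in an LDAP ExtendedRequest to ask for STARTTLS (RFC 4511, section 4.14)
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"

def ber_len(n):  # BER definite-form length (short form below 128, long form above)
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def starttls_request(msg_id=1):
    """Plaintext LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # requestName, context tag [0]
    ext = b"\x77" + ber_len(len(name)) + name                    # [APPLICATION 23], constructed
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID, then the op
    return b"\x30" + ber_len(len(body)) + body                   # outer SEQUENCE

def read_tlv(buf, off):  # (tag, value_start, value_end) of the BER TLV that starts at buf[off]
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes that follow
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def extended_result_code(msg):  # resultCode of { messageID, extendedResp [APPLICATION 24] {...} }
    tag, start, _ = read_tlv(msg, 0)              # outer SEQUENCE
    _, _, mid_end = read_tlv(msg, start)          # skip messageID
    op_tag, op_start, _ = read_tlv(msg, mid_end)  # the ExtendedResponse itself
    rc_tag, rc_s, rc_e = read_tlv(msg, op_start)  # resultCode ENUMERATED comes first inside it
    if (tag, op_tag, rc_tag) != (0x30, 0x78, 0x0A):
        raise ValueError("not an LDAP ExtendedResponse")
    return int.from_bytes(msg[rc_s:rc_e], "big")

def classify_reply(data):  # what the first bytes back from the server say about the port
    if not data:
        return "closed"      # an LDAPS listener expected a TLS ClientHello, got BER, hung up
    if data[:2] == b"\x15\x03":
        return "tls-alert"   # TLS alert record from byte one: LDAPS, port-636 style
    if data[0] == 0x30:      # a plaintext LDAP reply: this port speaks LDAP, STARTTLS applies
        rc = extended_result_code(data)
        return "starttls-ok" if rc == 0 else "starttls-refused(%d)" % rc
    return "unknown"

def probe(host, port, timeout=5.0):  # send the StartTLS request in the clear, classify the answer
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(starttls_request())
            return classify_reply(s.recv(64))
    except ConnectionRefusedError:
        return "refused"     # nothing listening there at all (the plugin's default port is 389)
    except (ConnectionResetError, socket.timeout):
        return "closed"
```

Run probe("ldap.example.internal", 389) and probe("ldap.example.internal", 636) side by side against your own directory server; anything other than "starttls-ok" on the port and mode the plugin is configured for is the thing to fix before looking at certificates.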