Hi
I am trying to implement a mediawiki for our organisation, but have hit a problem that I am unable (so far) to remedy. Your online documentation has been an absolute godsend.
I have an implementation in a Virtual Environment that has no restrictions as far as Firewall or Networking is concerned. Using your documentation as a baseline for the LDAP Plugin I have managed to get authentication working using LDAP when setting $wgLDAPEncryptionType = array('internalwiki' => 'clear');. However, when trying to use SSL I hit a problem.
We know that LDAP works on 389 and 636 between the two servers as we have used "LDAP.exe" to connect and bind.
At this point I should provide details on our environment:
DMZ Server
* Windows 2003 R2 32bit
* IIS6.0
* fcgisetup_1.5_rtw_x86.msi
* mysql-essential-5.1.44-win32.msi
* php-5.2.12-nts-win32-installer.msi
* MediaWiki 1.15.2
* LDAPAuthentication Plugin 1.2b
* Root Certificate installed and trusted on the Server
Separate Domain Server
* Windows 2003 R2 Active Directory (Root CA)
My LDAPAuthentication.php file has the following settings:
<?php
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(' vDomain ');
$wgLDAPServerNames = array('vmdomain' => 'vmad.vDomain.local');
$wgLDAPSearchStrings = array('vmdomain' => 'vmDomain\USER-NAME');
$wgLDAPEncryptionType = array('vmdomain' => 'ssl');
$wgLDAPGroupUseFullDN = array( "vmdomain"=>true );
$wgLDAPBaseDNs = array( "vmdomain"=>"dc=vmDomain,dc=local" );
$wgLDAPSearchAttributes = array( "vmdomain" => "sAMAccountName");
$wgLDAPGroupObjectclass = array( "vmdomain"=>"group" );
$wgLDAPGroupAttribute = array( "vmdomain"=>"member" );
$wgLDAPGroupNameAttribute = array( "vmdomain"=>"cn" );
$wgLDAPRequiredGroups = array( "vmdomain"=>array("cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vDomain,dc=local") );
# Enable the "local" option on the login page. Enabled initially so we can use the WikiSysop user. Set to false to remove.
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
# Debug options - uncomment to enable detailed debugging
$wgDebugLogGroups["ldap"] = "D:\Logfile\LDAP.log";
$wgLDAPDebug = 6;
?>
These are the results that I get when I try and authenticate.
Clear
2010-05-12 04:08:17 mediawiki: Entering validDomain
2010-05-12 04:08:17 mediawiki: User is using a valid domain.
2010-05-12 04:08:17 mediawiki: Setting domain as: vDomain
2010-05-12 04:08:17 mediawiki: Entering getCanonicalName
2010-05-12 04:08:17 mediawiki: Username isn't empty.
2010-05-12 04:08:17 mediawiki: Munged username: Aadams
2010-05-12 04:08:17 mediawiki: Entering authenticate
2010-05-12 04:08:17 mediawiki:
2010-05-12 04:08:17 mediawiki: Entering Connect
2010-05-12 04:08:17 mediawiki: Using TLS or not using encryption.
2010-05-12 04:08:17 mediawiki: Using servers: ldap://vmad.vDomain.local
2010-05-12 04:08:17 mediawiki: Connected successfully
2010-05-12 04:08:17 mediawiki: Entering getSearchString
2010-05-12 04:08:17 mediawiki: Doing a straight bind
2010-05-12 04:08:17 mediawiki: userdn is: vDomain\Aadams
2010-05-12 04:08:17 mediawiki:
2010-05-12 04:08:17 mediawiki: Binding as the user
2010-05-12 04:08:17 mediawiki: Bound successfully
2010-05-12 04:08:17 mediawiki: Entering getUserDN
2010-05-12 04:08:17 mediawiki: Created a regular filter: (sAMAccountName=Aadams)
2010-05-12 04:08:17 mediawiki: Entering getBaseDN
2010-05-12 04:08:17 mediawiki: basedn is not set for this type of entry, trying to get the default basedn.
2010-05-12 04:08:17 mediawiki: Entering getBaseDN
2010-05-12 04:08:17 mediawiki: basedn is dc=vDomain,dc=local
2010-05-12 04:08:17 mediawiki: Using base: dc=vDomain,dc=local
2010-05-12 04:08:17 mediawiki: Fetched username is not a string (check your hook code...). This message can be safely ignored if you do not have the SetUsernameAttributeFromLDAP hook defined.
2010-05-12 04:08:17 mediawiki: Pulled the user's DN: CN=aadams,OU=External,DC=vDomain,DC=local
2010-05-12 04:08:17 mediawiki: Entering getGroups
2010-05-12 04:08:17 mediawiki: Retrieving LDAP group membership
2010-05-12 04:08:17 mediawiki: Searching for the groups
2010-05-12 04:08:17 mediawiki: Entering searchGroups
2010-05-12 04:08:17 mediawiki: Entering getBaseDN
2010-05-12 04:08:17 mediawiki: basedn is not set for this type of entry, trying to get the default basedn.
2010-05-12 04:08:17 mediawiki: Entering getBaseDN
2010-05-12 04:08:17 mediawiki: basedn is dc=vDomain,dc=local
2010-05-12 04:08:17 mediawiki: Search string: (&(member=CN=aadams,OU=External,DC=vDomain,DC=local)(objectclass=group))
2010-05-12 04:08:17 mediawiki: Returned groups: cn=Appl-sec,ou=citrix security groups,ou=security,ou=groups,dc=vDomain,dc=local::cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vDomain,dc=local
2010-05-12 04:08:17 mediawiki: Entering checkGroups
2010-05-12 04:08:17 mediawiki: Checking for (new style) group membership
2010-05-12 04:08:17 mediawiki: Required groups: cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vDomain,dc=local
2010-05-12 04:08:17 mediawiki: Checking against: cn=Appl-sec,ou=citrix security groups,ou=security,ou=groups,dc=vDomain,dc=local
2010-05-12 04:08:17 mediawiki: Checking against: cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vDomain,dc=local
2010-05-12 04:08:17 mediawiki: Found user in a group.
2010-05-12 04:08:17 mediawiki: Entering getPreferences
2010-05-12 04:08:17 mediawiki: Entering synchUsername
2010-05-12 04:08:17 mediawiki: Authentication passed
2010-05-12 04:08:17 mediawiki: Entering updateUser
SSL
2010-05-12 04:09:42 mediawiki: Entering validDomain
2010-05-12 04:09:42 mediawiki: User is not using a valid domain.
2010-05-12 04:09:42 mediawiki: Setting domain as: invaliddomain
2010-05-12 04:09:42 mediawiki: Entering allowPasswordChange
2010-05-12 04:09:42 mediawiki: Entering modifyUITemplate
2010-05-12 04:09:42 mediawiki: Allowing the local domain, adding it to the list.
2010-05-12 04:09:47 mediawiki: Entering validDomain
2010-05-12 04:09:47 mediawiki: User is using a valid domain.
2010-05-12 04:09:47 mediawiki: Setting domain as: vDomain
2010-05-12 04:09:47 mediawiki: Entering getCanonicalName
2010-05-12 04:09:47 mediawiki: Username isn't empty.
2010-05-12 04:09:47 mediawiki: Munged username: Aadams
2010-05-12 04:09:47 mediawiki: Entering authenticate
2010-05-12 04:09:47 mediawiki:
2010-05-12 04:09:47 mediawiki: Entering Connect
2010-05-12 04:09:47 mediawiki: Using SSL
2010-05-12 04:09:47 mediawiki: Using servers: ldaps://vmAD.vDomain.local
2010-05-12 04:09:47 mediawiki: Connected successfully
2010-05-12 04:09:47 mediawiki: Entering getSearchString
2010-05-12 04:09:47 mediawiki: Doing a straight bind
2010-05-12 04:09:47 mediawiki: userdn is: vDomain\Aadams002
2010-05-12 04:09:47 mediawiki:
2010-05-12 04:09:47 mediawiki: Binding as the user
2010-05-12 04:09:47 mediawiki: Failed to bind as vDomain\Aadams
2010-05-12 04:09:47 mediawiki: Entering strict.
2010-05-12 04:09:47 mediawiki: Returning false in strict().
2010-05-12 04:09:47 mediawiki: Entering allowPasswordChange
2010-05-12 04:09:47 mediawiki: Entering modifyUITemplate
2010-05-12 04:09:47 mediawiki: Allowing the local domain, adding it to the list.
Any help that you can provide would be greatly appreciated
Ian Diston
idiston@linz.govt.nz
I am trying to implement a mediawiki for our organisation, but have hit a problem that I am unable (so far) to remedy. Your online documentation has been an absolute godsend.
Glad to hear my documentation is kind of good :).
I have an implementation in a Virtual Environment that has no restrictions as far as Firewall or Networking is concerned. Using your documentation as a baseline for the LDAP Plugin I have managed to get authentication working using LDAP when setting $wgLDAPEncryptionType = array('internalwiki' => 'clear');. However, when trying to use SSL I hit a problem.
We know that LDAP works on 389 and 636 between the two servers as we have used "LDAP.exe" to connect and bind.
At this point I should provide details on our environment:
[snip]
Separate Domain Server
- Windows 2003 R2 Active Directory (Root CA)
My LDAPAuthentication.php file has the following settings:
<?php
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(' vDomain ');
$wgLDAPServerNames = array('vmdomain' => 'vmad.vDomain.local');
$wgLDAPSearchStrings = array('vmdomain' => 'vmDomain\\USER-NAME');
$wgLDAPEncryptionType = array('vmdomain' => 'ssl');
$wgLDAPGroupUseFullDN = array( "vmdomain"=>true );
$wgLDAPBaseDNs = array( "vmdomain"=>"dc=vmDomain,dc=local" );
$wgLDAPSearchAttributes = array( "vmdomain" => "sAMAccountName");
$wgLDAPGroupObjectclass = array( "vmdomain"=>"group" );
$wgLDAPGroupAttribute = array( "vmdomain"=>"member" );
$wgLDAPGroupNameAttribute = array( "vmdomain"=>"cn" );
$wgLDAPRequiredGroups = array( "vmdomain"=>array("cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vDomain,dc=local") );
# Enable the "local" option on the login page. Enabled initially so we can use the WikiSysop user. Set to false to remove.
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
# Debug options - uncomment to enable detailed debugging
$wgDebugLogGroups["ldap"] = "D:\Logfile\LDAP.log";
$wgLDAPDebug = 6;
?>
Your configuration is fine. You likely have an issue with PHP not trusting the CA certificate of your AD server. It is *really* likely since your AD is your root CA.
Create the following file:
C:\openldap\sysconf\ldap.conf
Yes, it has to be these directories and files; apparently it is hard coded into PHP for Windows.
Put the following line into that file:
TLS_REQCERT never
Restart IIS. Is it working now? If so, you'll want to actually do this correctly now. Instead of "TLS_REQCERT never", you'll want to make PHP trust the CA:
1. Get the CA certificate; if you have openssl installed, you can do the following:
   1a. Run: openssl s_client -showcerts -connect vmad.vDomain.local:636
   1b. Save every certificate in the chain greater than 0 (0 is your AD server's certificate). Save the certificates by copying everything in between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
2. Append all certificates into one file called "certs.pem"
3. Drop "certs.pem" into C:\openldap\sysconf\
4. Edit ldap.conf, and add "TLS_CACERT C:\openldap\sysconf\certs.pem"
5. Restart IIS.
BTW, you probably want to use SSL, and not TLS in your ldap extension configuration. TLS is a little more quirky to get working.
Respectfully,
Ryan Lane
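The chain-extraction and ldap.conf steps from Ryan's reply, scripted as an added example that is not part of the original thread. It assumes a POSIX shell with awk wherever openssl is run; the C:\openldap\sysconf path comes from the reply above, and the s_client output it parses is a constructed sample with dummy certificate bodies.

```shell
# Pull every CA certificate (chain index > 0) out of "openssl s_client -showcerts"
# output; index 0 is the AD server's own certificate and must not go in the CA file.
# The trailing "Server certificate" block repeats the leaf and is skipped as well.
extract_ca_chain() {
  awk '
    BEGIN { idx = -1; incert = 0 }
    /^ *[0-9]+ s:/ { idx = $1 + 0; next }      # " 1 s:/CN=..." opens chain entry 1
    /^Server certificate/ { idx = -1 }         # leaf repeated outside the chain
    /^-----BEGIN CERTIFICATE-----/ { incert = 1 }
    incert && idx >= 1 { print }
    /^-----END CERTIFICATE-----/ { incert = 0 }
  '
}

# Sanity check on the resulting file: how many PEM blocks it holds.
count_pem_blocks() { grep -c '^-----BEGIN CERTIFICATE-----'; }

# ldap.conf content for step 4. TLS_REQCERT demand (the OpenLDAP default) is
# written out explicitly so the diagnostic "TLS_REQCERT never" cannot linger.
make_ldap_conf() {
  printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1"
}

# Constructed s_client output (dummy certificate bodies instead of base64 DER).
SAMPLE_SHOWCERTS='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=vmad.vDomain.local
   i:/CN=vDomain Root CA
-----BEGIN CERTIFICATE-----
LEAFCERTDUMMY
-----END CERTIFICATE-----
 1 s:/CN=vDomain Root CA
   i:/CN=vDomain Root CA
-----BEGIN CERTIFICATE-----
ROOTCERTDUMMY
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
LEAFCERTDUMMY
-----END CERTIFICATE-----'

# Against the real server: openssl s_client -showcerts -connect vmad.vDomain.local:636 </dev/null | extract_ca_chain > certs.pem
printf '%s\n' "$SAMPLE_SHOWCERTS" | extract_ca_chain > certs.pem
make_ldap_conf 'C:\openldap\sysconf\certs.pem' > ldap.conf
```

"TLS_REQCERT never" makes the client accept whatever certificate the server presents, which is why the reply treats it purely as a diagnostic before pinning the CA with TLS_CACERT.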
Ryan
Thanks very much for that. I now have the Mediawiki working with SSL.
Thanks very much
Ian
-----Original Message----- From: mediawiki-l-bounces@lists.wikimedia.org [mailto:mediawiki-l-bounces@lists.wikimedia.org] On Behalf Of Ryan Lane Sent: Thursday, 13 May 2010 12:11 p.m. To: MediaWiki announcements and site admin list Subject: Re: [Mediawiki-l] FW: Help Appreciated
MediaWiki-l mailing list
MediaWiki-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l