[Mediawiki-l] LDAP & Windows AD Authentication

shane shanep at sydneygang.com
Tue Oct 24 03:00:10 UTC 2006


Ryan,

Thanks for the response and your fresh pair of eyes. 

I'll try and answer your questions.

Are you using SSL/TLS?  - According to our System Admins, no SSL certificate
is in place on the Active Directory and SSL isn't being used!

What do your AD logs show? - It's a Windows 2003 Server, so checking the Windows
Event Viewer -> Directory Services events shows no errors or issues.

Is the user failing to bind, or is the bind failing because the SSL connection
is failing? If AD doesn't show a bind failure, it is likely that it is the SSL
connection failing (as AD doesn't log very much). This is pretty common when
using AD.  -  

I have no idea how to further diagnose the problem to understand why it is
failing to bind. I was able to use another PHP script I found to find out if I
could connect to the AD and search for data within the AD structure. This PHP
script was able to return a list of users in a (ou=Sydney, dc=Planit,dc=Local)
baseDN. I have also tried using the tool LDP.exe, a Windows AD connection and
search tool.

Does your AD even have an SSL cert in place?  - I believe not

AD doesn't use SSL by default, only Kerberos? - Kerberos is being used, not SSL

Are you using IIS or apache? - I'm running IIS6

-- 
Date: Mon, 23 Oct 2006 08:53:03 -0500
From: "Lane, Ryan" <Ryan.Lane at ocean.navo.navy.mil>
Subject: Re: [Mediawiki-l] LDAP & Windows AD Authentication
To: "MediaWiki announcements and site admin list"
	<mediawiki-l at Wikimedia.org>
Message-ID:
	<FC45D28A421D8F42A3F422E99521E6621A2D73 at navo2.ocean.navo.navy.mil>
Content-Type: text/plain;	charset="us-ascii"

> Entering validDomain<br>
> 
> User is using a valid domain<br>
> 
> Entering getCanonicalName<br>
> 
> Munged username: Administrator<br>
> 
> Entering userExists<br>
> 
> Entering Connect<br>
> 
> Entering Connect<br>
> 
> Using servers:  ldap://Home.Local<br>
> 
> Connected successfully<br>
> 
> Entering getSearchString<br>
> 
> Doing a straight bind<br>
> 
> userdn is: Home\Administrator<br>
> 
> Binding as the user<br>
> 
> Failed to bind as Home\Administrator<br>

Set debug to 4 instead of 3, and if you send the info back, make sure
you snip anything sensitive out...

[snip]
 
> Can anybody assist with what I'm missing here and apply a fresh pair
> of eyes to this problem?

Looks like you got past the blank page problem, so I'll ignore that
email.

Are you using SSL/TLS? What do your AD logs show? Is the user failing to
bind, or is the bind failing because the SSL connection is failing? If
AD doesn't show a bind failure, it is likely that it is the SSL
connection failing (as AD doesn't log very much). This is pretty common
when using AD. Does your AD even have an SSL cert in place? AD doesn't
use SSL by default, only Kerberos.

For more info on setting up SSL with AD read this section and its links:
http://meta.wikimedia.org/wiki/LDAP_Authentication#Trusting_self-signed_SSL_certificates

Are you using IIS or apache?

By the way, the way you had the configuration set up in your first email
should work fine.

V/r,

Ryan Lane
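The distinction Ryan draws above (a transport/TLS failure versus a bind the DC actually rejected) can be checked directly from PHP, in the spirit of the test script Shane mentions. This is an added example, not code from the thread or from the MediaWiki LDAP Authentication extension; the server URL, domain and account are placeholders taken from the quoted debug log, and the password is assumed to come from the environment.

```php
<?php
// Added diagnostic example (not from the thread or the MediaWiki LDAP extension).
// Server, domain and user are assumed placeholders; the password is read from the
// environment so it never lands in shell history or a web-accessible file.
$server   = 'ldap://Home.Local';           // placeholder, as in the quoted debug log
$userdn   = 'Home\\Administrator';         // "straight bind" form: DOMAIN\user
$password = getenv('LDAP_TEST_PASSWORD') ?: '';
$useTls   = false;                          // set true to test StartTLS on its own

function report(string $step, $ds): void {
    // Print the LDAP result code and AD's extended diagnostic text
    // (e.g. "data 52e" = bad credentials, "data 525" = user not found).
    $diag = '';
    @ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    printf("%s: errno=%d error=%s diag=%s\n",
        $step, ldap_errno($ds), ldap_error($ds), $diag ?: '(none)');
}

// 1. ldap_connect() only parses the URL; nothing is sent to the DC yet.
$ds = ldap_connect($server);
if ($ds === false) {
    exit("connect: malformed server URL\n");
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD returns referrals on searches

// 2. Optional StartTLS: a failure here is a transport/certificate problem,
//    not an authentication problem, and AD will not log it as a bind failure.
if ($useTls && !@ldap_start_tls($ds)) {
    report('start_tls', $ds);
    exit("TLS handshake failed; check the DC certificate before testing binds\n");
}

// 3. On a plain ldap:// URL the bind is the first real network exchange.
//    errno 49 with a diag string means the DC was reached and rejected the
//    credentials; errno -1 ("Can't contact LDAP server") means it never was.
if (@ldap_bind($ds, $userdn, $password)) {
    echo "bind OK as $userdn\n";
} else {
    report('bind', $ds);
}
ldap_unbind($ds);
```

Run it once with `$useTls = false` and once with `true`; if only the second run fails, the problem is the certificate setup described in the linked meta page rather than the account or password.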
