[Mediawiki-l] FW: LDAP-Error: Can't contact LDAP server

Russell, Elizabeth earussell at tva.gov
Wed Mar 26 15:11:49 UTC 2008


Ryan,
A co-worker who had problems with a different box trying to authenticate
via this AD server also pointed out to me that the new certificate from
the AD server does not have the fully-qualified domain name in it.

I used the x509 command to get info on the certificates.  On the old one
I see:
Subject: CN=chaent3b.main.foo.com      [name has been changed]
On the new one I see:  
Subject: DC=com, DC=foo, DC=main, OU=Domain Controllers, CN=CHAENT3B 

He also suggested I might just want to turn off SSL encryption for
authentication.  I tried commenting out the line that specifies ssl but
got errors from TLS with that configuration.

If the right thing to do is to go up to the CA Cert, which PEM do I
specify?  I can use x509 to find the correct one probably, but not sure
that certificate hasn't changed either since it was first loaded on my
host.  

The two certificates I have looked at so far with x509 (the AD server
pem from a year ago and the one changed 2 days ago) have different CA
Issuers listed:
OLD: URI:http://foochaeca.foo.com/CertEnroll/longxxx.crt
NEW: URI:http://multi.foo.com/ca/xxx.crt

Thanks much for your help.  I'm so confused right now that my head is
spinning!
- Beth

-----Original Message-----
From: Russell, Elizabeth 
Sent: Wednesday, March 26, 2008 10:44 AM
To: 'MediaWiki announcements and site admin list'
Subject: RE: [Mediawiki-l] LDAP-Error: Can't contact LDAP server

My predecessor had commented out the TLS_CACERT line:
#TLS_CACERT /usr/share/ssl/certs/tva_ad.pem
TLS_CACERTDIR /usr/share/ssl/certs

I think he had also converted the AD server's certificate to PEM format,
since I see about 5 .pem files in the ./certs directory

I should add.... We are authenticating via Active Directory server, and
I am on Linux.  

I've tried taking the certificate I downloaded from the AD server named
in LocalSettings.php and just renaming as .pem, but I get the same
errors.  

Will the TLS_CACERT work with Active Directory configuration?
 

-----Original Message-----
From: mediawiki-l-bounces at lists.wikimedia.org
[mailto:mediawiki-l-bounces at lists.wikimedia.org] On Behalf Of Lane, Ryan
Sent: Wednesday, March 26, 2008 10:29 AM
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] LDAP-Error: Can't contact LDAP server

> The LDAP server where we are doing our authentication had to change
> certificate, and now when user attempts to login for edit purposes they
> get Login error:  Incorrect password entered.  Please try again.

You should trust the CA certificate, not the server certificate; if you
do so, you won't have this problem next time.

If you are on a Linux system, the file you need to modify is going to be
/etc/openldap/ldap.conf. You need to add the following options:

	TLS_CACERT <path to the CA certificate that signed your server certificate>
	TLS_CACERTDIR <same as above, minus the filename>

I believe the ca cert file needs to be in PEM format (base64). If the CA
certificate is in DER format for some reason (unlikely), you can convert
to PEM with openssl:

	openssl x509 -inform DER -outform PEM -in cacertinderformat.cer -out cacertinpemformat.cer

You can check the certificate information as well:

	openssl x509 -noout -text -in cacert.cer

V/r,

Ryan Lane

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l at lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
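The two checks libldap applies to the AD server's certificate, as an added example that is not code from this thread or from MediaWiki's LDAP extension: it builds a throwaway CA and two server certificates with the openssl CLI and shows, first, that TLS_CACERT only works when it names the CA certificate (trusting the server certificate itself fails, which is Ryan's point), and second, that the host name configured for the wiki must appear in the certificate, in a subjectAltName or, failing that, the CN, which is the problem Beth's co-worker spotted in the new AD-issued cert. The host names are the ones from the thread; the lab CA name, the temporary paths, the key size and the two-day validity are assumptions made here, and a working openssl binary is required.

```sh
#!/bin/sh
# Added example (not from the mailing list or the LDAP extension). Assumes the
# openssl CLI is installed; the lab CA, file names and key size are made up here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Private openssl config so the example does not depend on the system openssl.cnf
cat > "$WORK/lab.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = Example Lab Root CA
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root CA, the thing TLS_CACERT should point at
make_ca() {
  openssl req -x509 -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# issue_cert NAME SUBJECT [DNS-SAN]: a server certificate signed by the lab CA
issue_cert() {
  name=$1; subj=$2; san=${3:-}
  openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  {
    echo "basicConstraints = CA:FALSE"
    echo "extendedKeyUsage = serverAuth"
    if [ -n "$san" ]; then echo "subjectAltName = DNS:$san"; fi
  } > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# verify_chain TRUSTFILE LEAF -> OK/FAIL: the check TLS_CACERT feeds (chain only)
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# verify_host TRUSTFILE LEAF HOSTNAME -> OK/FAIL: chain plus host-name match (SAN, then CN)
verify_host() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# to_pem IN OUT: accept a DER (.cer/.crt download) or PEM certificate, always write PEM
to_pem() {
  openssl x509 -inform PEM -in "$1" -out "$2" >/dev/null 2>&1 ||
    openssl x509 -inform DER -in "$1" -out "$2" >/dev/null 2>&1
}

make_ca
# The certificate described in the thread: AD-style subject, short host name, no SAN
issue_cert newad "/DC=com/DC=foo/DC=main/OU=Domain Controllers/CN=CHAENT3B"
# A certificate the wiki could use: same subject, but the FQDN carried in a SAN
issue_cert good "/DC=com/DC=foo/DC=main/OU=Domain Controllers/CN=CHAENT3B" chaent3b.main.foo.com
# DER copy of the CA cert, the form a CertEnroll download normally arrives in
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/ca.cer"

trust_server_cert()  { verify_chain "$WORK/good.pem" "$WORK/good.pem"; }                      # FAIL
trust_ca_cert()      { verify_chain "$WORK/ca.pem" "$WORK/good.pem"; }                        # OK
trust_converted_ca() { to_pem "$WORK/ca.cer" "$WORK/ca2.pem"; verify_chain "$WORK/ca2.pem" "$WORK/good.pem"; }  # OK
host_newad()         { verify_host "$WORK/ca.pem" "$WORK/newad.pem" chaent3b.main.foo.com; }  # FAIL
host_good()          { verify_host "$WORK/ca.pem" "$WORK/good.pem" chaent3b.main.foo.com; }   # OK

echo "TLS_CACERT = server cert:        $(trust_server_cert)"
echo "TLS_CACERT = CA cert:            $(trust_ca_cert)"
echo "TLS_CACERT = CA cert (from DER): $(trust_converted_ca)"
echo "host check, CN=CHAENT3B only:    $(host_newad)"
echo "host check, SAN has the FQDN:    $(host_good)"
printf 'ldap.conf lines that would trust this CA:\n  TLS_CACERT %s\n  TLS_REQCERT demand\n' "$WORK/ca.pem"
```

Against the real server the chain is fetched with `openssl s_client -connect chaent3b.main.foo.com:636 -showcerts`; the last certificate printed is the one to compare with the CA Issuers URI from `x509 -text`, and the CA certificate it names is what belongs in TLS_CACERT. Two caveats the thread does not spell out: TLS_REQCERT defaults to demand, so any chain or host-name failure shows up in the wiki as a plain failed login, and TLS_CACERTDIR only works when the directory holds hash-named links (as produced by c_rehash), so a directory of plain .pem files is not a substitute for TLS_CACERT.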
