[Mediawiki-l] MediaWiki/LDAP Authentication/encryption problem

Sam.Sexton at thomsonreuters.com Sam.Sexton at thomsonreuters.com
Thu Aug 13 06:44:54 UTC 2009


Ryan,

If you're using wfDebugLog (and not just wfDebug) as per
http://www.mediawiki.org/wiki/How_to_debug#Logging, then I suggest you
try changing the log file location to somewhere below htdocs as in the
example on that page - my experience in this area is limited, but I'm
not sure whether an arbitrary location is OK.


/Sam


-----Original Message-----
From: mediawiki-l-bounces at lists.wikimedia.org
[mailto:mediawiki-l-bounces at lists.wikimedia.org] On Behalf Of Lane, Ryan
Sent: 12 August 2009 18:27
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] MediaWiki/LDAP Authentication/encryption
problem

> I guess you are referring to the debug file. I have tried this, but 
> still no exit
> 
> -rw-rw-r-- 1 apache apache 0 2009-08-12 17:43 debug.log
> 

[snip]

> I have enabled LocalSettings.php in order to get debug info with:
> 
> $wgLDAPDebug=3;
> $wgDebugLogGroups["ldap"]="/tmp/debug.log";
> 
> but the debug.log file is not created

There could be a number of issues with the log not being created. I
can't really tell why without more info...

Which version of the plugin are you using? Are you adding these options
to the bottom of LocalSettings.php? When you go to the Log in page, does
it have a domain list drop down box? Does the LDAP plugin show up as an
extension in Special:Version?

> The configuration in LocalSettings.php is:
> 
> --------------------------------------------------------
> require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
> $wgAuth = new LdapAuthenticationPlugin();
> 
> $wgLDAPDomainNames = array( "domain" );
> $wgLDAPServerNames = array( "domain" => "127.0.0.1" );
> #$wgLDAPPasswordHash = array ( "domain" => "ssl" );
> $wgLDAPSearchStrings = array( "domain" => "uid=USER-NAME,ou=People,dc=genomica,dc=imppc,dc=org");
> $wgLDAPSearchAttributes = array( "domain" => "uid" );
> $wgLDAPBaseDNs = array( "domain" => "dc=domain,dc=foo,dc=org" );
> 
> $wgLDAPEncryptionType = array( "domain" => "ssl" );
> ------------------------------------------------------
> 

Have you checked your directory server access logs to see if MediaWiki
is trying to connect? When you check your logs, is the system
connecting, then immediately disconnecting?

Notice you are using SSL, but you are using an IP address for the host
name of the server. This won't work by default. PHP uses the openldap
client libraries, and openldap's configuration files for settings. By
default openldap requires a full SSL trust. This means the hostname
provided needs to match the CN field of the certificate on the LDAP
server, and the DNS entry for the LDAP server. Also, openldap needs to
trust the root certificate authority of your server's certificate. You
can get around these requirements by setting "TLS_REQCERT never" in
/etc/openldap/ldap.conf (you need to restart your web server after doing
this).

I have a blog entry that goes into a bit of depth on this topic, which I
feel is out of the scope of the documentation on mediawiki.org:

http://ryandlane.com/wprdl/2009/06/16/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-2/

That article is kind of an in-depth how-to for enabling this for your
kind of environment.

BTW, you don't need to set $wgLDAPSearchAttributes or $wgLDAPBaseDNs
since you are using straight binds (using $wgLDAPSearchStrings).

V/r,

Ryan Lane
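
Added example (not part of the original messages, and not code from the LdapAuthentication extension): a small pre-deployment check that reads the two settings discussed above and an ldap.conf, and reports encrypted domains that cannot get the full trust check described in the reply, either because the server is given as an IP literal or because TLS_REQCERT turns certificate verification off. The function names and sample inputs are constructed for illustration; treating "tls" as a second encrypted value of $wgLDAPEncryptionType is an assumption, since the thread only shows "ssl".

```python
import ipaddress
import re

# Constructed inputs modelled on the settings quoted in this thread.
LOCAL_SETTINGS = '''
$wgLDAPServerNames = array( "domain" => "127.0.0.1" );
#$wgLDAPPasswordHash = array ( "domain" => "ssl" );
$wgLDAPEncryptionType = array( "domain" => "ssl" );
'''
LDAP_CONF = "# /etc/openldap/ldap.conf\nTLS_REQCERT never\n"

def php_map(text, var):
    """Return {domain: value} from a simple `$var = array("k" => "v");` statement."""
    live = "\n".join(l for l in text.splitlines()
                     if not l.lstrip().startswith(("#", "//")))
    m = re.search(r"\$" + re.escape(var) + r"\s*=\s*array\s*\((.*?)\)\s*;", live, re.S)
    return dict(re.findall(r'"([^"]+)"\s*=>\s*"([^"]*)"', m.group(1))) if m else {}

def ldap_conf_options(text):
    """Parse ldap.conf: one `KEYWORD value` pair per line, '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(local_settings, ldap_conf):
    """Return (domain, issue) pairs for encrypted domains lacking a full trust check."""
    servers = php_map(local_settings, "wgLDAPServerNames")
    enc = php_map(local_settings, "wgLDAPEncryptionType")
    # OpenLDAP's default when TLS_REQCERT is absent is "demand".
    reqcert = ldap_conf_options(ldap_conf).get("TLS_REQCERT", "demand").lower()
    findings = []
    for domain, hosts in servers.items():
        if enc.get(domain) not in ("ssl", "tls"):  # only encrypted domains are audited
            continue
        if any(is_ip_literal(h) for h in hosts.split()):
            findings.append((domain, "ip-literal-host"))
        if reqcert in ("never", "allow"):
            findings.append((domain, "cert-not-verified"))
    return findings
```

With the sample inputs, `audit(LOCAL_SETTINGS, LDAP_CONF)` reports both issues for "domain"; a server name that matches the certificate plus `TLS_REQCERT demand` reports none.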
