[Mediawiki-l] MediaWiki/LDAP Authentication/encryption problem

Marc Noguera MNoguera at imppc.org
Thu Aug 13 15:57:39 UTC 2009


Thanks for the rapid answer,
After adding "TLS_REQCERT never" it works! Thanks.

Just for the record.
I am using the latest stable version (1.2a, I think). The options for the debug file are just beneath the <?php in the LocalSettings.php file. The defined domain (the $wgLDAPDomainNames value) appears on the login page in the drop-down menu.
I don't know how to check if the LDAP plugin shows up as an extension.

LDAP logs gave the following output each time I try to log in to

Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 ACCEPT from IP=myip:56555 (IP=0.0.0.0:636)
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 closed (TLS negotiation failure)

ldap.conf has tls_checkpeer set to no; otherwise the error above is repeated for ssh or other client software. I think the key + certificate are correctly set up, but I am probably wrong.

Thanks again
Marc





________________________________________
From: mediawiki-l-bounces at lists.wikimedia.org [mediawiki-l-bounces at lists.wikimedia.org] on behalf of Lane, Ryan [Ryan.Lane at ocean.navo.navy.mil]
Sent: Wednesday, 12 August 2009 19:27
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] MediaWiki/LDAP Authentication/encryption problem

> I guess you are referring to the debug file. I have tried
> this, but still no exit
>
> -rw-rw-r-- 1 apache apache 0 2009-08-12 17:43 debug.log
>

[snip]

> I have enabled LocalSettings.php in order to get debug info with:
>
> $wgLDAPDebug=3;
> $wgDebugLogGroups["ldap"]="/tmp/debug.log";
>
> but the debug.log file is not created

There could be a number of issues with the log not being created. I can't
really tell why without more info...

Which version of the plugin are you using? Are you adding these options to
the bottom of LocalSettings.php? When you go to the Log in page, does it
have a domain list drop down box? Does the LDAP plugin show up as an
extension in Special:Version?




> The configuration in LocalSettings.php is:
>
> --------------------------------------------------------
> require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
> $wgAuth = new LdapAuthenticationPlugin();
>
> $wgLDAPDomainNames = array( "domain" );
> $wgLDAPServerNames = array( "domain" => "127.0.0.1" );
> #$wgLDAPPasswordHash = array( "domain" => "ssl" );
> $wgLDAPSearchStrings = array( "domain" => "uid=USER-NAME,ou=People,dc=genomica,dc=imppc,dc=org" );
> $wgLDAPSearchAttributes = array( "domain" => "uid" );
> $wgLDAPBaseDNs = array( "domain" => "dc=domain,dc=foo,dc=org" );
>
> $wgLDAPEncryptionType = array( "domain" => "ssl" );
> ------------------------------------------------------
>

Have you checked your directory server access logs to see if MediaWiki is
trying to connect? When you check your logs, is the system connecting, then
immediately disconnecting?

Notice you are using SSL, but you are using an IP address for the host name
of the server. This won't work by default. PHP uses the openldap client
libraries, and openldap's configuration files for settings. By default
openldap requires a full SSL trust. This means the hostname provided needs
to match the CN field of the certificate on the LDAP server, and the DNS
entry for the LDAP server. Also, openldap needs to trust the root
certificate authority of your server's certificate. You can get around these
requirements by setting "TLS_REQCERT never" in /etc/openldap/ldap.conf (you
need to restart your web server after doing this).

I have a blog entry that goes into a bit of depth on this topic, which I
feel is out of the scope of the documentation on mediawiki.org:

http://ryandlane.com/wprdl/2009/06/16/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-2/

That article is kind of an in depth how-to for enabling this for your kind
of environment.

BTW, you don't need to set $wgLDAPSearchAttributes or $wgLDAPBaseDNs since
you are using straight binds (using $wgLDAPSearchStrings).

V/r,

Ryan Lane
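An added example, not part of the thread and not code from the LDAP Authentication extension, illustrating the point Ryan makes above. The assumed names are ldap.example.org (the LDAP server's DNS name, which must appear as the CN or a subjectAltName of its certificate) and /etc/openldap/cacert.pem (the CA certificate that issued it). The cert_name_matches function mimics the peer-name check the OpenLDAP client performs when TLS_REQCERT is "demand" (its default): an IP literal such as 127.0.0.1 never matches a DNS name in the certificate, which is why the connection by IP is torn down during the handshake, and why "TLS_REQCERT never" makes it "work" only by switching the check off. The two config writers show the weak setting the thread ends up with next to the hardened one.

```shell
#!/bin/sh
# Added example (hypothetical names; not the extension's or the list poster's code).
set -eu

# cert_name_matches HOST NAME...
# Returns 0 if HOST matches one of the certificate's DNS names, 1 otherwise.
# Rules: exact match, or a single leftmost wildcard label (*.example.org
# matches ldap.example.org but not a.b.example.org or example.org).
# A dotted-quad IP literal can never match a DNS name, so connecting to
# "127.0.0.1" fails peer verification even when the CA is trusted.
cert_name_matches() {
    host=$1; shift
    case $host in
        *[!0-9.]*) ;;            # contains something other than digits/dots: a DNS name
        *) return 1 ;;           # IP literal: no DNS name can match it
    esac
    for name in "$@"; do
        case $name in
            '*.'*)
                suffix=${name#\*}            # ".example.org"
                label=${host%"$suffix"}      # what the wildcard would stand for
                [ "$label" != "$host" ] && [ -n "$label" ] && \
                    [ "${label#*.}" = "$label" ] && return 0
                ;;
            *)
                [ "$host" = "$name" ] && return 0
                ;;
        esac
    done
    return 1
}

# ldap_conf_weak DIR: what the thread settles on. With TLS_REQCERT never the
# client accepts any certificate, including one presented by a man in the
# middle, so the connection is encrypted but the server is not authenticated.
ldap_conf_weak() {
    cat >"$1/ldap.conf" <<'EOF'
# /etc/openldap/ldap.conf (weak): server certificate neither validated nor name-checked
TLS_REQCERT never
EOF
}

# ldap_conf_hardened DIR: the fix Ryan's explanation implies. Trust the issuing
# CA, demand a valid certificate, and connect by the name the certificate carries.
ldap_conf_hardened() {
    cat >"$1/ldap.conf" <<'EOF'
# /etc/openldap/ldap.conf (hardened)
# assumed path to the CA certificate that signed the LDAP server's certificate
TLS_CACERT /etc/openldap/cacert.pem
TLS_REQCERT demand
EOF
    # LocalSettings.php must then use the DNS name from the certificate, not an
    # IP address; "ssl" means an ldaps:// connection (port 636 by default).
    cat >"$1/LocalSettings.ldap.php" <<'EOF'
<?php
$wgLDAPServerNames    = array( "domain" => "ldap.example.org" );
$wgLDAPEncryptionType = array( "domain" => "ssl" );
EOF
}

demo() {
    dir=$(mktemp -d)
    ldap_conf_hardened "$dir"
    cat "$dir/ldap.conf"
    # Names the assumed certificate carries (constructed for this example).
    for h in 127.0.0.1 ldap.example.org; do
        if cert_name_matches "$h" ldap.example.org '*.example.org'; then
            echo "$h: matches the certificate; handshake completes with TLS_REQCERT demand"
        else
            echo "$h: no certificate name matches; client aborts, slapd logs 'TLS negotiation failure'"
        fi
    done
    rm -rf "$dir"
}

demo
```

After switching to the hostname and TLS_CACERT, restart the web server (PHP reads ldap.conf at startup, as Ryan notes) and check the handshake from the same host with `openssl s_client -connect ldap.example.org:636 -CAfile /etc/openldap/cacert.pem`, which reports the verification result before any LDAP bind is attempted.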


