I am trying to implement a mediawiki for our
organisation, but have hit a problem that I am unable (so far) to remedy. Your online
documentation has been an absolute godsend.
Glad to hear my documentation is kind of good :).
I have an implementation in a Virtual Environment that
has no restrictions as far as Firewall or Networking is concerned. Using your
documentation as a baseline for the LDAP Plugin I have managed to get authentication
working using LDAP when setting $wgLDAPEncryptionType = array('internalwiki' => 'clear');.
However, when trying to use SSL I hit a problem.
We know that LDAP works on 389 and 636 between the two servers as we have used
"LDAP.exe" to connect and bind.
At this point I should provide details on our environment:
[snip]
Separate Domain Server
* Windows 2003 R2 Active Directory (Root CA)
My LDAPAuthentication.php file has the following settings:
<?php
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array(' vDomain ');
$wgLDAPServerNames = array('vmdomain' => 'vmad.vDomain.local');
$wgLDAPSearchStrings = array('vmdomain' => 'vmDomain\\USER-NAME');
$wgLDAPEncryptionType = array('vmdomain' => 'ssl');
$wgLDAPGroupUseFullDN = array( "vmdomain"=>true );
$wgLDAPBaseDNs = array( "vmdomain"=>"dc=vmDomain,dc=local" );
$wgLDAPSearchAttributes = array( "vmdomain" => "sAMAccountName");
$wgLDAPGroupObjectclass = array( "vmdomain"=>"group" );
$wgLDAPGroupAttribute = array( "vmdomain"=>"member" );
$wgLDAPGroupNameAttribute = array( "vmdomain"=>"cn" );
$wgLDAPRequiredGroups = array( "vmdomain"=>array("cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vDomain,dc=local") );
# Enable the "local" option on the login page. Enabled initially so we can use
# the WikiSysop user. Set to false to remove.
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
# Debug options - uncomment to enable detailed debugging
$wgDebugLogGroups["ldap"] = "D:\Logfile\LDAP.log";
$wgLDAPDebug = 6;
?>
Your configuration is fine. You likely have an issue with PHP not
trusting the CA certificate of your AD server. It is *really* likely
since your AD is your root CA.
Create the following file:
C:\openldap\sysconf\ldap.conf
Yes, it has to be these directories and files; apparently it is hard-coded
into PHP for Windows.
Put the following line into that file:
TLS_REQCERT never
Restart IIS. Is it working now? If so, you'll want to actually do this
correctly now. Instead of "TLS_REQCERT never", you'll want to make PHP
trust the CA:
1. Get the CA certificate; if you have openssl installed, you can do
the following:
1a. Run: openssl s_client -showcerts -connect vmad.vDomain.local:636
1b. Save every certificate in the chain greater than 0 (0 is your AD
server's certificate). Save the certificates by copying everything in
between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
2. Append all certificates into one file called "certs.pem"
3. Drop "certs.pem" into C:\openldap\sysconf\
4. Edit ldap.conf, and add "TLS_CACERT C:\openldap\sysconf\certs.pem"
5. Restart IIS.
BTW, you probably want to use SSL, and not TLS in your ldap extension
configuration. TLS is a little more quirky to get working.
Respectfully,
Ryan Lane
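Steps 1a, 1b and 2 of the reply above, as an added example that is not part of the original thread or the LdapAuthentication extension: it parses the "Certificate chain" section of openssl s_client -showcerts output, keeps only the certificates above depth 0 (depth 0 is the AD server's own certificate and does not belong in a CA bundle), and reports whether the chain actually ends in a self-signed root, since TLS_CACERT verification still fails if the server only sent an intermediate and the root is missing from certs.pem. The s_client output below is a constructed sample with placeholder PEM bodies; the parsing functions are assumptions of this example, not part of openssl or PHP.

```python
import re
import sys

# Constructed sample of `openssl s_client -showcerts` output (step 1a above).
# The PEM bodies are placeholders, not real certificates.
SAMPLE_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=vmad.vDomain.local
   i:/DC=local/DC=vDomain/CN=vDomain-CA
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
 1 s:/DC=local/DC=vDomain/CN=vDomain-CA
   i:/DC=local/DC=vDomain/CN=vDomain-CA
-----BEGIN CERTIFICATE-----
ROOTCERTPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
subject=/CN=vmad.vDomain.local
"""

# One chain entry: " N s:<subject>" line, "   i:<issuer>" line, then a PEM block.
CHAIN_ENTRY = re.compile(
    r"^ *(\d+) s:([^\n]*)\n *i:([^\n]*)\n"
    r"(-----BEGIN CERTIFICATE-----\n[\s\S]*?-----END CERTIFICATE-----)",
    re.MULTILINE,
)

def parse_chain(output):
    """Return [(depth, subject, issuer, pem)] from the 'Certificate chain' section only.
    The later 'Server certificate' section repeats depth 0 and is deliberately skipped."""
    start = output.find("Certificate chain")
    end = output.find("Server certificate", start)
    section = output[start:end if end != -1 else None]
    return [(int(d), s.strip(), i.strip(), pem) for d, s, i, pem in CHAIN_ENTRY.findall(section)]

def build_ca_bundle(output):
    """Return (pem_text, root_present): certs above depth 0 joined for certs.pem (step 2),
    and whether the last one is self-signed (subject == issuer as printed by s_client)."""
    cas = [entry for entry in parse_chain(output) if entry[0] > 0]
    root_present = bool(cas) and cas[-1][1] == cas[-1][2]
    return "\n".join(pem for _, _, _, pem in cas) + "\n", root_present

if __name__ == "__main__":
    # Usage: openssl s_client -showcerts -connect vmad.vDomain.local:636 < NUL | python this.py > certs.pem
    bundle, root_present = build_ca_bundle(sys.stdin.read())
    sys.stdout.write(bundle)
    if not root_present:
        sys.stderr.write("warning: chain did not end in a self-signed root; add the root CA cert manually\n")
```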