I am trying to implement a mediawiki for our organisation, but have hit a problem that I am unable (so far) to remedy. Your online documentation has been an absolute godsend.
Glad to hear my documentation is kind of good :).
I have an implementation in a Virtual Environment that has no restrictions as far as Firewall or Networking is concerned. Using your documentation as a baseline for the LDAP Plugin I have managed to get authentication working using LDAP when setting $wgLDAPEncryptionType = array('internalwiki' => 'clear');. However, when trying to use SSL I hit a problem.
We know that LDAP works on 389 and 636 between the two servers as we have used "LDAP.exe" to connect and bind.
At this point I should provide details on our environment:
[snip]
Separate Domain Server
- Windows 2003 R2 Active Directory (Root CA)
My LDAPAuthentication.php file has the following settings:
<?php
require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
$wgAuth = new LdapAuthenticationPlugin();
# The domain name must match the array key used in every setting below.
$wgLDAPDomainNames = array('vmdomain');
$wgLDAPServerNames = array('vmdomain' => 'vmad.vDomain.local');
$wgLDAPSearchStrings = array('vmdomain' => 'vmDomain\\USER-NAME');
$wgLDAPEncryptionType = array('vmdomain' => 'ssl');
$wgLDAPGroupUseFullDN = array('vmdomain' => true);
$wgLDAPBaseDNs = array('vmdomain' => 'dc=vmDomain,dc=local');
$wgLDAPSearchAttributes = array('vmdomain' => 'sAMAccountName');
$wgLDAPGroupObjectclass = array('vmdomain' => 'group');
$wgLDAPGroupAttribute = array('vmdomain' => 'member');
$wgLDAPGroupNameAttribute = array('vmdomain' => 'cn');
# The required group lives under the same base DN as the users.
$wgLDAPRequiredGroups = array('vmdomain' => array('cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vmDomain,dc=local'));
# Enable the "local" option on the login page. Enabled initially so we can use the WikiSysop user. Set to false to remove.
$wgLDAPUseLocal = true;
$wgMinimalPasswordLength = 1;
# Debug options - uncomment to enable detailed debugging
$wgDebugLogGroups["ldap"] = "D:\Logfile\LDAP.log";
$wgLDAPDebug = 6;
?>
Your configuration is fine. You likely have an issue with PHP not trusting the CA certificate of your AD server. It is *really* likely since your AD is your root CA.
Create the following file:
C:\openldap\sysconf\ldap.conf
Yes, it has to be these directories and files; apparently it is hard coded into PHP for Windows.
Put the following line into that file:
TLS_REQCERT never
Restart IIS. Is it working now? If so, you'll want to actually do this correctly now. Instead of "TLS_REQCERT never", you'll want to make PHP trust the CA:
1. Get the CA certificate; if you have openssl installed, you can do the following:
   1a. Run: openssl s_client -showcerts -connect vmad.vDomain.local:636
   1b. Save every certificate in the chain greater than 0 (0 is your AD server's certificate). Save the certificates by copying everything in between and including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
2. Append all certificates into one file called "certs.pem"
3. Drop "certs.pem" into C:\openldap\sysconf\
4. Edit ldap.conf, and add "TLS_CACERT C:\openldap\sysconf\certs.pem"
5. Restart IIS.
BTW, you probably want to use SSL, and not TLS in your ldap extension configuration. TLS is a little more quirky to get working.
Respectfully,
Ryan Lane
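Steps 1b and 2 of the procedure above, as an added example that is not part of the original thread: a POSIX shell function that reads saved `openssl s_client -showcerts` output and writes every certificate above depth 0 into a `certs.pem` bundle for TLS_CACERT. The s_client output below is a constructed sample with fake certificate bodies; the host name is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: automates steps 1b and 2.
# Input: saved output of  openssl s_client -showcerts -connect vmad.vDomain.local:636
# Output: PEM bundle with every chain certificate except depth 0 (the AD server's own).

# extract_chain_certs INPUT_FILE OUTPUT_PEM
# Prints the number of certificates written to OUTPUT_PEM.
extract_chain_certs() {
    awk -v out="$2" '
        BEGIN { printf "" > out }                       # create/truncate the bundle
        /-----BEGIN CERTIFICATE-----/ {
            depth++                                     # s_client lists depth 0 first
            if (depth >= 2) { inblock = 1; written++ }  # keep only the CA chain
        }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { inblock = 0 }
        END { print written + 0 }
    ' "$1"
}

# Constructed sample of s_client output: fake, truncated certificate bodies
# standing in for the server cert, an issuing CA and the root CA.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=vmad.vDomain.local
   i:/CN=vDomain Issuing CA
-----BEGIN CERTIFICATE-----
FAKESERVERCERT0000
-----END CERTIFICATE-----
 1 s:/CN=vDomain Issuing CA
   i:/CN=vDomain Root CA
-----BEGIN CERTIFICATE-----
FAKEISSUINGCA1111
-----END CERTIFICATE-----
 2 s:/CN=vDomain Root CA
   i:/CN=vDomain Root CA
-----BEGIN CERTIFICATE-----
FAKEROOTCA2222
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vmad.vDomain.local'

# write_sample_sclient_output FILE : saves the constructed sample so the
# function can be exercised offline; replace with real s_client output.
write_sample_sclient_output() {
    printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" > "$1"
}
```

Run the openssl command from step 1a, redirect its output to a file, and pass that file to `extract_chain_certs`; the resulting certs.pem is what you copy into C:\openldap\sysconf\ and reference from ldap.conf.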