[Mediawiki-l] LDAP Authentication problem with encryption method

Ryan Lane rlane32 at gmail.com
Thu Sep 9 18:46:52 UTC 2010


> I am using Mediawiki 1.12 on a Linux Debian system. I have installed the
> LDAP_Authentication extension for mediawiki version 1.12 [1]. The good news
> is that I am able to connect and log into mediawiki using our company's
> Active Directory server authentication with the following settings in
> LocalSettings.php:
>
> $wgLDAPEncryptionType = array( "mycompany.net" => "clear" );
>
>
> However the bad news is that if I try to use the TLS encryption method like
> this:
>
>  $wgLDAPEncryptionType = array( "mycompany.net" => "tls" );
>
> I get the following debug messages:
> **************************************************************************************
> Entering validDomain
> User is using a valid domain.
> Setting domain as: mycompany.net
> Entering getCanonicalName
> Username isn't empty.
> Munged username: JohnS
> Entering authenticate
> Entering Connect
> Using TLS or not using encryption.
> Using servers:  ldap://ad1.mycompany.net
> Using TLS<
> Warning:ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS:
> Decoding error in
> /var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on
> line 197
> Failed to start TLS.Failed to connect
> Entering strict.
> Returning true in strict().
> Entering modifyUITemplate
>
> **************************************************************************************
>
> with mediawiki login page saying "Login error: Incorrect password entered.
> Please try again."
>
> How can I check if my Active Directory server uses TLS method? Is the
> problem with the Active Directory or in my setup of the LDAP_Authentication
> extension?
>
> Thanks
>

I haven't tested recently with a version of MediaWiki that is this
old, but I doubt that is the problem.

First, I'm not sure if the default configuration of AD supports TLS.
I've never had luck with it. Try SSL (ldaps) instead:

$wgLDAPEncryptionType = array( "mycompany.net" => "ssl" );

Note that your AD server may also not support ldaps either, if the
server doesn't have an SSL certificate installed. This is fairly easy
to test using openssl:

openssl s_client -connect <yourservername>:636

After running the above command, you should get back a bunch of text,
including the server's CA certificate. If you are connected, and no
other text is returned, the problem is on the AD side.

If you do have an SSL certificate installed on the AD server, and
ldaps isn't working with the plugin, it is likely a certificate trust
issue. I have documentation for fixing this in the requirements
section: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Certificate_trusts

Sorry about not responding sooner. I got busy and forgot about the
post (I even had it starred and everything ;) ).

Respectfully,

Ryan Lane
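The openssl check from the reply, wrapped so the three outcomes it distinguishes (certificate returned and trusted, certificate returned but not trusted, connection with no certificate at all) come back as a single word. This is an added example, not code from the reply or from the LDAP_Authentication extension; it assumes openssl(1) is installed, that `-starttls ldap` is available (OpenSSL 1.1.1 or later), and that the caller supplies the host name.

```shell
#!/bin/sh
# Added example: classify "openssl s_client" output for an AD/LDAP server.

# classify_s_client OUTPUT
#   Prints one of:
#     cert-ok         server sent a certificate and the chain verified
#     cert-untrusted  server sent a certificate but verification failed
#                     (the "certificate trust issue" case from the reply)
#     no-cert         connected, but no certificate came back (AD side has
#                     no certificate installed, so ldaps/TLS cannot work)
classify_s_client() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE'; then
        if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
            echo cert-ok
        else
            echo cert-untrusted
        fi
    else
        echo no-cert
    fi
}

# probe_ldaps HOST [PORT]
#   Runs the exact check from the reply (ldaps on 636) and classifies it.
probe_ldaps() {
    host=$1; port=${2:-636}
    out=$(openssl s_client -connect "$host:$port" </dev/null 2>&1)
    classify_s_client "$out"
}

# probe_starttls HOST [PORT]
#   Same check for StartTLS on the plain LDAP port (389), which is what the
#   "tls" setting in $wgLDAPEncryptionType uses. Assumes OpenSSL >= 1.1.1.
probe_starttls() {
    host=$1; port=${2:-389}
    out=$(openssl s_client -connect "$host:$port" -starttls ldap </dev/null 2>&1)
    classify_s_client "$out"
}
```

If `probe_ldaps` reports `cert-untrusted` while `probe_starttls` reports `no-cert`, the server has a certificate but the client does not trust its issuer, which is the case the Requirements page linked above covers.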



More information about the MediaWiki-l mailing list