> Thanks for the rapid answer,
> After adding TLS_REQCERT never it works! Thanks.
>
> Just for the record.
> I am using the last stable version (1.2a, I think). The
> options for debug file are just beneath the <?php in
> LocalSettings.php file. Defined domain ($wgLDAPDomainNames
> value) appears at the login page in the drop-down menu.
> I don't know how to check if the LDAP plugin shows up as an extension.
>
As mentioned, you need to put all configuration options at the bottom of
LocalSettings.php, for every extension, always.
You can see if the LDAP plugin is enabled by going to Special:Version, and
see if it is listed as an enabled extension.
> LDAP logs gave the following output each time I try to login to
>
> Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 ACCEPT
> from IP=myip:56555 (IP=0.0.0.0:636)
> Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 closed
> (TLS negotiation failure)
>
> ldap.conf has tls_checkpeer to no, otherwise error above is
> repeated for ssh or other client software. I think
> key+Certificate are correctly setup, however, but I am probably wrong.
>
It is nice that it at least tells you it was a TLS negotiation failure. Lots
of directory servers won't even tell you that. Whenever you see a
connection, and an immediate disconnection, it is almost guaranteed to be an
SSL/TLS trust issue.
LDAP has two configuration files on a system. One is for pam_ldap, the other
is for openldap clients. PHP should use /etc/openldap/ldap.conf. I usually
just delete /etc/openldap/ldap.conf and link it to /etc/ldap.conf, and put
all my configuration in there though.
Did you read my blog post? You should try using openssl s_client to check
your SSL configuration for LDAP:
openssl s_client -connect localhost:636
Check the CN field of the certificate:
Certificate chain
0 s:/C=US/O=Test/OU=My department/OU=My branch/OU=My team/CN=example.com
i:/C=US/O=Test/OU=My department/OU=My branch/OU=My team/CN=example.com
This is what you need to put in for $wgLDAPServerNames (in this case
example.com).
Now you can take the certificate from the output of s_client, and use it to
trust your LDAP server. Take everything between and including:
-----BEGIN CERTIFICATE-----
And
-----END CERTIFICATE-----
Put this into a file like (644 root:root) /etc/pki/tls/certs/example.crt.
You can check the certificate's contents with:
openssl x509 -noout -text -in /etc/pki/tls/certs/example.crt
Now edit /etc/openldap/ldap.conf, and add:
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/example.crt
It is possible that PHP is reading /etc/ldap.conf (although I doubt it). So
you can put the same things in there as well.
Notice that my example uses a self signed certificate. If line 0 of the
certificate chain of the s_client command has something different for s: and
i:, your certificate isn't self signed, and you'll need to also get the
issuer's certificate, and its root certificate, and place those in
/etc/pki/tls/certs as well.
V/r,
Ryan Lane
_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
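The procedure Ryan describes, as an added example that is not part of his message or of the LDAP Authentication extension. It runs offline: instead of a live slapd it generates a throwaway self-signed certificate (CN ldap.example.com, an assumed name) and fakes the relevant part of an `openssl s_client` capture, then extracts the PEM block, reads the CN that belongs in $wgLDAPServerNames, decides whether the certificate is self-signed or needs its issuer chain, writes the ldap.conf fragment to a temporary file rather than /etc/openldap/ldap.conf, and verifies the server certificate against the extracted trust anchor. One practitioner caveat it bakes in: the `TLS_REQCERT never` that made the original poster's login work tells the client library to skip certificate verification altogether, so the fragment written here uses `TLS_REQCERT demand` together with `TLS_CACERT`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumptions: the server
# name ldap.example.com, a constructed self-signed certificate standing in
# for the real slapd certificate, and temp files instead of /etc paths.
set -eu

# Generate a throwaway self-signed server certificate (constructed sample
# data) and a file that mimics the output of `openssl s_client`.
make_demo_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/C=US/O=Test/OU=My team/CN=ldap.example.com" \
        -keyout "$dir/key.pem" -out "$dir/server.crt" 2>/dev/null
    {
        echo "CONNECTED(00000003)"
        echo "---"
        echo "Certificate chain"
        echo " 0 s:CN = ldap.example.com"
        echo "   i:CN = ldap.example.com"
        echo "---"
        echo "Server certificate"
        cat "$dir/server.crt"
        echo "subject=CN = ldap.example.com"
        echo "---"
    } > "$dir/s_client.out"
}

# Pull the first certificate out of an s_client capture: everything between
# and including the BEGIN/END CERTIFICATE lines.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/-----END CERTIFICATE-----/q'
}

# Print the CN of the certificate subject. This is the value that goes in
# $wgLDAPServerNames and must match the name the client connects to.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Self-signed means subject and issuer are identical; otherwise the issuer
# and root certificates have to be trusted as well.
cert_issuer_kind() {
    s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//')
    if [ "$s" = "$i" ]; then echo self-signed; else echo ca-issued; fi
}

# Write the ldap.conf fragment. TLS_REQCERT demand keeps verification on;
# TLS_REQCERT never would accept any certificate, including an attacker's.
write_ldap_conf() {
    printf 'TLS_CACERT %s\nTLS_REQCERT demand\n' "$1" > "$2"
}

# Does the server certificate verify against the chosen trust anchor? This is
# the check the LDAP client library performs once TLS_CACERT points at it.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    make_demo_cert "$work"
    extract_pem "$work/s_client.out" > "$work/example.crt"
    chmod 644 "$work/example.crt"
    echo "CN:      $(cert_cn "$work/example.crt")"
    echo "issuer:  $(cert_issuer_kind "$work/example.crt")"
    write_ldap_conf "$work/example.crt" "$work/ldap.conf"
    cat "$work/ldap.conf"
    if verify_against_ca "$work/example.crt" "$work/server.crt"; then
        echo "verify:  OK"
    else
        echo "verify:  FAILED"
        exit 1
    fi
    rm -rf "$work"
}

main "$@"
```

Against a real directory server, replace make_demo_cert with `openssl s_client -connect ldap.example.com:636 </dev/null > s_client.out`, and if cert_issuer_kind reports ca-issued, append the issuer and root certificates to the file named by TLS_CACERT before verify_against_ca will report OK.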