> I am trying to implement a MediaWiki for our organisation, but have hit a
> problem that I am unable (so far) to remedy. Your online documentation has
> been an absolute godsend.
>
Glad to hear my documentation is kind of good :).
> I have an implementation in a Virtual Environment that has no restrictions as
> far as Firewall or Networking is concerned. Using your documentation as a
> baseline for the LDAP Plugin I have managed to get authentication working
> using LDAP when setting $wgLDAPEncryptionType = array('internalwiki' =>
> 'clear');. However, when trying to use SSL I hit a problem.
>
> We know that LDAP works on 389 and 636 between the two servers as we have
> used "LDAP.exe" to connect and bind.
>
> At this point I should provide details on our environment:
>
[snip]
>
> Separate Domain Server
>
>
> * Windows 2003 R2 Active Directory (Root CA)
>
> My LDAPAuthentication.php file has the following settings:
>
> <?php
>
> require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
>
> $wgAuth = new LdapAuthenticationPlugin();
>
> # The domain name must match the key used in every per-domain array below.
> $wgLDAPDomainNames = array('vmdomain');
> $wgLDAPServerNames = array('vmdomain' => 'vmad.vDomain.local');
> $wgLDAPSearchStrings = array('vmdomain' => 'vmDomain\\USER-NAME');
> $wgLDAPEncryptionType = array('vmdomain' => 'ssl');
> $wgLDAPGroupUseFullDN = array( "vmdomain"=>true );
> $wgLDAPBaseDNs = array( "vmdomain"=>"dc=vmDomain,dc=local" );
> $wgLDAPSearchAttributes = array( "vmdomain" => "sAMAccountName");
> $wgLDAPGroupObjectclass = array( "vmdomain"=>"group" );
> $wgLDAPGroupAttribute = array( "vmdomain"=>"member" );
> $wgLDAPGroupNameAttribute = array( "vmdomain"=>"cn" );
> # The group DN is one unbroken string and lives under the base DN above.
> $wgLDAPRequiredGroups = array( "vmdomain"=>array("cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vmDomain,dc=local") );
>
>
> # Enable the "local" option on the login page. Enabled initially so we can
> # use the WikiSysop user. Set to false to remove.
> $wgLDAPUseLocal = true;
>
> $wgMinimalPasswordLength = 1;
>
> # Debug options - uncomment to enable detailed debugging
> $wgDebugLogGroups["ldap"] = "D:\Logfile\LDAP.log";
> $wgLDAPDebug = 6;
>
> ?>
>
Your configuration is fine. You likely have an issue with PHP not
trusting the CA certificate of your AD server. It is *really* likely
since your AD is your root CA.
Create the following file:
C:\openldap\sysconf\ldap.conf
Yes, it has to be these directories and files; apparently it is
hard-coded into PHP for Windows.
Put the following line into that file:
TLS_REQCERT never
Restart IIS. Is it working now? If so, you'll want to actually do this
correctly now. Instead of "TLS_REQCERT never", you'll want to make PHP
trust the CA:
1. Get the CA certificate; if you have openssl installed, you can do
the following:
1a. Run: openssl s_client -showcerts -connect vmad.vDomain.local:636
1b. Save every certificate in the chain greater than 0 (0 is your AD
server's certificate). Save the certificates by copying everything in
between and including "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----"
2. Append all certificates into one file called "certs.pem"
3. Drop "certs.pem" into C:\openldap\sysconf\
4. Edit ldap.conf, and add "TLS_CACERT C:\openldap\sysconf\certs.pem"
5. Restart IIS.
BTW, you probably want to use SSL, and not TLS in your ldap extension
configuration. TLS is a little more quirky to get working.
Respectfully,
Ryan Lane
_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
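Steps 1 to 5 of the reply above, scripted as an added example that is not part of the original thread: a POSIX shell script that reads saved `openssl s_client -showcerts` output, keeps every certificate in the chain above depth 0 (dropping the AD server's own certificate), writes them to certs.pem and generates an ldap.conf that points TLS_CACERT at that file with verification left on. The host name vmad.vDomain.local comes from the thread; the output directory argument, the function names and the placeholder certificate bodies in the sample input are constructed for the demonstration and are not real certificates.

```shell
#!/bin/sh
# Added example, not from the original thread. Turns the output of
#   openssl s_client -showcerts -connect vmad.vDomain.local:636 </dev/null
# into the certs.pem / ldap.conf pair described in the reply.
# Function names and the output directory are assumptions for the demo.

# s_client lists the chain as " N s:<subject>" headers, each followed by a
# PEM block. Depth 0 is the AD server's own certificate and is skipped;
# every deeper entry (intermediate and root CAs) is kept.
extract_chain_cas() {
  awk '
    BEGIN { depth = -1 }
    /^---$/ { depth = -1; next }              # section separator: leave chain
    /^ *[0-9]+ s:/ { depth = $1 + 0; next }   # chain entry header
    /^-----BEGIN CERTIFICATE-----$/ { inpem = 1 }
    inpem && depth > 0 { print }
    /^-----END CERTIFICATE-----$/ { inpem = 0 }
  '
}

# Number of PEM certificates on stdin (prints 0 rather than failing).
count_certs() {
  grep -c '^-----END CERTIFICATE-----$' || true
}

# Write certs.pem and an ldap.conf that verifies the server against it.
# $1 = file holding s_client output, $2 = target directory
# (C:\openldap\sysconf on Windows per the reply; any directory for the demo).
# Prints the number of CA certificates written; fails if there are none.
build_ldap_trust() {
  src="$1"; dir="$2"
  extract_chain_cas <"$src" >"$dir/certs.pem"
  n=$(count_certs <"$dir/certs.pem")
  if [ "$n" -eq 0 ]; then
    echo "server sent no CA certificates above depth 0; export the root CA directly" >&2
    return 1
  fi
  cat >"$dir/ldap.conf" <<EOF
# "TLS_REQCERT never" turns certificate checking off; use it only to confirm
# that trust is the problem, then replace it with the two lines below.
TLS_REQCERT demand
TLS_CACERT $dir/certs.pem
EOF
  echo "$n"
}

# Constructed sample of s_client output (placeholder PEM bodies, not real
# certificates) so the functions can be exercised offline. The final line
# is the symptom a self-signed AD root produces before it is trusted.
SAMPLE_S_CLIENT='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=vmad.vDomain.local
   i:/CN=vDomain Root CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/CN=vDomain Root CA
   i:/CN=vDomain Root CA
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=vmad.vDomain.local
issuer=/CN=vDomain Root CA
---
Verify return code: 19 (self signed certificate in certificate chain)'

# Stand-alone demo: build the files in a temporary directory and show them.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_S_CLIENT" >"$tmp/s_client.txt"
  echo "CA certificates written: $(build_ldap_trust "$tmp/s_client.txt" "$tmp")"
  cat "$tmp/ldap.conf"
}

demo
```

Against a real server, save the chain first (`openssl s_client -showcerts -connect vmad.vDomain.local:636 </dev/null > chain.txt`) and run `build_ldap_trust chain.txt <dir>`; on Windows copy the two files into C:\openldap\sysconf and write the TLS_CACERT path with Windows separators. To confirm the result before touching PHP, run `openssl s_client -CAfile certs.pem -connect vmad.vDomain.local:636 </dev/null` and look for "Verify return code: 0 (ok)". If the server sends only its own certificate, the function exits non-zero and the root CA certificate has to be exported from the CA itself instead.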