Ryan

Thanks very much for that.  I now have the Mediawiki working with SSL.

Thanks very much

Ian

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Ryan Lane
Sent: Thursday, 13 May 2010 12:11 p.m.
To: MediaWiki announcements and site admin list
Subject: Re: [Mediawiki-l] FW: Help Appreciated

> I am trying to implement a mediawiki for our organisation, but have hit a 
> problem that I am unable (so far) to remedy.  Your online documentation has 
> been an absolute god send.
>

Glad to hear my documentation is kind of good :).

> I have an implementation in a Virtual Environment that has no restrictions as 
> far as Firewall or Networking is concerned.  Using your documentation as a 
> baseline for the LDAP Plugin I have managed to get authentication working 
> using LDAP when setting $wgLDAPEncryptionType = array('internalwiki' => 
> 'clear');.  However, when trying to use SSL I hit a problem.
>
> We know that LDAP works on 389 and 636 between the two servers as we have 
> used "LDAP.exe" to connect and bind.
>
> At this point I should provide details on our environment:
>

[snip]

>
> Separate Domain Server
>
>
> *         Windows 2003 R2 Active Directory (Root CA)
>
> My LDAPAuthentication.php file has the following settings:
>
> <?php
>
> require_once("$IP/extensions/LdapAuthentication/LdapAuthentication.php");
>
> $wgAuth = new LdapAuthenticationPlugin();
>
> $wgLDAPDomainNames = array(' vDomain ');
> $wgLDAPServerNames = array('vmdomain' => 'vmad.vDomain.local');
> $wgLDAPSearchStrings = array('vmdomain' => 'vmDomain\\USER-NAME');
> $wgLDAPEncryptionType = array('vmdomain' => 'ssl');
> $wgLDAPGroupUseFullDN = array( "vmdomain"=>true );
> $wgLDAPBaseDNs = array( "vmdomain"=>"dc=vmDomain,dc=local" );
> $wgLDAPSearchAttributes = array( "vmdomain" => "sAMAccountName");
> $wgLDAPGroupObjectclass = array( "vmdomain"=>"group" );
> $wgLDAPGroupAttribute = array( "vmdomain"=>"member" );
> $wgLDAPGroupNameAttribute = array( "vmdomain"=>"cn" );
> $wgLDAPRequiredGroups = array( "vmdomain"=>array("cn=wiki users,ou=application security groups,ou=security,ou=groups,dc=vDomain,dc=local") );
>
>
> # Enable the "local" option on the login page. Enabled initially so we can use the WikiSysop user. Set to false to remove.
> $wgLDAPUseLocal = true;
>
> $wgMinimalPasswordLength = 1;
>
> # Debug options - uncomment to enable detailed debugging
> $wgDebugLogGroups["ldap"] = "D:\Logfile\LDAP.log";
> $wgLDAPDebug = 6;
>
> ?>
>

Your configuration is fine. You likely have an issue with PHP not
trusting the CA certificate of your AD server. It is *really* likely
since your AD is your root CA.

Create the following file:

    C:\openldap\sysconf\ldap.conf

Yes, it has to be these directories and files; apparently it is hard
coded into PHP for Windows.

Put the following line into that file:

    TLS_REQCERT never

Restart IIS. Is it working now? If so, you'll want to actually do this
correctly now. Instead of "TLS_REQCERT never", you'll want to make PHP
trust the CA:

1. Get the CA certificate; if you have openssl installed, you can do
the following:
1a. Run: openssl s_client -showcerts -connect vmad.vDomain.local:636
1b. Save every certificate in the chain greater than 0 (0 is your AD
server's certificate). Save the certificates by copying everything in
between and including "-----BEGIN CERTIFICATE-----" and "-----END
CERTIFICATE-----"
2. Append all certificates into one file called "certs.pem"
3. Drop "certs.pem" into C:\openldap\sysconf\
4. Edit ldap.conf, and add "TLS_CACERT C:\openldap\sysconf\certs.pem"
5. Restart IIS.

BTW, you probably want to use SSL, and not TLS in your ldap extension
configuration. TLS is a little more quirky to get working.

Respectfully,

Ryan Lane

_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
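An added example (not part of Ryan's reply, nor code from the LdapAuthentication extension) that automates steps 1a to 2 above: it runs the s_client command, keeps only the chain entries above depth 0, and builds the certs.pem contents. The host name and the sample s_client output below are constructed.

```python
import re
import subprocess

# One "Certificate chain" entry as printed by s_client -showcerts:
# " N s:<subject>" / "   i:<issuer>" followed by the PEM block.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+s:(.*?)\n\s+i:.*?\n"
    r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)",
    re.S | re.M,
)

# Constructed sample of s_client output; the PEM bodies are placeholders.
SAMPLE_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = vmad.vDomain.local
   i:CN = vDomain Root CA
-----BEGIN CERTIFICATE-----
MIIC...constructed-server-cert-body...
-----END CERTIFICATE-----
 1 s:CN = vDomain Root CA
   i:CN = vDomain Root CA
-----BEGIN CERTIFICATE-----
MIIC...constructed-root-ca-body...
-----END CERTIFICATE-----
---
Server certificate
"""

def fetch_showcerts(host, port=636):
    """Step 1a; stdin is closed so s_client exits instead of waiting."""
    proc = subprocess.run(
        ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=30)
    return proc.stdout.decode(errors="replace")

def chain_entries(output):
    """Parse the chain into (depth, subject, pem) tuples in chain order."""
    return [(int(d), s.strip(), pem) for d, s, pem in ENTRY_RE.findall(output)]

def issuer_pems(output):
    """Step 1b: depth 0 is the AD server's own cert; keep only depth > 0."""
    return [pem for depth, _, pem in chain_entries(output) if depth > 0]

def bundle_text(output):
    """Step 2: concatenate the CA certificates into the certs.pem contents."""
    return "".join(pem + "\n" for pem in issuer_pems(output))
```

Write the result of bundle_text() to C:\openldap\sysconf\certs.pem and point TLS_CACERT at it, as in steps 3 and 4.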