Mailing List Archive: Wikipedia: Mediawiki

LDAP Authentication to Novell eDirectory



hparsons56 at gmail

Sep 21, 2009, 7:23 AM

Post #1 of 12 (1543 views)
LDAP Authentication to Novell eDirectory

I'm setting up a MediaWiki system, and am trying to get the system to
authenticate to eDirectory. The MediaWiki server is running on a Suse Linux
Enterprise 11 server (Novell), and authenticating against a Novell Netware
6.5 server. The Linux server is NOT running eDirectory, but needs to
authenticate against another server.

I've run a DSTRACE on the Novell server, and don't even see the MW system
trying to authenticate. I cannot find the proper settings to turn on
debugging tools on the MW system to see what the problem might be.

Any suggestions would be greatly appreciated.
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Ryan.Lane at ocean

Sep 21, 2009, 2:23 PM

Post #2 of 12 (1467 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

> I'm setting up a MediaWiki system, and am trying to get the system to
> authenticate to eDirectory. The MediaWiki server is running
> on a Suse Linux
> Enterprise 11 server (Novell), and authenticating against a
> Novell Netware
> 6.5 server. The Linux server is NOT running eDirectory, but needs to
> authenticate against another server.
>
> I've run a DSTRACE on the Novell server, and don't even see
> the MW system
> trying to authenticate. I cannot find the proper settings to turn on
> debugging tools on the MW system to see what the problem might be.
>
> Any suggestions would be greatly appreciated.

* What versions of MediaWiki and the LDAP plugin are you using?
* Is LDAP support for PHP available?
* Do you have the LDAP plugin enabled at the bottom of LocalSettings.php?
* Is the client connecting to the eDirectory server at all? Check netstat,
and check your logs for connections. If it is connecting, and immediately
disconnecting, you have an SSL/TLS trust issue.
* Turn on debugging on the plugin [1]

I'm betting LDAP support isn't available in PHP.

V/r,

Ryan Lane

[1]
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Options#Debugging_options


hparsons56 at gmail

Sep 21, 2009, 3:02 PM

Post #3 of 12 (1475 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

Thanks for your response! I had tried leaving a message on your blog, good
to find you here! I'll do my best on answering:

1) Versions
MediaWiki 1.15.1
PHP 5.2.6 (apache2handler)
MySQL 5.0.67
LDAP Plugin 1.2a (beta)
2) LDAP support for PHP
I THINK so. I was under the impression that the SLES 11 server has this
built in. How do I confirm (especially since you think this is the issue)?

3) LDAP enabled - Yes, I've tried several different configurations, here is
the most current (sorry, I have to hide actual container names, but I think
you'll get the idea):

#LDAP Authentication
require_once( 'extensions/LDAPAuthentication/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "FOSAWiki" );
# server address masked by the poster
$wgLDAPServerNames = array( "FOSAWiki"=>"172.28.xxx.xxx" );
# container names masked by the poster
$wgLDAPSearchStrings = array(
"FOSAWiki"=>"cn=USER-NAME,ou=SecondLevel,ou=FirstLevel,o=ORGANIZATION" );
$wgLDAPSearchAttributes = array( "FOSAWiki"=>"uid" );
$wgLDAPUseSSL = array( "{Wiki Identity variable}"=>"ssl" );
$wgMinimalPasswordLength = 1;

4) I have to apologize on this one. I'm not familiar enough with Linux to
know where to look in the log files. Issuing a netstat from the Linux box
running the MW system just gives me a screenshot of current activity.
Running it on the NetWare server (that has eDirectory/LDAP services) gave
me a prompt for additional switches (I was surprised, I didn't realize there
was a netstat NLM for NetWare).

Usage: netstat [-aLn] [-f address_family]
netstat [-rn] [-f address_family]
netstat [-bdi] [-I interface] -w wait
netstat [-s] [-p protocol]
netstat [-s] [-f address_family] [-i] [-I interface]
netstat -help

List of possible address families:
inet (DARPA Internet)
5) I tried turning on debugging, but am not 100% sure I placed the /tmp
directory correctly. On my server, apache2 runs out of /srv/www/ with the
default docs directory /srv/www/htdocs. I have MediaWiki running out of
/srv/www/htdocs/w. I added the following tmp directories, /srv/www/htdocs/tmp
and /srv/www/htdocs/w/tmp, with debug.log in both, and both set to 666 (for
now) on rights. I added the following to the local configuration file, but
both debug.log files remain unchanged when enabling the LDAP module:

$wgLDAPDebug = 1;
$wgDebugLogGroups["ldap"] = "/tmp/debug.log";

===
Again, thanks for your response, and sorry for being such a noob to Linux.




hparsons56 at gmail

Sep 22, 2009, 7:44 AM

Post #4 of 12 (1454 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

OK, I did some more research, and found how to check whether LDAP was
enabled, it wasn't. I added that, and rebooted. Now I show this:

LDAP Support enabled
RCS Version $Id: ldap.c,v 1.161.2.3.2.12 2007/12/31 07:20:07 sebastian Exp $
Total Links 0/unlimited
API Version 3001
Vendor Name OpenLDAP
Vendor Version 20412
SASL Support Enabled

I also show on the NetWare server that it is listening on port 636

I'm still getting the same results though. Nothing on the DSTrace screen on
the NetWare server, and no debugging information.




hparsons56 at gmail

Sep 22, 2009, 8:27 AM

Post #5 of 12 (1451 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

I have some further information.

After properly setting up LDAP in PHP, I now get error messages in the
apache error log. Here's what I show:

[Tue Sep 22 10:21:54 2009] [error] [client 192.168.1.240] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /srv/www/htdocs/w/extensions/LDAPAuthentication/LdapAuthentication.php on line 213, referer: https://192.168.1.130/w/index.php5?title=Special:UserLogin&returnto=Main_Page

.240 is the workstation I'm on
.130 is the server MediaWiki is running on
.5 is the LDAP server

Here are the settings I'm using in the LocalSettings.php file:

#LDAP Authentication
require_once( 'extensions/LDAPAuthentication/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "FOSAWiki" );
$wgLDAPServerNames = array( "FOSAWiki"=>"192.168.1.5" );
# container names masked by the poster
$wgLDAPSearchStrings = array(
"FOSAWiki"=>"cn=USER-NAME,ou=LEVEL2,ou=LEVEL1,o=ORGANIZATION" );
$wgLDAPUseSSL = array( "{Wiki Identity variable}"=>"ssl" );
$wgMinimalPasswordLength = 1;





Ryan.Lane at ocean

Sep 22, 2009, 2:12 PM

Post #6 of 12 (1441 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

> I have some further information.
>
> After properly setting up LDAP in PHP, I now get error messages in the
> apache error log. Here's what I show:
>
> [Tue Sep 22 10:21:54 2009] [error] [client 192.168.1.240] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /srv/www/htdocs/w/extensions/LDAPAuthentication/LdapAuthentication.php on line 213, referer: https://192.168.1.130/w/index.php5?title=Special:UserLogin&returnto=Main_Page
>
> .240 is the workstation I'm on
> .130 is the server MediaWiki is running on
> .5 is the LDAP server
>
> Here are the settings I'm using in the LocalSettings.php file:
>
> #LDAP Authentication
> Require_once(
> 'extensions/LDAPAuthentication/LdapAuthentication.php' );
> $wgAuth = new LdapAuthenticationPlugin();
> $wgLDAPDomainNames = array( "FOSAWiki" );
> $wgLDAPServerNames = array( "FOSAWiki"=>"192.168.1.5" );

This needs to be the fully qualified domain name of the LDAP server, not the
IP address.

> $wgLDAPSearchStrings = array(
> "FOSAWiki"=>"cn=USER-NAME,ou=LEVEL2,ou=LEVEL1,o=ORGANIZATION" );
> $wgLDAPUseSSL = array( "{Wiki Identity variable}"=>"ssl" );

This should be:

$wgLDAPUseSSL = array( "FOSAWiki"=>"ssl" );

Notice that even after setting this, you may still have SSL issues. If you
have SSL issues, see:

http://ryandlane.com/wprdl/2009/06/16/using-the-ldap-authentication-plugin-for-mediawiki-the-basics-part-2/#configuring-the-ssl-trust

(http://bit.ly/2JMbDy)

V/r,

Ryan Lane


hparsons56 at gmail

Sep 22, 2009, 2:59 PM

Post #7 of 12 (1460 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

I'll hit up on the FQDN issue. I don't think though, that the LDAP server
has a DNS entry. I'm assuming that if they don't, I can do it with a host
entry.

On your second correction, the corrected version is what I had at one time,
I dropped it attempting things.

However, I think your last recommendation is the correct one. I had pretty
much decided that it was a cert issue, but couldn't get the exact
information on what I needed to do to correct it. Your blog looks like it
had it all along. Will try that this evening or tomorrow, and see what I
get.





Ryan.Lane at ocean

Sep 22, 2009, 3:25 PM

Post #8 of 12 (1441 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

> I'll hit up on the FQDN issue. I don't think though, that the
> LDAP server
> has a DNS entry. I'm assuming that if they don't, I can do it
> with a host
> entry.
>
> On your second correction, the corrected version is what I
> had at one time,
> I dropped it attempting things.
>
> However, I think your last recommendation is the correct one.
> I had pretty
> much decided that it was a cert issue, but couldn't get the exact
> information on what I needed to do to correct it. Your blog
> looks like it
> had it all along. Will try that this evening or tomorrow, and
> see what I
> get.
>

If your server doesn't have a DNS entry, then it probably has a self-signed
certificate too. If this is the case, you'll have to put the following into
your ldap.conf:

TLS_REQCERT never

V/r,

Ryan Lane


hparsons56 at gmail

Sep 24, 2009, 8:24 AM

Post #9 of 12 (1414 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

Well, I've tried changing that setting, and still get the same error
message. I'm pretty sure this is a certificate issue, just don't know how
it's resolved.

The NetWare server has a certificate that's issued from eDirectory. I see
lots of stuff about putting the certs in the /etc/pki directory on Red Hat,
but nothing about where they should go on Suse Linux, and what configuration
files need to be modified to make them recognized.

I've been able to successfully LDAP to the NetWare server using another LDAP
utility, and it prompts me to accept the certificate, this is why I'm pretty
sure it's a cert problem.

At this point, I'm stumped.

If any of you know of anyone that is successfully using a similar setup,
running MW on a Linux box authenticating to an eDirectory system, I'd sure
appreciate any insight.





Ryan.Lane at ocean

Sep 24, 2009, 1:31 PM

Post #10 of 12 (1405 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

> Well, I've tried changing that setting, and still get the same error
> message. I'm pretty sure this is a certificate issue, just
> don't know how
> it's resolved.
>

You put that setting into /etc/openldap/ldap.conf right? /etc/ldap.conf is
for pam/nss, /etc/openldap/ldap.conf is for openldap clients (like PHP).

> The NetWare server has a certificate that's issued from
> eDirectory. I see
> lots of stuff about putting the certs in the /etc/pki
> directory on Red Hat,
> but nothing about where they should go on Suse Linux, and
> what configuration
> files need to be modified to make them recognized.
>

From what I've seen online, your CA certs go into /etc/ssl.

V/r,

Ryan Lane


hans.moser at ofd-sth

Sep 25, 2009, 4:45 AM

Post #11 of 12 (1415 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

Hi,

Herb Parsons wrote:
> Well, I've tried changing that setting, and still get the same error
> message.
That was:
"[Tue Sep 22 10:21:54 2009] [error] [client 192.168.1.240] PHP Warning: ldap_start_tls(): Unable to start TLS: Can't contact LDAP server in /srv/www/htdocs/w/extensions/LDAPAuthentication/LdapAuthentication.php on line 213, referer: https://192.168.1.130/w/index.php5?title=Special:UserLogin&returnto=Main_Page"
Right?

If the error message is true, MW tries STARTTLS.

Also you stated:
"I also show on the NetWare server that it is listening on port 636"

This is (in most cases) so-called LDAPS (LDAP over SSL), on a port that is
secure from the start of the connection. This is different from LDAP with
TLS (started by STARTTLS), where TLS starts later on an unencrypted
connection.

From the blog:
"Specifically, the plugin defaults to tls using LDAP (port 389)"

So this is what we see. The plugin tries TLS not SSL. You may check the
plugin config to make the SSL setting work.


Marc



rlane32 at gmail

Sep 25, 2009, 9:56 AM

Post #12 of 12 (1397 views)
Re: LDAP Authentication to Novell eDirectory [In reply to]

> If the error message is true, MW tries STARTTLS.
>

It does indeed. That's the default (since clear text is insecure, and
LDAPS is deprecated).

> Also you stated:
> "I also show on the NetWare server that it is listening on port 636"
>
> This is (in most cases) so called LDAPs (LDAP over SSL) on a - from the
> connection on - secure Port. Which is different from LDAP with TLS
> (started by STARTTLS), here TLS starts later on on an unencrypted
> connection.
>
>  From the blog:
> "Specifically, the plugin defaults to tls using LDAP (port 389)"
>
> So this is what we see. The plugin tries TLS not SSL. You may check the
> plugin config to make the SSL setting work.
>

He did have that line set incorrectly. I sent him the right setting.
Not sure if he applied it though.

V/r,

Ryan Lane

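The checklist from post #2 (is the PHP ldap extension there, is the client reaching the server at all, is it a TLS trust problem) and the STARTTLS-on-389 versus LDAPS-on-636 distinction from posts #11 and #12 can be walked through with a small PHP diagnostic run with the PHP CLI on the MediaWiki host. This is an added example, not code from the thread or from the LDAP Authentication plugin; the hostname, bind DN and the LDAP_TEST_PASSWORD environment variable are assumptions.

```php
<?php
// Added diagnostic for the thread above; not part of the LDAP
// Authentication plugin. Placeholder values (assumptions):
$host = 'ldap.example.org';  // FQDN matching the server certificate's subject
$bindDn = 'cn=USER-NAME,ou=LEVEL2,ou=LEVEL1,o=ORGANIZATION';
$password = getenv('LDAP_TEST_PASSWORD');
if ($password === false) {
    $password = '';  // empty password = anonymous bind, still exercises TLS
}

// Step 0: the prerequisite from post #2, the PHP ldap extension.
if (!extension_loaded('ldap')) {
    fwrite(STDERR, "PHP ldap extension is not loaded\n");
    exit(1);
}

// Step 1: raw TCP reachability, independent of LDAP and TLS. A refused or
// timed-out connect here is a listener/firewall problem, not a certificate
// problem; an open port that then fails in step 2 or 3 points at TLS trust.
function tcpOpen($host, $port) {
    $errno = 0;
    $errstr = '';
    $sock = @fsockopen($host, $port, $errno, $errstr, 5);
    if ($sock === false) {
        return "port $port: closed or unreachable ($errstr)";
    }
    fclose($sock);
    return "port $port: open";
}

// Step 2: STARTTLS on 389, the plugin's default ("tls"). ldap_connect() only
// parses the URI; libldap opens the TCP connection lazily, so "Can't contact
// LDAP server" reported by ldap_start_tls() covers both a failed connect
// (nothing listening on 389) and a failed TLS handshake (untrusted cert).
function tryStartTls($host, $dn, $pw) {
    $c = ldap_connect("ldap://$host:389");
    ldap_set_option($c, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_start_tls($c)) {
        return 'STARTTLS failed: ' . ldap_error($c);
    }
    if (!@ldap_bind($c, $dn, $pw)) {
        return 'STARTTLS ok, bind failed: ' . ldap_error($c);
    }
    return 'STARTTLS bind ok';
}

// Step 3: LDAPS on 636, what $wgLDAPUseSSL = array( "FOSAWiki"=>"ssl" )
// asks for. TLS is negotiated before any LDAP message is sent, so the port
// 636 listener seen on the NetWare server is only used on this path.
function tryLdaps($host, $dn, $pw) {
    $c = ldap_connect("ldaps://$host:636");
    ldap_set_option($c, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($c, $dn, $pw)) {
        return 'LDAPS bind failed: ' . ldap_error($c);
    }
    return 'LDAPS bind ok';
}

echo tcpOpen($host, 389), "\n";
echo tcpOpen($host, 636), "\n";
echo tryStartTls($host, $bindDn, $password), "\n";
echo tryLdaps($host, $bindDn, $password), "\n";
```

On both paths the certificate check is done by libldap, which reads /etc/openldap/ldap.conf on the MediaWiki host; a TLS_CACERT line pointing at the exported eDirectory CA certificate keeps verification on, whereas TLS_REQCERT never switches it off for every OpenLDAP client on the box.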
