Mailing List Archive: Wikipedia: Mediawiki

LDAP Authentication problem with encryption method



techgeek12345 at gmail

Sep 6, 2010, 5:13 PM

Post #1 of 4 (2118 views)
LDAP Authentication problem with encryption method

Hi,

I am using Mediawiki 1.12 on a Linux Debian system. I have installed the
LDAP_Authentication extension for mediawiki version 1.12 [1]. The good news
is that I am able to connect and log into mediawiki using our company's
Active Directory server authentication with the following settings in
LocalSettings.php:

$wgLDAPEncryptionType = array( "mycompany.net" => "clear" );


However the bad news is that if I try to use the TLS encryption method like
this:

$wgLDAPEncryptionType = array( "mycompany.net" => "tls" );

I get the following debug messages:
**************************************************************************************
Entering validDomain
User is using a valid domain.
Setting domain as: mycompany.net
Entering getCanonicalName
Username isn't empty.
Munged username: JohnS
Entering authenticate
Entering Connect
Using TLS or not using encryption.
Using servers: ldap://ad1.mycompany.net
Using TLS<
Warning:ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS:
Decoding error in
/var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on
line 197
Failed to start TLS.Failed to connect
Entering strict.
Returning true in strict().
Entering modifyUITemplate

**************************************************************************************

with the mediawiki login page saying "Login error: Incorrect password entered.
Please try again."

How can I check if my Active Directory server uses TLS method? Is the
problem with the Active Directory or in my setup of the LDAP_Authentication
extension?

Thanks

[1]
http://upload.wikimedia.org/ext-dist/LdapAuthentication-MW1.12-r30722.tar.gz
_______________________________________________
MediaWiki-l mailing list
MediaWiki-l [at] lists
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


techgeek12345 at gmail

Sep 9, 2010, 10:30 AM

Post #2 of 4 (2058 views)
Re: LDAP Authentication problem with encryption method [In reply to]

Sorry to bump this thread.....

I have tried to research this on the Internet but nothing really
stands out...

Anyone??


rlane32 at gmail

Sep 9, 2010, 11:46 AM

Post #3 of 4 (2105 views)
Re: LDAP Authentication problem with encryption method [In reply to]

> I am using Mediawiki 1.12 on a Linux Debian system. I have installed the
> LDAP_Authentication extension for mediawiki version 1.12 [1]. The good news
> is that I am able to connect and log into mediawiki using our company's
> Active Directory server authentication with the following settings in
> LocalSettings.php:
>
> $wgLDAPEncryptionType = array( "mycompany.net" => "clear" );
>
>
> However the bad news is that if I try to use the TLS encryption method like
> this:
>
>  $wgLDAPEncryptionType = array( "mycompany.net" => "tls" );
>
> I get the following debug messages:
> **************************************************************************************
> Entering validDomain
> User is using a valid domain.
> Setting domain as: mycompany.net
> Entering getCanonicalName
> Username isn't empty.
> Munged username: JohnS
> Entering authenticate
> Entering Connect
> Using TLS or not using encryption.
> Using servers:  ldap://ad1.mycompany.net
> Using TLS<
> Warning:ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS:
> Decoding error in
> /var/lib/mediawiki/extensions/LdapAuthentication/LdapAuthentication.php on
> line 197
> Failed to start TLS.Failed to connect
> Entering strict.
> Returning true in strict().
> Entering modifyUITemplate
>
> **************************************************************************************
>
> with the mediawiki login page saying "Login error: Incorrect password entered.
> Please try again."
>
> How can I check if my Active Directory server uses TLS method? Is the
> problem with the Active Directory or in my setup of the LDAP_Authentication
> extension?
>
> Thanks
>

I haven't tested recently with a version of MediaWiki that is this
old, but I doubt that is the problem.

First, I'm not sure if the default configuration of AD supports TLS.
I've never had luck with it. Try SSL (ldaps) instead:

$wgLDAPEncryptionType = array( "mycompany.net" => "ssl" );

Note that your AD server may not support ldaps either, if the
server doesn't have an SSL certificate installed. This is fairly easy
to test using openssl:

openssl s_client -connect <yourservername>:636

After running the above command, you should get back a bunch of text,
including the server's CA certificate. If you are connected, and no
other text is returned, the problem is on the AD side.

If you do have an SSL certificate installed on the AD server, and
ldaps isn't working with the plugin, it is likely a certificate trust
issue. I have documentation for fixing this in the requirements
section: http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Certificate_trusts

Sorry about not responding sooner. I got busy and forgot about the
post (I even had it starred and everything ;) ).

Respectfully,

Ryan Lane



techgeek12345 at gmail

Sep 9, 2010, 1:13 PM

Post #4 of 4 (2063 views)
Re: LDAP Authentication problem with encryption method [In reply to]

>openssl s_client -connect <yourservername>:636
I tried this and I got a bunch of text with a certificate also. But as you
mentioned in [1], "To pull the CA certificates, you'll want to save all
certificates returned greater than 0 (as certificate 0 is the server's
certificate)". Unfortunately I just get certificate 0. I do not see
certificate 1 or anything greater.

Also towards the end of the output I get this:
SSL handshake has read 10236 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
9D140000B65ED52DB95746CE88AC59A56FFC8CB4D1B875951CE688A7521C8EAC
Session-ID-ctx:
Master-Key:
6CD5263BC398AE44253B8C9D8B49DB31879F39281A1B19DCF4A35D119DAE1F2DD4DC207DD4551ACDFA41DA9734E4A85A
Key-Arg : None
Start Time: 1284062580
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Does it mean TLS is supported by our AD server?

Would it help if I post the entire long output of the above command if there
is no sensitive information in the output from the above command?

[1]
http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Certificate_trusts

Thanks
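A defender-side way to read the `openssl s_client -connect <server>:636` check suggested above and the output posted after it, as an added example that is not from this thread or from the LDAP_Authentication extension. It parses a constructed transcript (modelled on the posted one: a handshake on port 636, a single certificate in the chain, verify return code 21) and classifies what that means for the plugin's `ssl` setting; it also flags the RC4-MD5 cipher the server negotiated, which is deprecated today. The sample text, the hostname and the issuer name are all assumptions.

```python
import re

# Constructed sample of `openssl s_client -connect ad1.mycompany.net:636` output,
# modelled on the thread (one certificate sent, verify code 21). Not real capture data.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=ad1.mycompany.net
   i:/DC=net/DC=mycompany/CN=mycompany-CA
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
SSL handshake has read 10236 bytes and written 312 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Verify return code: 21 (unable to verify the first certificate)
---
"""

WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")  # cipher-suite fragments to flag


def diagnose_s_client(output):
    """Classify an s_client transcript from an LDAPS (port 636) connectivity check."""
    chain = re.findall(r"^\s*\d+ s:(.*)$", output, re.M)   # subjects; index 0 is the server
    issuers = re.findall(r"^\s*i:(.*)$", output, re.M)     # issuer of each chain element
    m = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    verify_code = int(m.group(1)) if m else None
    c = re.search(r"Cipher is (\S+)", output)
    cipher = c.group(1) if c else None
    result = {
        "handshake_ok": "SSL handshake has read" in output,
        "certs_sent": len(chain),
        "top_issuer": issuers[-1] if issuers else None,   # the CA whose cert the client needs
        "verify_code": verify_code,
        "cipher": cipher,
        "weak_cipher": bool(cipher) and any(t in cipher for t in WEAK_TOKENS),
    }
    if not result["handshake_ok"]:
        result["status"] = "no_tls"      # port answered but no TLS: no certificate on AD
    elif verify_code == 0:
        result["status"] = "trusted"     # chain verified locally; plugin failure lies elsewhere
    else:
        # Server does speak TLS, but only the leaf was sent and its issuer is not in the
        # client trust store: fetch the CA certificate out of band and configure trust.
        result["status"] = "needs_ca"
    return result
```

With the posted output the verdict is `needs_ca`: TLS on 636 works, so the next step is the certificate-trust setup, not the AD side.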
