Thanks for the rapid answer,
After adding TLS_REQCERT never, it works! Thanks.
Just for the record.
I am using the last stable version (1.2a, I think). The
options for debug file are just beneath the <?php in
LocalSettings.php file. Defined domain ($wgLDAPDomainNames
value) appears at the login page in the drop-down menu.
I don't know how to check if the LDAP plugin shows up as an extension.
As mentioned, you need to put all configuration options at the bottom of
LocalSettings.php, for every extension, always.
You can see if the LDAP plugin is enabled by going to Special:Version, and
see if it is listed as an enabled extension.
LDAP logs gave the following output each time I try to log in to
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 ACCEPT from IP=myip:56555 (IP=0.0.0.0:636)
Aug 13 13:01:37 localhost slapd[16162]: conn=12 fd=20 closed (TLS negotiation failure)
ldap.conf has tls_checkpeer set to no, otherwise the error above is
repeated for ssh or other client software. I think
key+certificate are correctly set up, but I am probably wrong.
It is nice that it at least tells you it was a TLS negotiation failure. Lots
of directory servers won't even tell you that. Whenever you see a
connection, and an immediate disconnection, it is almost guaranteed to be an
SSL/TLS trust issue.
LDAP has two configuration files on a system. One is for pam_ldap, the other
is for openldap clients. PHP should use /etc/openldap/ldap.conf. I usually
just delete /etc/openldap/ldap.conf and link it to /etc/ldap.conf, and put
all my configuration in there though.
Did you read my blog post? You should try using openssl s_client to check
your SSL configuration for LDAP:
openssl s_client -connect localhost:636
Check the CN field of the certificate:
Certificate chain
0 s:/C=US/O=Test/OU=My department/OU=My branch/OU=My team/CN=example.com
  i:/C=US/O=Test/OU=My department/OU=My branch/OU=My team/CN=example.com
This is what you need to put in for $wgLDAPServernames (in this case
example.com).
Now you can take the certificate from the output of s_client, and use it to
trust your LDAP server. Take everything between and including:
-----BEGIN CERTIFICATE-----
And
-----END CERTIFICATE-----
Put this into a file like (644 root:root) /etc/pki/tls/certs/example.crt.
You can check the certificate's contents with:
openssl x509 -noout -text -in /etc/pki/tls/certs/example.crt
Now edit /etc/openldap/ldap.conf, and add:
TLS_CACERTDIR /etc/pki/tls/certs
TLS_CACERT /etc/pki/tls/certs/example.crt
It is possible that PHP is reading /etc/ldap.conf (although I doubt it). So
you can put the same things in there as well.
Notice that my example uses a self-signed certificate. If line 0 of the
certificate chain of the s_client command has something different for s: and
i:, your certificate isn't self-signed, and you'll need to also get the
issuer's certificate, and its root certificate, and place those in
/etc/pki/tls/certs as well.
V/r,
Ryan Lane
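Ryan's s_client-then-TLS_CACERT procedure as an added shell example (not code from the thread), run entirely offline: a constructed self-signed certificate stands in for the one you would copy out of `openssl s_client`, a temp directory stands in for /etc/pki/tls/certs, and ldap.example.com and the presence of the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI; the server
# certificate is built with `openssl req` instead of being copied from
# `openssl s_client -connect ldap.example.com:636` (placeholder hostname).
set -eu

WORK=$(mktemp -d)
CERTS_DIR="$WORK/certs"          # stands in for /etc/pki/tls/certs
mkdir -p "$CERTS_DIR"
# Minimal config so `openssl req` does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Write a fake s_client transcript containing a self-signed cert for host $1.
make_s_client_output() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -days 30 -subj "/C=US/O=Test/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
    { echo "Certificate chain"; echo " 0 s:/C=US/O=Test/CN=$1";
      cat "$WORK/$1.pem"; echo "---"; echo "No client certificate CA names sent"; } \
      > "$WORK/$1.s_client.txt"
}

# Copy everything between and including BEGIN/END into a 0644 CA file.
extract_cert() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" > "$2"
    chmod 0644 "$2"
}

# Print the subject CN: the value that belongs in $wgLDAPServernames.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Verify cert $1 against CA file $2, which is what the LDAP client enforces
# when TLS_REQCERT is demand (the default). Prints 0 for OK, 1 for failure.
verify_chain() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Walk-through with the constructed certificate.
make_s_client_output ldap.example.com
extract_cert "$WORK/ldap.example.com.s_client.txt" "$CERTS_DIR/example.crt"
echo "\$wgLDAPServernames should be: $(cert_cn "$CERTS_DIR/example.crt")"
echo "TLS_CACERT $CERTS_DIR/example.crt -> verify result $(verify_chain "$CERTS_DIR/example.crt" "$CERTS_DIR/example.crt")"
```

A certificate issued by any other CA fails verify_chain against this CA file; setting TLS_REQCERT never makes the client skip that check entirely rather than fix the trust.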