Failed to bind as
Try the config below (change the "DOMAIN" sections, also in "DOMAIN\\USER-NAME", but leave "USER-NAME" intact):
$wgLDAPDebug = 3;
$wgDebugLogGroups["ldap"] = "C:\log\ldap.log";
$wgLDAPDomainNames = array('DOMAIN',);
$wgLDAPServerNames = array('DOMAIN' => 'server2.domain.local',);
$wgLDAPSearchStrings = array('DOMAIN' => 'DOMAIN\\USER-NAME',);
$wgLDAPEncryptionType = array('DOMAIN' => 'clear',);
$wgLDAPBaseDNs = array('DOMAIN' => 'ou=Users,dc=domain,dc=local');
$wgLDAPSearchAttributes = array('DOMAIN' => 'sAMAccountName');
$wgLDAPProxyAgent = array("DOMAIN"=>"*****");
$wgLDAPProxyAgentPassword = array("DOMAIN"=>"*****");
$wgLDAPUpdateLDAP = array("DOMAIN"=>false);
$wgLDAPAddLDAPUsers = array("DOMAIN"=>false);
$wgLDAPPreferences = array( 'DOMAIN' => true );
Cheers,
Lucas
Hi Lucas.
First, thanks for your config. That helped a lot! I used it and can now authenticate with AD credentials.
But the connection is still in cleartext. To avoid MITM attacks, the next step is to encrypt the connection via SSL. I changed the option:
$wgLDAPEncryptionType = array('DOMAIN' => 'ssl',);
I got the server's certificate using openssl (on an Ubuntu machine):
openssl s_client -showcerts -connect server2.domain.local:636
I extracted the certificate to a new file and tested it with:
openssl x509 -noout -text -in certs.pem
The output was similar to the example in the documentation, so the certificate file seems fine; no error occurred.
I placed the cert file at: C:\openldap\sysconf\certs.pem
I created the ldap.conf file C:\openldap\sysconf\ldap.conf containing the following line:
TLS_CACERT C:\openldap\sysconf\certs.pem
Restarted the web server.
The debug log still gives the old error message: Failed to bind as... Is there something special to consider with SSL?
Sorry, that is as far as I got. I forced SSL for my website but did not succeed in getting SSL working.
cheers,
Lucas
Check the certificate being used. Was it signed by a CA, or signed by itself?
openssl x509 -noout -text -in C:\openldap\sysconf\certs.pem
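A small parser for the `openssl s_client -showcerts` transcript captured earlier in this thread, added here as an example; it is not code from the extension or from any of the posters. It reads the OpenSSL 1.0-era text format (the "Certificate chain" header pairs ` N s:<subject>` / `   i:<issuer>`, the PEM block after each, and the closing "Verify return code" line), answers the question just asked (is the leaf self-signed or CA-signed?), and says which certificate the ldap.conf `TLS_CACERT` entry must point at. The embedded transcript is constructed to look like the server in this thread; its base64 body is a placeholder, not a real certificate.

```python
"""Parse an `openssl s_client -showcerts` transcript and say which
certificate TLS_CACERT needs.  Added example, not the extension's code.
Assumes the transcript was saved with something like
    openssl s_client -showcerts -connect server2.domain.local:636 > sclient.txt
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")      # " 0 s:/CN=..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")             # "   i:/DC=local/..."
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\((.*?)\)")


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str
    pem: str

    @property
    def self_signed(self) -> bool:
        # Subject equal to issuer is the textual test for a self-signed certificate.
        return self.subject == self.issuer


@dataclass
class SClientReport:
    chain: List[ChainEntry] = field(default_factory=list)
    verify_code: Optional[int] = None
    verify_reason: str = ""


def parse_s_client(text: str) -> SClientReport:
    """Pair every ' N s:/i:' header with the PEM block printed after it."""
    report = SClientReport()
    headers = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = CHAIN_RE.match(lines[i])
        if m and i + 1 < len(lines):
            mi = ISSUER_RE.match(lines[i + 1])
            if mi:
                headers.append((int(m.group(1)), m.group(2).strip(), mi.group(1).strip()))
                i += 2
                continue
        mv = VERIFY_RE.search(lines[i])
        if mv:
            report.verify_code = int(mv.group(1))
            report.verify_reason = mv.group(2)
        i += 1
    # -showcerts prints the PEM blocks in chain order, so pair them by position.
    for (depth, subject, issuer), pem in zip(headers, PEM_RE.findall(text)):
        report.chain.append(ChainEntry(depth, subject, issuer, pem))
    return report


def ca_file_advice(report: SClientReport) -> str:
    """Say what TLS_CACERT must contain for client-side verification to pass."""
    if not report.chain:
        return "no certificate chain found in transcript"
    leaf = report.chain[0]
    if leaf.self_signed:
        return "leaf is self-signed: put the server certificate itself (depth 0) in TLS_CACERT"
    issuer_entry = next((c for c in report.chain[1:] if c.subject == leaf.issuer), None)
    if issuer_entry is None:
        return (f"leaf is signed by {leaf.issuer!r} and the server did not send the issuing CA: "
                "fetch the CA certificate (for example from the CA Issuers URI in the leaf's "
                "Authority Information Access) and put it, not the server certificate, in TLS_CACERT")
    if issuer_entry.self_signed:
        return f"leaf is signed by the root sent at depth {issuer_entry.depth}: put that root CA in TLS_CACERT"
    return (f"leaf is signed by intermediate {issuer_entry.subject!r}: TLS_CACERT needs the root "
            "that signs the top of the chain (and the intermediate if the server omits it)")


# Constructed sample transcript modelled on the server in this thread;
# the base64 body is a placeholder, not a real certificate.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=server2.domain.local
   i:/DC=local/DC=domain/CN=Private Exchange Zertifizierungsstelle
-----BEGIN CERTIFICATE-----
MIIGSTCCB...CONSTRUCTED-PLACEHOLDER...yXbSrqc=
-----END CERTIFICATE-----
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

if __name__ == "__main__":
    rep = parse_s_client(SAMPLE_TRANSCRIPT)
    for c in rep.chain:
        print(f"depth {c.depth}: subject={c.subject} issuer={c.issuer} self_signed={c.self_signed}")
    print(f"verify return code: {rep.verify_code} ({rep.verify_reason})")
    print(ca_file_advice(rep))
```

Run it against a saved transcript instead of the sample by reading the file into `parse_s_client`. The point it makes for this thread: a leaf whose issuer differs from its subject is CA-signed, so the file named by `TLS_CACERT` must hold the signing CA's certificate, not the server certificate that `-showcerts` printed.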
It is signed by itself. Here is the output:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:03:f5:7d:00:02:00:00:00:3f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=local, DC=domain, CN=Private Exchange Zertifizierungsstelle
        Validity
            Not Before: Feb 22 14:37:35 2011 GMT
            Not After : Feb 22 14:37:35 2012 GMT
        Subject: CN=server2.domain.local
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c6:50:[...(i've cut something)...]:60:09
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            S/MIME Capabilities:
                050...*.H..
                ......0...*.H..
                ......0...+....0
                ..*.H..
                ..
            X509v3 Subject Key Identifier:
                BE:B0:1E:3C:BC:EE:7D:28:B6:78:F5:D1:A6:02:F3:9C:31:F9:4A:68
            1.3.6.1.4.1.311.20.2:
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Authority Key Identifier:
                keyid:AE:60:A2:A5:5A:23:D8:59:9F:5C:B6:F6:CA:B1:0B:32:5B:1C:2D:C8
            X509v3 CRL Distribution Points:
                URI:ldap:///CN=Private%20Exchange%20Zertifizierungsstelle(1),CN=server2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
                URI:http://server2.domain.local/CertEnroll/Private%20Exchange%20Zertifizierungsstelle(1).crl
            Authority Information Access:
                CA Issuers - URI:ldap:///CN=Private%20Exchange%20Zertifizierungsstelle,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
                CA Issuers - URI:http://server2.domain.local/CertEnroll/server2.domain.local_Private%20Exchange%20Zertifizierungsstelle(2).crt
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                othername:<unsupported>, DNS:server2.domain.local
    Signature Algorithm: sha1WithRSAEncryption
        ad:e6:46:26:98:10:1d:85:83:aa:1f:9e:77:10:9a:c3:37:be:
        00:ac:b7:9e:92:81:8c:c5:50:bf:6c:dd:25:d9:84:72:01:58:
        0c:93:b1:68:63:66:3d:7a:92:1d:a0:c1:3a:4e:fa:b3:0b:1c:
        17:92:0c:87:53:9b:6e:ea:0a:6b:66:51:6a:58:22:9a:3f:30:
        a3:41:6a:3d:88:c8:86:bc:70:35:d1:78:da:48:d0:05:9b:37:
        cc:85:d5:f0:d5:6d:d3:c3:99:a5:dd:46:47:b8:bf:ad:18:ef:
        56:2d:c0:b9:81:61:04:12:58:7f:77:49:4a:bc:b9:97:96:95:
        14:7b:1b:02:40:e8:99:f3:b7:d5:26:4a:ae:10:d8:3d:46:ad:
        e4:67:5c:60:53:f0:b2:b6:ef:f1:00:39:83:1b:c3:93:cb:0e:
        4e:6d:a4:24:08:74:e6:0a:a8:0b:a4:d2:34:7b:f0:68:7a:3e:
        f2:0e:9d:fb:db:c2:64:45:c6:fa:09:3e:d8:32:ce:94:ee:27:
        b0:44:9c:59:f3:8c:6b:82:e2:e9:63:1c:7d:e4:e7:60:95:89:
        42:73:76:ab:73:d0:c8:80:a4:ee:52:db:8e:86:b3:96:56:13:
        99:d4:0e:b3:48:84:b0:eb:1c:a2:6a:58:8d:16:00:14:39:c9:
        76:d2:ae:a7
-----BEGIN CERTIFICATE-----
MIIGSTCCB[...(some other stuff here)...]yXbSrqc=
-----END CERTIFICATE-----
On the server I used the tool ldp.exe. A connection over SSL (port 636) can be established and the bind is OK there, so the server seems to be configured right: it accepts SSL connections. Nevertheless PHP still fails to bind when I try to log in to the wiki.
I've modified the "bindAs" method in LDAPAuthentication.php to get a more informative error message:
function bindAs( $userdn = null, $password = null ) {
    // Option id for ldap_get_option() diagnostic messages; older PHP builds do not
    // define it, and the guard avoids "constant already defined" notices on repeat calls.
    if ( !defined( 'LDAP_OPT_DIAGNOSTIC_MESSAGE' ) ) {
        define( 'LDAP_OPT_DIAGNOSTIC_MESSAGE', 0x0032 );
    }
    // Let's see if the user can authenticate.
    if ( $userdn == null || $password == null ) {
        $bind = @ldap_bind( $this->ldapconn );
        $this->printDebug( "anonymous bind", HIGHLYSENSITIVE );
    } else {
        $this->printDebug( "trying to bind calling:", HIGHLYSENSITIVE );
        $this->printDebug( "\tldap_bind( conn_handle=$this->ldapconn, userdn=$userdn, password=$password )..", HIGHLYSENSITIVE );
        $bind = @ldap_bind( $this->ldapconn, $userdn, $password );
    }
    if ( !$bind ) {
        $this->printDebug( "\tldap_bind(...) failed.", HIGHLYSENSITIVE );
        $this->printDebug( "\tLDAP_Error Code : " . ldap_errno( $this->ldapconn ), HIGHLYSENSITIVE );
        $this->printDebug( "\tLDAP Error Msg : " . ldap_error( $this->ldapconn ), HIGHLYSENSITIVE );
        // The diagnostic message carries the detail ldap_error() lacks: the OpenSSL
        // error string for a failed handshake, or AD's "AcceptSecurityContext ... data" code.
        if ( ldap_get_option( $this->ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error ) ) {
            $this->printDebug( "\tLDAP Extended ErrorMsg: $extended_error", HIGHLYSENSITIVE );
        }
        $this->printDebug( "Failed to bind as $userdn", NONSENSITIVE );
        $this->printDebug( "with password: $password", HIGHLYSENSITIVE );
        return false;
    }
    return true;
}
The results are:
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering Connect
2011-06-30 14:22:24 wikidb-sij_: 1.2e Using SSL
2011-06-30 14:22:24 wikidb-sij_: 1.2e Using servers: ldaps://server2.domain.local
2011-06-30 14:22:24 wikidb-sij_: 1.2e Connection handle: Resource id #86
2011-06-30 14:22:24 wikidb-sij_: 1.2e Connected successfully
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering getSearchString
2011-06-30 14:22:24 wikidb-sij_: 1.2e Doing a straight bind
2011-06-30 14:22:24 wikidb-sij_: 1.2e userdn is: DOMAIN\user1
2011-06-30 14:22:24 wikidb-sij_: 1.2e
2011-06-30 14:22:24 wikidb-sij_: 1.2e Binding as the user
2011-06-30 14:22:24 wikidb-sij_: 1.2e trying to bind calling:
2011-06-30 14:22:24 wikidb-sij_: 1.2e ldap_bind( conn_handle=Resource id #86, userdn=DOMAIN\user1, password=user1pwd )..
2011-06-30 14:22:24 wikidb-sij_: 1.2e ldap_bind(...) failed.
2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP_Error Code : -1
2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP Error Msg : Can't contact LDAP server
2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP Extended ErrorMsg: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2011-06-30 14:22:24 wikidb-sij_: 1.2e Failed to bind as DOMAIN\user1
2011-06-30 14:22:24 wikidb-sij_: 1.2e with password: user1pwd
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering strict.
2011-06-30 14:22:24 wikidb-sij_: 1.2e Returning true in strict().
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering allowPasswordChange
2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering modifyUITemplate
So there must be a problem with the certificate file. How can I test whether the certificate is valid or not?
Finally I solved my problem. Maybe the solution is interesting for someone else:
The location of ldap.conf has to be C:\ldap.conf instead of C:\openldap\sysconf\ldap.conf with that XAMPP-compiled PHP version.
For testing purposes I had created that file in both locations, but only changed the one in the sysconf folder. That file was never read and pointed to a wrong certificate file. So I modified the right file and SSL auth runs.
- - - - - - -
Tip:
If problems still remain, maybe this really good tutorial helps:
http://greg.cathell.net/php_ldap_ssl.html
Another tip:
You can test the SSL connection with the following command:
openssl s_client -connect myserver.com:636 -showcerts -state -CAfile C:\openldap\sysconf\server_cert.pem
(the output should be something like this: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#6.1 )
Hello there,
I'm trying to set up LDAP authentication for my organization on a MediaWiki site using your plugin, but I'm running into some problems. Here is my configuration:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = false;
$wgLDAPDomainNames = array('organization.com');
$wgLDAPServerNames = array('organization.com' => 'ldapserver.organization.com');
$wgLDAPSearchStrings = array('organization.com' => 'sAMAccountName=USER-NAME,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com');
$wgLDAPBaseDNs = array('organization.com' => 'OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com' );
$wgLDAPEncryptionType = array('organization.com' => 'clear');
$wgLDAPRetrievePrefs = array('organization.com' => false );
$wgMinimalPasswordLength = 1;
//FOR DEBUGGING ONLY
$wgLDAPDebug = 8; //for debugging
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgDebugLogGroups["ldap"] = '/tmp/mediawiki_ldap_debug.log';
And here are my log entries:
2012-01-27 19:18:31 wiki: 1.2e Entering Connect
2012-01-27 19:18:31 wiki: 1.2e Using TLS or not using encryption.
2012-01-27 19:18:31 wiki: 1.2e Using servers: ldap://ldapserver.organization.com
2012-01-27 19:18:31 wiki: 1.2e Connected successfully
2012-01-27 19:18:31 wiki: 1.2e Entering getSearchString
2012-01-27 19:18:31 wiki: 1.2e Doing a straight bind
2012-01-27 19:18:31 wiki: 1.2e userdn is: sAMAccountName=hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com
2012-01-27 19:18:31 wiki: 1.2e
2012-01-27 19:18:31 wiki: 1.2e Binding as the user
2012-01-27 19:18:31 wiki: 1.2e trying to bind calling:
2012-01-27 19:18:31 wiki: 1.2e ldap_bind( conn_handle=Resource id #60, userdn=sAMAccountName=Hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com, password=***password*** )..
2012-01-27 19:18:31 wiki: 1.2e ldap_bind(...) failed.
2012-01-27 19:18:31 wiki: 1.2e LDAP_Error Code : 49
2012-01-27 19:18:31 wiki: 1.2e LDAP Error Msg : Invalid credentials
2012-01-27 19:18:31 wiki: 1.2e LDAP Extended ErrorMsg: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
2012-01-27 19:18:31 wiki: 1.2e Failed to bind as sAMAccountName=Hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com
2012-01-27 19:18:31 wiki: 1.2e with password: ***password***!
2012-01-27 19:18:31 wiki: 1.2e Entering allowPasswordChange
2012-01-27 19:18:31 wiki: 1.2e Entering modifyUITemplate
Checking LDAP error code 49, it appears the user 'hugo' was not found on the AD server (is the Bind DN not correct???). Could it be because of the upper-case letter at the beginning of the username? I'm sure I'm using the correct credentials to access my AD account, as well as the entered DN information, since I use the same to get access from the command line.
Thanks in advance for any appreciated help!
Best,
-Hugo
MediaWiki (1.1.18) is running on SL6.1, Apache 2.2.21 and PHP 5.3.9
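The two debug logs in this thread show the same "Failed to bind as" line for two unrelated causes: a TLS handshake the client refused (LDAP result -1 with the OpenSSL "certificate verify failed" string) and an AD simple bind with a name that exists nowhere (LDAP result 49 with AD data 525). The script below, added as an example and not part of the extension or of any post here, splits the extension's debug log into entries (also when extraction ran them onto one line, as with the SSL log above), pulls out the "LDAP_Error Code" and "LDAP Extended ErrorMsg" entries that the patched bindAs() writes, and classifies the failure. The AD "data" table is the standard one for result 49; the sample logs are constructed from the two quoted in the thread, with passwords masked.

```python
"""Classify bind failures in the LdapAuthentication debug log.
Added example, not part of the extension.  Assumes the log format quoted in
the thread ("<date> <time> <wiki>: <version> <message>", entries either one
per line or run together) and the patched bindAs() that logs
"LDAP_Error Code" / "LDAP Error Msg" / "LDAP Extended ErrorMsg".
"""
import re
from typing import Dict, List

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
ENTRY_RE = re.compile(
    rf"(?P<ts>{TS}) (?P<wiki>\S+): (?P<ver>\S+) ?(?P<msg>.*?)(?={TS} |\Z)", re.S
)
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# Meaning of the "data" code Active Directory appends to an LDAP result 49.
AD_DATA_CODES = {
    "525": "user not found: the bind name names no object (AD takes DOMAIN\\USER-NAME, "
           "user@domain or the object's real CN=... DN, not an sAMAccountName=... DN)",
    "52e": "invalid credentials: object found, password wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split the log into entries even when extraction ran them onto one line."""
    return [{**m.groupdict(), "msg": m.group("msg").strip()} for m in ENTRY_RE.finditer(text)]


def _value(msgs: List[str], prefix: str) -> str:
    for m in msgs:
        if m.startswith(prefix):
            return m[len(prefix):].strip()
    return ""


def classify_bind_failure(text: str) -> Dict[str, str]:
    msgs = [e["msg"] for e in parse_entries(text)]
    info = {
        "category": "ok",
        "transport": "ldaps" if "Using SSL" in msgs else "ldap (clear or STARTTLS)",
        "userdn": _value(msgs, "userdn is:"),
        "ldap_code": _value(msgs, "LDAP_Error Code :"),
        "ad_data": "",
        "detail": "",
    }
    if not any(m.startswith("Failed to bind as") for m in msgs):
        return info
    ext = _value(msgs, "LDAP Extended ErrorMsg:")
    if info["ldap_code"] == "-1" and "certificate verify failed" in ext:
        # The handshake failed, not the password: the client could not chain the
        # server certificate to a trusted CA, i.e. TLS_CACERT is wrong or never read.
        info["category"] = "tls_trust"
        info["detail"] = ext
    elif info["ldap_code"] == "-1":
        info["category"] = "connectivity"
        info["detail"] = _value(msgs, "LDAP Error Msg :")
    elif info["ldap_code"] == "49":
        m = AD_DATA_RE.search(ext)
        info["ad_data"] = m.group(1).lower() if m else ""
        info["category"] = "bind_dn_not_found" if info["ad_data"] == "525" else "invalid_credentials"
        info["detail"] = AD_DATA_CODES.get(info["ad_data"], ext or "result 49 without AD data code")
    else:
        info["category"] = "other"
        info["detail"] = ext
    return info


# Constructed from the SSL log in this thread (entries run together, password masked).
SAMPLE_SSL_LOG = (
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e Entering Connect "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e Using SSL "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e Using servers: ldaps://server2.domain.local "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e userdn is: DOMAIN\user1 "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e Binding as the user "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP_Error Code : -1 "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP Error Msg : Can't contact LDAP server "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e LDAP Extended ErrorMsg: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed "
    r"2011-06-30 14:22:24 wikidb-sij_: 1.2e Failed to bind as DOMAIN\user1"
)

# Constructed from the AD log in this thread (one entry per line).
SAMPLE_AD_LOG = """\
2012-01-27 19:18:31 wiki: 1.2e Entering Connect
2012-01-27 19:18:31 wiki: 1.2e Using TLS or not using encryption.
2012-01-27 19:18:31 wiki: 1.2e userdn is: sAMAccountName=hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com
2012-01-27 19:18:31 wiki: 1.2e ldap_bind(...) failed.
2012-01-27 19:18:31 wiki: 1.2e LDAP_Error Code : 49
2012-01-27 19:18:31 wiki: 1.2e LDAP Error Msg : Invalid credentials
2012-01-27 19:18:31 wiki: 1.2e LDAP Extended ErrorMsg: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
2012-01-27 19:18:31 wiki: 1.2e Failed to bind as sAMAccountName=hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com
"""

if __name__ == "__main__":
    for name, log in (("ssl", SAMPLE_SSL_LOG), ("ad", SAMPLE_AD_LOG)):
        print(name, classify_bind_failure(log))
```

For the first log the verdict is `tls_trust`, which is the ldap.conf / `TLS_CACERT` problem the poster eventually found; for the second it is `bind_dn_not_found` with data 525, which confirms the reading of error 49 in the last post: the server never looked at the password because the bind name matched no object.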