Failed to bind as


I've modified the "bindAs" method in LDAPAuthentication.php to get a more informative error message:

        function bindAs( $userdn = null, $password = null ) {
                // ldap_get_option() constant for the server's extended diagnostic message.
                // Only define it when this PHP build does not already provide it; otherwise a
                // second call to bindAs() (or a newer PHP that ships the constant) would emit
                // a "Constant already defined" notice.
                if ( !defined( "LDAP_OPT_DIAGNOSTIC_MESSAGE" ) ) {
                        define( "LDAP_OPT_DIAGNOSTIC_MESSAGE", 0x0032 );
                }

                // Let's see if the user can authenticate.
                if ( $userdn == null || $password == null ) {
                        // No credentials supplied: anonymous bind
                        $bind = @ldap_bind( $this->ldapconn );
                        $this->printDebug( "anonymous bind", HIGHLYSENSITIVE );
                } else {
                        $this->printDebug( "trying to bind calling:", HIGHLYSENSITIVE );
                        $this->printDebug( "\tldap_bind( conn_handle=$this->ldapconn, userdn=$userdn, password=$password )..", HIGHLYSENSITIVE );
                        $bind = @ldap_bind( $this->ldapconn, $userdn, $password );
                }
                if ( !$bind ) {
                        // Log the numeric result code, its text and the server's extended message
                        $this->printDebug( "\tldap_bind(...) failed.", HIGHLYSENSITIVE );
                        $this->printDebug( "\tLDAP_Error Code       : " . ldap_errno( $this->ldapconn ), HIGHLYSENSITIVE );
                        $this->printDebug( "\tLDAP Error Msg        : " . ldap_error( $this->ldapconn ), HIGHLYSENSITIVE );
                        if ( ldap_get_option( $this->ldapconn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error ) ) {
                                $this->printDebug( "\tLDAP Extended ErrorMsg: $extended_error", HIGHLYSENSITIVE );
                        }
                        $this->printDebug( "Failed to bind as $userdn", NONSENSITIVE );
                        $this->printDebug( "with password: $password", HIGHLYSENSITIVE );
                        return false;
                }
                return true;
        }

results are:

2011-06-30 14:22:24  wikidb-sij_: 1.2e Entering Connect
2011-06-30 14:22:24  wikidb-sij_: 1.2e Using SSL
2011-06-30 14:22:24  wikidb-sij_: 1.2e Using servers:  ldaps://server2.domain.local
2011-06-30 14:22:24  wikidb-sij_: 1.2e Connection handle: Resource id #86
2011-06-30 14:22:24  wikidb-sij_: 1.2e Connected successfully
2011-06-30 14:22:24  wikidb-sij_: 1.2e Entering getSearchString
2011-06-30 14:22:24  wikidb-sij_: 1.2e Doing a straight bind
2011-06-30 14:22:24  wikidb-sij_: 1.2e userdn is: DOMAIN\user1
2011-06-30 14:22:24  wikidb-sij_: 1.2e
2011-06-30 14:22:24  wikidb-sij_: 1.2e Binding as the user
2011-06-30 14:22:24  wikidb-sij_: 1.2e trying to bind calling:
2011-06-30 14:22:24  wikidb-sij_: 1.2e  ldap_bind( conn_handle=Resource id #86, userdn=DOMAIN\user1, password=user1pwd )..
2011-06-30 14:22:24  wikidb-sij_: 1.2e  ldap_bind(...) failed.
2011-06-30 14:22:24  wikidb-sij_: 1.2e  LDAP_Error Code       : -1
2011-06-30 14:22:24  wikidb-sij_: 1.2e  LDAP Error Msg        : Can't contact LDAP server
2011-06-30 14:22:24  wikidb-sij_: 1.2e  LDAP Extended ErrorMsg: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2011-06-30 14:22:24  wikidb-sij_: 1.2e Failed to bind as DOMAIN\user1
2011-06-30 14:22:24  wikidb-sij_: 1.2e with password: user1pwd
2011-06-30 14:22:24  wikidb-sij_: 1.2e Entering strict.
2011-06-30 14:22:24  wikidb-sij_: 1.2e Returning true in strict().
2011-06-30 14:22:24  wikidb-sij_: 1.2e Entering allowPasswordChange
2011-06-30 14:22:24  wikidb-sij_: 1.2e Entering modifyUITemplate

So there must be a problem with the certificate file. How can I test whether the certificate is valid or not?

149.201.207.239 14:34, 30 June 2011

Finally I solved my problem. Maybe the solution is interesting for someone else:

The ldap.conf file has to be located at C:\ldap.conf instead of C:\openldap\sysconf/ldap.conf with that XAMPP-compiled PHP version.

For testing purposes I had created that file in both locations, but only changed the one in the sysconf folder. That file was never read and pointed to a wrong certificate file. So I modified the right file and SSL auth runs.

- - - - - - -

Tip:
If problems still remain, maybe this really good tutorial helps:

http://greg.cathell.net/php_ldap_ssl.html

Another tip:
You can test the SSL connection with the following command:

openssl s_client -connect myserver.com:636 -showcerts -state -CAfile C:\openldap\sysconf\server_cert.pem

(output should be something like this: http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#6.1 )

149.201.207.239 15:03, 6 July 2011

Can you update the requirements documentation with this information? Thanks!

Ryan lane 19:55, 11 July 2011


Hello there,
I'm trying to set up LDAP authentication for my organization on a MediaWiki site using your plugin, but I'm getting some problems in my attempts. Here is my configuration:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPUseLocal = false;

$wgLDAPDomainNames = array('organization.com');
$wgLDAPServerNames = array('organization.com' => 'ldapserver.organization.com');
$wgLDAPSearchStrings = array('organization.com' => 'sAMAccountName=USER-NAME,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com');
$wgLDAPBaseDNs = array('organization.com' => 'OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com' );
$wgLDAPEncryptionType = array('organization.com' => 'clear');
$wgLDAPRetrievePrefs = array('organization.com' => false );
$wgMinimalPasswordLength = 1;

//FOR DEBUGGING ONLY
$wgLDAPDebug = 8; //for debugging
$wgShowExceptionDetails = true; //for debugging MediaWiki
$wgDebugLogGroups["ldap"] = '/tmp/mediawiki_ldap_debug.log';

And here are my log entries:

2012-01-27 19:18:31 wiki: 1.2e Entering Connect
2012-01-27 19:18:31 wiki: 1.2e Using TLS or not using encryption.
2012-01-27 19:18:31 wiki: 1.2e Using servers: ldap://ldapserver.organization.com
2012-01-27 19:18:31 wiki: 1.2e Connected successfully
2012-01-27 19:18:31 wiki: 1.2e Entering getSearchString
2012-01-27 19:18:31 wiki: 1.2e Doing a straight bind
2012-01-27 19:18:31 wiki: 1.2e userdn is: sAMAccountName=hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com
2012-01-27 19:18:31 wiki: 1.2e
2012-01-27 19:18:31 wiki: 1.2e Binding as the user
2012-01-27 19:18:31 wiki: 1.2e trying to bind calling:
2012-01-27 19:18:31 wiki: 1.2e ldap_bind( conn_handle=Resource id #60, userdn=sAMAccountName=Hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com, password=***password*** )..
2012-01-27 19:18:31 wiki: 1.2e ldap_bind(...) failed.
2012-01-27 19:18:31 wiki: 1.2e LDAP_Error Code  : 49
2012-01-27 19:18:31 wiki: 1.2e LDAP Error Msg  : Invalid credentials
2012-01-27 19:18:31 wiki: 1.2e LDAP Extended ErrorMsg: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772
2012-01-27 19:18:31 wiki: 1.2e Failed to bind as sAMAccountName=Hugo,OU=Users,OU=Div,OU=ORGANIZATION,OU=AD,DC=organization,DC=com
2012-01-27 19:18:31 wiki: 1.2e with password: ***password***!
2012-01-27 19:18:31 wiki: 1.2e Entering allowPasswordChange
2012-01-27 19:18:31 wiki: 1.2e Entering modifyUITemplate

By checking the LDAP error code 49 it appears the user 'hugo' was not found on the AD server (bind DN is not correct???). Could it be because of the upper-case letter at the beginning of the username? I'm sure I'm using the correct credentials to get access to my AD account, as well as the entered DN information, as I use the same to get access from the command line.

Thanks in advance for any appreciated help!

Best,
-Hugo

MediaWiki (1.1.18) is running on SL6.1, Apache 2.2.21 and PHP 5.3.9

137.187.241.7 19:43, 27 January 2012
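As an added example (not part of the LdapAuthentication extension or of any post in this thread), the helper below classifies the two kinds of extended error message that appear in the logs above: the OpenSSL "certificate verify failed" text behind error code -1 in the first post, and the Active Directory "data NNN" sub-code behind error code 49 in Hugo's post. The sub-code table is standard AD AcceptSecurityContext behaviour; the two sample messages are copied from the logs above, and the function name is my own.

```php
<?php
// Added example: explain the diagnostic message that
// ldap_get_option( $conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $msg ) returns after a
// failed bind, so the debug log names the real cause instead of only
// "Can't contact LDAP server" or "Invalid credentials".

/** Active Directory AcceptSecurityContext sub-codes (hex, as AD prints them). */
const AD_BIND_SUBCODES = [
    '525' => 'user not found: the bind DN or username does not exist',
    '52e' => 'invalid credentials: user exists but the password is wrong',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
];

/**
 * Turn an LDAP result code plus its diagnostic message into a short
 * explanation. Returns null when nothing recognisable is found.
 */
function explainBindFailure( int $errno, string $diagnostic ): ?string {
    // A TLS trust failure surfaces as result code -1 with an OpenSSL error text:
    // the client did not accept the server certificate (wrong or unread CA file).
    if ( $errno === -1 && stripos( $diagnostic, 'certificate verify failed' ) !== false ) {
        return 'TLS failure: server certificate not trusted; check TLS_CACERT in the ldap.conf that is actually read';
    }
    // AD reports every credential problem as code 49; only "data NNN" says which one.
    if ( $errno === 49 && preg_match( '/\bdata\s+([0-9a-fA-F]+)\b/', $diagnostic, $m ) ) {
        $code = strtolower( $m[1] );
        return 'AD sub-code ' . $code . ': ' . ( AD_BIND_SUBCODES[$code] ?? 'unknown sub-code' );
    }
    return null;
}

// Constructed samples: the two extended error messages quoted in the logs above.
$samples = [
    [ -1, 'error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed' ],
    [ 49, '80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772' ],
];
foreach ( $samples as [ $errno, $msg ] ) {
    echo explainBindFailure( $errno, $msg ) ?? 'no explanation', "\n";
}
```

Inside bindAs() this would be called as explainBindFailure( ldap_errno( $this->ldapconn ), $extended_error ) right after the ldap_get_option() check, and its result can be logged at NONSENSITIVE level because it contains no credential.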