Thread:Extension talk:LDAP Authentication/Changed from self signed to 3rd party certificate....

My team recently made some hardware and software updates. Now our longtime stable server won't run correctly.

We run an Apache server for the purposes of hosting a Wiki.
 * Apache: 2.0
 * PHP: 5.2.5 (apache2handler)
 * MediaWiki: 1.16.1
 * MySQL: 5.0.45-community-nt-log
 * LDAP Authentication Plugin (Version 1.2a (beta))

We upgraded from an old XP box to a rackmount server running Windows Server 2008. We took the migration opportunity to update from WebDev1 to WebDev2. We also went through the process of giving up our self-signed certificate and are now using a signed 3rd party cert.

So here's the problem: We can't bind users to our LDAP server from inside the wiki. We can authenticate, but the bind fails.

Now, we can authenticate AND bind using tester programs, such as Softerra or ldp.exe. But when trying to log in through the wiki, we get the following error reported to the wiki:


 * (I've blanked out the actual server and user entries for privacy purposes)

Entering validDomain User is using a valid domain. Setting domain as: XXX Entering getCanonicalName Username isn't empty. Munged username: Xxxxxxxx Entering authenticate

Entering Connect Using SSL Using servers: ldaps://xxxxxxx.xxx.xxx.xxx Connected successfully Entering getSearchString Doing a straight bind userdn is: XXX\Xxxxxxx

Binding as the user Failed to bind as XXX\Xxxxxxx Entering strict. Returning true in strict. Entering allowPasswordChange Entering modifyUITemplate

The 'error.log' is as follows:

[Tue Jul 05 09:08:01 2011] [info] mod_unique_id: using ip addr xxx.xx.xxx.xxx
[Tue Jul 05 09:08:02 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Jul 05 09:08:02 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Jul 05 09:08:02 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Jul 05 09:08:02 2011] [info] Init: Initializing (virtual) servers for SSL
[Tue Jul 05 09:08:02 2011] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8g
[Tue Jul 05 09:08:02 2011] [notice] ModSecurity for Apache 2.1.3 configured
[Tue Jul 05 09:08:02 2011] [warn] module auth_basic_module is already loaded, skipping
[Tue Jul 05 09:08:02 2011] [warn] module authz_user_module is already loaded, skipping
[Tue Jul 05 09:08:02 2011] [warn] The Alias directive in C:/www/Apache22/conf/extra/vhosts/localhost/suite-wordpress.conf at line 11 will probably never match because it verlaps an earlier Alias.
[Tue Jul 05 09:08:02 2011] [warn] The Alias directive in C:/www/Apache22/conf/extra/vhosts/localhost/suite-wordpress.conf at line 11 will probably never match because it overlaps an earlier Alias.
[Tue Jul 05 09:08:02 2011] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Tue Jul 05 09:08:02 2011] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

[Tue Jul 05 09:08:02 2011] [info] mod_unique_id: using ip addr xxx.xx.xxx.xxx
[Tue Jul 05 09:08:03 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Jul 05 09:08:04 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Jul 05 09:08:04 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Jul 05 09:08:04 2011] [info] Shared memory session cache initialised
[Tue Jul 05 09:08:04 2011] [info] Init: Initializing (virtual) servers for SSL
[Tue Jul 05 09:08:04 2011] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8g
[Tue Jul 05 09:08:04 2011] [notice] Apache/2.2.6 (Win32) PHP/5.2.5 mod_ssl/2.2.6 OpenSSL/0.9.8g configured -- resuming normal operations
[Tue Jul 05 09:08:04 2011] [notice] Server built: Sep 20 2007 14:13:35
[Tue Jul 05 09:08:04 2011] [notice] Parent: Created child process 3496
[Tue Jul 05 09:08:04 2011] [warn] module auth_basic_module is already loaded, skipping
[Tue Jul 05 09:08:04 2011] [warn] module authz_user_module is already loaded, skipping
[Tue Jul 05 09:08:04 2011] [warn] The Alias directive in C:/www/Apache22/conf/extra/vhosts/localhost/suite-wordpress.conf at line 11 will probably never match because it overlaps an earlier Alias.
[Tue Jul 05 09:08:04 2011] [warn] The Alias directive in C:/www/Apache22/conf/extra/vhosts/localhost/suite-wordpress.conf at line 11 will probably never match because it overlaps an earlier Alias.

[Tue Jul 05 09:08:04 2011] [info] mod_unique_id: using ip addr xxx.xx.xxx.xxx
[Tue Jul 05 09:08:05 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Jul 05 09:08:05 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Jul 05 09:08:05 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Jul 05 09:08:05 2011] [info] Init: Initializing (virtual) servers for SSL
[Tue Jul 05 09:08:05 2011] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8g
[Tue Jul 05 09:08:05 2011] [notice] ModSecurity for Apache 2.1.3 configured
[Tue Jul 05 09:08:05 2011] [warn] module auth_basic_module is already loaded, skipping
[Tue Jul 05 09:08:05 2011] [warn] module authz_user_module is already loaded, skipping
[Tue Jul 05 09:08:05 2011] [warn] The Alias directive in C:/www/Apache22/conf/extra/vhosts/localhost/suite-wordpress.conf at line 11 will probably never match because it overlaps an earlier Alias.
[Tue Jul 05 09:08:05 2011] [warn] The Alias directive in C:/www/Apache22/conf/extra/vhosts/localhost/suite-wordpress.conf at line 11 will probably never match because it overlaps an earlier Alias.
[Tue Jul 05 09:08:05 2011] [info] APR LDAP: Built with Microsoft Corporation. LDAP SDK
[Tue Jul 05 09:08:05 2011] [info] LDAP: SSL support unavailable: LDAP: CA certificates cannot be set using this method, as they are stored in the registry instead.

[Tue Jul 05 09:08:05 2011] [info] mod_unique_id: using ip addr xxx.xx.xxx.xxx
[Tue Jul 05 09:08:06 2011] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Jul 05 09:08:07 2011] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Jul 05 09:08:07 2011] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Jul 05 09:08:07 2011] [info] Shared memory session cache initialised
[Tue Jul 05 09:08:07 2011] [info] Init: Initializing (virtual) servers for SSL
[Tue Jul 05 09:08:07 2011] [info] mod_ssl/2.2.6 compiled against Server: Apache/2.2.6, Library: OpenSSL/0.9.8g
[Tue Jul 05 09:08:07 2011] [notice] Child 3496: Child process is running
[Tue Jul 05 09:08:07 2011] [info] Parent: Duplicating socket 412 and sending it to child process 3496
[Tue Jul 05 09:08:07 2011] [info] Parent: Duplicating socket 364 and sending it to child process 3496
[Tue Jul 05 09:08:07 2011] [notice] Child 3496: Acquired the start mutex.
[Tue Jul 05 09:08:07 2011] [notice] Child 3496: Starting 250 worker threads.
[Tue Jul 05 09:08:07 2011] [notice] Child 3496: Starting thread to listen on port 443.
[Tue Jul 05 09:08:07 2011] [notice] Child 3496: Starting thread to listen on port 80.

I have the 3rd party certificate imported through mmc.exe into the cert store as a Computer Account in the Trusted Root Cert Auth.

I've also found that if I edit my LocalSettings.php and change:

$wgLDAPEncryptionType = array('DOMAIN' => 'ssl');

to

$wgLDAPEncryptionType = array('DOMAIN' => 'clear');

then I can connect. So it will bind, just not as ssl.

Can someone help?
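The 'clear' workaround removes TLS from the bind, so it also carries every wiki user's password to the directory unencrypted; the script below, added here and not part of the thread or of the LDAP Authentication extension, reproduces the extension's straight bind over ldaps:// outside MediaWiki so a certificate-trust failure can be separated from a credential failure. It assumes the stock Windows PHP build, whose ldap extension is the OpenLDAP client library (a different client from the APR LDAP that the error.log lines report on) and so takes its CA trust from the TLS_CACERT setting in ldap.conf rather than from the Windows certificate store; the hostname, domain and account are placeholders.

```php
<?php
// Added diagnostic, not part of the thread or the LDAP Authentication extension.
// Performs the same "straight bind" the extension logs (Connect -> Bind as
// DOMAIN\user) over ldaps://, outside MediaWiki, and classifies the failure.
// Assumption: PHP's ldap extension is the OpenLDAP client library, so CA trust
// comes from ldap.conf (TLS_CACERT), not from the Windows certificate store.

$server   = 'ldaps://ldap.example.internal'; // placeholder hostname
$userdn   = 'DOMAIN\\testuser';              // placeholder, DOMAIN\user form
$password = getenv('LDAP_TEST_PASSWORD');    // keep the password out of the file

function tryBind($server, $userdn, $password) {
    if ($password === false || $password === '') {
        // An empty password makes LDAP perform an anonymous bind, which
        // "succeeds" and would hide the real result.
        return 'refusing to bind with an empty password';
    }
    $conn = ldap_connect($server);
    if (!$conn) {
        return "ldap_connect() rejected URI $server";
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // AD: do not chase referrals

    // The TCP and TLS handshake happens lazily inside ldap_bind(), so a
    // certificate-trust problem first surfaces here, not in ldap_connect().
    if (@ldap_bind($conn, $userdn, $password)) {
        ldap_unbind($conn);
        return 'bind OK: TLS trust and credentials both work';
    }
    $errno  = ldap_errno($conn);
    $err    = ldap_error($conn);
    $detail = '';
    ldap_get_option($conn, LDAP_OPT_ERROR_STRING, $detail);

    if ($errno == 49) {
        // invalidCredentials: the TLS session was established; DN/password wrong
        return "TLS fine, credentials rejected: $err ($detail)";
    }
    if ($errno == -1) {
        // "Can't contact LDAP server" right after a certificate change usually
        // means the client did not trust the new chain (TLS_CACERT in ldap.conf)
        return "connection/TLS failure: $err ($detail)";
    }
    return "bind failed: [$errno] $err ($detail)";
}

echo tryBind($server, $userdn, $password), "\n";
```

Run it with the same php.exe the web server loads (for example `php.exe -f bindtest.php`) and LDAP_TEST_PASSWORD set in the environment, so it exercises the same ldap extension and ldap.conf as the wiki.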