Topic on Extension talk:LDAPAuthentication2

Intermittent Login Failures via LDAP

8
Nwroble (talkcontribs)

I have been trying to get LDAP Authentication configured on our MediaWiki installation I am bringing up on our network. We are confguring with enctype = ssl in our ldap.json file over port 636. Have tried other combinations, but this seems to get me closest to fully functional. I am using LDAPAuthentication2/PluggableAuth and all the other required extensions in the LDAP stack.


I can sometimes log in properly, but will almost immediately get the following error if I try again with another browser after logging out, or even with the same browser in a subsequent attempt.

"MWException from line 169 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server”

It will work intermittently, but then fail. We believe the issue may have to do with a load balanced LDAP server. Not sure if anyone else has had either success or intermittent failures with hitting a load balanced Ldap server for authentication.

Would like to know if there is anything I need to set to possibly accommodate this if this is the issue. I have been told by our System Administrators that their load balancer is configured properly and has the proper Persistence, etc.. settings set properly, and that other applications that hit it work fine.

Has anyone had any similar issue or could offer any advice?

Thank you.

Osnard (talkcontribs)
Nwroble (talkcontribs)

Osnard, no, nothing compelling. And as an update to this, what is strange it seems that i can most of the time hit the Refresh on the browser, and then i get it in. There just doesnt seem to be any predictability to when it will fail or not.

Osnard (talkcontribs)

Can you try to set $LDAPProviderCacheType = CACHE_NONE; and tell me if it occurs more frequently.

Nwroble (talkcontribs)

I have added the $LDAPProviderCacheType = CACHE_NONE; into my LocalSettings.php file and tried a bunch of times. I'd say at least it is probably about the same number of intermittent failures as prior to doing so. Behavior is still the same following the error. Clicking refresh on browser then gets me in.

Nwroble (talkcontribs)

Also, just to let you know. I have changed my configuration in my ldap.json file to use tls/port 389 instead of ssl/port 636. Also I am now hitting a domain controller directly instead of the load balancer. At this point none of those variables seem to matter. I just get the intermittent failures and hitting the browser refresh gets me in. Also, an FYI, the error message is slightly different, for TLS, but I think that is just because it is going down a different code path for TLS vs SSL. Error message is now this: "MWException from line 141 of /var/www/mediawiki-1.34.2/extensions/LDAPProvider/src/Client.php: Could not start TLS!"

Nwroble (talkcontribs)

@Osnard, a follow up to this. I have now eliminated the intermittent LDAP login behavior. It ended up being that I needed to restart the php-fpm service (# systemctl restart php-fpm on RH 8). When I was making all my various changes in combination between servers/protocols/ports in the ldap.json and cert changes in ldap.conf, I was doing update.php everytime, but I never restarted php-fpm. I just happened to stumble upon this when trying to track down whether I had proper packages installed and was researching. Unfortunately, I am new to Linux and web servers in general. Thank for your help and taking interest.

Osnard (talkcontribs)

Sorry, I have no idea. If connection works once in a web request context it should work always. Also if the "CheckLogin.php" maintenance script works, we can assume that the LDAP configuration in general is okay. Could you please share the debug log, maybe I can spot something you didn't notice?

Reply to "Intermittent Login Failures via LDAP"