Recently upgraded an existing instance to 1.35 from 1.31. Had been using the original LDAPAuthentication app. Can authenticate successfully without TLS, but not after turning it on. Trying to hit an AD server.
When I run the debug test (php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser), I get this error stack:
MWException from line 139 of /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php: Could not start TLS!
#0 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php(90): MediaWiki\Extension\LDAPProvider\Client->maybeStartTLS()
#1 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php(229): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/maintenance/ShowUserInfo.php(49): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()
#3 /var/lib/mediawiki-1.35.0/maintenance/doMaintenance.php(107): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()
#4 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/maintenance/ShowUserInfo.php(72): require_once('/var/lib/mediaw...')
#5 {main}
Here is my ldap.json, which for now I keep in the main MediaWiki folder:
{
  "lc": {
    "connection": {
      "server": "lc.luther.edu",
      "user": "CN=hdwiki,OU=Vendor,DC=lc,DC=luther,DC=edu",
      "pass": "***secret***",
      "port": 1389,
      "enctype": "tls",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "DC=lc, DC=luther, DC=edu",
      "userbasedn": "DC=lc, DC=luther, DC=edu",
      "groupbasedn": "OU=Groups,DC=lc, DC=luther, DC=edu",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [
        "spacestounderscores",
        "lowercase"
      ]
    },
    "userinfo": [],
    "authorization": [],
    "groupsync": {
      "mapping": {
        "bureaucrat": "CN=Help_Desk_Managers,OU=Groups,DC=lc, DC=luther, DC=edu"
      }
    }
  }
}
Here's the relevant portion of my LocalSettings.php:
error_reporting( -1 ); // debugging. Comment out when in production
ini_set( 'display_errors', 1 ); // debugging. Comment out when in production
$wgDebugLogGroups['PluggableAuth'] =
    $wgDebugLogGroups['LDAP'] =
    $wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
    $wgDebugLogGroups['LDAPAuthentication2'] =
    $wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';
...
$wgGroupPermissions['*']['autocreateaccount'] = true;

// Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if ( is_file( $ldapJsonFile ) && is_dir( "$IP/extensions/LDAPProvider" ) ) {
    $testJson = @json_decode( file_get_contents( $ldapJsonFile ), true );
    if ( is_array( $testJson ) ) {
        $ldapConfig = true;
    } else {
        error_log( "Found invalid JSON in file: $IP/ldap.json" );
    }
}

// Activate Extension
if ( $ldapConfig ) {
    wfLoadExtension( 'PluggableAuth' );
    wfLoadExtension( 'LDAPProvider' );
    wfLoadExtension( 'LDAPAuthentication2' );
    wfLoadExtension( 'LDAPAuthorization' );
    $LDAPProviderDomainConfigs = $ldapJsonFile;
    $wgPluggableAuth_ButtonLabel = "Log In";
    $LDAPAuthentication2AllowLocalLogin = true;
}
Error logs at /tmp/LDAP.log look like:
2020-11-24 16:51:11 wiki hdwiki_test: ldap_connect( $hostname = 'ldap://lc.luther.edu:1389', $port = 389 );
2020-11-24 16:51:11 wiki hdwiki_test: # __METHOD__ returns Resource id #773
2020-11-24 16:51:11 wiki hdwiki_test: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-11-24 16:51:11 wiki hdwiki_test: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-11-24 16:51:11 wiki hdwiki_test: # returns 1
2020-11-24 16:51:11 wiki hdwiki_test: Setting LDAP_OPT_REFERRALS to 0
2020-11-24 16:51:11 wiki hdwiki_test: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-11-24 16:51:11 wiki hdwiki_test: # returns 1
2020-11-24 16:51:11 wiki hdwiki_test: Setting LDAP_OPT_DEREF to 1
2020-11-24 16:51:11 wiki hdwiki_test: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-11-24 16:51:11 wiki hdwiki_test: # returns 1
2020-11-24 16:51:11 wiki hdwiki_test: ldap_start_tls( $linkID );
We thought it was odd that the first line of the last error log uses one port for $hostname and then another in $port. We tried not specifying the port in the ldap.json file, same result.
I have php7.4-ldap installed.
Thanks to anyone who read this far.
Here is the requirement when you use SSL or TLS against an LDAP server:
- The Server-Cert in the LDAPS response will be verified by the php-ldap openssl library
- The Server-Cert is provided by an MS-AD DC when hitting 389 with StartTLS enabled, or 636 SSL
- Also, you can use Global Catalog ports 3268 with StartTLS enabled, or 3269 SSL
PHP LDAPS
- PHP LDAPS uses openssl under the hood - e.g. the system-wide CA-Bundle, a set of trusted Cert-Authorities
- For StartTLS or SSL methods to work, your box must trust the MS-AD CA which signed the Server-Cert
- This means the MS-AD CA certificate needs to be merged with your system's CA bundle
- This is usually done with a tool named 'update-ca-certificates' or similar
One way of determining whether your box is verifying TLS with the DC is to use openssl at the CLI:
echo "" | openssl s_client -connect foobar-dc:389 -starttls ldap -prexit -showcerts
Firstly, look at the last line, "Verify return code" - it will be 0 when the TLS/SSL is all OK.
The CA certificate (e.g. the certificate chain) is included at the top of the output.
- You need to place the CA Cert into your system-wide CA import directory
- Then run 'update-ca-certificates'
- Then test again with openssl, the CA must be trusted for the TLS verify return code to be 0
Adding the Additional CA File for DC
Example dir for placing extra CA files into: /usr/local/share/ca-certificates/
Check man update-ca-certificates to see if your directory is different
Simply copy-and-paste the Cert header, content, and footer lines into a new file:
/usr/local/share/ca-certificates/foobar-dc.ca2020.crt
-----BEGIN CERTIFICATE-----
cert content, in base64 format
-----END CERTIFICATE-----
And run 'update-ca-certificates'
This checks for new CA files in a location like /usr/local/share/ca-certificates/, and merges into the global bundle file, usually somewhere within /etc/ssl/
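The check described in this answer, as an added shell example that is not code from the thread or from the LDAPProvider project: it parses the output of the openssl s_client command above (the DC name foobar-dc is the answer's placeholder; SAMPLE_OUTPUT below is a constructed, abbreviated copy of what s_client prints when the DC's CA is not yet trusted), reads the "Verify return code" line, and splits the presented certificate chain into one PEM file per certificate so the issuing CA can be copied into /usr/local/share/ca-certificates/ as a .crt file before running update-ca-certificates.

```shell
#!/bin/sh
# Added example, not code from the thread above. Helpers for the check the
# answer describes: parse the output of
#   echo "" | openssl s_client -connect foobar-dc:389 -starttls ldap -prexit -showcerts
# to read the "Verify return code" line and to split the presented certificate
# chain into one PEM file per certificate. foobar-dc is the answer's placeholder
# host; SAMPLE_OUTPUT is constructed so the script runs offline.

# verify_code: print the numeric "Verify return code" from s_client output on stdin
# (-prexit repeats the session block, so the last occurrence is taken).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# verify_ok: succeed only when the chain verified against the system CA bundle.
verify_ok() {
    [ "$(verify_code)" = "0" ]
}

# chain_count: number of PEM certificate blocks in s_client output on stdin
# (grep -c exits 1 on zero matches, so keep the printed 0 and exit 0).
chain_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# split_chain DIR: write PEM block N from stdin to DIR/cert-N.pem, print N written.
# cert-1 is the DC's own certificate; the highest-numbered file is the top-most
# CA the DC sent, which is the one to install as /usr/local/share/ca-certificates/<name>.crt.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; f = dir "/cert-" n ".pem" }
        f != "" { print > f }
        /^-----END CERTIFICATE-----$/ { close(f); f = "" }
        END { print n + 0 }
    '
}

# Constructed sample of s_client output: a two-certificate chain whose CA is
# not in the system bundle (verify code 19, "self signed certificate in
# certificate chain"). The base64 bodies are placeholders, not real certificates.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=1 CN = foobar-dc-ca
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = foobar-dc.example
   i:CN = foobar-dc-ca
-----BEGIN CERTIFICATE-----
MIIB...constructed-leaf-certificate...
-----END CERTIFICATE-----
 1 s:CN = foobar-dc-ca
   i:CN = foobar-dc-ca
-----BEGIN CERTIFICATE-----
MIIB...constructed-ca-certificate...
-----END CERTIFICATE-----
---
SSL handshake has read 1234 bytes and written 456 bytes
    Verify return code: 19 (self signed certificate in certificate chain)
---'

# Stand-alone run against the constructed sample. For a live DC, replace the
# printf with the openssl pipeline quoted at the top of this file.
if printf '%s\n' "$SAMPLE_OUTPUT" | verify_ok; then
    echo "TLS verify OK: the DC certificate chains to a trusted CA"
else
    echo "TLS verify FAILED, code $(printf '%s\n' "$SAMPLE_OUTPUT" | verify_code); install the CA and re-run"
fi
```

After installing the CA with update-ca-certificates, re-run the openssl pipeline through verify_ok; only once it succeeds will ldap_start_tls() in php-ldap, which uses the same openssl bundle, stop failing for trust reasons. If the DC does not include its issuing CA in the chain it sends (split_chain then yields fewer files than expected), the CA certificate has to be exported from the CA itself rather than taken from s_client output.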