PHP STARTTLS

Recently upgraded an existing instance to 1.35 from 1.31. Had been using the original LDAPAuthentication app. Can authenticate successfully without TLS, but not after turning it on. Trying to hit an AD server.

When I run the debug test (php extensions/LDAPProvider/maintenance/ShowUserInfo.php --domain YourDomain --username SomeUser), I get this error stack:

MWException from line 139 of /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php: Could not start TLS!

#0 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php(90): MediaWiki\Extension\LDAPProvider\Client->maybeStartTLS()
#1 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/src/Client.php(229): MediaWiki\Extension\LDAPProvider\Client->init()
#2 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/maintenance/ShowUserInfo.php(49): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()
#3 /var/lib/mediawiki-1.35.0/maintenance/doMaintenance.php(107): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()
#4 /var/lib/mediawiki-1.35.0/extensions/LDAPProvider/maintenance/ShowUserInfo.php(72): require_once('/var/lib/mediaw...')
#5 {main}

Here's my ldap.json, which for now I keep in the main MediaWiki folder:

{
  "lc": {
    "connection": {
      "server": "lc.luther.edu",
      "user": "CN=hdwiki,OU=Vendor,DC=lc,DC=luther,DC=edu",
      "pass": "***secret***",
      "port": 1389,
      "enctype": "tls",
      "options": {
        "LDAP_OPT_DEREF": 1
      },
      "basedn": "DC=lc, DC=luther, DC=edu",
      "userbasedn": "DC=lc, DC=luther, DC=edu",
      "groupbasedn": "OU=Groups,DC=lc, DC=luther, DC=edu",
      "searchattribute": "samaccountname",
      "usernameattribute": "samaccountname",
      "realnameattribute": "cn",
      "emailattribute": "mail",
      "grouprequest": "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\UserMemberOf::factory",
      "presearchusernamemodifiers": [ "spacestounderscores", "lowercase" ]
    },
    "userinfo": [],
    "authorization": [],
    "groupsync": {
      "mapping": {
        "bureaucrat": "CN=Help_Desk_Managers,OU=Groups,DC=lc, DC=luther, DC=edu"
      }
    }
  }
}

Here's the relevant portion of my LocalSettings.php:

error_reporting( -1 );  // debugging. Comment out when in production
ini_set( 'display_errors', 1 ); // debugging. Comment out when in production
$wgDebugLogGroups['PluggableAuth'] =
$wgDebugLogGroups['LDAP'] =
$wgDebugLogGroups['MediaWiki\\Extension\\LDAPProvider\\Client'] =
$wgDebugLogGroups['LDAPAuthentication2'] =
$wgDebugLogGroups['LDAPAuthorization'] = '/tmp/LDAP.log';

...

$wgGroupPermissions['*']['autocreateaccount'] = true;

// Load LDAP Config from JSON
$ldapJsonFile = "$IP/ldap.json";
$ldapConfig = false;
if ( is_file( $ldapJsonFile ) && is_dir( "$IP/extensions/LDAPProvider" ) ) {
  $testJson = @json_decode( file_get_contents( $ldapJsonFile ), true );
  if ( is_array( $testJson ) ) {
    $ldapConfig = true;
  } else {
    error_log( "Found invalid JSON in file: $IP/ldap.json" );
  }
}

// Activate Extension
if ( $ldapConfig ) {

  wfLoadExtension( 'PluggableAuth' );
  wfLoadExtension( 'LDAPProvider' );
  wfLoadExtension( 'LDAPAuthentication2' );
  wfLoadExtension( 'LDAPAuthorization' );
  $LDAPProviderDomainConfigs = $ldapJsonFile;
  $wgPluggableAuth_ButtonLabel = "Log In";
  $LDAPAuthentication2AllowLocalLogin = true;
}

Error logs at /tmp/LDAP.log look like:

2020-11-24 16:51:11 wiki hdwiki_test: ldap_connect( $hostname = 'ldap://lc.luther.edu:1389', $port = 389 );
2020-11-24 16:51:11 wiki hdwiki_test: # __METHOD__ returns Resource id #773
2020-11-24 16:51:11 wiki hdwiki_test: Setting LDAP_OPT_PROTOCOL_VERSION to 3
2020-11-24 16:51:11 wiki hdwiki_test: ldap_set_option( $linkID, $option = 17, $newval = 3 );
2020-11-24 16:51:11 wiki hdwiki_test: # returns 1
2020-11-24 16:51:11 wiki hdwiki_test: Setting LDAP_OPT_REFERRALS to 0
2020-11-24 16:51:11 wiki hdwiki_test: ldap_set_option( $linkID, $option = 8, $newval = 0 );
2020-11-24 16:51:11 wiki hdwiki_test: # returns 1
2020-11-24 16:51:11 wiki hdwiki_test: Setting LDAP_OPT_DEREF to 1
2020-11-24 16:51:11 wiki hdwiki_test: ldap_set_option( $linkID, $option = 2, $newval = 1 );
2020-11-24 16:51:11 wiki hdwiki_test: # returns 1
2020-11-24 16:51:11 wiki hdwiki_test: ldap_start_tls( $linkID );

We thought it was odd that the first line of the last error code uses one port for $hostname and then another in $port. We tried not specifying the port in the ldap.json file; same result.


I have php7.4-ldap installed.


Thanks to anyone who read this far.

Here are the requirements when you use SSL or TLS against an LDAP server:


- The server cert in the LDAPS response will be verified by the php-ldap openssl library

- The server cert is provided by an MS-AD DC when hitting 389 with StartTLS enabled, or 636 SSL

- Also, you can use Global Catalog port 3268 with StartTLS enabled, or 3269 SSL


PHP LDAPS

- PHP LDAPS uses openssl under the hood, e.g. the system-wide CA bundle, a set of trusted certificate authorities

- For StartTLS or SSL methods to work, your box must trust the MS-AD CA which signed the server cert

- This means the MS-AD CA certificate needs to be merged with your system's CA bundle

- This is usually done with a tool named 'update-ca-certificates' or similar


One way of determining whether your box is verifying TLS with the DC is to use openssl at the CLI:


echo "" | openssl s_client -connect foobar-dc:389 -starttls ldap -prexit -showcerts


Firstly, look at the last line, "Verify return code": it will be 0 when the TLS/SSL is all OK.


The CA cert (e.g. the certificate chain) is included at the top of the output.

  1. You need to place the CA cert into your system-wide CA import directory
  2. Then run 'update-ca-certificates'
  3. Then test again with openssl; the CA must be trusted for the TLS verify return code to be 0


Adding the Additional CA File for DC

Example dir for placing extra CA files into: /usr/local/share/ca-certificates/

Check man update-ca-certificates to see if your directory is different.


Simply copy-and-paste the cert header, content, and footer lines into a new file:

/usr/local/share/ca-certificates/foobar-dc.ca2020.crt

-----BEGIN CERTIFICATE-----
cert content, in base64 format
-----END CERTIFICATE-----


And run 'update-ca-certificates'

This checks for new CA files in a location like /usr/local/share/ca-certificates/, and merges into the global bundle file, usually somewhere within /etc/ssl/
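To isolate the "Could not start TLS!" failure from the rest of MediaWiki, the following standalone probe repeats the steps the LDAPProvider log above shows (connect, protocol v3, ldap_start_tls) and prints the OpenLDAP diagnostic message, which normally names the OpenSSL reason (such as a missing issuer certificate). It is an added example, not the extension's code; the host, port and CA file path are placeholders for your own DC and the CA file you installed.

```php
<?php
// Standalone StartTLS probe: connect, set protocol v3, then ldap_start_tls().
// Added example, not LDAPProvider code. Host, port and CA path are placeholders.
declare(strict_types=1);

function probeStartTls(string $host, int $port, ?string $caFile = null): array {
    // Per-process TLS options; LDAP_OPT_X_TLS_* constants need PHP >= 7.1.
    if ($caFile !== null) {
        // Pointing at the DC's CA file explicitly separates "CA not in the
        // system bundle" from "server does not offer StartTLS on this port".
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    }
    // Keep verification on. LDAP_OPT_X_TLS_NEVER would make the handshake
    // "succeed" against any certificate; that hides the problem, it is not a fix.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // When the first argument is a URI, ldap_connect() ignores its $port
    // argument (the log above shows :1389 in the URI and 389 as $port), so the
    // port that actually matters is the one inside the URI.
    $ld = ldap_connect("ldap://$host:$port");
    if ($ld === false) {
        return ['ok' => false, 'stage' => 'connect', 'error' => 'invalid URI', 'diagnostic' => ''];
    }
    ldap_set_option($ld, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ld, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_start_tls($ld)) {
        // ldap_error() gives only the generic result code; the diagnostic
        // message carries the underlying TLS reason, which is what you need.
        $diag = '';
        ldap_get_option($ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        return ['ok' => false, 'stage' => 'starttls',
                'error' => ldap_error($ld), 'diagnostic' => (string) $diag];
    }
    return ['ok' => true, 'stage' => 'starttls', 'error' => '', 'diagnostic' => ''];
}

// Placeholder DC name, StartTLS port and CA file; replace with your own values.
$result = probeStartTls('foobar-dc.example.com', 389, '/usr/local/share/ca-certificates/foobar-dc-ca.crt');
print_r($result);
```

Run it once without the CA file argument (system bundle only) and once with it: if only the second succeeds, the CA has not been merged into the bundle yet, which is the update-ca-certificates step above.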
