Topic on Extension talk:LDAPProvider

I have seen the same issue where my TLS fails. I have done a lot of configuration and been running mediawiki since 1.26 in production. I can test PHP client program from my linux server to the LDAP/AD server just fine; bind and connect.

Note I have written brief php test programs to run ldap bind, ldap connect, ldaps, and ldap starttls. I test them against our AD servers fine and the only one the fails is the STARTTLS test from port 389.

Maybe the mediawiki PHP code uses STARTTLS by default and fails there?

I would like to just use port 636 and TLS and not bother with 389 or StartTLS . How do we do that?

We have legacy apps that use clear 389 and we cannot setup StartTLS on that port for a while yet. We do support TLS/636 and can use that, but mediawiki needs to support that as a unique option; more than just StartTLS.

I have ran my own php tests the same, and also the extensions/LDAPProvider/maintenance/ShowUserInfo.php and extensions/LDAPProvider/maintenance/ShowUserGroups.php and they throw the same errors.

I can run PHP tests with 'clear'/389 and TLS/636 which work , but even those fail when I try a 'StartTLS' connection.

What setting can we change to just set it at 636/TLS?

The server fails every login and gives the same odd message of port configuration error it looks like:

2020-11-25 01:15:56 wikidb: In execute()

2020-11-25 01:15:56 wikidb: Getting PluggableAuth singleton

2020-11-25 01:15:56 wikidb: Class name: MediaWiki\Extension\LDAPAuthentication2\PluggableAuth

2020-11-25 01:15:56 wikidb: ldap_connect( $hostname = 'ldap://addc02.mydomain.com:636', $port = 389 );

2020-11-25 01:15:56 wikidb: # __METHOD__ returns Resource id #893

2020-11-25 01:15:56 wikidb: Setting LDAP_OPT_PROTOCOL_VERSION to 3

2020-11-25 01:15:56 wikidb: ldap_set_option( $linkID, $option = 17, $newval = 3 );

2020-11-25 01:15:56 wikidb: # returns 1

2020-11-25 01:15:56 wikidb: Setting LDAP_OPT_REFERRALS to 0

2020-11-25 01:15:56 wikidb: ldap_set_option( $linkID, $option = 8, $newval = 0 );

2020-11-25 01:15:56 wikidb: # returns 1

2020-11-25 01:15:56 wikidb: Setting LDAP_OPT_DEREF to 1

2020-11-25 01:15:56 wikidb: ldap_set_option( $linkID, $option = 2, $newval = 1 );

2020-11-25 01:15:56 wikidb: # returns 1

2020-11-25 01:15:56 wikidb: ldap_start_tls( $linkID );

2020-11-25 01:15:56 wikidb: # returns

Have you tried something like this in the "connection"-section of your domain config?

...
"port": 636,
"enctype": "clear",
...

If this does not work, you may need to modify files in the LDAPProvider extension [1-4]. Once you get it to work, please share the config you have used, or provide me with the changes on the codebase you have made so I can add them to the regular codebase and make sure future updates won't break you usecase.

[1] https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/1.0.4/src/Client.php#L100

[2] https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/1.0.4/src/Client.php#L134-L144

[3] https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/1.0.4/src/PlatformFunctionWrapper.php#L257-L265

[4] https://github.com/wikimedia/mediawiki-extensions-LDAPProvider/blob/1.0.4/src/PlatformFunctionWrapper.php#L237-L247

I have not tried that combination of port and 'clear' I can give it a shot.

I can confirm that "implicit TLS" (i.e. skipping STARTTLS, no 389 port open) works fine. I plan on posting a docker compose of the configuration soon.

Edit: Here it is: https://github.com/createyourpersonalaccount/openldap-mediawiki/