#foswiki 2017-06-12,Mon

***ChanServ sets mode: +o Lynnwood__ [03:32]
ChanServ sets mode: +o Lynnwood [03:41]
ChanServ sets mode: +o Lynnwood [03:48]
............................................................................................... (idle for 7h54mn)
ChanServ sets mode: +o Lynnwood [11:42]
...... (idle for 29mn)
ChanServ sets mode: +o gac410 [12:11]
.......... (idle for 49mn)
<gac410> Release meeting starting in #foswiki-release [13:00]
.... (idle for 16mn)
<foswiki_irc8> Hello Everyone! [13:16]
<gac410> hello [13:17]
<foswiki_irc8> I was hoping to get a little better understanding of the compatibility between LDAPContrib and Active Directory [13:18]
<gac410> It definitely is compatible. But I'm not all that familiar with the details. It can be complicated. [13:19]
<foswiki_irc8> My first problem is getting TLS to work. I can't seem to figure out which certs and formats it is demanding [13:19]
<gac410> Unfortunately I have no idea. Hopefully someone else is lurking with knowledge ... anyone? [13:20]
<jtremblay> I changed to a full client: looking for LDAPContrib insights.... Anyone? [13:28]
<gac410> There are quite a few support questions related to ActiveDirectory. You might find some answers there.
http://foswiki.org/Support/WebSearch?tab=searchadvanced&search=Active%5Cs%3FDirectory&scope=all&order=topic&type=regex&limit=
[13:31]
<jtremblay> Thank You
My biggest problem seems to be with TLS configuration. I can't seem to find a format that it likes.
[13:32]
<gac410> jtremblay: what sort of errors do you get when attempting the TLS connection? [13:40]
<jtremblay> AH01215: - LdapContrib - WARNING: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, referer: http://acs-wiki.corp.internap.com/wiki/bin/login [13:43]
<gac410> okay. Do you know if your ldap server is using self-signed certificates? I think that this *might* be related to changes in the underlying IO::Socket::SSL support where it now defaults to requiring a signed certificate.
That is... when the server presents its certificate, the local TLS code attempts to verify the signature of the "Certificate Authority" that released the certificate.
(generally if you are not validating the CA signatures, it's possible for someone to spoof the server identity. So IO::Socket::SSL has made CA signature validation a default.)
So the settings of $Foswiki::cfg{Ldap}{TLSCAPath} or {Ldap}{TLSCAFile} need to point to the certificates of the "Certificate Authority" who issued the certificate.
The underlying OS generally installs the CA Certificates in the TLSCAPath. Typically somewhere in /etc. For example, on Ubuntu, it's in /etc/ssl/certs
If your cert was not issued by a public / well known authority, then you need to get the CA Cert from the signer, and point to it with the {Ldap}{TLSCAFile}
At least that's my understanding of all this based on struggles with Email TLS connections. I don't have LDAP available to fiddle with, but the underlying concepts are the same.
Ah... if you do NOT want verification, try setting $Foswiki::cfg{Ldap}{TLSVerify} to 'none'
[13:45]
.... (idle for 16mn)
<jtremblay> Thanks, I will look into this deeper. [14:10]
<gac410> okay good luck. I need to step away soon. Note that the docs on the {Ldap}{TLSVerify} are wrong. They fail to mention the "none" option. Simple typo, as the parameter is passed to Net::LDAP.
"Specify how to verify the servers certificate. Possible values are: 'require', 'optional' or 'require'." should read "values are: 'require', 'optional' or 'none'."
the default is 'require'
[14:11]
