How to resolve "returns Can't contact LDAP server" with MediaWiki LDAPS?

I keep getting this error below when authenticating via LDAPS with port 636 and enctype set to SSL.

2021-08-17 13:47:40 myApp testApp-mediawiki: # returns false
2021-08-17 13:47:40 myApp testApp-mediawiki: ldap_error( $linkID );
2021-08-17 13:47:40 myApp testApp-mediawiki: # returns Can't contact LDAP server
2021-08-17 13:47:40 myApp testApp-mediawiki: ldap_errno( $linkID );
2021-08-17 13:47:40 myApp testApp-mediawiki: # returns -1

This error comes from the LDAP.log file. The error on the page shows this:

[8455eaa1ff08ab61643bd17d] /index.php?title=Special:PluggableAuthLogin MWException: Could not bind to LDAP: (-1) Can't contact LDAP server

In Command prompt, I tried:

php ShowUserInfo.php --domain "domain.com" --username "username"

And it shows a similar error.

MWException from line 194 of C:\inetpub\testAppMediwiki.apps.mydomain.com\extensions\LDAPProvider\src\Client.php: Could not bind to LDAP: (-1) Can't contact LDAP server
#0 C:\inetpub\testAppMediwiki.apps.mydomain.com\extensions\LDAPProvider\src\Client.php(117): MediaWiki\Extension\LDAPProvider\Client->establishBinding()
#1 C:\inetpub\testAppMediwiki.apps.mydomain.com\extensions\LDAPProvider\src\Client.php(255): MediaWiki\Extension\LDAPProvider\Client->init()
#2 C:\inetpub\testAppMediwiki.apps.mydomain.com\extensions\LDAPProvider\maintenance\ShowUserInfo.php(49): MediaWiki\Extension\LDAPProvider\Client->getUserInfo()
#3 C:\inetpub\testAppMediwiki.apps.mydomain.com\maintenance\doMaintenance.php(112): MediaWiki\Extension\LDAPProvider\Maintenance\ShowUserInfo->execute()
#4 C:\inetpub\testAppMediwiki.apps.mydomain.com\extensions\LDAPProvider\maintenance\ShowUserInfo.php(72): require_once('C:\inetpub\help...')

If I use port 389 and not LDAP secure, it works fine.

There is 1 best solution below

Here's what works for me. I followed this article but on step 5, instead of:

TLS_CACERT c:\openldap\sysconf\webcert.crt

try:

TLS_CACERTDIR "C:/openldap/sysconf/"

Specifying a cert file is what keeps giving the error. Using the author's sample code in that article but placing this line of code at the beginning will generate a more useful error message. I hope this helps someone in the future.

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
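
A stand-alone PHP check along the lines the answer describes, added here as an example (it is not the article's sample code or the LDAPProvider extension's code): it sets the debug level and CA directory before connecting, keeps certificate verification on, and reports the library's diagnostic message for the bind. The server URI is a placeholder, the CA directory is the one from the answer, and the function name `probe_ldaps` is made up for this example.

```php
<?php
// Added example. Assumptions: $uri is a placeholder for your LDAPS server;
// $caDir is the directory named in the answer; probe_ldaps() is a hypothetical helper.
$uri   = 'ldaps://ldap.example.com:636';
$caDir = 'C:/openldap/sysconf/';

function probe_ldaps(string $uri, string $caDir): array
{
    if (!extension_loaded('ldap')) {
        return ['ok' => false, 'error' => 'PHP ldap extension is not loaded'];
    }
    if (!is_dir($caDir) || !is_readable($caDir)) {
        return ['ok' => false, 'error' => "CA directory not readable: $caDir"];
    }

    // Debug and TLS options are process-wide: set them on a NULL link
    // before ldap_connect(). The debug trace goes to stderr.
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, $caDir);
    // Keep server certificate verification mandatory.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // ldap_connect() only parses the URI; no socket is opened yet.
    $link = ldap_connect($uri);
    if ($link === false) {
        return ['ok' => false, 'error' => "Invalid LDAP URI: $uri"];
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Anonymous bind is the first network operation, so the TCP connect and
    // TLS handshake happen here. A handshake failure surfaces as errno -1.
    $ok = @ldap_bind($link);
    $detail = '';
    ldap_get_option($link, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    $result = [
        'ok'     => $ok,
        'errno'  => ldap_errno($link),
        'error'  => ldap_error($link),
        'detail' => $detail,   // TLS or server-side detail, when the library provides one
    ];
    ldap_unbind($link);
    return $result;
}

print_r(probe_ldaps($uri, $caDir));
```

Run it from the command line so the debug trace written to stderr is visible next to the printed result.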