
Question

I am trying to connect to my LDAP (AD) server to authenticate TWiki users.

I have used both the LdapContrib extension and Apache mod_ldap, but they both seem to fail on me.

The exact error is as follows:

For mod_ldap

[Tue Oct 02 09:39:39 2007] [warn] [client 10.224.102.162] [25295] auth_ldap authenticate: user dtolj authentication failed; URI /twiki/bin/configure.pl [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Tue Oct 02 09:39:39 2007] [error] [client 10.224.102.162] user dtolj: authentication failure for "/twiki/bin/configure.pl": Password Mismatch

[Wed Oct 03 03:41:46 2007] [warn] [client 10.224.102.162] [31139] auth_ldap authenticate: user dtolj authentication failed; URI /twiki/bin/view/TWiki/TWikiRegistration [LDAP: ldap_simple_bind_s() failed][Invalid credentials], referer: http://IP/twiki/
[Wed Oct 03 03:41:46 2007] [error] [client 10.224.102.162] user dtolj: authentication failure for "/twiki/bin/view/TWiki/TWikiRegistration": Password Mismatch, referer: http://IP/twiki/

and for LdapContrib extension:

constructed a new LdapContrib object
Ldap::Contrib - loading ldap cache from /var/www/html/twiki2/pub/_work_areas/LdapContrib/LdapCache
Ldap::Contrib - cacheHits=15
Ldap::Contrib - cacheAge=463
called checkPassword(dtolj, passU)
called getAccount(dtolj)
called search(filter=(&(objectClass=*)(sAMAccountName=dtolj)), base=cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local, scope=sub, limit=0, $
called connect
proxy bind
49: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece^@
failed to bind
1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece^@
error in search: 1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., da$
no such account
called isGroup(TWikiAdminGroup)
called groupMembers(TWikiAdminGroup)
called getGroupMembers(TWikiAdminGroup)
called isGroup(ATWikiUser)
isGroup{ATWikiUser}=0
called lookupLoginName(ATWikiUser)
found loginName in cache
called isGroup(ATWikiUser)
isGroup{ATWikiUser}=0
Ldap::Contrib - writing ldap cache to file
Ldap::Contrib - done

For more information here is my LocalSite.cfg

$TWiki::cfg{Ldap}{Host} = '10.224.*.*';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=otn,dc=local';
$TWiki::cfg{Ldap}{BindDN} = '';
$TWiki::cfg{Ldap}{BindPassword} = 'psw';
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{UserBase} = 'cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local';
$TWiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{LoginFilter} = 'objectclass=group';
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{GroupBase} = 'cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local';
$TWiki::cfg{Ldap}{GroupAttribute} = 'member';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectclass=group';
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{MemberAttribute} = 'cn';
$TWiki::cfg{Ldap}{MemberIndirection} = 1;
$TWiki::cfg{Ldap}{MaxCacheHits} = -1;
$TWiki::cfg{Ldap}{MaxCacheAge} = 600;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
$TWiki::cfg{Ldap}{PageSize} = 200;
$TWiki::cfg{Ldap}{Debug} = 1;

Furthermore, I was able to connect to LDAP using MediaWiki's LDAP extension, and it worked fine.

Here is the config file for the MediaWiki LDAP extension that works with LDAP:

#Beginning of LDAP settings======================================
require_once( "includes/LdapAuthentication.php" ); 
$wgAuth = new LdapAuthenticationPlugin(); 
$wgLDAPDomainNames = array( "OTN" ); 
$wgLDAPServerNames = array( "OTN"=>"10.224.*.*" ); 
$wgLDAPSearchStrings = array("OTN"=>"OTN\\USER-NAME" ); #("OTN"=>"cn=USER-NAME,ou=users,o=otn"
#$wgLDAPUseSSL = false; 
$wgLDAPEncryptionType = array( "OTN"=>"false" ); 
$wgLDAPUseLocal = true;         //allow use of local user DB + LDAP Auth 

$wgMinimalPasswordLength = 1; 
$wgLDAPRetrievePrefs = array( "OTN"=>"true" );

$wgLDAPDebug=3;


#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPBaseDNs = array( "OTN"=>"dc=otn,dc=local"  );      #UPDATE! $wgLDAPBaseDNs
$wgLDAPSearchAttributes = array( "OTN"=>"sAMAccountName" );

#$wgLDAPRequiredGroups = array( "OTN"=>array("cn=it group,ou=technical team,ou=users,ou=staff,ou=otn,dc=otn,dc=local") );
$wgLDAPRequiredGroups = array( 
  "OTN"=>array("cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local",
               "cn=nagios,ou=global security groups,ou=otn,dc=otn,dc=local",
               "cn=hr_team,ou=global security groups,ou=otn,dc=otn,dc=local",
               "cn=web_admin,ou=global security groups,ou=otn,dc=otn,dc=local" 
         ) );

$wgLDAPGroupUseFullDN = array( "OTN"=>true );
$wgLDAPGroupObjectclass = array( "OTN"=>"group" );
$wgLDAPGroupAttribute = array( "OTN"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "OTN"=>true );
//Pull LDAP groups a user is in, and update local wiki security group.
$wgLDAPUseLDAPGroups = array( "OTN"=>"true"); 
$wgLDAPGroupNameAttribute = array( "OTN"=>"cn" );

I tried entering the same settings from MW into the TWiki LDAP configuration, with no success.

Can somebody shed some light on this subject, since I have tried everything I know?

Environment

TWiki version: TWikiRelease04x01x02
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: RHEL5
Web server: Apache 2.2.3
Perl version: 5.8.8
Client OS: WinXP
Web Browser: IE7, Firefox2
Categories: Plugins

-- DejanTolj - 04 Oct 2007

Answer


In the case of LdapContrib, I guess the bind fails because you left the BindDN entry empty. You have to supply a valid DN for the bind user, e.g.

$TWiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=group,dc=location,dc=company,dc=local';

-- MartinKaufmann - 05 Oct 2007
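The two LdapContrib trace lines in the question (result 49 with "data 52e", then result 1 on the search) are Active Directory's standard diagnostics for a failed simple bind followed by an operation on a connection that never got bound. The Python below is an added example; it is not part of the original post, of LdapContrib or of TWiki. It decodes those diagnostic strings into the well-known AD sub-codes and lints the bind-related {Ldap} settings from the posted LocalSite.cfg for combinations that cannot produce a usable bind. The {Ldap} keys are passed in as a plain dict; the trace lines are copied from the question and the config dict is constructed from the posted values. AD accepts a DN, DOMAIN\user or user@domain as the simple-bind name, which is why the MediaWiki "OTN\\USER-NAME" form works while an empty BindDN does not.

```python
import re
from typing import Dict, List, Optional

# Sub-codes Active Directory reports as "data NNN" together with LDAP result 49
# (invalidCredentials) after a failed simple bind.
AD_BIND_SUBCODES = {
    0x525: "user not found (the bind name does not resolve to an account)",
    0x52E: "invalid credentials (wrong password, or wrong/empty bind DN or name)",
    0x530: "logon not permitted at this time (logon hours)",
    0x531: "logon not permitted at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password at next logon",
    0x775: "account locked out",
}

LDAP_RESULT_NAMES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                     34: "invalidDNSyntax", 49: "invalidCredentials"}

# AD diagnostic message format, e.g.
# "49: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece"
_AD_DIAG = re.compile(
    r"(?P<result>\d+):\s*(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>.*?),\s*data\s+(?P<data>[0-9A-Fa-f]+),\s*v[0-9A-Fa-f]+"
)


def decode_ad_error(line: str) -> Optional[Dict[str, object]]:
    """Decode one AD LdapErr diagnostic line; None if the line is not one."""
    # The trace shows the trailing NUL byte AD sends as "^@"; drop both spellings.
    clean = line.replace("\x00", "").replace("^@", "")
    m = _AD_DIAG.search(clean)
    if not m:
        return None
    result = int(m.group("result"))
    data = int(m.group("data"), 16)
    comment = m.group("comment")
    explanation = None
    if result == 49:
        explanation = AD_BIND_SUBCODES.get(data, "unknown AcceptSecurityContext sub-code")
    elif result == 1 and "successful bind" in comment:
        explanation = "connection is not bound; the preceding bind failed, fix that first"
    return {"result_code": result, "result_name": LDAP_RESULT_NAMES.get(result, "unknown"),
            "comment": comment, "data": data, "explanation": explanation}


def check_bind_config(cfg: Dict[str, object]) -> List[str]:
    """Lint the {Ldap} bind settings (keys as in LocalSite.cfg, values as given)."""
    problems = []
    bind_dn = str(cfg.get("BindDN") or "").strip()
    bind_pw = str(cfg.get("BindPassword") or "")
    if not bind_dn and bind_pw:
        problems.append("BindDN is empty but BindPassword is set: AD answers result 49, data 52e; "
                        "set BindDN to the bind account's DN, DOMAIN\\user or user@domain")
    elif not bind_dn:
        problems.append("anonymous bind: by default AD serves only the rootDSE to anonymous "
                        "clients, so the user search will fail")
    if bind_dn and not bind_pw:
        # Classic LDAP auth-bypass condition: DN plus empty password is an unauthenticated
        # bind, which AD by default answers with success as an anonymous session.
        problems.append("BindDN set with an empty password: AD treats this as a successful "
                        "anonymous bind, so bind success must never be read as authentication")
    if not cfg.get("SSL") and str(cfg.get("Port", 389)) != "636":
        problems.append("plaintext simple bind on port %s: the bind password crosses the wire "
                        "in clear; use LDAPS or StartTLS" % cfg.get("Port", 389))
    return problems


# Lines copied from the LdapContrib trace in the question.
TRACE = [
    "proxy bind",
    "49: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece^@",
    "failed to bind",
    "1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful "
    "bind must be completed on the connection., data 0, vece^@",
]

# Bind-related values from the posted LocalSite.cfg (constructed dict, not the real file).
POSTED_CFG = {"Host": "10.224.*.*", "Port": 389, "SSL": 0, "BindDN": "", "BindPassword": "psw"}


def diagnose(trace=TRACE, cfg=POSTED_CFG) -> List[str]:
    """One finding per decoded trace line, followed by the config problems."""
    findings = []
    for line in trace:
        d = decode_ad_error(line)
        if d:
            findings.append("result %d (%s), data 0x%x: %s"
                            % (d["result_code"], d["result_name"], d["data"], d["explanation"]))
    findings.extend(check_bind_config(cfg))
    return findings


if __name__ == "__main__":
    for finding in diagnose():
        print(finding)
```

Two further caveats the linter does not cover: in AD the members of a group are referenced by the group's member attribute and are not children of the group object, so a subtree search with UserBase set to the DN of cn=technical_team cannot return account entries even once the bind succeeds; and LoginFilter objectclass=group matches group objects, whereas AD user accounts carry objectClass=user.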

Thanks for your response. I don't really care what I use to authenticate users, mod_ldap or LdapContrib; whatever works, I will use.

OK, this is what I have now:

{Ldap}{Base} = OU=otn,DC=otn,DC=local
{Ldap}{BindDN} = CN=Dejan Tolj,OU=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local
{Ldap}{UserBase} = cn=users,ou=staff,ou=otn,dc=otn,dc=local
{Ldap}{LoginAttribute} = sAMAccountName
{Ldap}{WikiNameAttribute} = cn
{Ldap}{LoginFilter} = objectclass=group
{Ldap}{MapGroups} = 0

I disabled the group option for now, since I just want to see a basic connection. Also note that I am using MS Active Directory 2003.

I also tried again with mod_ldap and I got something new this time.

Here is my twiki.conf, called from the http.conf file.

#for LDAP password support uncomment the following (and fix up the paths)
AuthBasicProvider ldap
AuthLDAPURL ldap://10.224.*.*:389/ou=otn,dc=otn,dc=local?sAMAccountName??(objectClass=*)
AuthLDAPGroupAttribute memberOf
AuthLDAPGroupAttributeIsDN off
AuthzLDAPAuthoritative off
AuthLDAPBindDN "CN=Dejan Tolj,OU=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local"
AuthLDAPBindPassword "psw"

<Limit GET POST PUT>
    #require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
    require group cn=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local
</Limit>
AuthName 'LOGIN'
AuthType Basic
require valid-user

This setting logs me into a TWiki page without even asking for a login. How is that? I have set $TWiki::cfg{LoginManager} = 'none'; is it not supposed to give me a login dialog prompt?

-- DejanTolj - 05 Oct 2007

OK, I fixed it, somewhat, using mod_ldap!

I changed {LoginManager} = ApacheLogin and now I see the login prompt.

This is my twiki.conf

# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration

#for LDAP password support uncomment the following (and fix up the paths)
AuthBasicProvider ldap
AuthLDAPURL ldap://10.224.*.*:389/ou=otn,dc=otn,dc=local?sAMAccountName??(objectClass=*)
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
AuthzLDAPAuthoritative off
AuthLDAPBindDN "CN=Dejan Tolj,OU=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local"
AuthLDAPBindPassword psw

<Limit GET POST PUT>
    #require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
    require group cn=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local
    require group cn=hr_team,ou=global security groups,ou=otn,dc=otn,dc=local
</Limit>
AuthName 'Member Login'
AuthType Basic
require valid-user

The question I have now is why the users who log in are not stored in .htpasswd. Also, it would be nice if LDAP groups were mapped to TWiki. Do I have to create them manually?

Is this even possible with mod_ldap?

-- DejanTolj - 05 Oct 2007
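mod_authnz_ldap reads AuthLDAPURL as ldap://host:port/basedn?attribute?scope?filter: attribute defaults to uid, an empty or base scope is treated as sub, and the filter defaults to (objectclass=*). At login it searches the base for (&(filter)(attribute=username)), with the username escaped per RFC 4515, requires exactly one entry back, and then binds as that entry's DN with the password the browser sent. The Python below is an added example, not part of the original post or of Apache: it reproduces that parsing and filter construction offline so the effective search for the AuthLDAPURL posted above can be checked, including what happens to a username that carries filter metacharacters. The dc.example.test host in the extra inputs is made up.

```python
import re
from typing import Dict
from urllib.parse import unquote

# Escapes mod_authnz_ldap applies to the username before placing it in the
# search filter (RFC 4515 assertion-value escaping).
_FILTER_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> Dict[str, object]:
    """Parse ldap[s]://host[:port]/basedn?attribute?scope?filter as mod_authnz_ldap does."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url.strip())
    if not m:
        raise ValueError("AuthLDAPURL must be an ldap:// or ldaps:// URL: %r" % url)
    scheme, hostport, rest = m.groups()
    host, _, port = hostport.partition(":")          # IPv4 / hostname form only
    parts = rest.split("?")                          # RFC 2255 fields, '?' separated
    attribute = parts[1] if len(parts) > 1 and parts[1] else "uid"
    scope = parts[2].lower() if len(parts) > 2 and parts[2] else "sub"
    if scope != "one":
        scope = "sub"                                # base and empty both mean sub
    flt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectclass=*)"
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]                              # outer parens are re-added when building
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": unquote(parts[0]),
        "attribute": attribute,
        "scope": scope,
        "filter": flt,
    }


def build_user_filter(cfg: Dict[str, object], username: str) -> str:
    """The filter mod_authnz_ldap searches for below cfg['base'] to locate the user's DN."""
    return "(&(%s)(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))


def describe_lookup(url: str, username: str) -> str:
    """Human-readable summary of the search the module performs for a login attempt."""
    cfg = parse_auth_ldap_url(url)
    return ("search %s://%s:%d base=%s scope=%s filter=%s; bind as the single DN found "
            "with the user's password" % (cfg["scheme"], cfg["host"], cfg["port"],
                                          cfg["base"], cfg["scope"],
                                          build_user_filter(cfg, username)))


# The AuthLDAPURL from the posted twiki.conf.
POSTED_URL = "ldap://10.224.*.*:389/ou=otn,dc=otn,dc=local?sAMAccountName??(objectClass=*)"

if __name__ == "__main__":
    print(describe_lookup(POSTED_URL, "dtolj"))
    # A hostile username: without escaping it would rewrite the filter.
    print(describe_lookup(POSTED_URL, "*)(objectClass=*"))
```

The second call shows why the escaping matters: an unescaped username of *)(objectClass=* would turn the filter into one that matches any account, and the subsequent bind would then be attempted against whichever entry came back. On the group side, AD stores member values as full DNs, so with AuthLDAPGroupAttribute member the comparison only works when AuthLDAPGroupAttributeIsDN is on, which makes the module compare the authenticated user's DN against the group's member values; with it off, the bare username is compared instead.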

Sorry, closing this after more than 30 days of inactivity. Please feel free to re-open if needed.

-- PeterThoeny - 03 Dec 2007

Topic revision: r5 - 2007-12-03 - PeterThoeny