Question

I am trying to connect to my LDAP (AD) server to authenticate TWiki users.

I have used both the LdapContrib extension and Apache mod_ldap but they both seem to fail on me.

The exact error is as follows:

For mod_ldap

[Tue Oct 02 09:39:39 2007] [warn] [client 10.224.102.162] [25295] auth_ldap authenticate: user dtolj authentication failed; URI /twiki/bin/configure.pl [LDAP: ldap_simple_bind_s() failed][Invalid credentials]
[Tue Oct 02 09:39:39 2007] [error] [client 10.224.102.162] user dtolj: authentication failure for "/twiki/bin/configure.pl": Password Mismatch

[Wed Oct 03 03:41:46 2007] [warn] [client 10.224.102.162] [31139] auth_ldap authenticate: user dtolj authentication failed; URI /twiki/bin/view/TWiki/TWikiRegistration [LDAP: ldap_simple_bind_s() failed][Invalid credentials], referer: http://IP/twiki/
[Wed Oct 03 03:41:46 2007] [error] [client 10.224.102.162] user dtolj: authentication failure for "/twiki/bin/view/TWiki/TWikiRegistration": Password Mismatch, referer: http://IP/twiki/

and for LdapContrib extension:

constructed a new LdapContrib object
Ldap::Contrib - loading ldap cache from /var/www/html/twiki2/pub/_work_areas/LdapContrib/LdapCache
Ldap::Contrib - cacheHits=15
Ldap::Contrib - cacheAge=463
called checkPassword(dtolj, passU)
called getAccount(dtolj)
called search(filter=(&(objectClass=*)(sAMAccountName=dtolj)), base=cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local, scope=sub, limit=0, $
called connect
proxy bind
49: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece^@
failed to bind
1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece^@
error in search: 1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., da$
no such account
called isGroup(TWikiAdminGroup)
called groupMembers(TWikiAdminGroup)
called getGroupMembers(TWikiAdminGroup)
called isGroup(ATWikiUser)
isGroup{ATWikiUser}=0
called lookupLoginName(ATWikiUser)
found loginName in cache
called isGroup(ATWikiUser)
isGroup{ATWikiUser}=0
Ldap::Contrib - writing ldap cache to file
Ldap::Contrib - done

For more information here is my LocalSite.cfg

$TWiki::cfg{Ldap}{Host} = '10.224.*.*';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=otn,dc=local';
$TWiki::cfg{Ldap}{BindDN} = '';
$TWiki::cfg{Ldap}{BindPassword} = 'psw';
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{UserBase} = 'cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local';
$TWiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{LoginFilter} = 'objectclass=group';
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{GroupBase} = 'cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local';
$TWiki::cfg{Ldap}{GroupAttribute} = 'member';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectclass=group';
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{MemberAttribute} = 'cn';
$TWiki::cfg{Ldap}{MemberIndirection} = 1;
$TWiki::cfg{Ldap}{MaxCacheHits} = -1;
$TWiki::cfg{Ldap}{MaxCacheAge} = 600;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
$TWiki::cfg{Ldap}{PageSize} = 200;
$TWiki::cfg{Ldap}{Debug} = 1;

Furthermore, I was able to connect to LDAP using MediaWiki's LDAP extension and it worked fine.

Here is the config file for the MediaWiki LDAP extension that works with LDAP:

#Beginning of LDAP settings======================================
require_once( "includes/LdapAuthentication.php" ); 
$wgAuth = new LdapAuthenticationPlugin(); 
$wgLDAPDomainNames = array( "OTN" ); 
$wgLDAPServerNames = array( "OTN"=>"10.224.*.*" ); 
$wgLDAPSearchStrings = array("OTN"=>"OTN\\USER-NAME" ); #("OTN"=>"cn=USER-NAME,ou=users,o=otn"
#$wgLDAPUseSSL = false; 
$wgLDAPEncryptionType = array( "OTN"=>"false" ); 
$wgLDAPUseLocal = true;         //allow use of local user DB + LDAP Auth 

$wgMinimalPasswordLength = 1; 
$wgLDAPRetrievePrefs = array( "OTN"=>"true" );

$wgLDAPDebug=3;


#DNs in $wgLDAPRequiredGroups must be lowercase, as search result attribute values are...
$wgLDAPBaseDNs = array( "OTN"=>"dc=otn,dc=local"  );      #UPDATE! $wgLDAPBaseDNs
$wgLDAPSearchAttributes = array( "OTN"=>"sAMAccountName" );

#$wgLDAPRequiredGroups = array( "OTN"=>array("cn=it group,ou=technical team,ou=users,ou=staff,ou=otn,dc=otn,dc=local") );
$wgLDAPRequiredGroups = array( 
  "OTN"=>array("cn=technical_team,ou=global security groups,ou=otn,dc=otn,dc=local",
               "cn=nagios,ou=global security groups,ou=otn,dc=otn,dc=local",
               "cn=hr_team,ou=global security groups,ou=otn,dc=otn,dc=local",
               "cn=web_admin,ou=global security groups,ou=otn,dc=otn,dc=local" 
         ) );

$wgLDAPGroupUseFullDN = array( "OTN"=>true );
$wgLDAPGroupObjectclass = array( "OTN"=>"group" );
$wgLDAPGroupAttribute = array( "OTN"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "OTN"=>true );
//Pull LDAP groups a user is in, and update local wiki security group.
$wgLDAPUseLDAPGroups = array( "OTN"=>"true"); 
$wgLDAPGroupNameAttribute = array( "OTN"=>"cn" );

I tried entering the same settings from MW into the TWiki LDAP config with no success.

Can somebody shine some light on this subject, since I have tried everything I know?

Environment

TWiki version: TWikiRelease04x01x02
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: RHEL5
Web server: Apache 2.2.3
Perl version: 5.8.8
Client OS: WinXP
Web Browser: IE7, Firefox2
Categories: Plugins

-- DejanTolj - 04 Oct 2007
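To make the LdapContrib debug output above easier to read, here is an added Python helper (not part of TWiki, LdapContrib or the original post) that decodes the Active Directory diagnostic strings such as `49: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece` and records whether the failing bind was the service (proxy) bind or a user's own password check, because the two call for different fixes. The LDAP result codes and AD `data` sub-codes are the standard documented values; the sample log lines are copied from the question, plus one constructed line for a locked-out account.

```python
import re

# LDAP result codes (RFC 4511) that appear in bind/search failures.
LDAP_RESULT_CODES = {
    0: "success",
    1: "operationsError",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Active Directory 'data' sub-codes carried in the diagnostic message of a
# failed bind (result 49). They say *why* AD rejected the bind, which the
# generic "Invalid credentials" text in the Apache log does not.
AD_BIND_DATA_CODES = {
    "525": "user not found (bind DN / UPN does not resolve to an account)",
    "52e": "invalid credentials (account found, wrong password or bind identity)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

HEAD_RE = re.compile(
    r"(?P<result>\d+):\s*(?P<hexerr>[0-9A-Fa-f]{8}):\s*LdapErr:\s*"
    r"DSID-(?P<dsid>[0-9A-Fa-f]+),\s*comment:\s*(?P<rest>.*)"
)
DATA_RE = re.compile(r",\s*data\s+(?P<data>[0-9A-Fa-f]+)\b")


def parse_ad_diagnostic(line):
    """Parse one AD LDAP diagnostic message out of a log line.

    Returns None if the line carries no diagnostic. 'data' is None when the
    message is truncated (as the 'error in search' line in the question is).
    """
    m = HEAD_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    d = DATA_RE.search(rest)
    code = int(m.group("result"))
    info = {
        "result_code": code,
        "result_name": LDAP_RESULT_CODES.get(code, "unknown"),
        "hex_error": m.group("hexerr").upper(),
        "dsid": m.group("dsid").upper(),
        "comment": (rest[: d.start()] if d else rest).strip(),
        "data": d.group("data").lower() if d else None,
        "meaning": None,
    }
    if code == 49 and info["data"] is not None:
        info["meaning"] = AD_BIND_DATA_CODES.get(info["data"], "unrecognised AD data code")
    return info


def triage_ldapcontrib_log(lines):
    """Walk LdapContrib debug output and explain every AD diagnostic found.

    LdapContrib first performs a service ('proxy') bind with {Ldap}{BindDN} to
    look the user up, and only then binds as the user to check the password.
    A failure during the proxy bind is a configuration problem, not a user typo.
    """
    findings = []
    phase = "unknown"
    for line in lines:
        text = line.strip()
        if text == "proxy bind":
            phase = "proxy bind"
        elif text.startswith("called checkPassword("):
            phase = "user bind"
        info = parse_ad_diagnostic(text)
        if info is None:
            continue
        info["phase"] = phase
        if info["result_code"] == 49 and phase == "proxy bind":
            info["advice"] = ("service account bind rejected: check {Ldap}{BindDN} and "
                              "{Ldap}{BindPassword}; an empty BindDN is an anonymous bind, "
                              "which AD does not grant search rights by default")
        elif info["result_code"] == 49:
            info["advice"] = "the user's own bind was rejected; see 'meaning' for the account state"
        elif info["result_code"] == 1:
            info["advice"] = "operation attempted on a connection that never bound successfully"
        else:
            info["advice"] = "see 'result_name'"
        findings.append(info)
    return findings


# Lines copied from the LdapContrib output in the question ('^@' is how the
# trailing NUL byte AD appends was rendered on the page), plus one constructed
# line showing a locked-out account.
SAMPLE_LOG = [
    "called checkPassword(dtolj, passU)",
    "called connect",
    "proxy bind",
    "49: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece^@",
    "failed to bind",
    "1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a "
    "successful bind must be completed on the connection., data 0, vece^@",
    "no such account",
]
CONSTRUCTED_LOCKOUT = (
    "49: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 775, vece"
)

if __name__ == "__main__":
    for finding in triage_ldapcontrib_log(SAMPLE_LOG + [CONSTRUCTED_LOCKOUT]):
        print(finding)
```

Run against the question's log, the first finding is a result 49 with data `52e` during the proxy bind, which points at the empty `{Ldap}{BindDN}` rather than at the user's password; the second is the result 1 operationsError that follows once the search is attempted on the unbound connection.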

Answer


In the case of LdapContrib, I guess bind fails because you left the BindDN entry empty. You have to supply a valid DN for the bind user, e.g.

$TWiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=group,dc=location,dc=company,dc=local';

-- MartinKaufmann - 05 Oct 2007

Thanks for your response. I don't really care what I use to authenticate users, mod_ldap or LdapContrib; whatever works I will use.

OK, this is what I have now:

{Ldap}{Base} =OU=otn,DC=otn,DC=local 
{Ldap}{BindDN}=CN=Dejan Tolj,OU=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local
{Ldap}{UserBase} = cn=users,ou=staff,ou=otn,dc=otn,dc=local
{Ldap}{LoginAttribute} = sAMAccountName
{Ldap}{WikiNameAttribute} =cn
{Ldap}{LoginFilter} = objectclass=group
{Ldap}{MapGroups} = 0
I disabled the group option for now since I just want to see a basic connection. Also note that I am using MS Active Directory 2003.

I also tried again with mod_ldap and I got something new this time.

Here is my twiki.conf called from http.conf file.

#for LDAP password support uncomment the following (and fix up the paths)
AuthBasicProvider ldap
AuthLDAPURL ldap://10.224.*.*:389/ou=otn,dc=otn,dc=local?sAMAccountName??(objectClass=*)
AuthLDAPGroupAttribute memberOf
AuthLDAPGroupAttributeIsDN off
AuthzLDAPAuthoritative off
AuthLDAPBindDN "CN=Dejan Tolj,OU=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local"
AuthLDAPBindPassword "psw"

<Limit GET POST PUT>
    #require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
    require group cn=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local
</Limit>
AuthName 'LOGIN'
AuthType Basic
require valid-user

This setting logs me into a TWiki page without even asking for a login. How is that? I have set $TWiki::cfg{LoginManager} = 'none'; is it not supposed to give me a login dialog prompt?

-- DejanTolj - 05 Oct 2007

OK, I fixed it! Somewhat, using mod_ldap.

I changed {LoginManager} to ApacheLogin and now I see the login prompt.

This is my twiki.conf

# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration

#for LDAP password support uncomment the following (and fix up the paths)
AuthBasicProvider ldap
AuthLDAPURL ldap://10.224.*.*:389/ou=otn,dc=otn,dc=local?sAMAccountName??(objectClass=*)
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
AuthzLDAPAuthoritative off
AuthLDAPBindDN "CN=Dejan Tolj,OU=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local"
AuthLDAPBindPassword psw

<Limit GET POST PUT>
    #require group cn=mygroup,ou=groups,dc=yourldapserver,dc=com
    require group cn=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local
    require group cn=hr_team,ou=global security groups,ou=otn,dc=otn,dc=local
</Limit>
AuthName 'Member Login'
AuthType Basic
require valid-user

The question I have now is: why are the users who log in not stored in .htpasswd? It would also be nice if LDAP groups could be mapped to TWiki. Do I have to create them manually?

Is this possible with mod_ldap at all?

-- DejanTolj - 05 Oct 2007
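As an added example (not part of mod_authnz_ldap, TWiki or this thread), the following Python helper parses the `AuthLDAPURL` from the working configuration above the way mod_authnz_ldap documents it (default attribute `uid`, default scope `sub`, default filter `(objectClass=*)`), builds the effective search filter with the login name escaped per RFC 4515, and models how `require group` compares the group entry's `AuthLDAPGroupAttribute` values depending on `AuthLDAPGroupAttributeIsDN`. The URL and DNs are the ones shown in the post; the `dc1.example.test` host and the group's `member` values are constructed.

```python
from urllib.parse import unquote

# RFC 4515 escaping for values spliced into a search filter. mod_authnz_ldap
# escapes the login name itself; the step is shown here so it can be checked.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Parse an Apache AuthLDAPURL of the form
    scheme://host[:port][ host2[:port]]/basedn?attribute?scope?filter
    applying mod_authnz_ldap's documented defaults for omitted parts."""
    scheme, _, rest = url.partition("://")
    scheme = scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("unsupported scheme: %r" % scheme)
    hostpart, _, path = rest.partition("/")
    default_port = 636 if scheme == "ldaps" else 389
    hosts = []
    for h in hostpart.split():            # several hosts may be space-separated
        name, _, port = h.partition(":")
        hosts.append((name, int(port) if port else default_port))
    parts = path.split("?")
    parts += [""] * (4 - len(parts))      # pad to basedn, attribute, scope, filter
    attribute = parts[1].split(",")[0] or "uid"   # only the first attribute is used
    scope = parts[2].lower() if parts[2].lower() in ("one", "sub") else "sub"
    return {
        "scheme": scheme,
        "hosts": hosts,
        "base_dn": unquote(parts[0]),
        "attribute": attribute,
        "scope": scope,
        "filter": unquote(parts[3]) or "(objectClass=*)",
    }


def effective_search_filter(parsed, username):
    """The filter mod_authnz_ldap actually sends: the URL filter ANDed with
    attribute=<escaped login name>, so the login name cannot alter the query."""
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"],
                             escape_filter_value(username))


def group_allows(group_attr_values, user_dn, username, attribute_is_dn):
    """'require group' semantics: the group entry's AuthLDAPGroupAttribute values
    are compared with the user's DN when AuthLDAPGroupAttributeIsDN is on, and
    with the bare login name when it is off (DN matching is case-insensitive).
    AD's 'member' attribute holds DNs, so with IsDN off it never matches."""
    needle = (user_dn if attribute_is_dn else username).lower()
    return any(v.lower() == needle for v in group_attr_values)


# URL and user DN as posted in the working twiki.conf above.
POSTED_URL = "ldap://10.224.*.*:389/ou=otn,dc=otn,dc=local?sAMAccountName??(objectClass=*)"
USER_DN = "CN=Dejan Tolj,OU=IT Group,OU=Technical Team,OU=Users,OU=Staff,OU=OTN,DC=otn,DC=local"
# Constructed: what the IT Group entry's 'member' attribute would contain in AD.
IT_GROUP_MEMBERS = [USER_DN]


def check_posted_config(username="dtolj"):
    parsed = parse_auth_ldap_url(POSTED_URL)
    return {
        "parsed": parsed,
        "search_filter": effective_search_filter(parsed, username),
        "group_match_isdn_off": group_allows(IT_GROUP_MEMBERS, USER_DN, username, False),
        "group_match_isdn_on": group_allows(IT_GROUP_MEMBERS, USER_DN, username, True),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(check_posted_config(), indent=2))
```

The `group_match_isdn_off` result is the one to look at when `require group` behaves unexpectedly with a DN-valued attribute such as AD's `member`: with `AuthLDAPGroupAttributeIsDN off` the comparison is against the login name, so the posted group checks can only pass through a different rule (here `require valid-user`).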

Sorry, closing this after more than 30 days of inactivity. Please feel free to re-open if needed.

-- PeterThoeny - 03 Dec 2007

Topic revision: r5 - 2007-12-03 - PeterThoeny