Question
I've some problems configuring ldapcontrib in my environment.
I'm not sure if the plugin is connecting with ldap.
Is there a way to log more details? (I put on the debug in ldapcontrib and in twiki).
I've installed LdapContrib with the perl LdapContrib_installer (ok).
When I try to log on with an ldap user (orcladmin)... I can't!
I log in with a user from the secondaryManager.
LocalSite.cfg:
...
$TWiki::cfg{LoginManager} = 'TWiki::LoginManager::TemplateLogin';
$TWiki::cfg{LoginNameFilterIn} = '^[^\\s\\*?~^\\$@%`"\'&;|<>\\x00-\\x1f]+$';
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{MinPasswordLength} = 6;
$TWiki::cfg{Htpasswd}{FileName} = '/var/www/twiki/data/.htpasswd';
$TWiki::cfg{Ldap}{Host} = '192.168.0.22';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{BindDN} = 'cn=orcladmin';
$TWiki::cfg{Ldap}{BindPassword} = 'password';
$TWiki::cfg{Ldap}{UseSASL} = 0;
$TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$TWiki::cfg{Ldap}{Debug} = 1;
$TWiki::cfg{Ldap}{UserBase} = 'cn=Users,dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=organizationalPerson';
$TWiki::cfg{Ldap}{LoginAttribute} = 'uid';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 0;
$TWiki::cfg{Ldap}{NormalizeLoginName} = 0;
$TWiki::cfg{Ldap}{AllowChangePassword} = 0;
$TWiki::cfg{Ldap}{SecondaryPasswordManager} = 'TWiki::Users::HtPasswdUser';
$TWiki::cfg{Ldap}{GroupBase} = 'cn=Groups,dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=groupOfUniqueNames';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{MemberAttribute} = 'uniquemember';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{NormalizeGroupName} = 0;
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{MaxCacheAge} = -1;
$TWiki::cfg{Ldap}{PageSize} = 500;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
...
Apache error_log
...
[Wed Feb 20 17:50:34 2008] [error] [client 200.89.140.188] opening ldap cache from /var/www/twiki/working/work_areas/LdapContrib/cache.db, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:35 2008] [error] [client 200.89.140.188] called checkPassword(orcladmin, passU), referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:35 2008] [error] [client 200.89.140.188] dn not found, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:35 2008] [error] [client 200.89.140.188] finishing, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] constructed a new LdapContrib object, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] opening ldap cache from /var/www/twiki/working/work_areas/LdapContrib/cache.db, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] opening ldap cache from /var/www/twiki/working/work_areas/LdapContrib/cache.db, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] called lookupWikiName(GastonScapusio), referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] finishing, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
...
twiki.conf in httpd/conf.d
...
<Directory "/var/www/twiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
# Password file for TWiki users
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Require user GastonScapusio
Satisfy Any
</FilesMatch>
# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated.
#<FilesMatch ".*">
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
</Directory>
...
--
GastonScapusio - 20 Feb 2008
Answer
It looks like your incomplete BindDN entry might be causing it. You have to supply a valid DN for the bind user, e.g.
$TWiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=group,dc=location,dc=company,dc=local';
--
MartinKaufmann - 20 Feb 2008
Thanks, it's working now.
I modified {Ldap}{BindDN} and {Ldap}{UseSASL}
--
GastonScapusio - 21 Feb 2008
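A way to catch the incomplete BindDN from the answer before attempting a login, added here as an example (it is not part of the thread or of LdapContrib): it reads the {Ldap} settings from LocalSite.cfg text and reports any of BindDN, UserBase or GroupBase that does not end with {Ldap}{Base}. The function names are hypothetical, and "must sit under Base" is a heuristic assumed for this example, since a directory may accept bind DNs outside the search base.

```python
import re

# Constructed sample: four {Ldap} settings as they appear in the question's LocalSite.cfg.
SAMPLE_CFG = r"""
$TWiki::cfg{Ldap}{Base} = 'dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{BindDN} = 'cn=orcladmin';
$TWiki::cfg{Ldap}{UserBase} = 'cn=Users,dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{GroupBase} = 'cn=Groups,dc=ayi-asociados,dc=com';
"""

CFG_LINE = re.compile(r"^\$TWiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*'([^']*)'\s*;", re.M)


def parse_ldap_cfg(text):
    """Return {key: value} for single-quoted $TWiki::cfg{Ldap}{...} settings."""
    return dict(CFG_LINE.findall(text))


def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) RDNs, keeping escaped commas."""
    parts = re.findall(r"(?:\\.|[^,\\])+", dn)
    if ",".join(parts) != dn:  # empty RDN or dangling backslash
        raise ValueError(f"malformed DN {dn!r}")
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def check_dns(cfg):
    """Heuristic (an assumption of this example, not an LDAP rule): flag DNs outside Base."""
    base_dn = cfg.get("Base", "")
    base = split_dn(base_dn)
    findings = []
    for key in ("BindDN", "UserBase", "GroupBase"):
        value = cfg.get(key, "")
        try:
            rdns = split_dn(value)
        except ValueError as exc:
            findings.append((key, str(exc)))
            continue
        if not rdns:
            findings.append((key, "empty or missing"))
        elif not base or rdns[-len(base):] != base:
            findings.append((key, f"'{value}' does not end with Base '{base_dn}'"))
    return findings


if __name__ == "__main__":
    for key, problem in check_dns(parse_ldap_cfg(SAMPLE_CFG)):
        print(f"{{Ldap}}{{{key}}}: {problem}")
```

A finding here is a prompt to review the value, not proof that the bind will fail.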