Question
How do you get LDAP Authentication working on Apache?
1. You need to load the following modules in Apache httpd.conf
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
2. Your httpd.conf also needs to look something like:
<Directory "C:/twiki/bin/">
# RD: Changed None to All in next line, to enable .htaccess
AllowOverride All
Allow From All
Options ExecCGI
SetHandler cgi-script
AuthBasicProvider ldap
# off: LDAP authorization is not final, so other authorization modules may still be consulted
AuthzLDAPAuthoritative off
# Do basic password authentication in the clear
AuthType Basic
# The name of the protected area or "realm"
AuthName "Wiki: Enter Your Network Username/Password"
# Active Directory requires an authenticating DN to access records
AuthLDAPBindDN "CN=My Name,OU=Users,OU=People,OU=Regions,DC=ZA,DC=Company,DC=net"
# This is the password for the AuthLDAPBindDN user in Active Directory
AuthLDAPBindPassword Mypass
# The LDAP query URL (this won't work if you point to the root, i.e. just DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user))
AuthLDAPURL ldap://ms-m-dc:389/OU=Region,DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user)
AuthLDAPGroupAttribute department
AuthLDAPGroupAttributeIsDN off
require valid-user
</Directory>
There are a few problems with this:
1. If your users are split into multiple OUs, you are limiting the logons to users from one OU. This is the case in my environment, where users are split into the different regions. Does anyone know how to get around this?
--
LarreDo - 07 Sep 2006
Answer
Also, if you enable AuthLDAPRemoteUserIsDN, Apache sets the REMOTE_USER variable to CN=Larre Do. Maybe we can investigate using this and strip out the CN= and the spaces or "."... does anyone have any ideas on how to do this?
--
LarreDo - 07 Sep 2006
From the example above, this appears to be the LDAP interface to a Microsoft Active Directory...
If this is the case, the way to get around the multiple OU issue is to use the Global Catalog Server portion of AD. The GCS is basically a "flattened" tree which allows searching for a user without knowing to which OU they belong.
AuthLDAPURL "ldap://adserver.company.com:3268/DC=ad,DC=company,DC=com?cn"
Notice the port is 3268, not the normal LDAP 389.
--
CrisRhea - 04 Oct 2006
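As an added example, not code from the thread: a small Python check that parses AuthLDAPURL values the way mod_authnz_ldap reads them (base?attribute?scope?filter, with the module's defaults for empty parts) and flags the single-OU search base from the question against the Global Catalog URL from this answer. The sample URLs are the ones quoted above; the finding codes and texts are my own.

```python
from urllib.parse import unquote

GC_PORT = 3268  # Active Directory Global Catalog, the port the answer above recommends
# Defaults mod_authnz_ldap applies when a URL component is left empty
DEFAULT_ATTR, DEFAULT_SCOPE, DEFAULT_FILTER = "uid", "sub", "(objectClass=*)"

FINDINGS = {
    "single-ou-base": "search base lies inside an OU; users in other OUs can never log in",
    "global-catalog": "port 3268 is the Global Catalog, a flattened view spanning all OUs",
    "broad-filter": "filter matches every object; restrict it, e.g. to (objectClass=user)",
    "cleartext": "ldap:// without STARTTLS sends the bind password and user credentials in the clear",
}

def parse_ldap_url(url: str) -> dict:
    """Split an RFC 2255 URL: scheme://host[:port]/base?attrs?scope?filter."""
    url = url.strip().strip('"')
    scheme, _, remainder = url.partition("://")
    hostport, _, tail = remainder.partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?") + [""] * 4  # pad so missing components read as empty
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else (636 if scheme == "ldaps" else 389),
        "base": unquote(fields[0]),
        "attrs": fields[1] or DEFAULT_ATTR,
        "scope": fields[2] or DEFAULT_SCOPE,
        "filter": unquote(fields[3]) or DEFAULT_FILTER,
    }

def audit_ldap_url(url: str) -> list:
    """Return finding codes (keys of FINDINGS) for one AuthLDAPURL value."""
    u = parse_ldap_url(url)
    rdns = [rdn.strip().upper() for rdn in u["base"].split(",")]
    found = []
    if any(rdn.startswith("OU=") for rdn in rdns):
        found.append("single-ou-base")
    if u["port"] == GC_PORT:
        found.append("global-catalog")
    if u["filter"].lower() == "(objectclass=*)":
        found.append("broad-filter")
    if u["scheme"] == "ldap":
        found.append("cleartext")
    return found

if __name__ == "__main__":  # constructed samples: the question's URL and the answer's GC URL
    for url in ("ldap://ms-m-dc:389/OU=Region,DC=ZA,DC=Company,DC=net?sAMAccountName?sub?(objectClass=user)",
                '"ldap://adserver.company.com:3268/DC=ad,DC=company,DC=com?cn"'):
        print(url, [FINDINGS[c] for c in audit_ldap_url(url)])
```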
Hi, I get the error [LDAP: ldap_simple_bind_s() failed][Invalid Credentials]
--
SibiJoseph - 13 Mar 2007
Sorry, got it right.
My .htaccess file has the following:
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
# user twiki is in the OU named "mybranch" with password "twikipassword"
AuthLDAPBindDN CN=twiki,OU=mybranch,DC=atinav,DC=net
AuthLDAPBindPassword twikipassword
AuthName "Identify: Enter your Domain user name/password"
AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=net?sAMAccountName?sub?(objectClass=*)
AuthType Basic
AuthLDAPGroupAttributeIsDN off
--
SibiJoseph - 13 Mar 2007
One of the things I've been looking for, but have not found in these discussions, is mapping the login name (REMOTE_USER from Apache) to an LDAP looked-up WikiName (e.g., mapping "crhea" (my login) to "CrisRhea").
At my site, network logins are obnoxious (e.g., m0345634) and we'd like an automated way to register a user's WikiName (and deal with name collisions, etc.).
Anybody have any pointers to doing this? We already have Apache Auth working with TWiki, but we need this extra step to make it more user-friendly.
--
CrisRhea - 04 Apr 2007
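Added example, not code from the thread, for the REMOTE_USER question here and the AuthLDAPRemoteUserIsDN idea earlier: derive a WikiName either from a DN such as CN=Larre Do,... or from a bare login resolved through a directory lookup, and append a numeric suffix on collisions. DIRECTORY is a constructed stand-in for the LDAP lookup, and the WikiName check is a rough approximation, not TWiki's own rule.

```python
import re

# Constructed stand-in for an LDAP lookup of login (sAMAccountName) -> displayName
DIRECTORY = {
    "crhea": "Cris Rhea",
    "m0345634": "Cris Rhea",  # a second account whose display name collides
    "larredo": "Larre Do",
}

def first_rdn_value(dn: str) -> str:
    """Value of the leading CN= RDN of a DN, honouring backslash escapes."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError(f"expected CN as the first RDN, got {attr!r}")
    return re.sub(r"\\(.)", r"\1", value.strip())

def to_wiki_name(display_name: str) -> str:
    """Drop spaces, dots and other punctuation, then CamelCase the words."""
    words = re.findall(r"[A-Za-z0-9]+", display_name)
    name = "".join(w[:1].upper() + w[1:] for w in words)
    # Rough WikiName check: at least two capitalised words
    if not re.fullmatch(r"[A-Z][a-z0-9]*(?:[A-Z][a-z0-9]+)+", name):
        raise ValueError(f"{display_name!r} does not yield a valid WikiName")
    return name

def wiki_name_for(remote_user: str, taken: set) -> str:
    """Map REMOTE_USER (a DN or a bare login) to an unused WikiName and reserve it."""
    if "=" in remote_user:            # AuthLDAPRemoteUserIsDN on: a full DN
        display = first_rdn_value(remote_user)
    else:                             # bare login: resolve through the directory
        display = DIRECTORY[remote_user.lower()]
    base = to_wiki_name(display)
    candidate, n = base, 1
    while candidate in taken:         # collision: append a numeric suffix
        n += 1
        candidate = f"{base}{n}"
    taken.add(candidate)
    return candidate

if __name__ == "__main__":
    registered = set()
    for user in ("CN=Larre Do,OU=Users,OU=People,OU=Regions,DC=ZA,DC=Company,DC=net", "crhea", "m0345634"):
        print(user, "->", wiki_name_for(user, registered))
```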
When first accessing the Wiki, Apache will now prompt for and accept Active Directory credentials. However, the login page is still tied to the initial .htaccess usernames. What am I missing?
--
BenjaminJacobson - 06 Feb 2008
Is your PasswordManager set to TWiki::Users::LdapUser?
--
MartinKaufmann - 06 Feb 2008
Thanks, but trying to get there revealed another issue. I can't seem to authenticate within TWiki at all now. Can I edit the PasswordManager setting from the filesystem?
--
BenjaminJacobson - 06 Feb 2008
All the settings are stored in lib/LocalSite.cfg. For local authentication there is also the user admin (assuming you're using TWiki 4.2) which should work independent of LDAP.
--
MartinKaufmann - 07 Feb 2008
Yep. All settings are simple perl code in lib/LocalSite.cfg. If you are unsure about your previous value, look at data/configurationlog.txt where all changes made via configure are logged.
--
HaraldJoerg - 07 Feb 2008
Things seem to be getting worse!
I edited the lib/LocalSite.cfg and changed the PasswordManager setting from:
$TWiki::cfg{PasswordManager} = 'TWiki::Users::HtPasswdUser';
to
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
Restarted Apache and tried to log in using my AD credentials, and the following error resulted.
I did a find on that file, and it's not on the system. So, I guess I need help finding that pm?
Software error:
Can't locate TWiki/Users/LdapUser.pm in @INC (@INC contains: /opt/twiki/lib . /usr/lib/perl5/site_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/site_perl/5.8.8 /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl/5.8.6 /usr/lib/perl5/site_perl/5.8.5 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.8/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.5/i386-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.8 /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.8/i386-linux-thread-multi /usr/lib/perl5/5.8.8 /opt/twiki/lib/CPAN/lib//arch /opt/twiki/lib/CPAN/lib//5.8.8/i386-linux-thread-multi /opt/twiki/lib/CPAN/lib//5.8.8 /opt/twiki/lib/CPAN/lib/) at (eval 44) line 3.
--
BenjaminJacobson - 07 Feb 2008
It might be worth starting a new support topic where you could let us know about your system details (you could also do that here of course). Which TWiki version are you using? Are you trying to use LdapContrib (that's where LdapUsers.pm is from) or mod_authnz_ldap (which I've never used so far)?
--
MartinKaufmann - 07 Feb 2008
AuthzLDAPAuthoritative off
Great question - I added the above line, as instructed
--
BenjaminJacobson - 07 Feb 2008
Sorry, closing this after more than 30 days of inactivity. Best to open a new question with details.
--
PeterThoeny - 03 Apr 2008
This configuration needs adjustment for Apache 2.2 since the module mod_ldap has been deprecated in favour of authnz_ldap.
The syntax has changed a lot, especially for require valid-user; now you need to put require ldap-user and a list of users, which makes things a bit complicated.
--
RudyGodoy - 08 Apr 2008