
Question

Going bonkers soon. The problem is I cannot log in with LDAP authentication. Have tried every variant thinkable to me and from others' support cases. The plugin seems to work as groups get listed in TWikiGroups. I also put %LDAP{ "(uid=test*)" }% in a topic and it gets accounts from LDAP. We use Novell eDirectory 8.7.

The entry not found in "No such entry" from writeDebug is listed when I put %LDAP{"(uid=test*)"}% in a topic. I also registered a user and was then logged in. After logout and a new browser session I cannot log in again.

So for now we have set loginmanager to none to get things done. I should mention that I have removed .htaccess from bin. I have also tried AuthLDAPUrl and those options but to no luck either. This LdapContrib would save the day.

LocalSite.cfg is like this, as of now but I have tried a gzillion variants of ldap parameters:

$TWiki::cfg{DataDir} = '/opt/twiki/data';
$TWiki::cfg{Password} = 'cT1AOVjSf6.io';
$TWiki::cfg{Site}{Lang} = 'en';
$TWiki::cfg{Plugins}{LdapNgPlugin}{Enabled} = 1;
$TWiki::cfg{LocalesDir} = '/opt/twiki/locale';
$TWiki::cfg{ScriptUrlPath} = '/twiki/bin';
$TWiki::cfg{DefaultUrlHost} = 'http://10.5.48.5';
$TWiki::cfg{Site}{FullLang} = 'en-us';
$TWiki::cfg{PubUrlPath} = '/twiki/pub';
$TWiki::cfg{PubDir} = '/opt/twiki/pub';
$TWiki::cfg{TemplateDir} = '/opt/twiki/templates';
$TWiki::cfg{Site}{CharSet} = 'iso-8859-15';
$TWiki::cfg{Plugins}{WysiwygPlugin}{Enabled} = 1;
$TWiki::cfg{Ldap}{Host} = '10.5.48.12';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'o=VESTFOLD';
$TWiki::cfg{Ldap}{BasePasswd} = 'ou=Tonsberg,o=VESTFOLD';
$TWiki::cfg{Ldap}{BaseGroup} = 'ou=Felles,o=VESTFOLD';
$TWiki::cfg{Ldap}{LoginAttribute} = 'uid';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{WikiNameRemoveWhiteSpace} = 0;
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=account';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
$TWiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{MaxCacheHits} = -1;
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{Register}{AllowLoginName} = 1;
$TWiki::cfg{Register}{NeedVerification} = 0;
$TWiki::cfg{Sessions}{IDsInURLs} = 0;
$TWiki::cfg{LoginManager} = 'TWiki::Client::TemplateLogin';
$TWiki::cfg{MapUserToWikiName} = 0;

I have enabled writeDebug in LdapContrib.pm and the output says the following:

[Fri Aug 18 10:32:13 2006] [error] [client 10.5.48.5] LdapContrib - called LdapContrib constuctor, referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view
[Fri Aug 18 10:32:14 2006] [error] [client 10.5.48.5] LdapContrib - called connect, referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view
[Fri Aug 18 10:32:14 2006] [error] [client 10.5.48.5] LdapContrib - bind for LEk, referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view
[Fri Aug 18 10:32:14 2006] [error] [client 10.5.48.5] LdapContrib - LdapContrib - 32: NDS error: no such entry (-601), referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view
[Fri Aug 18 10:32:14 2006] [error] [client 10.5.48.5] LdapContrib - called search(objectClass=account, ou=Tonsberg,o=VESTFOLD, sub, 0, ARRAY(0x8d79d98)), referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view
[Fri Aug 18 10:32:14 2006] [error] [client 10.5.48.5] LdapContrib - called connect, referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view
[Fri Aug 18 10:32:14 2006] [error] [client 10.5.48.5] LdapContrib - anonymous bind, referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view
[Fri Aug 18 10:32:14 2006] [error] [client 10.5.48.5] LdapContrib - done search, referer: http://10.5.48.5/twiki/bin/login/Main/WebHome?origurl=/twiki/bin/view

Environment

TWiki version: 4.0.4
TWiki plugins:  
Server OS: Debian 3.1 stable
Web server: Apache2
Perl version: 5.8
Client OS:  
Web Browser: IE, Firefox
Categories:  

-- LarsEik - 18 Aug 2006

Answer


Lars, I have the same problem. Today I think I found out why: Our LDAP server can bind only with a full Distinguished Name (DN), not a Relative Distinguished Name (RDN).

When you try to log in, LdapContrib checks your login and password like this: It tries to bind to the LDAP directory with it, in the following format:

' {Ldap}{LoginAttribute} = what_you_typed_for_login', 'what_you_typed_for_password'.

So, in your case, it tries to bind with uid=LEk and your password. As you can see in your error log, this fails: LdapContrib - 32: NDS error: no such entry (-601). I think this is because:

the LDAP server only binds with the password and:

  1. the full DN (Distinguished Name), like "cn=Jones,\ Tom,ou=users,dc=company,dc=org"
  2. the RDN (Relative Distinguished Name), which is usually the CN, like "Jones, Tom", or
  3. userprincipalname, if assigned, which is our email address

It would be nice if the LDAP server allowed binding with the password and the samaccountname, or whatever LDAP attribute happens to hold the "username". This is not the fault of the LdapContrib but of the LDAP server.

When you sign into LDAP in other cases, like to log into your email, I guess that there is some intermediate mechanism that finds the DN from your UID, or maybe it checks your username and password some way other than binding (like NTLM?). Maybe LdapContrib needs an intermediate subroutine that gets the full DN from what you put for {Ldap}{LoginAttribute} and then tries to bind with that.

-- AndrewBanks - 05 Sep 2006
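
The "intermediate subroutine" suggested in the answer above is commonly called search-then-bind. The following is an added example, not LdapContrib's code and not from either poster: `ldap_search_then_bind` and its parameter names are hypothetical, it uses Net::LDAP, and it assumes the directory permits anonymous search, as the debug log in the question shows.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Hypothetical helper (not part of LdapContrib): returns the user's full DN
# when authentication succeeds, and nothing otherwise.
sub ldap_search_then_bind {
    my (%arg) = @_;
    my ($login, $password) = @arg{qw(login password)};

    # A simple bind with an empty password is an "unauthenticated bind",
    # which many servers answer with success; never accept it as a login.
    return unless defined $login    && length $login;
    return unless defined $password && length $password;

    my $ldap = Net::LDAP->new($arg{host}, port => $arg{port}, version => 3)
        or return;

    # Step 1: anonymous bind, then resolve the typed login name to its DN.
    my $mesg = $ldap->bind;
    if ($mesg->code) { $ldap->unbind; return; }

    # Escape the typed value so * ( ) \ cannot change the filter's meaning.
    my $filter = sprintf '(&(%s)(%s=%s))',
        $arg{login_filter}, $arg{login_attr}, escape_filter_value($login);
    $mesg = $ldap->search(
        base   => $arg{base},
        scope  => 'sub',
        filter => $filter,
        attrs  => ['1.1'],    # '1.1' asks for no attributes, only the DN
    );

    # Require exactly one match; none or several means there is no usable DN.
    if ($mesg->code || $mesg->count != 1) { $ldap->unbind; return; }
    my $dn = $mesg->entry(0)->dn;

    # Step 2: bind as that full DN with the password the user typed.
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = !$mesg->code;
    $ldap->unbind;
    return $ok ? $dn : ();
}

# Usage with the values from the LocalSite.cfg posted in the question:
# my $dn = ldap_search_then_bind(
#     host => '10.5.48.12', port => 389, base => 'ou=Tonsberg,o=VESTFOLD',
#     login_filter => 'objectClass=account', login_attr => 'uid',
#     login => $login, password => $password);
```

On port 389 a simple bind sends the password in clear text; Net::LDAP's `start_tls` can be called right after connecting if the server supports it.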

Closing after 30 days, try asking in the LdapContribDev topic.

-- PeterThoeny - 14 Oct 2006

Topic revision: r4 - 2006-10-14 - PeterThoeny
 