Question
I've some problems configuring ldapcontrib in my environment.
I'm not sure if the plugin is connecting with ldap.
Is there a way to log more details? (I put on the debug in ldapcontrib and in twiki).
I've installed LdapContrib with the perl LdapContrib_installer (ok).
When I try to log on with an ldap user (orcladmin)... I can't!
I log in with a user from the secondaryManager.
LocalSite.cfg:
...
$TWiki::cfg{LoginManager} = 'TWiki::LoginManager::TemplateLogin';
$TWiki::cfg{LoginNameFilterIn} = '^[^\\s\\*?~^\\$@%`"\'&;|<>\\x00-\\x1f]+$';
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{MinPasswordLength} = 6;
$TWiki::cfg{Htpasswd}{FileName} = '/var/www/twiki/data/.htpasswd';
$TWiki::cfg{Ldap}{Host} = '192.168.0.22';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{BindDN} = 'cn=orcladmin';
$TWiki::cfg{Ldap}{BindPassword} = 'password';
$TWiki::cfg{Ldap}{UseSASL} = 0;
$TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$TWiki::cfg{Ldap}{Debug} = 1;
$TWiki::cfg{Ldap}{UserBase} = 'cn=Users,dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=organizationalPerson';
$TWiki::cfg{Ldap}{LoginAttribute} = 'uid';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 0;
$TWiki::cfg{Ldap}{NormalizeLoginName} = 0;
$TWiki::cfg{Ldap}{AllowChangePassword} = 0;
$TWiki::cfg{Ldap}{SecondaryPasswordManager} = 'TWiki::Users::HtPasswdUser';
$TWiki::cfg{Ldap}{GroupBase} = 'cn=Groups,dc=ayi-asociados,dc=com';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=groupOfUniqueNames';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{MemberAttribute} = 'uniquemember';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{NormalizeGroupName} = 0;
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{MaxCacheAge} = -1;
$TWiki::cfg{Ldap}{PageSize} = 500;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
...
Apache error_log
...
[Wed Feb 20 17:50:34 2008] [error] [client 200.89.140.188] opening ldap cache from /var/www/twiki/working/work_areas/LdapContrib/cache.db, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:35 2008] [error] [client 200.89.140.188] called checkPassword(orcladmin, passU), referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:35 2008] [error] [client 200.89.140.188] dn not found, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:35 2008] [error] [client 200.89.140.188] finishing, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] constructed a new LdapContrib object, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] opening ldap cache from /var/www/twiki/working/work_areas/LdapContrib/cache.db, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] opening ldap cache from /var/www/twiki/working/work_areas/LdapContrib/cache.db, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] called lookupWikiName(GastonScapusio), referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
[Wed Feb 20 17:50:36 2008] [error] [client 200.89.140.188] finishing, referer: http://ayi-asociados.dyndns.org/twiki/bin/login/Main/WebHome
...
twiki.conf in httpd/conf.d
...
<Directory "/var/www/twiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
# Password file for TWiki users
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Require user GastonScapusio
Satisfy Any
</FilesMatch>
# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated.
#<FilesMatch ".*">
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
require valid-user
</FilesMatch>
</Directory>
...
-- GastonScapusio - 20 Feb 2008
Answer
It looks like your incomplete BindDN entry might be causing it. You have to supply a valid DN for the bind user, e.g.
$TWiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=group,dc=location,dc=company,dc=local';
-- MartinKaufmann - 20 Feb 2008
Thanks, it's working now.
I modified {Ldap}{BindDN} and {Ldap}{UseSASL}
-- GastonScapusio - 21 Feb 2008