Question
I've set up Fedora Directory Server (Fedora-ds-1.0.4) on my Red Hat box and am trying to get TWiki to authenticate using it. I've also installed LdapNgPlugin and have been trying to access this LDAP server with it, but to no avail. This concerns me: I suspect that my inability to get anything out of the LDAP server using LdapNgPlugin indicates something is wrong in the LdapContrib configuration, given that LdapNgPlugin uses the config info from LdapConfig stored in LocalSite.cfg. The appropriate parts of LocalSite.cfg are included below.
When I execute the simple LDAP search based on this configuration:
LDAP{filter="(objectclass=*)" host="lupsca.arc.ab.ca" port="389" base="(ou=People,DC=lupsca,dc=arc,dc=ca,dc=ca)"}
I get: ERROR: 32: No such object
In Apache's error log, we just see:
[Tue Nov 13 17:16:14 2007] [error] [client ::1] proxy bind, referer: http://lupsca.arc.ab.ca/twiki/bin/edit/Main/CraigAumann?t=1194999359
[Tue Nov 13 17:16:14 2007] [error] [client ::1] 32: No such object, referer: http://lupsca.arc.ab.ca/twiki/bin/edit/Main/CraigAumann?t=1194999359
[Tue Nov 13 17:16:14 2007] [error] [client ::1] failed to bind, referer: http://lupsca.arc.ab.ca/twiki/bin/edit/Main/CraigAumann?t=1194999359
Any thoughts on what is wrong or ways to figure out what is wrong are appreciated.
$TWiki::cfg{Ldap}{Host} = 'lupsca.arc.ab.ca';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=lupsca,dc=arc,dc=ab,dc=ca';
$TWiki::cfg{Ldap}{BindDN} = 'TWiki LdapUser';
$TWiki::cfg{Ldap}{BindPassword} = 'somepass';
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{UseSASL} = 0;
$TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$TWiki::cfg{Ldap}{Debug} = 1;
$TWiki::cfg{Ldap}{UserBase} = 'ou=People,dc=lupsca,dc=arc,dc=ab,dc=ca';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$TWiki::cfg{Ldap}{LoginAttribute} = 'cn';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{NormalizeLoginName} = 1;
$TWiki::cfg{Ldap}{AllowChangePassword} = 1;
$TWiki::cfg{Ldap}{SecondaryPasswordManager} = 'TWiki::Users::HtPasswdUser';
$TWiki::cfg{Ldap}{GroupBase} = 'ou=TWikiGroups,dc=lupsca,dc=arc,dc=ab,dc=ca';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{NormalizeGroupName} = 1;
$TWiki::cfg{Ldap}{MapGroups} = 1;
--
CraigAumann - 14 Nov 2007
Answer
Do you have a proper BindDN entry? You have to supply a valid DN for the bind user, e.g.
$TWiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=group,dc=location,dc=company,dc=local';
--
MartinKaufmann - 14 Nov 2007
Most probably the BindDN TWiki LdapUser is wrong. It has to be a full distinguished name of the format as Martin already outlined. The base attribute in your %LDAP query above has got brackets (...). Try removing them. Try without any other parameters but a plain
%LDAP{"(objectClass=*)" limit="1"}%
--
MichaelDaum - 14 Nov 2007
Ok, made those changes, but the errors still persist for both queries.
Some more info:
./ldapsearch -x -b 'dc=lupsca,dc=arc,dc=ab,dc=ca' '(objectclass=*)'
Does work, and returns:
...
dn: uid=TWikiLdapUser,ou=Special Users,dc=lupsca,dc=arc,dc=ab,dc=ca
uid: TWikiLdapUser
givenName: TWiki
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: LDAPUser
cn: TWiki LdapUser
LocalSite.cfg should now be consistent with this entry with the only changes made shown below:
$TWiki::cfg{Ldap}{Base} = 'dc=lupsca,dc=arc,dc=ab,dc=ca';
$TWiki::cfg{Ldap}{BindDN} = 'cn=TWiki LdapUser,ou=Special Users,dc=lupsca,dc=arc,dc=ab,dc=ca';
$TWiki::cfg{Ldap}{BindPassword} = 'passwd';
Suggestions on other ways to test or figure out what is wrong are appreciated.
--
CraigAumann - 14 Nov 2007
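The two checks Martin and Michael suggest above (the BindDN must be a full distinguished name, and a search base must not be wrapped in parentheses like a filter) can be applied mechanically to LocalSite.cfg, and the ldapsearch output posted above allows a third: comparing the configured BindDN against the DN the directory actually returns for that entry. The script below is an added example for this thread, not part of LdapContrib or LdapNgPlugin. The embedded LocalSite.cfg lines and LDIF are constructed from the values posted above; the DN handling is a deliberately small approximation of RFC 4514 (split on unescaped commas, lower-case attribute types, collapse whitespace), enough for the DNs in this thread but not a full parser.

```python
"""Lint TWiki LdapContrib settings against an ldapsearch LDIF dump.

Added example for this support thread; not LdapContrib/LdapNgPlugin code.
Checks: BindDN is a DN (not a bare name), bases are not wrapped in
parentheses, and the BindDN matches an entry DN the directory returned.
"""
import re

# Constructed sample input, reduced from the values posted in the thread.
LOCALSITE_CFG = r"""
$TWiki::cfg{Ldap}{Base} = 'dc=lupsca,dc=arc,dc=ab,dc=ca';
$TWiki::cfg{Ldap}{BindDN} = 'cn=TWiki LdapUser,ou=Special Users,dc=lupsca,dc=arc ,dc=ab,dc=ca';
$TWiki::cfg{Ldap}{UserBase} = 'ou=People,dc=lupsca,dc=arc,dc=ab,dc=ca';
"""

# Constructed LDIF mirroring the ldapsearch output posted in the thread.
LDIF = """
dn: uid=TWikiLdapUser,ou=Special Users,dc=lupsca,dc=arc,dc=ab,dc=ca
uid: TWikiLdapUser
cn: TWiki LdapUser
objectClass: inetorgperson
"""

# $TWiki::cfg{Ldap}{Key} = 'value';  (single-quoted values only)
CFG_RE = re.compile(r"\$TWiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*'([^']*)'\s*;")
# One RDN: attributeType=value; the value may contain spaces ("Special Users").
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def parse_cfg(text):
    """Return {Key: value} for the Ldap settings found in LocalSite.cfg text."""
    return dict(CFG_RE.findall(text))


def split_dn(dn):
    """Split a DN on unescaped commas and strip whitespace around each RDN."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def is_dn(s):
    """True if every comma-separated component looks like attr=value."""
    parts = split_dn(s)
    return bool(parts) and all(RDN_RE.match(p) for p in parts)


def normalize_dn(dn):
    """Lower-case attribute types and collapse whitespace so DNs compare equal."""
    out = []
    for rdn in split_dn(dn):
        typ, _, val = rdn.partition("=")
        out.append(f"{typ.strip().lower()}={' '.join(val.split())}")
    return ",".join(out)


def ldif_dns(text):
    """Collect the 'dn:' lines of an LDIF dump."""
    return [ln[len("dn:"):].strip() for ln in text.splitlines() if ln.startswith("dn:")]


def lint(cfg, entry_dns):
    """Return a list of human-readable problems; empty means the checks pass."""
    problems = []
    bind = cfg.get("BindDN", "")
    if not is_dn(bind):
        problems.append(f"BindDN {bind!r} is not a distinguished name")
    for key in ("Base", "UserBase", "GroupBase"):
        value = cfg.get(key)
        if value and value.startswith("("):
            problems.append(f"{key} {value!r} is wrapped in parentheses; a base is a DN, not a filter")
    if is_dn(bind):
        known = {normalize_dn(d) for d in entry_dns}
        if normalize_dn(bind) not in known:
            problems.append(f"BindDN {bind!r} matches no entry DN in the directory dump")
    return problems


if __name__ == "__main__":
    for problem in lint(parse_cfg(LOCALSITE_CFG), ldif_dns(LDIF)) or ["no problems found"]:
        print(problem)
```

Against the sample above the only finding is that the configured BindDN (cn=TWiki LdapUser,...) does not match the entry's own DN (uid=TWikiLdapUser,...), which the directory would report as a failed bind. The same check against a live server is a simple bind with the command-line tool, `ldapsearch -x -D '<BindDN>' -w '<BindPassword>' -b '<Base>' '(objectClass=*)'`; if that fails with the same error the problem is in the directory or the DN, not in the plugin.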
Some other questions:
To what extent does LdapNgPlugin use the Apache setup of LdapContrib? I suspect I have some problems in the httpd/conf.d/twiki.conf file.
Does ldapsearch (or other such programs) need to be in the path for LdapNgPlugin to work?
Also, when I look at the LdapNgPlugin page on my local installation the variables are just listed as:
- $TWiki::cfg{Ldap}{Host} (overridable per query)
- $TWiki::cfg{Ldap}{Port} (overridable per query)
- $TWiki::cfg{Ldap}{Base} (overridable per query)
- $TWiki::cfg{Ldap}{Version} (overridable per query)
- $TWiki::cfg{Ldap}{SSL} (overridable per query)
- $TWiki::cfg{Ldap}{BindDN}
- $TWiki::cfg{Ldap}{BindPasswd
Shouldn't it display the actual values from the LocalSite.cfg file?
--
CraigAumann - 15 Nov 2007
There is no "Apache setup of LdapContrib". It does not depend on any setup you did to Apache. Most probably you mean the TWiki setup of LdapContrib. In that case the answer is: yes, LdapNgPlugin will default to the values you configured LdapContrib to. And yes, you can override them in an %LDAP query.
If you still can't contact your LDAP directory, then it might be restricted to something like SASL authentication, blocking any other type of access ...
--
MichaelDaum - 17 Nov 2007
Thanks Michael! I think the problem is on the Directory Server side. As I'm not an expert with Directory Server, I'll have to learn a bit more about it to ensure I've set up the BindDN user correctly, etc.
--
CraigAumann - 21 Nov 2007