Question
Hi everybody,
I have two questions regarding LDAPContrib:
1) Which is the correct value for $TWiki::cfg{LoginManager} in the
LocalSite.cfg? How do I log in if everything is configured correctly? (Will I be logged in automatically or do I have to fill in my ldap username into some form?)
2) The TWiki site loads incredibly slowly when I use the line $TWiki::cfg{Ldap}{BasePasswd}. What's going on there? Is there any option to see in some log file or debug mode which steps are made during the authentication process?
Thanks again in advance!
Alex
$TWiki::cfg{MapUserToWikiName} = 0;
$TWiki::cfg{Ldap}{Host} = 'ldap-uf.server.ttt.de';
$TWiki::cfg{Ldap}{Base} = 'dc=server,dc=ttt,dc=de';
#$TWiki::cfg{Ldap}{BasePasswd} = 'OU=INTERN,OU=DEFAULT,OU=USER,OU=ACCOUNT,DC=server,DC=ttt,DC=de';
$TWiki::cfg{Ldap}{LoginAttribute} = 'mailNickname';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{WikiNameRemoveWhiteSpace} = 1;
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{BindDN} = 'Meier Peter';
$TWiki::cfg{Ldap}{BindPassword} = 'secret';
$TWiki::cfg{Plugins}{LdapNgPlugin}{Enabled} = 1;
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{LoginManager} = 'TWiki::Client::TemplateLogin';
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
Environment
--
AlexRaabe - 31 Jul 2006
Answer
The LoginManager is set correctly. To enable debugging edit the file lib/TWiki/Contrib/LdapContrib.pm and remove the comments in the function writeDebug() and in its calls, i.e. in the function connect(). Check your ldap server too. If you don't set BasePasswd then its value will default to ou=people,$Base (where $Base is the value of the Base setting), which most probably is not available in your directory.
Disable the UserMappingManager and try again. If you enable it you might want to set the BaseGroup dn too, which you haven't according to the settings above. BaseGroup then defaults to ou=group,$Base which most probably doesn't exist.
--
MichaelDaum - 31 Jul 2006
Okay, I've uncommented the writeDebug lines and can happily see now what's happening - very nice!
I tried the following things:
The first error (very slow loading of the site) appeared due to a "LdapUser - 4: Sizelimit exceeded" error after the proxy bind.
LdapContrib - called LdapUser constuctor, referer: http://...
LdapContrib - called LdapUser constuctor, referer: http://...
LdapContrib - called search(objectClass=user, OU=INTERN,OU=DEFAULT,OU=USER,OU=ACCOUNT,DC=server,DC=ttt,DC=de, sub, 0, ARRAY(0xefdd4c)), http://...
LdapContrib - called connect, http://...
LdapContrib - proxy bind, http://...
LdapContrib - LdapUser - 4: Sizelimit exceeded, http://...
LdapContrib - called getGroupMembers(TWikiAdminGroup), http://...
LdapContrib - called getGroup(TWikiAdminGroup), http://...
LdapContrib - called search((&(objectClass=group)(CN=TWikiAdminGroup)), CN=Gruppenname,OU=SERVER,OU=GROUP,DC=server,DC=ttt,DC=de, sub, 0, ARRAY(0xfde7a8)), http://...
LdapContrib - called getGroupNames, referer: http://...
LdapContrib - called search(objectClass=group, CN=Gruppenname,OU=SERVER,OU=GROUP,DC=server,DC=ttt,DC=de, sub, 0, ARRAY(0xfde988)), http://...
LdapContrib - called disconnect(), http://...
LdapContrib - called disconnect(), http://...
As LDAP group records seem to be a very interesting feature, I'd be thankful for a hint why the error occurs.
Anyway, to avoid this error I used TWikiUserManager instead of LDAPUserManager as you suggested.
The writeDebug command helped me to find the error in my config file. LoginAttribute was set to 'mailNickname', however, it should have been 'CN'.
So, I could successfully log in with
login=Meier Peter
password=secret
But why has the whitespace not been removed from my WikiName although I set the flag in the config file?
$TWiki::cfg{AdminUserWikiName} = 'TWikiAdminGroup';
$TWiki::cfg{MapUserToWikiName} = 0;
$TWiki::cfg{Ldap}{Host} = 'ldap.server.ttt.de';
$TWiki::cfg{Ldap}{Base} = 'dc=server,dc=ttt,dc=de';
$TWiki::cfg{Ldap}{BasePasswd} = 'OU=INTERN,OU=DEFAULT,OU=USER,OU=ACCOUNT,DC=server,DC=ttt,DC=de';
$TWiki::cfg{Ldap}{BaseGroup} = 'CN=Gruppenname,OU=SERVER,OU=GROUP,DC=server,DC=ttt,DC=de';
$TWiki::cfg{Ldap}{LoginAttribute} = 'CN';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'CN';
$TWiki::cfg{Ldap}{WikiNameRemoveWhiteSpace} = 1;
$TWiki::cfg{Ldap}{GroupAttribute} = 'CN';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{MemberAttribute} = 'member';
$TWiki::cfg{Ldap}{MemberIndirection} = 1;
$TWiki::cfg{Ldap}{BindDN} = 'Meier Peter';
$TWiki::cfg{Ldap}{BindPassword} = 'secret';
$TWiki::cfg{Plugins}{LdapNgPlugin}{Enabled} = 1;
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{LoginManager} = 'TWiki::Client::TemplateLogin';
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
--
AlexRaabe - 01 Aug 2006
Which ldap server are you using? How many accounts and groups have you got? What's the sizelimit of the server? Can you please add more writeDebugs to nail down the exact location where the error occurs.
Sizelimit exceeded should not happen during a bind but during a search where all hits are to be delivered as one result. So maybe the error happens somewhere else.
--
MichaelDaum - 01 Aug 2006
Here is again part of the error log. The numbers indicate a position in a module: 0-9 (search module), 10-19 (connect module), 20-29, 30-39, etc. belong together.
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - called LdapUser constuctor
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - called LdapUser constuctor
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - 30
... beginning of module search
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - 0
... switches to module connect
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - called search(objectClass=user, OU=INTERN,OU=DEFAULT,OU=USER,OU=ACCOUNT,DC=server,DC=ttt,DC=de, sub, 0, ARRAY(0xefc360))
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - 10
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - called connect
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - 11
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - 14
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - proxy bind
... end of module connect - back to search
[Tue Aug 01 20:09:58 2006] [error] LdapContrib - 1
[Tue Aug 01 20:12:05 2006] [error] LdapContrib - 2
[Tue Aug 01 20:12:05 2006] [error] LdapContrib - LdapUser - 4: Sizelimit exceeded
That means the search
my $msg = $this->{ldap}->search(
base=>$base,
filter=>$filter,
scope=>$scope,
sizelimit=>$limit,
attrs=>$attrs,
);
with the values
$base=OU=INTERN,OU=DEFAULT,OU=USER,OU=ACCOUNT,DC=server,DC=ttt,DC=de
$filter=objectClass=user
$scope=sub
$limit=0
$attrs=ARRAY(0xefe6c0)
is responsible for the error. But why? I guess the size limit is 1000 (as it is the standard option for Active Directory); the number of users is between 2000 and 3000.
--
AlexRaabe - 01 Aug 2006
Is there at least a chance to remove the whitespace from my WikiName? Otherwise the setting of groups, e.g.
Member list:
won't work. (In this example my WikiName is "Meier Peter".)
--
AlexRaabe - 02 Aug 2006
Alex, as my research so far showed you have no other choice but to increase the size limit of your AD. I did not figure out how to do pagedResults which is an LDAPv3 feature, as far as I know. Nor am I aware which ldap versions AD supports. I was under the impression that using $result->pop_entry() would be "paged" in a way. Now, I know that this is not the case. LDAP fetches all of the result with the first $ldap->search(...) ... what a standard.
The side effect of not being able to construct the user mapping is the reason that your WikiName is not reconstructed.
Btw. I uploaded a new version of the LdapContrib that adds in-memory caching. While creating a set of 2000+ dummy users I noticed that things got very slow. So now using this version + SpeedyCGI we are on track again.
--
MichaelDaum - 02 Aug 2006
First of all, thanks for your research in that issue!
Would it make any difference if I increased the size limit of my Active Directory? I mean, even now, with mod_perl enabled, it takes about one minute of loading until the error occurs. If every page needs that long to load...
btw, my ldap server supports V3.
Isn't there any chance my WikiName can be reconstructed like "MeierPeter" instead of "Meier Peter"? Otherwise (if user mapping also does not work correctly) the contrib is almost worthless to me at the moment ...
Please note also that I am using LoginAttribute='CN' ... that is why I log in as Meier Peter. Setting the LoginAttribute to 'mailNickname' (so I should log in as pmeier001) doesn't work.
That is remarkable because when I use mod_auth_ldap for authentication, it works without problems with these settings:
UID_Attr mailNickname (which is the identical setting in the .htaccess for $TWiki::cfg{Ldap}{LoginAttribute} = ...)
--
AlexRaabe - 03 Aug 2006
Increasing the size limit or even removing the limit makes the big difference. TWiki must be able to fetch all users. If not, the user mappings don't get constructed. When your user mappings can't be constructed your wikiname will not be processed removing the whitespaces.
Knowing that AD supports V3 is good information! I will see what I can do to implement explicit paged results.
For now: increase the size limit. Lots of people stumbled over this problem and have no size limits even on production systems.
Using mod_perl will only be of advantage if you use the latest LdapContrib >v0.6.
--
MichaelDaum - 03 Aug 2006
Okay, since our Active Directory administrator assured me he wouldn't increase the size limit (which is actually 2500) and furthermore strongly recommended using paged results instead, I will for now go back to the Apache LDAP variant of authentication instead of your solution.
Anyway, thanks for your help in this matter, I hope we'll soon see an updated version.
--
AlexRaabe - 03 Aug 2006
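Michael writes above that he has not yet worked out how to use pagedResults, and Alex's administrator recommends paged results over a larger size limit. The following is an added example, not code from LdapContrib, of fetching the whole user subtree with the LDAPv3 paged results control (Net::LDAP::Control::Paged, RFC 2696) so that a server size limit smaller than the number of users no longer aborts the search; it assumes the perl-ldap module is installed, the AD host from Alex's LocalSite.cfg is reachable, and proxy credentials in the environment variables LDAP_BIND_DN and LDAP_BIND_PW (assumed names).

```perl
# Added example, not code from LdapContrib: fetch all users of the BasePasswd
# subtree in pages so a size limit below the user count (Alex: 2500 vs
# 2000-3000 users) no longer aborts the search with "Sizelimit exceeded".
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_PAGED LDAP_SUCCESS);

# Settings taken from the LocalSite.cfg quoted in the thread; the proxy
# credentials come from the environment (assumed variable names).
my %cfg = (
    Host              => 'ldap.server.ttt.de',
    BasePasswd        => 'OU=INTERN,OU=DEFAULT,OU=USER,OU=ACCOUNT,DC=server,DC=ttt,DC=de',
    LoginFilter       => '(objectClass=user)',
    LoginAttribute    => 'mailNickname',
    WikiNameAttribute => 'CN',
    BindDN            => $ENV{LDAP_BIND_DN},
    BindPassword      => $ENV{LDAP_BIND_PW},
);

# What WikiNameRemoveWhiteSpace=1 is meant to do: "Meier Peter" -> "MeierPeter".
sub wiki_name { my $cn = shift; $cn =~ s/\s+//g; return $cn; }

my $ldap = Net::LDAP->new($cfg{Host}, version => 3)
    or die "cannot connect to $cfg{Host}: $@";
my $bind = $ldap->bind($cfg{BindDN}, password => $cfg{BindPassword});
die 'proxy bind failed: ' . $bind->error if $bind->code != LDAP_SUCCESS;

# Page size stays under the server's size limit; the server answers each
# round trip with at most this many entries plus a cookie for the next one.
my $page = Net::LDAP::Control::Paged->new(size => 500);
my %users;    # login name -> WikiName
while (1) {
    my $msg = $ldap->search(
        base    => $cfg{BasePasswd},
        scope   => 'sub',
        filter  => $cfg{LoginFilter},
        attrs   => [ $cfg{LoginAttribute}, $cfg{WikiNameAttribute} ],
        control => [$page],
    );
    die 'search failed: ' . $msg->error if $msg->code != LDAP_SUCCESS;
    for my $e ($msg->entries) {
        my $login = $e->get_value($cfg{LoginAttribute}) or next;
        $users{$login} = wiki_name($e->get_value($cfg{WikiNameAttribute}) // '');
    }
    # The paged response control carries the cookie; an empty one ends the search.
    my ($resp) = $msg->control(LDAP_CONTROL_PAGED) or last;
    my $cookie = $resp->cookie or last;
    $page->cookie($cookie);
}
printf "%d users fetched\n", scalar keys %users;
$ldap->unbind;
```

Each round trip returns at most 500 entries, so the server-side size limit is never hit and the full mapping from login name to whitespace-free WikiName can be built.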
Alex wrote:
I am using {LoginAttribute}='CN' ... that is why I log in as Meier Peter. Setting the Login Attribute to 'mailNickname' (so I should log in as pmeier001) doesn't work. That is remarkable because when I use mod_auth_ldap for authentication, it works without problems with these settings.
Alex, the same is true for us. With mod_auth_ldap, we can authenticate by just our "username" (be it mailnickname, samaccountname, or whatever your local installation of LDAP uses) and password. But with other LDAP tools like not only LdapContrib but also the PHP function ldap_bind and the Linux shell command ldapsearch, they can't bind with the username. I think this is because the LDAP server only binds with the password and:
- the full DN (Distinguished Name), like "cn=Jones,\ Tom,ou=users,dc=company,dc=org"
- the RDN (Relative Distinguished Name), which is usually the CN, like "Jones, Tom", or
- userprincipalname, if assigned, which is our email address
It would be nice if the LDAP server allowed binding with the password and the samaccountname, or whatever LDAP attribute happens to hold the "username". This is not the fault of the LdapContrib but of the LDAP server.
So, to make LdapContrib accept just my username and password, I hacked it. It appends '@company.com' to my username and then binds like this:
bind(me@company.com, mypassword)
instead of like this:
bind("uid=me,ou=users,dc=company,dc=com", mypassword)
(See the section authenticated bind in LdapContrib.pm.) Michael, maybe you can add more configuration attributes, like {loginSuffix}, to the ldap.cfg. You would also have to change the authenticated bind code so that it doesn't always prepend "{loginAttribute}=" and append ",{basePasswd}". Or before binding, get the full DN of the user.
--
AndrewBanks - 06 Sep 2006
The binding has been fixed in one of the latest releases of the LdapContrib to get the full DN of the user first.
--
MichaelDaum - 26 Dec 2006
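The "get the full DN first" approach Michael describes is the search-then-bind pattern: the proxy account looks up the DN belonging to the login name, and the user's password is then checked by binding as that DN, so no login suffix or DN string needs to be guessed. The following is an added example of that pattern, not the LdapContrib code; it assumes perl-ldap is installed, the AD host from the thread's LocalSite.cfg is reachable, and proxy credentials in LDAP_BIND_DN and LDAP_BIND_PW (assumed variable names).

```perl
# Added example, not code from LdapContrib: search-then-bind login check
# (look the DN up with the proxy account, then bind as that DN).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Settings from the thread's LocalSite.cfg; proxy credentials from the
# environment (assumed variable names).
my %cfg = (
    Host           => 'ldap.server.ttt.de',
    BasePasswd     => 'OU=INTERN,OU=DEFAULT,OU=USER,OU=ACCOUNT,DC=server,DC=ttt,DC=de',
    LoginFilter    => '(objectClass=user)',
    LoginAttribute => 'mailNickname',    # log in as pmeier001, not as the CN
    BindDN         => $ENV{LDAP_BIND_DN},
    BindPassword   => $ENV{LDAP_BIND_PW},
);

# Returns the user's DN when login and password check out, undef otherwise.
sub authenticate {
    my ($login, $password) = @_;
    # An empty password turns the second bind into an anonymous or
    # unauthenticated bind that many servers (AD included) accept, so
    # refuse it before talking to the directory at all.
    return undef unless defined $password && length $password;
    my $ldap = Net::LDAP->new($cfg{Host}, version => 3) or return undef;
    my $msg = $ldap->bind($cfg{BindDN}, password => $cfg{BindPassword});
    return undef if $msg->code != LDAP_SUCCESS;
    # escape_filter_value() (RFC 4515) makes the login name match only
    # literally, whatever filter metacharacters it contains.
    my $filter = sprintf '(&%s(%s=%s))', $cfg{LoginFilter},
        $cfg{LoginAttribute}, escape_filter_value($login);
    my $res = $ldap->search(
        base      => $cfg{BasePasswd},
        scope     => 'sub',
        filter    => $filter,
        attrs     => ['1.1'],    # no attributes, only the DN is needed
        sizelimit => 2,          # two hits would be ambiguous, not a login
    );
    return undef unless $res->code == LDAP_SUCCESS && $res->count == 1;
    my $dn = $res->entry(0)->dn;
    # The bind with the user's own password is the actual credential check.
    my $auth = $ldap->bind($dn, password => $password);
    $ldap->unbind;
    return $auth->code == LDAP_SUCCESS ? $dn : undef;
}
my ($login, $password) = @ARGV;
my $dn = authenticate($login // '', $password);
print defined $dn ? "authenticated as $dn\n" : "login failed\n";
```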
I am having the problem of mapping the login id (sAMAccountName) to the wiki name (FirstName with LastName). I used mod_authnz_ldap first for LDAP authentication and it works fine. In order to get the wiki name (FirstName with LastName) I went to LdapContrib. My confusion is configuring the LdapContrib. What should be given for the LoginManager (Template or Apache or LdapApache login) and whether I have to change anything in the twiki.conf file (what I had for the mod_authnz_ldap).
#SetHandler perl-script
#PerlResponseHandler ModPerl::Registry
#Options ExecCGI FollowSymLinks
#PerlOptions ParseHeaders
AllowOverride none
Options ExecCGI FollowSymLinks
Order allow,deny
Allow from all
AuthBasicProvider ldap
AuthType Basic
AuthName "Enter your portal id and password: For Eg: 012345 "
AuthLDAPURL "ldap://124578:389/DC=my,DC=domain,DC=COM?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "CN=01234,OU=Employees,DC=my,DC=domain,DC=COM"
AuthLDAPBindPassword blahblah
require ldap-attribute objectClass=user
SetHandler cgi-script
Order Deny,Allow
Deny from all
Satisfy Any
--
TWikiGuest - 15 May 2008
Software error:
Can't call method "getWorkArea" on an undefined value at /srv/www/twiki/lib/TWiki/Contrib/LdapContrib.pm line 236,
line 582.
For help, please send mail to the webmaster (webmaster@azingoPLEASENOSPAM.com),
giving this error message and the time and date of the error.
I am getting the above error for TWiki 4.2.2 and 4.2.3 releases. I updated with the LdapContrip.zip patch from Google; then I am getting the above error. Can you help me?
-- AnandappanChakravarthy - 18 Nov 2008
This looks like a version mismatch of TWiki and contrib. Best to open a new support question with details. See SupportGuidelines.
-- PeterThoeny - 18 Nov 2008