This question about LDAP: Answered
Cannot authenticate using LdapContrib
Hi,
I installed Foswiki this week in my new company after using it for 5+ years in my previous one. I decided to use LDAP to authenticate users with our AD (
WinSvr 2003 R2) as a lot of users may potentially use it.
So I installed ldapcontrib, together with all its CPAN dependencies. Configured the plugin as follows (only showing the important bits related to LDAP):
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::TemplateLogin';
$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{Ldap}{Host} = 'sasdc01.karbochem.co.za';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'DC=karbochem,DC=co,DC=za';
$Foswiki::cfg{Ldap}{BindDN} = 'mailNickname=U579314,OU=Users,OU=Sasolburg,DC=karbochem,DC=co,DC=za';
$Foswiki::cfg{Ldap}{BindPassword} = 'xxxxxx';
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{UseSASL} = 1;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = '';
$Foswiki::cfg{Ldap}{TLSVerify} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'mailNickname';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'mailNickname';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{GroupBase} = [ 'ou=group,dc=my,dc=domain,dc=com' ];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 1;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PageSize} = 500;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest, wikiadmin';
$Foswiki::cfg{Ldap}{UserBase} = [ 'OU=Users,OU=Sasolburg,DC=karbochem,DC=co,DC=za' ];
Now I tested LDAP to the AD using the LDAP Admin tool with the following details:
- Same server (sasdc01) using port 389
- LDAP version 3
- Base DC=karbochem,DC=co,DC=za
- GSS-API with SASL
- Same username (U579314) and password
This works like a charm and I can see the whole AD. I deleted the cache DB file and refreshed the cache - it recreates the cache file (it takes very little time and the file is only 12kb, it does not seem to contain all the AD data...). The symptom is that I cannot log in using credentials from the AD.
What am I missing in setting up my LDAP-AD authentication?
Heinrich
So I saw that I did not use the correct LoginManager, so I changed to LdapApacheLogin. Then when trying to log in it tells me that Access is denied with reason 'Access check on Main failed. Action "viewauth": viewauth requires authentication.' The configuration also gives me a warning stating that 'You've specified an alternative login manager. It is critical that this list of scripts be consistent with the scripts protected by the Web Server. Verify that this setting is consistent with the Apache FilesMatch or LocationMatch or other configuration used by Foswiki::LoginManager::LdapApacheLogin.'
What now? Please help!
Heinrich
--
HeinrichVermeulen - 17 Sep 2013
I managed to figure it out and got it working. I played around with ldapsearch until I got it working there and then just used the same values in ldapcontrib.
The key to the problem was the 'BindDN' attribute, which did not include the domain as in 'karbochem\U579314' as opposed to 'U579314'. It also did not require SASL or any mechanisms.
I also changed the LoginManager back to 'Foswiki::LoginManager::TemplateLogin'.
Thanks for helping me figure it out for myself!
--
HeinrichVermeulen - 18 Sep 2013
Y.W.
--
MichaelDaum - 18 Sep 2013
Hi,
I'm totally new to Foswiki and had trouble successfully implementing Microsoft Active Directory login for it. After struggling through all the docs and questions here I could successfully do an LDAP search in a new topic (site) and was wondering why this works but I cannot log in.
Here is the content of my test page:
###################################################
%LDAP{"(objectClass=user)"
base="(ou=Mitarbeiter)"
limit="100"
cache="3600"
header="| Nr | LoginName | Name | Mail | Telephone |$n"
format="| $index | $sAMAccountName | $cn | $mail | $telephoneNumber |"
sort="cn"
clear="$mail,$telephoneNumber, $cn"
}%
###################################################
The solution for my problem was found in @HeinrichVermeulen's question above.
The $Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName'; and the $Foswiki::cfg{Ldap}{WikiNameAttributes} = 'sAMAccountName '; attributes must be the same. We wanted to log in with our MS AD username, for example "MMustermann", and so we had to change this to "sAMAccountName".
Maybe there could be a more detailed description in the docs for beginners. Or I have completely overlooked it....
Regards,
David
--
DavidFritsch - 27 Jul 2016
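The two fixes reported in this thread (a bind identity the AD accepts with a plain bind and no SASL, and LoginAttribute/WikiNameAttributes pointing at the same AD attribute) are the kind of thing that is easy to check mechanically before restarting Foswiki. The script below is an added example, not part of LdapContrib or of any post above: it parses $Foswiki::cfg{Ldap}{...} lines as pasted in the question, flags the attribute mismatch from the last reply, flags the shipped placeholder GroupBase and the posixGroup/memberUid group settings that the first configuration still carried (Active Directory groups are objectClass=group with a member attribute), and warns when BindPassword would travel in clear because UseTLS is 0 on a non-LDAPS port. The two configuration strings are constructed for the example; the "fixed" one reflects the thread's resolution plus TLS and AD group settings, which the thread itself does not show.

```python
"""Consistency checks for a Foswiki LdapContrib configuration.

Added example; not LdapContrib code. Parses lines of the form
  $Foswiki::cfg{Ldap}{Key} = value;
and reports findings a reviewer would raise before enabling LDAP login.
"""
import re

# Constructed sample modelled on the configuration posted in the question
# (Port 389, no TLS, SASL enabled, OpenLDAP-style group defaults, attribute
# mismatch as in the last reply).
SAMPLE_CONFIG = r"""
$Foswiki::cfg{Ldap}{Host} = 'sasdc01.karbochem.co.za';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{BindDN} = 'mailNickname=U579314,OU=Users,OU=Sasolburg,DC=karbochem,DC=co,DC=za';
$Foswiki::cfg{Ldap}{BindPassword} = 'xxxxxx';
$Foswiki::cfg{Ldap}{UseSASL} = 1;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{LoginAttribute} = 'mailNickname';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'sAMAccountName ';
$Foswiki::cfg{Ldap}{GroupBase} = [ 'ou=group,dc=my,dc=domain,dc=com' ];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{UserBase} = [ 'OU=Users,OU=Sasolburg,DC=karbochem,DC=co,DC=za' ];
"""

# Constructed "after" configuration: DOMAIN\user bind without SASL as in the
# thread's resolution, TLS enabled, AD group schema, matching attributes.
# 'OU=Groups,...' and the TLS setting are assumptions, not from the thread.
FIXED_CONFIG = r"""
$Foswiki::cfg{Ldap}{Host} = 'sasdc01.karbochem.co.za';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{BindDN} = 'karbochem\U579314';
$Foswiki::cfg{Ldap}{BindPassword} = 'xxxxxx';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 1;
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{GroupBase} = [ 'OU=Groups,OU=Sasolburg,DC=karbochem,DC=co,DC=za' ];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{UserBase} = [ 'OU=Users,OU=Sasolburg,DC=karbochem,DC=co,DC=za' ];
"""

LINE_RE = re.compile(r"^\s*\$Foswiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*(.*?);\s*$")


def parse_ldap_cfg(text):
    """Return {key: value}: quoted strings unquoted (whitespace kept, so a
    stray trailing space is visible), integers converted, [ '..', '..' ]
    lists split on their quoted elements (DNs contain commas, so no split on ',')."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith("[") and raw.endswith("]"):
            cfg[key] = re.findall(r"'([^']*)'", raw[1:-1])
        elif raw[:1] in ("'", '"'):
            cfg[key] = raw[1:-1]
        elif raw.lstrip("-").isdigit():
            cfg[key] = int(raw)
        else:
            cfg[key] = raw
    return cfg


def check_ldap_cfg(cfg):
    """Return a list of (severity, message) findings; empty means clean."""
    findings = []
    login = cfg.get("LoginAttribute", "").strip()
    wiki = [a.strip() for a in cfg.get("WikiNameAttributes", "").split(",") if a.strip()]
    if login and wiki and login not in wiki:
        findings.append(("error", f"LoginAttribute '{login}' is not among WikiNameAttributes "
                                   f"{wiki}; the thread's fix used sAMAccountName for both"))
    # A simple bind sends the password as-is; without TLS and off LDAPS it is cleartext.
    if cfg.get("BindPassword") and not cfg.get("UseTLS") and cfg.get("Port", 389) != 636:
        findings.append(("warning", "BindPassword (and every user's login password) is sent "
                                     "in clear: UseTLS=0 and Port is not 636"))
    if cfg.get("UseSASL") and cfg.get("BindDN"):
        findings.append(("info", "UseSASL=1 with a BindDN/BindPassword; the working setup in "
                                  "the thread used a plain bind as 'DOMAIN\\user' without SASL"))
    if any("dc=my,dc=domain" in g.lower() for g in cfg.get("GroupBase", [])):
        findings.append(("error", "GroupBase is still the shipped placeholder dc=my,dc=domain,dc=com"))
    if "posixgroup" in cfg.get("GroupFilter", "").lower() or \
            cfg.get("MemberAttribute", "").lower() == "memberuid":
        findings.append(("info", "GroupFilter/MemberAttribute use the posixGroup/memberUid "
                                  "schema; Active Directory groups are objectClass=group with 'member'"))
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for severity, msg in check_ldap_cfg(parse_ldap_cfg(text)) or [("ok", "no findings")]:
            print(f"[{severity}] {msg}")
```

Run it against the real LocalSite.cfg by reading the file and passing its text to parse_ldap_cfg; keys the script does not know are carried through untouched, so extending check_ldap_cfg with further site rules is a one-line addition.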