This question about Configuration: More info required

Hi

I installed Foswiki 2 weeks ago on a Debian jessie server. I want to connect Foswiki to my Active Directory server and use LdapContrib.

Everything seems to be OK (no error in /var/www/Foswiki/working/logs/error.log when I activate the user mapping Foswiki::Users::LdapUserMapping).

But none of my domain users can log in to the Foswiki server.

This is a part of my /var/www/Foswiki/lib/LocalSite.cfg:

$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'DC=mydomain,DC=lan';
$Foswiki::cfg{Ldap}{BindDN} = 'foswiki@mydomain.lan';
$Foswiki::cfg{Ldap}{BindPassword} = '.@foswiki!.!';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{GroupBase} = ['dc=mydomain,dc=lan'];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = '172.16.0.5';
$Foswiki::cfg{Ldap}{IPv6} = 0;
$Foswiki::cfg{Ldap}{IgnorePrivateGroups} = 1;
$Foswiki::cfg{Ldap}{IgnoreReferrals} = 0;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'member';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/krb5.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'cn';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=person';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '86400';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{MemberIndirection} = 1;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{Precache} = 0;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'memberOf';
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteLoginNames} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
'^(.*)@.*$' => '$1'
};
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '/etc/ssl/certs/';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseCanonicalUserIDs} = 0;
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 1;
$Foswiki::cfg{Ldap}{UserBase} = [',dc=mydomain,dc=lan'];
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'displayName,cn';

The only errors I've found in /var/log/apache2/error.log when I am logged in as the local Foswiki admin:

[Mon Feb 06 15:07:22.385285 2017] [cgi:error] [pid 847:tid 139837491312384] [client 172.16.0.141:52850] AH01215: - LdapContrib - cacheAge=2681, maxCacheAge=86400, lastUpdate=1486387361, refresh=0, referer: http://intranet.mydomain.lan/bin/configure

and the error when I'm trying to log in to Foswiki with my Active Directory user named usertest:

[Mon Feb 06 15:20:55.883635 2017] [cgi:error] [pid 848:tid 139837482919680] [client 172.16.0.141:52929] AH01215: - LdapContrib - called checkCacheForLoginName(usertest), referer: http://intranet.mydomain.lan/bin/login/Main/WebHome?foswiki_origin=GET%2cview%2c/Main/WebHome

Many thanks for your help

-- FredMinus - 06 Feb 2017

On all LdapContrib problems, the first question I ask is whether you've confirmed that 1) your Foswiki server can successfully communicate with your AD server and 2) your {BindDN} and {BindPassword} are correct. I've found it useful to use a command-line tool such as ldapsearch to test this.

You could also check if your LDAP user cache file is being created and populated. You can click on the "Refresh Cache" button near the top of the System.LdapContrib page and look at the Apache log for any errors, and also just check if the user cache was created. I believe it's located in foswiki_root/working/work_areas/LdapContrib.

Once we can confirm that this basic connectivity is happening, then we can look at other possible issues.

-- LynnwoodBrown - 06 Feb 2017
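The two checks listed above (can the Foswiki host reach the AD server, and do {BindDN} and {BindPassword} work) can be driven straight from the LocalSite.cfg posted earlier in the thread. The script below is an added example for this thread, not part of LdapContrib or Foswiki: it parses the {Ldap} settings out of a LocalSite.cfg, checks that Base, UserBase and GroupBase are well-formed DNs, escapes the login name per RFC 4515 so it cannot alter the filter, and prints the ldapsearch command that performs the bind and the user lookup with the configured LoginFilter and LoginAttribute. The sample configuration embedded in it is constructed from the values in the thread with a placeholder bind password. Run over the posted settings it flags UserBase, whose value begins with a comma and so is not a valid DN; a search scoped to such a base fails with an invalid-DN error instead of returning users, which is worth ruling out before looking further.

```python
"""Added example (not from the thread, LdapContrib or Foswiki): sanity-check
the {Ldap} settings of a LocalSite.cfg and build the ldapsearch probe that
tests connectivity, bind credentials and the user lookup. Needs Python 3.8+."""
import re
import shlex

# Constructed sample modelled on the thread's LocalSite.cfg. The bind
# password is a placeholder, not the value from the thread.
SAMPLE_CFG = r"""
$Foswiki::cfg{Ldap}{Base} = 'DC=mydomain,DC=lan';
$Foswiki::cfg{Ldap}{BindDN} = 'foswiki@mydomain.lan';
$Foswiki::cfg{Ldap}{BindPassword} = 'PLACEHOLDER_PASSWORD';
$Foswiki::cfg{Ldap}{GroupBase} = ['dc=mydomain,dc=lan'];
$Foswiki::cfg{Ldap}{Host} = '172.16.0.5';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'cn';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=person';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{UseTLS} = 1;
$Foswiki::cfg{Ldap}{UserBase} = [',dc=mydomain,dc=lan'];
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
"""

# One `$Foswiki::cfg{Ldap}{Key} = value;` line; multi-line hashes are skipped.
LINE_RE = re.compile(r"^\$Foswiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*(.+?);\s*$")

# Loose RFC 4514 shape: attr=value RDNs joined by commas, no leading/trailing
# comma, no empty value. Escaped commas inside values are not handled here.
RDN_RE = r"[A-Za-z][A-Za-z0-9-]*=[^,=]+"
DN_RE = re.compile(rf"^{RDN_RE}(,{RDN_RE})*$")


def parse_ldap_cfg(text):
    """Return {key: str} for scalar settings and {key: [str, ...]} for array refs."""
    cfg = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith("["):            # Perl array ref such as ['dc=a,dc=b']
            cfg[key] = re.findall(r"'([^']*)'", raw)
        elif raw.startswith("'"):          # quoted scalar
            cfg[key] = raw[1:-1]
        else:                              # bare number such as 0 or 1
            cfg[key] = raw
    return cfg


def dn_problems(cfg):
    """List the DN-valued settings that are missing or not well-formed.
    BindDN is deliberately not checked: AD also accepts a user@domain UPN there."""
    problems = []
    for key in ("Base", "UserBase", "GroupBase"):
        values = cfg.get(key, [])
        if isinstance(values, str):
            values = [values]
        if not values:
            problems.append(f"{key}: not set")
        for dn in values:
            if not DN_RE.match(dn):
                problems.append(f"{key}: {dn!r} is not a well-formed DN")
    return problems


def ldap_filter_escape(value):
    """RFC 4515 escaping so a login name cannot change the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def ldapsearch_command(cfg, login):
    """Build the ldapsearch call that binds as BindDN and looks up `login`
    the way LdapContrib would (LoginFilter AND LoginAttribute=login)."""
    host, port = cfg.get("Host", "localhost"), cfg.get("Port", "389")
    attr = cfg.get("LoginAttribute", "uid")
    filt = f"(&({cfg.get('LoginFilter', 'objectClass=person')})({attr}={ldap_filter_escape(login)}))"
    base = cfg["UserBase"][0] if cfg.get("UserBase") else cfg.get("Base", "")
    argv = ["ldapsearch", "-x", "-H", f"ldap://{host}:{port}"]
    if str(cfg.get("UseTLS", "0")) == "1":
        argv.append("-ZZ")                 # require StartTLS, as UseTLS=1 does
    # -W prompts for the password instead of exposing it in history/ps output
    argv += ["-D", cfg.get("BindDN", ""), "-W", "-b", base,
             "-s", cfg.get("UserScope", "sub"), filt, "dn"]
    return shlex.join(argv)


if __name__ == "__main__":
    cfg = parse_ldap_cfg(SAMPLE_CFG)
    for problem in dn_problems(cfg):
        print("PROBLEM:", problem)
    print(ldapsearch_command(cfg, "usertest"))
```

Point the script at the real file with `parse_ldap_cfg(open("/var/www/Foswiki/lib/LocalSite.cfg").read())`; the printed ldapsearch line should return one `dn:` for a known user, and a bind failure (code 49) or a TLS handshake error at that stage narrows the problem to credentials or certificates before LdapContrib is involved.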

Thank you for your help

1/ For connecting my server to the AD domain, I'm using OPENPBIS.

My server can find my AD server without any problem. For example, with my BindDN user:

root@intranet:/home/adm4me# id foswiki
uid=1657284978(foswiki) gid=1657274881(utilisa.^du^domaine) groupes=1657274881(utilisa.^du^domaine)

Or my temporary AD user named "usertest":
uid=1657281198(usertest) gid=1657274881(utilisa.^du^domaine) groupes=1657274881(utilisa.^du^domaine),1657275993(personnel)

2/ I refresh the cache.
/var/www/Foswiki/working/work_areas/LdapContrib/cache.db is created with the right date and time,

but when I refresh the cache I have this error in apache2/error.log:
[Tue Feb 07 10:18:51.560932 2017] [cgi:error] [pid 4633:tid 139758671968000] [client 172.16.0.141:50593] AH01215: - LdapContrib - cacheAge=279, maxCacheAge=86400, lastUpdate=1486458852, refresh=1, referer: http://intranet.mydomain.lan/System/LdapContrib

This is my /etc/apache2/sites-available/intranet.conf file:

# Autogenerated httpd.conf file for Foswiki.
# Generated at https://foswiki.org/Support/ApacheConfigGenerator?vhost=172.16.0.75;port=80;dir=/var/www/Foswiki;symlink=;pathurl=/;shorterurls=enabled;engine=CGI;fastcgimodule=fcgid;fcgidreqlen=;apver=2;confighost=;configip=;configuser=;loginmanager=Template;htpath=;errordocument=UserRegistration;errorcustom=;disablephp=on;blockpubhtml=;blocktrashpub=on;controlattach=;blockspiders=on;foswikiversion=2.0;apacheversion=2.4;timeout=;ssl=;sslcert=/etc/ssl/apache2/yourservercert.pem;sslchain=/etc/ssl/apache2/sub.class1.server.ca.pem;sslkey=/etc/ssl/apache2/yourservercertkey.pem

# For Foswiki version 2.0, Apache 2.4

<VirtualHost *:80>
ServerAdmin webmaster@intranet
DocumentRoot "/var/www/Foswiki"
ServerName 172.16.0.75
ServerAlias intranet.domain.lan

# The Alias defines a url that points to the root of the Foswiki installation.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/foswiki/bin/view/...
# The second parameter must point to the physical path on your disc.

ScriptAlias /bin "/var/www/Foswiki/bin"

# The following Alias is used to access files in the pub directory (attachments etc)
# It must come after the ScriptAlias.
# If short URLs are enabled, and any other local directories or files need to be accessed directly, they
# must also be specified in an Alias statement, and must not conflict with a web name.

Alias /pub "/var/www/Foswiki/pub"
Alias /robots.txt "/var/www/Foswiki/robots.txt"
# Add aliases for any other files that must be read at the root level. eg.
# Alias /google[somehashkey].html "/var/www/Foswiki/google[somehashkey].html"

# Rewriting is required for Short URLs, and Attachment redirecting to viewfile
RewriteEngine on
#RewriteLog "/var/log/apache/rewrite.log"
#RewriteLogLevel 0

# short urls
Alias / "/var/www/Foswiki/bin/view/"
RewriteRule ^/+bin/+view/+(.*) /$1 [L,NE,R]
RewriteRule ^/+bin/+view$ / [L,NE,R]

# This enables access to the documents in the Foswiki root directory

<Directory "/var/www/Foswiki">
<RequireAll>
Require all granted
Require not env blockAccess
</RequireAll>
</Directory>

# This specifies the options on the Foswiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
# Note: If you use SELinux, you also have to "Allow httpd cgi support" in your SELinux policies

<Directory "/var/www/Foswiki/bin">
AllowOverride None

<RequireAll>
Require all granted
Require not env blockAccess
</RequireAll>

Options +ExecCGI -FollowSymLinks
SetHandler cgi-script

# Password file for Foswiki users
AuthUserFile "/var/www/Foswiki/data/.htpasswd"
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic

# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /System/UserRegistration

</Directory>

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are not protected by Foswiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/www/Foswiki/pub">
Options None
Options -FollowSymLinks
AllowOverride None

<RequireAll>
Require all granted
Require not env blockAccess
</RequireAll>
ErrorDocument 404 /bin/viewfile
# If you have PHP installed as Apache module, one of the below directives will ensure
# that it is disabled. The "ifmodule" statements should prevent this from causing
# errors if php is not installed.

<ifmodule mod_php3.c>
php3_engine off
</ifmodule>
<ifmodule mod_php4.c>
php_admin_flag engine off
</ifmodule>
<ifmodule mod_php5.c>
php_admin_flag engine off
</ifmodule>

# This line will redefine the mime type for the most common types of scripts
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
#
# add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
# IF you can, you should enable this - it will improve your Foswiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config
#LoadModule expires_module libexec/httpd/mod_expires.so
#AddModule mod_expires.c
#<ifmodule mod_expires.c>
# <filesmatch "\.(jpe?g|gif|png|css(\.gz)?|js(\.gz)?|ico)$">
# ExpiresActive on
# ExpiresDefault "access plus 11 days"
# </filesmatch>
#</ifmodule>
#
# Serve pre-compressed versions of .js and .css files, if they exist
# Some browsers do not handle this correctly, which is why it is disabled by default
# <FilesMatch "\.(js|css)$">
# RewriteEngine on
# RewriteCond %{HTTP:Accept-encoding} gzip
# RewriteCond %{REQUEST_FILENAME}.gz -f
# RewriteRule ^(.*)$ %{REQUEST_URI}.gz [L,QSA]
# </FilesMatch>
# <FilesMatch "\.(js|css)\?.*$">
# RewriteEngine on
# RewriteCond %{HTTP:Accept-encoding} gzip
# RewriteCond %{REQUEST_FILENAME}.gz -f
# RewriteRule ^([^?]*)\?(.*)$ $1.gz?$2 [L]
# </FilesMatch>
# <FilesMatch "\.js\.gz(\?.*)?$">
# AddEncoding x-gzip .gz
# AddType application/x-javascript .gz
# </FilesMatch>
# <FilesMatch "\.css\.gz(\?.*)?$">
# AddEncoding x-gzip .gz
# AddType text/css .gz
# </FilesMatch>

</Directory>

# Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
# We prevent viewing any attachments directly from pub
<Directory "/var/www/Foswiki/pub/Trash">
Require all denied
</Directory>

# Security note: All other directories should be set so
# that they are not visible as URLs, so we set them as deny from all.
<Directory "/var/www/Foswiki/data">
Require all denied
</Directory>

<Directory "/var/www/Foswiki/templates">
Require all denied
</Directory>

<Directory "/var/www/Foswiki/lib">
Require all denied
</Directory>

<Directory "/var/www/Foswiki/locale">
Require all denied
</Directory>

<Directory "/var/www/Foswiki/tools">
Require all denied
</Directory>

<Directory "/var/www/Foswiki/working">
Require all denied
</Directory>

# We set an environment variable called blockAccess.
#
# Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
# including its own topics as URLs and also prevents other Foswikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying to crawl your Foswiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess

BrowserMatchNoCase ^Accoona blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase BecomeBot blockAccess
BrowserMatchNoCase ^bot blockAccess
BrowserMatchNoCase Charlotte/ blockAccess
BrowserMatchNoCase ^ConveraCrawler blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^e-SocietyRobot blockAccess
BrowserMatchNoCase ^Exabot blockAccess
BrowserMatchNoCase ^FAST blockAccess
BrowserMatchNoCase ^FDM blockAccess
BrowserMatchNoCase ^GetRight/6.0a blockAccess
BrowserMatchNoCase ^GetWebPics blockAccess
BrowserMatchNoCase ^Gigabot blockAccess
BrowserMatchNoCase ^gonzo1 blockAccess
BrowserMatchNoCase ^Google\sSpider blockAccess
BrowserMatchNoCase ^ichiro blockAccess
BrowserMatchNoCase ^ie_crawler blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^IRLbot blockAccess
BrowserMatchNoCase Jakarta blockAccess
BrowserMatchNoCase ^Java blockAccess
BrowserMatchNoCase ^KrakSpider blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^LinkWalker blockAccess
BrowserMatchNoCase ^Lsearch blockAccess
BrowserMatchNoCase ^Microsoft blockAccess
BrowserMatchNoCase MJ12bot blockAccess
BrowserMatchNoCase MSIECrawler blockAccess
BrowserMatchNoCase ^MSRBOT blockAccess
BrowserMatchNoCase ^noxtrumbot blockAccess
BrowserMatchNoCase ^NutchCVS blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Rome blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^schibstedsokbot blockAccess
BrowserMatchNoCase ^Seekbot blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^Snapbot blockAccess
BrowserMatchNoCase ^sogou blockAccess
BrowserMatchNoCase ^SpiderKU blockAccess
BrowserMatchNoCase ^SpiderMan blockAccess
BrowserMatchNoCase ^Squid blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^User-Agent\: blockAccess
BrowserMatchNoCase VoilaBot blockAccess
BrowserMatchNoCase ^voyager blockAccess
BrowserMatchNoCase ^w3search blockAccess
BrowserMatchNoCase ^Web\sDownloader blockAccess
BrowserMatchNoCase ^WebCopier blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^WebSec blockAccess
BrowserMatchNoCase ^WebVac blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Wells blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase www\.netforex\.org blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^yacybot blockAccess
BrowserMatchNoCase ^ZIBB blockAccess

# Setting the NO_FOSWIKI_SESSION environment variable prevents a
# session being created for the Google Search Appliance bot. This
# is useful if you have the Google Search Appliance installed on
# your intranet, as they can be very aggressive when indexing, creating
# a lot of session files and slowing Foswiki down.
# You can also set this environment variable for public sites, to
# prevent Google and other search engines' bots. However, these tend
# to index your site a lot less often than the Google Search Appliance.
# *Works on Foswiki 1.1 and later only*
BrowserMatch "^gsa-crawler" NO_FOSWIKI_SESSION

BrowserMatchNoCase ^$ blockAccess

</VirtualHost>

Thank you

-- FredMinus - 07 Feb 2017
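Since the vhost above is mostly ApacheConfigGenerator output, the parts that deserve a re-check after hand edits are the per-directory deny rules and the blockAccess mechanism. The script below is an added example, not part of Foswiki or its generator: it extracts the `<Directory>` blocks from a vhost file, reports any Foswiki-internal directory (data, templates, lib, locale, tools, working, pub/Trash) that has no block or is not set to `Require all denied`, and confirms that the root block actually consults the blockAccess variable and that an empty User-Agent is blocked. The sample vhost text inside it is a constructed, deliberately incomplete excerpt so the checks have something to report; it is a static text check, not a replacement for `apachectl configtest` or for Apache's own merge rules.

```python
"""Added example (not from the thread or from Foswiki's ApacheConfigGenerator):
audit the <Directory> blocks of a Foswiki vhost for the deny rules the
generated config relies on."""
import re

# Constructed, intentionally incomplete excerpt shaped like the posted vhost.
SAMPLE_VHOST = r"""
<VirtualHost *:80>
DocumentRoot "/var/www/Foswiki"
<Directory "/var/www/Foswiki">
<RequireAll>
Require all granted
Require not env blockAccess
</RequireAll>
</Directory>
<Directory "/var/www/Foswiki/pub/Trash">
Require all denied
</Directory>
<Directory "/var/www/Foswiki/data">
Require all denied
</Directory>
<Directory "/var/www/Foswiki/lib">
Require all denied
</Directory>
<Directory "/var/www/Foswiki/working">
Require all granted
</Directory>
BrowserMatchNoCase ^$ blockAccess
</VirtualHost>
"""

# Directories under the Foswiki root that must never be served as URLs;
# this is the set the generated vhost closes off with "Require all denied".
MUST_DENY = ("data", "templates", "lib", "locale", "tools", "working", "pub/Trash")

# One <Directory "..."> ... </Directory> block (blocks do not nest in httpd.conf).
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def directory_blocks(text):
    """Map directory path -> list of non-comment directive lines inside its block."""
    blocks = {}
    for m in DIR_RE.finditer(text):
        path = m.group(1).rstrip("/")
        lines = [line.strip() for line in m.group(2).splitlines()]
        blocks[path] = [line for line in lines if line and not line.startswith("#")]
    return blocks


def _has(directives, pattern):
    return any(re.fullmatch(pattern, d, re.I) for d in directives)


def audit_vhost(text, root):
    """Return a list of findings; an empty list means every checked rule holds."""
    findings = []
    root = root.rstrip("/")
    blocks = directory_blocks(text)
    for sub in MUST_DENY:
        path = f"{root}/{sub}"
        directives = blocks.get(path)
        if directives is None:
            findings.append(f"{path}: no <Directory> block, would inherit the root policy")
        elif not _has(directives, r"Require\s+all\s+denied"):
            findings.append(f"{path}: not 'Require all denied'")
    # The BrowserMatch* lines only bite if the root block consults the variable.
    if not _has(blocks.get(root, []), r"Require\s+not\s+env\s+blockAccess"):
        findings.append(f"{root}: 'Require not env blockAccess' missing, BrowserMatch rules have no effect")
    if not re.search(r"^\s*BrowserMatchNoCase\s+\^\$\s+blockAccess", text, re.M):
        findings.append("empty User-Agent is not blocked (BrowserMatchNoCase ^$ blockAccess)")
    return findings


if __name__ == "__main__":
    for finding in audit_vhost(SAMPLE_VHOST, "/var/www/Foswiki"):
        print("FINDING:", finding)
```

For the real file, call `audit_vhost(open("/etc/apache2/sites-available/intranet.conf").read(), "/var/www/Foswiki")`; on the vhost posted above, every directory in MUST_DENY has its own `Require all denied` block, so only hand edits that drop one of them would show up.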

up

Need help please

-- FredMinus - 09 Feb 2017

OK

I'm giving up on my Foswiki project and will see if the LDAP integration is better with DokuWiki, TikiWiki or MediaWiki.

-- FredMinus - 10 Feb 2017
Subject: Configuration
Extension: LdapContrib
Version: Foswiki 2.1.2
Status: More info required

Topic revision: r5 - 10 Feb 2017, FredMinus