This question about Using an extension, Authentication or Authorisation, LDAP: Asked

Problems setting up LDAP (LdapContrib); also Refresh Cache Button does not work

Hi all,

I have trouble setting up the authentication via LDAP (to a Windows AD) and I hope that you have some hints for me.
I have read the documentation of LdapContrib and also the support questions here, but nothing fits my problem exactly.

The configuration of my Foswiki regarding LDAP is pasted at the end.
I have also installed the LdapNgPlugin. In a test topic I wrote this LDAP query:
%LDAP{"(objectClass=posixAccount)"
  limit="10"
  cache="3600"
  header="| *Nr* | *Name* | *Mail* | *Telephone* |$n"
  format="| $index | $cn | $mail | $telephoneNumber  |"
  sort="cn"
  clear="$mail,$telephoneNumber, $cn"
}%

When I open this topic I can see in tcpdump on my Wiki server communication between my Wiki server and the Active Directory in both directions (!). So they seem to talk. The table headers from this query are displayed, but there's no data in the table. There is no error message displayed in this topic (there was an error message at first, but after I changed the BindDN and BindPassword to my own AD account it no longer appeared).

I also included the "Refresh Cache" button in the same topic (copied the short string from the plugin topic). When I click on the button nothing visible happens, and tcpdump also shows no communication attempt to the AD server.
Why is that? I checked the Debug option in the LDAP configuration, but there are no entries in error.log.

When I log in to the Foswiki, tcpdump also shows no communication to the AD server, no matter whether I type in my local credentials or my domain credentials, even when the SecondaryPasswordManager is set to "None".

To figure out my problem I also have some pretty basic questions about the Foswiki LDAP function: Is it essential to first build the LDAP cache in the wiki? Does Foswiki always query this cache, or does it query the LDAP server directly each time someone logs in? (I'm trying to make sense of the behavior described above.)

In the past my Foswiki was used only with local users. How does the login via LDAP work? Do I just have to type my domain user name and password into the login fields, or do I have to first create extra accounts for the LDAP registration? That confuses me.

I would really appreciate it if someone has an idea what's wrong with my setup or where I'm wrong in my thinking.

Configuration lines regarding LDAP (for data privacy reasons I replaced some strings: IP, base strings, password):
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::TemplateLogin';
$Foswiki::cfg{AuthScripts} = 'attach,compareauth,edit,manage,previewauth,rdiffauth,rename,rest,restauth,save,statistics,upload,viewauth,viewfileauth';
$Foswiki::cfg{TemplateLogin}{PreventBrowserRememberingPassword} = 0;
$Foswiki::cfg{LoginNameFilterIn} = '^[^\\s\\*?^\\$@%`"\'&;|<>\\x00-\\x1f]+$';
$Foswiki::cfg{DefaultUserLogin} = 'guest';
$Foswiki::cfg{DefaultUserWikiName} = 'WikiGuest';
$Foswiki::cfg{AdminUserLogin} = 'admin';
$Foswiki::cfg{AdminUserWikiName} = 'AdminUser';
$Foswiki::cfg{SuperAdminGroup} = 'AdminGroup';
$Foswiki::cfg{UsersTopicName} = 'WikiUsers';
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::LdapUserMapping';

$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{MinPasswordLength} = 7;
$Foswiki::cfg{Htpasswd}{FileName} = '$Foswiki::cfg{DataDir}/.htpasswd';
$Foswiki::cfg{Htpasswd}{Encoding} = 'apache-md5';
$Foswiki::cfg{Htpasswd}{AutoDetect} = 1;

$Foswiki::cfg{Register}{AllowLoginName} = 0;
$Foswiki::cfg{Register}{EnableNewUserRegistration} = 1;
$Foswiki::cfg{Register}{NeedVerification} = 0;
$Foswiki::cfg{Register}{DisablePasswordConfirmation} = 0;
$Foswiki::cfg{Register}{HidePasswd} = 1;
$Foswiki::cfg{Register}{RegistrationAgentWikiName} = 'RegistrationAgent';

$Foswiki::cfg{Ldap}{PersonDataForm} = 'UserForm';
$Foswiki::cfg{Ldap}{PersonAttribures} = {
         'c' => 'Country',
         'company' => 'OrganisationName',
         'department' => 'Department',
         'division' => 'Division',
         'facsimileTelephoneNumber' => 'Telefax',
         'givenName' => 'FirstName',
         'l' => 'Location',
         'mail' => 'Email',
         'manager' => 'Manager',
         'mobile' => 'Mobile',
         'physicalDeliveryOfficeName' => 'Address',
         'postalAddress' => 'Address',
         'sAMAccountName' => 'LoginName',
         'sn' => 'LastName',
         'streetAddress' => 'Address',
         'telephoneNumber' => 'Telephone',
         'title' => 'Title',
         'uid' => 'LoginName'
       };
$Foswiki::cfg{Ldap}{IndexEmails} = 1;
$Foswiki::cfg{Ldap}{PreferLocalSettings} = 1;
$Foswiki::cfg{Ldap}{DefaultCacheExpire} = '';

$Foswiki::cfg{Ldap}{Host} = '10.1.2.3';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'DC=STRING1,DC=STRING2,DC=DE';
$Foswiki::cfg{Ldap}{BindDN} = 'cn=Maren Sxxx,OU=ABC,OU=allusers,DC=STRING1,DC=STRING2,DC=DE';
$Foswiki::cfg{Ldap}{BindPassword} = 'removed';
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 1;

$Foswiki::cfg{Ldap}{UserBase} = [
         'OU=ABC,OU=allusers,DC=STRING1,DC=STRING2,DC=DE'
       ];
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
         '^(.*)@.*$' => '$1'
       };
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{GroupBase} = [
         'ou=group,dc=my,dc=domain,dc=com'
       ];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;

$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PageSize} = 500;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';

Thank you

Regards

Maren

Does anyone have any suggestions on my problem? I haven't been able to solve it yet... Thank you!

-- MarenS - 25 Aug 2015

Hi MarenS, I know this is old, but I ran into the same problem while implementing MS AD in my new and first Foswiki installation. My test macro is the same as yours with two differences: 1. You forgot the base attribute. 2. I used objectClass: user

Here is the macro:

%LDAP{"(objectClass=user)"
  base="(ou=Your,ou=PathTo,ou=YourUsers)"
  limit="100"
  cache="3600"
  header="| Nr | LoginName | Name | Mail | Telephone |$n"
  format="| $index | $sAMAccountName | $cn | $mail | $telephoneNumber |"
  sort="cn"
  clear="$mail,$telephoneNumber, $cn"
}%

I changed the following things compared to all the docs I could find, because their examples did not work for me!
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'sAMAccountName';

Here is my Ldap config:
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'dc=Your,dc=Own,dc=Domain';
$Foswiki::cfg{Ldap}{BindDN} = 'YourMSADUserWhoAreAllowedToSearchTheMSAD';
$Foswiki::cfg{Ldap}{BindPassword} = 'YourPasswordForTheBindDN';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{DefaultCacheExpire} = '0';
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{GroupBase} = [
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = 'TheNameOfYourDomainController';
$Foswiki::cfg{Ldap}{IPv6} = 0;
$Foswiki::cfg{Ldap}{IgnorePrivateGroups} = 1;
$Foswiki::cfg{Ldap}{IgnoreReferrals} = 0;
$Foswiki::cfg{Ldap}{IgnoreViewRightsInSearch} = 0;
$Foswiki::cfg{Ldap}{IndexEmails} = 1;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/krb5.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '0';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{PersonAttribures} = {
$Foswiki::cfg{Ldap}{PersonDataForm} = 'UserForm';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PreferLocalSettings} = 1;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteLoginNames} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{UserBase} = [
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'sAMAccountName';
$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{Plugins}{LdapNgPlugin}{Enabled} = 1;
$Foswiki::cfg{Plugins}{LdapNgPlugin}{Module} = 'Foswiki::Plugins::LdapNgPlugin';
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::LdapUserMapping';

Maybe this helps others running into LDAP troubles.

Regards, David Fritsch

-- DavidFritsch - 26 Aug 2016
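A small config check, added here as an example that is not part of either post and not LdapContrib's own code: it parses lines in the `$Foswiki::cfg{Ldap}{...}` format pasted above and flags the two mismatches David's answer identifies for Active Directory (LoginFilter objectClass=posixAccount instead of objectClass=user, LoginAttribute uid instead of sAMAccountName), which is why the question's table rendered empty. It goes a bit beyond the thread by also flagging the RFC2307-style MemberAttribute, a GroupBase that is not under Base, and a simple bind with a BindPassword while UseTLS is 0, which puts the bind credentials on the wire in clear text; the sample settings are copied from the question.

```python
import re

# Constructed sample: the LDAP-relevant settings from the question's LocalSite.cfg.
SAMPLE_CFG = """
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{Base} = 'DC=STRING1,DC=STRING2,DC=DE';
$Foswiki::cfg{Ldap}{BindPassword} = 'removed';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';
$Foswiki::cfg{Ldap}{GroupBase} = [
         'ou=group,dc=my,dc=domain,dc=com'
       ];
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
"""
KEY_RE = re.compile(r"^\$Foswiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*(.*)$")
QUOTED = re.compile(r"'([^']*)'")

def parse_ldap_cfg(text):
    """Map {Ldap}{Key} settings to strings; [ ... ] lists become Python lists."""
    cfg, open_key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = KEY_RE.match(line)
        if open_key:                          # continuation line of a [...] list
            cfg[open_key] += QUOTED.findall(line)
            open_key = None if line.endswith("];") else open_key
        elif m and m.group(2).startswith("["):
            cfg[m.group(1)] = QUOTED.findall(m.group(2))
            open_key = None if m.group(2).endswith("];") else m.group(1)
        elif m:                               # scalar: 'string'; or 389;
            cfg[m.group(1)] = m.group(2).rstrip(";").strip("'")
    return cfg

def check_ad_settings(cfg):
    """Return (setting, problem) pairs for a config that points at Active Directory."""
    out = []
    if cfg.get("LoginFilter") == "objectClass=posixAccount":
        out.append(("LoginFilter", "AD users are objectClass=user; posixAccount needs the RFC2307 extension, so the user search matches nothing"))
    if cfg.get("LoginAttribute") == "uid":
        out.append(("LoginAttribute", "AD login names are in sAMAccountName; uid is normally empty"))
    if cfg.get("MemberAttribute") == "memberUid":
        out.append(("MemberAttribute", "AD groups hold member DNs in 'member' (needs MemberIndirection=1)"))
    for gb in cfg.get("GroupBase", []):       # a group base outside Base is never searched usefully
        if not gb.lower().endswith(cfg.get("Base", "").lower()):
            out.append(("GroupBase", f"'{gb}' is not under Base '{cfg.get('Base')}'"))
    if cfg.get("UseTLS") == "0" and cfg.get("BindPassword"):
        out.append(("UseTLS", f"simple bind on plain port {cfg.get('Port')} sends BindPassword in clear text"))
    return out
```

Running `check_ad_settings(parse_ldap_cfg(SAMPLE_CFG))` on the question's settings reports all five points; with objectClass=user, sAMAccountName, member, a GroupBase under Base and UseTLS=1 it reports none.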
Extension: LdapContrib
Version: Foswiki 1.1.9
Topic revision: r3 - 26 Aug 2016, DavidFritsch