This question about LDAP: Asked

logging SSO fallback

I'm trying to set up a Foswiki, with LdapContrib doing Single Sign On. It keeps falling back to the normal login, which works like it should with the credentials of an LDAP user.
I can see in the logfiles it falls back to the normal login, but not WHY it does this. Of course I have set the Debug setting to 1.

Is there any way to get more information about what it tries to use as SSO 'credentials'?

The Ldap section of LocalSite.cfg:

$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindDN} = 'cn=ldap,ou=users,dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindPassword} = 'stupidpassword';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{GroupBase} = [
  'ou=groups,dc=company,dc=local'
];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = 'domaincontroller1.company.local';
$Foswiki::cfg{Ldap}{IPv6} = 0;
$Foswiki::cfg{Ldap}{IgnorePrivateGroups} = 1;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/httpd/conf.d/wiki-http.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '86400';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteLoginNames} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
  '^(.*)@.*$' => '$1'
};
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{UserBase} = [
  'ou=users,dc=company,dc=local'
];
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';

-- JanJurkus - 06 Jun 2016

I do have the same problem. Ldap Auth against AD is working properly. But not the SSO side of things. Did you find a solution yet? What's your webserver log telling about SSO? I can see KerberosLogin messages in my webserver log but then falling back to LdapAuth. But I don't see the reason why it falls back.

As per my understanding the browser will have an auth token from the authenticated computer. This is offered as a session to Foswiki. Then LdapContrib should take this information and validate against AD if the token is still ok. In case it is, the auth should proceed and login the user.

I'm a bit puzzled as I don't see useful error messages how to continue troubleshooting. Any thoughts are appreciated. Thanks

-- SebastianWaitz - 20 Sep 2017
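
One way to see what the browser actually offers as SSO 'credentials', as an added example (not from the posts above and not LdapContrib's own code): it assumes the SSO attempt reaches the server as an HTTP `Authorization: Negotiate` header whose value has been copied from the browser's network inspector. The function name, verdict strings and sample tokens are constructed for illustration.

```python
import base64

# DER-encoded mechanism OIDs that appear near the start of a GSS-API/SPNEGO token.
OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",
    bytes.fromhex("06092a864886f712010202"): "Kerberos 5",
    bytes.fromhex("06092a864882f712010202"): "Kerberos 5 (legacy Microsoft OID)",
    bytes.fromhex("060a2b06010401823702020a"): "NTLMSSP",
}

def classify_negotiate(header_value):
    """Return (verdict, mechanisms) for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return ("no Negotiate token", [])
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return ("malformed base64", [])
    if token.startswith(b"NTLMSSP\x00"):
        return ("raw NTLM, no Kerberos ticket sent", ["NTLMSSP"])
    if not token.startswith(b"\x60"):  # GSS-API InitialContextToken tag
        return ("unrecognised token", [])
    head = token[:96]  # heuristic: the mechanism list sits in the first bytes
    found = sorted((head.find(der), name) for der, name in OIDS.items() if der in head)
    mechs = [name for _, name in found]
    if any(m.startswith("Kerberos") for m in mechs):
        return ("Kerberos offered", mechs)
    if "NTLMSSP" in mechs:
        return ("SPNEGO offering NTLM only", mechs)
    return ("GSS-API token, unknown mechanism", mechs)

def _hdr(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample headers (not captured from any real system).
SAMPLES = {
    "spnego-krb5": _hdr(bytes.fromhex(
        "601b06062b0601050502a011300fa00d300b06092a864886f712010202")),
    "spnego-ntlm": _hdr(bytes.fromhex(
        "601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")),
    "raw-ntlm": _hdr(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2"),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, "->", classify_negotiate(value))
```

A raw NTLM or NTLM-only verdict means the client never presented a Kerberos ticket, which points the troubleshooting at the client, DNS name or service principal rather than at the keytab.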
 

QuestionForm

Subject LDAP
Extension LdapContrib
Version Foswiki 2.1.0
Status Asked
Topic revision: r2 - 20 Sep 2017, SebastianWaitz
