This question about LDAP: Asked

logging SSO fallback

I'm trying to set up a Foswiki, with LdapContrib doing Single Sign On. It keeps falling back to the normal login, which works like it should with the credentials of an LDAP user.
I can see in the logfiles it falls back to the normal login, but not WHY it does this. Of course I have set the Debug setting to 1.

Is there any way to get more information about what it tries to use as SSO 'credentials'?

The Ldap section of Localsite.cfg:

$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindDN} = 'cn=ldap,ou=users,dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindPassword} = 'stupidpassword';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{GroupBase} = [
  'ou=groups,dc=company,dc=local'
];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = 'domaincontroller1.company.local';
$Foswiki::cfg{Ldap}{IPv6} = 0;
$Foswiki::cfg{Ldap}{IgnorePrivateGroups} = 1;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/httpd/conf.d/wiki-http.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '86400';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteLoginNames} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
  '^(.*)@.*$' => '$1'
};
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{UserBase} = [
  'ou=users,dc=company,dc=local'
];
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';

-- JanJurkus - 06 Jun 2016

I do have the same problem. Ldap Auth against AD is working properly. But not the SSO side of things. Did you find a solution yet? What's your webserver log telling you about SSO? I can see KerberosLogin messages in my webserver log but then it falls back to LdapAuth. But I don't see the reason why it falls back.

As per my understanding the browser will have an auth token from the authenticated computer. This is offered as a session to Foswiki. Then LdapContrib should take this information and validate against AD if the token is still ok. In case it is, the auth should proceed and log in the user.

I'm a bit puzzled as I don't see useful error messages on how to continue troubleshooting. Any thoughts are appreciated. Thanks

-- SebastianWaitz - 20 Sep 2017

No, I haven't found a solution, so I moved on...

-- JanJurkus - 30 Aug 2018
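
One way to see what the browser actually offers as SSO "credentials", added here as an example and not part of the thread or of LdapContrib: classify the value of the `Authorization: Negotiate` request header (copied from the browser's developer tools) as Kerberos or NTLM. The function names and the sample tokens are constructed for illustration.

```python
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded GSS-API mechanism OIDs
SPNEGO_OID = bytes.fromhex("06062b0601050502")   # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),     # 1.2.840.48018.1.2.2 (Microsoft)
)


def classify_authorization(header_value):
    """Return (verdict, detail) for an HTTP Authorization header value."""
    if not header_value:
        return "none", "no Authorization header, the browser did not attempt SSO"
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "other", "scheme %r is not Negotiate" % scheme
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "invalid", "token is not valid base64"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm", "raw NTLMSSP message, not a Kerberos ticket"
    if not token.startswith(b"\x60"):
        return "invalid", "not a GSS-API initial context token"
    if NTLM_SIGNATURE in token:
        return "ntlm", "NTLMSSP message wrapped in SPNEGO, not a Kerberos ticket"
    if any(oid in token for oid in KRB5_OIDS):
        wrapped = " inside SPNEGO" if SPNEGO_OID in token else ""
        return "kerberos", "Kerberos 5 token" + wrapped
    return "unknown", "GSS-API token with an unrecognised mechanism"


def make_header(token):
    """Build a header value from raw token bytes (for the constructed samples)."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed samples: real framing bytes and OIDs, dummy payloads (not real tickets).
SAMPLE_NTLM = make_header(NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 8)
SAMPLE_KRB5 = make_header(b"\x60\x40" + SPNEGO_OID + b"\xa0\x36" + b"\x60\x34"
                          + KRB5_OIDS[0] + b"\x01\x00" + b"\x6e" + b"\x00" * 16)

if __name__ == "__main__":
    for value in (None, "Basic dXNlcjpwdw==", SAMPLE_NTLM, SAMPLE_KRB5):
        print(classify_authorization(value))
```

A `none` or `ntlm` verdict points at the client side (the browser does not trust the site for Negotiate, or it could not get a service ticket for the wiki's HTTP service principal) rather than at the keytab on the server.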
 

QuestionForm

Subject LDAP
Extension LdapContrib
Version Foswiki 2.1.0
Status Asked
Related Topics
Topic revision: r3 - 30 Aug 2018, JanJurkus
