-- ToddDesmarais - 24 Oct 2016

 

I am having an issue getting LDAP authentication credentials to work with Foswiki 2.1.2 on a RHEL 7 server. LDAP works correctly at the OS level, just not in the application.

On the server:

[root@xetc]# more krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = XXXX.XXXXX.XXX
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 ITSEC.SENATE.GOV = {
  kdc = **.****.****
  admin_server = *.****.****
 }

[domain_realm]
 .XXXX = XXXXX
 XXXXX = XXXXX

[root@x openldap]# more ldap.conf

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
URI ldap://XXXX:389/
BASE dc=XXXX,dc=XXXX,dc=XXXXX

[root@x sssd]# more sssd.conf
[domain/default]
debug_level = 3
autofs_provider = ldap
cache_credentials = True
krb5_realm = XXXX.XXXX.XXX
ldap_search_base = dc=XXXX,dc=XXXX,dc=XXX
krb5_server = xxxx.xxxx.x
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://XXXX.XXXX.XXX:389
krb5_store_password_if_offline = True
krb5_kpasswd = a-cyb-dc01.itsec.senate.gov

[sssd]
domains = XXXX.XXXX.XXX
config_file_version = 2
services = nss, pam

[domain/XXXX.XXX]
ad_domain = XXXX.XXXX.XXX
krb5_realm = XXXX.XXXX.XXX
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
#fallback_homedir = /home/%u@%d
fallback_homedir = /home/%u
access_provider = ad

[nss]

[pam]

The FOSWIKI configuration (Ldap only):

$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'dc=XXX,dc=XXX,dc=XXX';
$Foswiki::cfg{Ldap}{BindDN} = 'CN=xxxx,OU=xxxx,OU=xxx,DC=xxxx,DC=xxxx,DC=xxx';
$Foswiki::cfg{Ldap}{BindPassword} = '*****';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = '';
$Foswiki::cfg{Ldap}{GroupBase} = [ 'CN=Domain Users,CN=Users,DC=XXX,DC=XXX,DC=XXX' ];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group,top';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = 'xxx.xxx.xxx.xxx';
$Foswiki::cfg{Ldap}{IPv6} = 1;
$Foswiki::cfg{Ldap}{IgnorePrivateGroups} = 1;
$Foswiki::cfg{Ldap}{IgnoreReferrals} = 0;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/krb5.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=organization Unit,top';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '86400';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{Port} = '636';
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteLoginNames} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = { '^(.*)@.*$' => '$1' };
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{TLSCAFile} = 'xxx.cer';
$Foswiki::cfg{Ldap}{TLSCAPath} = '/etc/openldap/cacerts/';
$Foswiki::cfg{Ldap}{TLSClientCert} = 'xxx.cer';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseSASL} = 1;
$Foswiki::cfg{Ldap}{UseTLS} = 1;
$Foswiki::cfg{Ldap}{UserBase} = [ 'OU=Users,OU=XXXX,DC=XXX,DC=XXX,DC=XXX' ];
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';