This question about Configuration: Answered

Active Directory Authentication

I can't seem to find any directions on how to configure a simple pass-through authentication using LDAP.

I'm not going to ask our admins (different department) to run ktpass and hook it in to Kerberos. MediaWiki is configured and working using their LDAP/AD plugin without touching the AD server; how can I do the same with Foswiki?

-- DanR - 26 Oct 2009

> I'm not going to ask our admins (different department) to run ktpass

In most enterprises, you are unlikely to get write access to Active Directory. Fortunately you don't need it.

mod_auth_sspi worked for me. See TWiki:Codev.WindowsInstallModNTLM, including my comments in the section entitled, "mod_auth_sspi (> Apache 2.0)".

-- SeanMorgan - 27 Oct 2009

I agree that I don't need write access to AD, especially since it meets the LDAP specification; there's no reason we shouldn't be able to pass through authentication like MediaWiki did. Unfortunately this looks like it's simply restricting access to the webserver, which is not what I'm looking for. We need to be able to assign permissions to users; this isn't going to give us user accounts we can modify permissions for in Foswiki.

I'm specifically looking for the config information for the LDAP plugin... a LOT of config options...

-- DanR - 27 Oct 2009

We're using LdapContrib to allow our users to log in to Foswiki. All user information is stored in an AD database. What we had to do initially (or at least that's what I thought at the time I set it up) was to create a user with read access to AD. The configuration of LdapPlugin depends a lot on your setup. I used an AD browser tool (I think it's called ADExplorer) to find out all the details about our setup. If you've got any specific questions, I might be able to help.

-- MartinKaufmann - 27 Oct 2009

mod_auth_sspi is sufficient for authentication (the subject line of your question). It seems you are actually looking to use AD for authorization. So yes, my answer is irrelevant.

-- SeanMorgan - 27 Oct 2009

Martin - Our AD has public read access as long as you are inside the corporate LAN. I understand the LDAP configuration will depend on how the AD is configured; however, I'm looking at the list of config options and only really see 4-5 options that would vary from config to config. I need to know what to do with the rest.

-- DanR - 27 Oct 2009

OK, below is my LDAP config from lib/LocalSite.cfg. Note: I've never used the group mapping feature, so all group settings are untested (and most likely wrong).
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::LdapUserMapping';
$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{Ldap}{Host} = 'exchange';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=users,ou=group,dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindPassword} = 'passwd123';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 0;
$Foswiki::cfg{Ldap}{UserBase} = 'dc=company,dc=local';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{WikiNameAttribute} = 'givenName, sn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$Foswiki::cfg{Ldap}{GroupBase} = 'ou=group,dc=my,dc=domain,dc=com';
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{MapGroups} = 0;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;
$Foswiki::cfg{Ldap}{PageSize} = 500;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup';

-- MartinKaufmann - 28 Oct 2009

OK, the biggest issue was that I missed the UserMappingManager and PasswordManager. I've changed those drop-downs and 2 other settings in LDAP and Foswiki blew up. Apparently it didn't install the LdapContrib.pm plugin correctly. Does the automatic install provided in the Foswiki configure page not work? I recall seeing a couple of errors when I had installed the plugin followed by "Install successful", so I ignored it.

-- DanR - 28 Oct 2009

IIRC, the automatic install worked for me. What do you mean by "blew up"? Is there anything in your Apache error.log?

-- MartinKaufmann - 28 Oct 2009

OK, tried installing again, same errors (yes, the LDAP.pm is missing). I downloaded the tarball directly and it wasn't in there! Googled it, found that the LDAP.pm is actually a Perl module, so I downloaded it and copied it into the Perl directory. Now I get an error that ASN1.pm doesn't exist... OK, this leads me to believe the last stable installer of Foswiki (which includes the Strawberry release of Perl) is not complete. Can someone point me in the right direction?

-- DanR - 28 Oct 2009

Yes, LdapContrib has a series of dependencies (which aren't listed on the plugin topic). These were probably the errors during automatic install you mentioned. You have to install the following CPAN packages first:
  • Authen::SASL
  • DB_File
  • Digest::MD5
  • Net::LDAP
  • IO::Socket::SSL
  • Unicode::MapUTF8
Depending on your server OS there are different possibilities to install these packages.

-- MartinKaufmann - 28 Oct 2009

OK, now that we're past that, all modules installed, following the configuration options you've mentioned, I enabled debug by uncommenting 4 lines in the UI.pm module. Here's the error in var/log/apache2/error.log:
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] 'username' => [, referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] 'danr', referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] ],, referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] 'validation_key' => [, referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] '9cc6eb286d92cc828e14f086adaece40', referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] ], referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] }, referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] }, 'Foswiki::Request' );, referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] - LdapContrib - called search(filter=objectClass=user, base=ou=usergroup,dc=company,dc=com, scope=sub, limit=0, attrs=sAMAccountNam,mail,gidNumber,givenName,sn), referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] [Wed Oct 28 10:20:59 2009] login: Use of uninitialized value in substitution (s///) at /var/lib/foswiki/lib/Foswiki/Contrib/LdapContrib.pm line 926, <DATA> line 582., referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] [Wed Oct 28 10:20:59 2009] login: Use of uninitialized value in substitution (s///) at /var/lib/foswiki/lib/Foswiki/Contrib/LdapContrib.pm line 927, <DATA> line 582., referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] [Wed Oct 28 10:20:59 2009] login: Use of uninitialized value in substitution (s///) at /var/lib/foswiki/lib/Foswiki/Contrib/LdapContrib.pm line 926, <DATA> line 582., referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
[Wed Oct 28 10:20:59 2009] [error] [client 172.16.5.135] [Wed Oct 28 10:20:59 2009] login: Use of uninitialized value in substitution (s///) at /var/lib/foswiki/lib/Foswiki/Contrib/LdapContrib.pm line 927, <DATA> line 582., referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome

etc. There are 900 lines of that last error...

Also, I tried to use anonymous binding, but it gives the error:
LdapContrib - 1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece, referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome
LdapContrib - error in search: 1: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece, referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome

So it's not even trying to bind anonymously...

-- DanR - 28 Oct 2009

I'm not an expert but I don't think there is actually a fatal error in the first case. Use of uninitialized value in substitution is quite a common non-fatal error message in Perl. And I guess you got it 900 times because that's the number of entries in your AD database. I guess this happened when you first tried to login. Did the login procedure fail? Did you get any error messages in Foswiki?

-- MartinKaufmann - 28 Oct 2009

Yes, login failed: "Oops: we could not recognize you".

I've enabled all 52 debug lines in the LdapContrib plugin, and the only output it's giving me is 4 lines of nothing; it doesn't even look like it's trying.

Now that you mention "that's the number of entries in your AD database".... I changed the cache to refresh every 30 seconds, and I got a completely different set of errors. It actually found (and gave me the correct name) for every single user in our AD.

900 lines of "LdapContrib - no loginName for CN=..."

LdapContrib - called cacheUserFromEntry()

login: Use of uninitialized value in substitution (s///) at /var/lib/foswiki/lib/Foswiki/Contrib/LdapContrib.pm line 926, <DATA> line 582., referer: http://172.16.36.51/foswiki/bin/login/Main/WebHome

Will debug a little more after lunch and let you know. Thanks a ton for keeping up with me!

After looking through perl code, trying to understand what could be wrong with the regexp used on line 926 that results in an empty username.... oh wait... username IS empty... every line said it couldn't find the attribute....

I had fat fingered: $Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountNam';

Forgot the 'e'

Now it works.
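As an added example (not code from this thread or from LdapContrib itself), here is a small Python check that parses the $Foswiki::cfg{Ldap}{...} lines from Martin's config and runs them against a constructed AD entry before any bind is attempted. It reports the 'sAMAccountNam' typo as a login attribute the entry does not carry (the cause of the "no loginName for CN=..." lines), flags an empty BindDN (AD answers unauthenticated searches with the "successful bind must be completed" error quoted above), and flags a BindPassword sent with UseTLS = 0. The functions parse_ldap_cfg, login_name and lint_ldap_cfg, and the sample config and entry, are mine.

```python
import re

# Constructed excerpt of lib/LocalSite.cfg in the form shown in the thread,
# with the 'sAMAccountNam' typo that broke every cacheUserFromEntry() call.
SAMPLE_CFG = """
$Foswiki::cfg{Ldap}{Host} = 'exchange';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{BindDN} = 'cn=binduser,ou=users,ou=group,dc=company,dc=local';
$Foswiki::cfg{Ldap}{BindPassword} = 'passwd123';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountNam';
$Foswiki::cfg{Ldap}{WikiNameAttribute} = 'givenName, sn';
"""

# Constructed AD user entry, attributes as Net::LDAP would return them.
SAMPLE_ENTRY = {"cn": ["Dan R"], "sAMAccountName": ["danr"],
                "givenName": ["Dan"], "sn": ["R"], "mail": ["danr@company.local"]}

# One assignment per line: $Foswiki::cfg{Ldap}{Key} = 'value';  or  = 389;
CFG_RE = re.compile(r"^\$Foswiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*'?([^';]*)'?\s*;", re.M)

def parse_ldap_cfg(text):
    """Return {key: value} for the scalar {Ldap} settings in a LocalSite.cfg excerpt."""
    return {k: v.strip() for k, v in CFG_RE.findall(text)}

def login_name(entry, cfg):
    """First value of LoginAttribute on the entry, or None when the attribute is
    missing (LDAP attribute names are case-insensitive, so compare them that way)."""
    wanted = cfg.get("LoginAttribute", "").lower()
    for name, values in entry.items():
        if name.lower() == wanted and values:
            return values[0]
    return None

def lint_ldap_cfg(cfg, entry):
    """Findings to settle before pointing Foswiki at the directory."""
    findings = []
    if login_name(entry, cfg) is None:
        findings.append("LoginAttribute %r is not present on the sample entry (has: %s)"
                        % (cfg.get("LoginAttribute"), ", ".join(sorted(entry))))
    if not cfg.get("BindDN"):
        findings.append("empty BindDN: AD rejects unauthenticated searches "
                        "('a successful bind must be completed on the connection')")
    if cfg.get("BindPassword") and cfg.get("UseTLS", "0") == "0":
        findings.append("BindPassword is sent as a simple bind without UseTLS on port %s"
                        % cfg.get("Port", "389"))
    return findings

if __name__ == "__main__":
    for finding in lint_ldap_cfg(parse_ldap_cfg(SAMPLE_CFG), SAMPLE_ENTRY):
        print("-", finding)
```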


Subject Configuration
Extension LdapContrib
Version Foswiki 1.0.7
Status Answered
Topic revision: r17 - 30 Oct 2009, MartinKaufmann