This question about Using an extension, Authentication or Authorisation, LDAP: Answered

Problems setting up LDAP (LdapContrib); also Refresh Cache Button does not work

Hi all,

I have trouble setting up authentication via LDAP (to a Windows AD) and I hope that you have some hints for me.
I have read the documentation of LdapContrib and also the support questions here, but nothing fits my problem exactly.

The configuration of my Foswiki regarding LDAP is pasted at the end.
I have also installed the LdapNgPlugin. In a test topic I wrote this LDAP query:
%LDAP{"(objectClass=posixAccount)"
  limit="10"
  cache="3600"
  header="| *Nr* | *Name* | *Mail* | *Telephone* |$n"
  format="| $index | $cn | $mail | $telephoneNumber  |"
  sort="cn"
  clear="$mail,$telephoneNumber, $cn"
}%

When I open this topic I can see in tcpdump on my Wiki server communication between my Wiki server and the Active Directory in both directions (!). So they seem to talk. The table headers from this query are displayed, but there's no data in the table. There is no error message displayed in this topic (there was an error message first, but when I changed the BindDN and BindPassword to my own AD account it didn't show anymore).

I also included the "Refresh Cache"-Button in the same topic (copied the short string from the plugin topic). When I click on the button nothing visible happens and tcpdump also shows no communication attempt to the AD server.
Why is that? I checked the Debug option in the LDAP configuration but there are no entries in error.log.

When I log in to Foswiki, tcpdump also shows no communication to the AD server, no matter whether I type in my local credentials or my domain credentials, even when the SecondaryPasswordManager is set to "None".

For figuring out my problem I also have some pretty basic questions about the Foswiki-LDAP-function: Is it essential to first build the LDAP cache in the wiki? Does Foswiki always query this cache or does it query the LDAP server directly each time someone logs in? (I'm trying to make sense of the behavior described above)

In the past my Foswiki was used only with local users. How does the login via LDAP work? Do I just have to type my domain user name and password into the login fields? Or do I have to first create extra accounts for the LDAP registration? That confuses me.

I would really appreciate it if someone has an idea what's wrong with my setup or where I'm wrong in my thinking.

Configuration lines regarding LDAP (for data privacy reasons I replaced some strings: IP, base strings, password):
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::TemplateLogin';
$Foswiki::cfg{AuthScripts} = 'attach,compareauth,edit,manage,previewauth,rdiffauth,rename,rest,restauth,save,statistics,upload,viewauth,viewfileauth';
$Foswiki::cfg{TemplateLogin}{PreventBrowserRememberingPassword} = 0;
$Foswiki::cfg{LoginNameFilterIn} = '^[^\\s\\*?^\\$@%`"\'&;|<>\\x00-\\x1f]+$';
$Foswiki::cfg{DefaultUserLogin} = 'guest';
$Foswiki::cfg{DefaultUserWikiName} = 'WikiGuest';
$Foswiki::cfg{AdminUserLogin} = 'admin';
$Foswiki::cfg{AdminUserWikiName} = 'AdminUser';
$Foswiki::cfg{SuperAdminGroup} = 'AdminGroup';
$Foswiki::cfg{UsersTopicName} = 'WikiUsers';
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::LdapUserMapping';

$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{MinPasswordLength} = 7;
$Foswiki::cfg{Htpasswd}{FileName} = '$Foswiki::cfg{DataDir}/.htpasswd';
$Foswiki::cfg{Htpasswd}{Encoding} = 'apache-md5';
$Foswiki::cfg{Htpasswd}{AutoDetect} = 1;

$Foswiki::cfg{Register}{AllowLoginName} = 0;
$Foswiki::cfg{Register}{EnableNewUserRegistration} = 1;
$Foswiki::cfg{Register}{NeedVerification} = 0;
$Foswiki::cfg{Register}{DisablePasswordConfirmation} = 0;
$Foswiki::cfg{Register}{HidePasswd} = 1;
$Foswiki::cfg{Register}{RegistrationAgentWikiName} = 'RegistrationAgent';

$Foswiki::cfg{Ldap}{PersonDataForm} = 'UserForm';
$Foswiki::cfg{Ldap}{PersonAttribures} = {
         'c' => 'Country',
         'company' => 'OrganisationName',
         'department' => 'Department',
         'division' => 'Division',
         'facsimileTelephoneNumber' => 'Telefax',
         'givenName' => 'FirstName',
         'l' => 'Location',
         'mail' => 'Email',
         'manager' => 'Manager',
         'mobile' => 'Mobile',
         'physicalDeliveryOfficeName' => 'Address',
         'postalAddress' => 'Address',
         'sAMAccountName' => 'LoginName',
         'sn' => 'LastName',
         'streetAddress' => 'Address',
         'telephoneNumber' => 'Telephone',
         'title' => 'Title',
         'uid' => 'LoginName'
       };
$Foswiki::cfg{Ldap}{IndexEmails} = 1;
$Foswiki::cfg{Ldap}{PreferLocalSettings} = 1;
$Foswiki::cfg{Ldap}{DefaultCacheExpire} = '';

$Foswiki::cfg{Ldap}{Host} = '10.1.2.3';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'DC=STRING1,DC=STRING2,DC=DE';
$Foswiki::cfg{Ldap}{BindDN} = 'cn=Maren Sxxx,OU=ABC,OU=allusers,DC=STRING1,DC=STRING2,DC=DE';
$Foswiki::cfg{Ldap}{BindPassword} = 'removed';
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 1;

$Foswiki::cfg{Ldap}{UserBase} = [
         'OU=ABC,OU=allusers,DC=STRING1,DC=STRING2,DC=DE'
       ];
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
         '^(.*)@.*$' => '$1'
       };
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{GroupBase} = [
         'ou=group,dc=my,dc=domain,dc=com'
       ];
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;

$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PageSize} = 500;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';

Thank you

Regards

Maren

Does anyone have any suggestions on my problem? I haven't been able to solve it yet... Thank you!

-- MarenS - 25 Aug 2015

Hi MarenS, I know this is old, but I ran into the same problem while implementing MS AD in my new and first Foswiki installation. My test macro is the same as yours with two differences: 1. You forgot the base attribute. 2. I used objectClass: user

Here the macro:

%LDAP{"(objectClass=user)"
  base="(ou=Your,ou=PathTo,ou=YourUsers)"
  limit="100"
  cache="3600"
  header="| Nr | LoginName | Name | Mail | Telephone |$n"
  format="| $index | $sAMAccountName | $cn | $mail | $telephoneNumber |"
  sort="cn"
  clear="$mail,$telephoneNumber, $cn"
}%

I changed the following things compared to all the docs I could find, because their examples did not work for me:

$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'sAMAccountName';

Here is my Ldap config:

$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{Base} = 'dc=Your,dc=Own,dc=Domain';
$Foswiki::cfg{Ldap}{BindDN} = 'YourMSADUserWhoAreAllowedToSearchTheMSAD';
$Foswiki::cfg{Ldap}{BindPassword} = 'YourPasswordForTheBindDN';
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{CharSet} = 'utf-8';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{DefaultCacheExpire} = '0';
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{GroupBase} = [
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{Host} = 'TheNameOfYourDomainController';
$Foswiki::cfg{Ldap}{IPv6} = 0;
$Foswiki::cfg{Ldap}{IgnorePrivateGroups} = 1;
$Foswiki::cfg{Ldap}{IgnoreReferrals} = 0;
$Foswiki::cfg{Ldap}{IgnoreViewRightsInSearch} = 0;
$Foswiki::cfg{Ldap}{IndexEmails} = 1;
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{KerberosKeyTab} = '/etc/krb5.keytab';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '0';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$Foswiki::cfg{Ldap}{MemberIndirection} = 0;
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{PageSize} = '500';
$Foswiki::cfg{Ldap}{PersonAttribures} = {
$Foswiki::cfg{Ldap}{PersonDataForm} = 'UserForm';
$Foswiki::cfg{Ldap}{Port} = '389';
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PreferLocalSettings} = 1;
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteLoginNames} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{UserBase} = [
$Foswiki::cfg{Ldap}{UserMappingTopic} = '';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'sAMAccountName';
$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{Plugins}{LdapNgPlugin}{Enabled} = 1;
$Foswiki::cfg{Plugins}{LdapNgPlugin}{Module} = 'Foswiki::Plugins::LdapNgPlugin';
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::LdapUserMapping';

Maybe this helps others running into LDAP troubles.

Regards, David Fritsch

-- DavidFritsch - 26 Aug 2016

I had the problem that my LDAP cache.db would never refresh.

I solved it by making sure that I don't have any other files in the DB folder. I had made a copy of the cache.db in the same folder /var/www/foswiki/working/work_areas/LdapContrib

This second file caused the cache.db to stop functioning. I deleted every file in the folder, then used the "Refresh Cache" button that is in the LdapContrib topic.

-- BenoitSavard - 05 Jul 2018

From the above config the following settings are missing:

$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::LdapTemplateLogin';
$Foswiki::cfg{Register}{AllowLoginName} = 1;

-- MichaelDaum - 09 Jul 2018
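The replies above boil down to a handful of settings that differ between a POSIX-style directory and Active Directory (objectClass=user and sAMAccountName instead of posixAccount and uid, LdapTemplateLogin with AllowLoginName=1), plus one detail nobody raised: the posted configuration binds with a real AD account's password over port 389 with UseTLS=0, so that password crosses the network in cleartext. The following is an added example, not code from Foswiki or LdapContrib: a small linter that string-parses `$Foswiki::cfg{...} = ...;` lines from LocalSite.cfg and flags those pitfalls without opening an LDAP connection. The "posted" sample is an excerpt of the configuration in the question; the "fixed" sample applies the replies' changes, and its GroupBase and CA file path are assumptions for illustration only.

```python
"""Lint a Foswiki LocalSite.cfg LDAP fragment for Active Directory pitfalls.

Added example, not part of Foswiki or LdapContrib.  Pure string parsing of
`$Foswiki::cfg{...} = ...;` lines; it never talks to an LDAP server.
"""
import re

# A key path, then a value that is a [...] list, a {...} hash, a quoted
# scalar or a bare scalar, terminated by ';'.  Perl \' escapes are honoured.
_QUOTED = r"'(?:[^'\\]|\\.)*'"
_SETTING = re.compile(
    r"\$Foswiki::cfg((?:\{[^}]+\})+)\s*=\s*(\[.*?\]|\{.*?\}|" + _QUOTED + r"|[^;]*);",
    re.S,
)
_HASH_PAIR = re.compile(r"'((?:[^'\\]|\\.)*)'\s*=>\s*'((?:[^'\\]|\\.)*)'")


def parse_cfg(text):
    """Return a flat dict such as {'Ldap.LoginFilter': 'objectClass=user'}.

    Lists become Python lists of their quoted elements, hashes become dicts,
    everything else a string with the surrounding quotes removed.
    """
    cfg = {}
    for keys, raw in _SETTING.findall(text):
        name = ".".join(re.findall(r"\{([^}]+)\}", keys))
        raw = raw.strip()
        if raw.startswith("["):
            cfg[name] = re.findall(r"'((?:[^'\\]|\\.)*)'", raw)
        elif raw.startswith("{"):
            cfg[name] = dict(_HASH_PAIR.findall(raw))
        elif len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            cfg[name] = raw[1:-1]
        else:
            cfg[name] = raw
    return cfg


# setting -> (value that does not work against AD, value the replies use)
AD_EXPECTED = {
    "Ldap.LoginFilter": ("objectClass=posixAccount", "objectClass=user"),
    "Ldap.LoginAttribute": ("uid", "sAMAccountName"),
    "LoginManager": ("Foswiki::LoginManager::TemplateLogin",
                     "Foswiki::LoginManager::LdapTemplateLogin"),
    "Register.AllowLoginName": ("0", "1"),
}


def lint_for_ad(cfg):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for key, (bad, good) in AD_EXPECTED.items():
        if cfg.get(key) == bad:
            findings.append(f"{key} = {bad!r}: use {good!r} for Active Directory")

    # A search base outside the real directory suffix never matches anything
    # (the posted GroupBase is still the dc=my,dc=domain,dc=com placeholder).
    base = cfg.get("Ldap.Base", "").lower()
    for key in ("Ldap.UserBase", "Ldap.GroupBase"):
        for dn in cfg.get(key, []):
            if base and not dn.lower().endswith(base):
                findings.append(f"{key} {dn!r} is not under Ldap.Base {base!r}")

    # Simple bind without TLS sends BindPassword in cleartext on port 389.
    # TLSVerify='require' only takes effect once UseTLS is on, and then needs
    # a CA file or path to verify the domain controller against.
    if cfg.get("Ldap.UseTLS") == "0" and cfg.get("Ldap.UseSASL") == "0":
        findings.append("Ldap.UseTLS = 0 with simple bind: BindPassword is sent in cleartext")
    elif (cfg.get("Ldap.UseTLS") == "1" and cfg.get("Ldap.TLSVerify") == "require"
          and not (cfg.get("Ldap.TLSCAFile") or cfg.get("Ldap.TLSCAPath"))):
        findings.append("Ldap.TLSVerify = 'require' but no TLSCAFile/TLSCAPath is set")
    return findings


# Excerpt of the configuration posted in the question, values as posted.
POSTED = r"""
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::TemplateLogin';
$Foswiki::cfg{Register}{AllowLoginName} = 0;
$Foswiki::cfg{Ldap}{Base} = 'DC=STRING1,DC=STRING2,DC=DE';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{UserBase} = [
         'OU=ABC,OU=allusers,DC=STRING1,DC=STRING2,DC=DE'
       ];
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';
$Foswiki::cfg{Ldap}{GroupBase} = [
         'ou=group,dc=my,dc=domain,dc=com'
       ];
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
         '^(.*)@.*$' => '$1'
       };
"""

# Same settings with the replies' changes applied.  The GroupBase DN and the
# CA file path are assumptions for illustration, not values from the thread.
FIXED = r"""
$Foswiki::cfg{LoginManager} = 'Foswiki::LoginManager::LdapTemplateLogin';
$Foswiki::cfg{Register}{AllowLoginName} = 1;
$Foswiki::cfg{Ldap}{Base} = 'DC=STRING1,DC=STRING2,DC=DE';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{UseTLS} = 1;
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAFile} = '/etc/ssl/certs/ad-root-ca.pem';
$Foswiki::cfg{Ldap}{UserBase} = [ 'OU=ABC,OU=allusers,DC=STRING1,DC=STRING2,DC=DE' ];
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{GroupBase} = [ 'OU=groups,DC=STRING1,DC=STRING2,DC=DE' ];
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(f"== {label} ==")
        for finding in lint_for_ad(parse_cfg(text)) or ["no findings"]:
            print(" -", finding)
```

Run it against a real LocalSite.cfg by reading the file into `parse_cfg`; the posted excerpt yields six findings (the four AD settings from the replies, the placeholder GroupBase, and the cleartext bind), the fixed one yields none. The linter deliberately stays silent about the group attributes (GroupFilter, MemberAttribute), which the thread never settles for AD.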
 

Subject: Using an extension, Authentication or Authorisation, LDAP
Extension: LdapContrib
Version: Foswiki 1.1.9
Status: Answered
Topic revision: r6 - 09 Jul 2018, MichaelDaum