
Question

To the esteemed TWiki gurus:

How do we use LDAPContrib with TWiki for basic LDAP authentication? We are newbies to this. We have tried to set up the LDAPContrib Plugin, but it does not work. We were easily able to set up the LDAPPlugin to display data from our LDAP server on our TWiki page. Our TWiki is set up with the Oracle HTTP Server from the Oracle Application Server Suite. Our LDAP server is on a different box and we are using Oracle’s OID server. Our objective is to set up the TWiki system so that it authenticates via this LDAP server for employee authentication.

Our settings are as below:

$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser'; 
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';

$TWiki::cfg{Ldap}{Host} = 'ldap://devlogin.mickey.net';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'cn=users, dc= mickey,dc=net';
$TWiki::cfg{Ldap}{BindDN} = 'cn=superadmin';
$TWiki::cfg{Ldap}{BindPassword} = 'secret';
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{UseSASL} = 0;
$TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$TWiki::cfg{Ldap}{Debug} = 1;
$TWiki::cfg{Ldap}{UserBase} = 'cn=users, dc= mickey,dc=net';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=inetOrgPerson';
$TWiki::cfg{Ldap}{LoginAttribute} = 'displayname';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{NormalizeLoginName} = 1;
$TWiki::cfg{Ldap}{AllowChangePassword} = 0;
$TWiki::cfg{Ldap}{SecondaryPasswordManager} = 'TWiki::Users::HtPasswdUser'; 
$TWiki::cfg{Ldap}{GroupBase} = 'cn=Groups, dc= mickey, dc=net';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{NormalizeGroupName} = 0;
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{MaxCacheAge} = 86400;
$TWiki::cfg{Ldap}{PageSize} = 500;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
$TWiki::cfg{Plugins}{LdapPlugin}{Enabled} = 1;

Environment

TWiki version: TWikiRelease04x01x02
TWiki plugins: LdapContrib, LdapPlugin
Server OS: RedHat Linux (RHEL) 4.0
Web server: Apache 3
Perl version: 5.0XXX
Client OS: MS Windows XP
Web Browser: IE
Categories: Authentication

Any insight on the matter is greatly appreciated.

-- ShivaGoudarzi - 10 Jan 2008

Answer


Please be a bit more specific about how it failed. Unfortunately, I haven't been able to test against OID. I hope its principles with regard to user accounts and groups don't diverge substantially from OpenLDAP or Active Directory, which LdapContrib has been used with in various settings.

But let me comment on your current LdapContrib settings above:

  • $TWiki::cfg{Ldap}{BindDN} = 'cn=superadmin';: this must be the full DN, e.g. cn=superadmin,dc=mickey,dc=net
  • Try enabling SASL: $TWiki::cfg{Ldap}{UseSASL} = 1; it is switched off in your current setting

That's all I can say so far.

-- MichaelDaum - 10 Jan 2008
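The bind-DN point in the answer above is easy to check mechanically before TWiki ever talks to the directory. The following is an added example written for this page; it is not LdapContrib code and not from either poster. It parses only the simple single-quoted `$TWiki::cfg{Ldap}{...} = '...';` lines of the kind shown in the question (the real LocalSite.cfg is Perl and can contain more than that), and SAMPLE_CFG is constructed from the question's settings. The three checks are heuristics chosen for the example: a BindDN with a single RDN is reported as an error, a BindDN whose dc= suffix differs from Base is reported as a warning, and unescaped whitespace around `=` or after `,` inside a DN component is reported as a warning, since RFC 4514 requires leading and trailing spaces in a value to be escaped and servers differ in whether they trim them.

```python
"""Added example, not LdapContrib code: sanity-check the DN settings in a
LocalSite.cfg fragment before pointing TWiki at the directory.

Only simple single-quoted Perl scalars of the form
    $TWiki::cfg{Ldap}{Key} = 'value';
are understood.  SAMPLE_CFG is constructed from the settings in the question.
"""
import re

CFG_LINE = re.compile(r"\$TWiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*'([^']*)'\s*;")

# Constructed from the question's settings (BindDN as originally posted).
SAMPLE_CFG = """
$TWiki::cfg{Ldap}{Base} = 'cn=users, dc= mickey,dc=net';
$TWiki::cfg{Ldap}{BindDN} = 'cn=superadmin';
$TWiki::cfg{Ldap}{UserBase} = 'cn=users, dc= mickey,dc=net';
$TWiki::cfg{Ldap}{GroupBase} = 'cn=Groups, dc= mickey, dc=net';
"""


def parse_cfg(text):
    """Return {key: value} for every simple single-quoted Ldap setting in text."""
    return {m.group(1): m.group(2) for m in CFG_LINE.finditer(text)}


def split_dn(dn):
    """Split a DN into (type, value) pairs without normalizing them.

    Backslash escapes are honored, so an escaped comma inside a value
    (cn=Smith\\, John) does not start a new RDN.  Multi-valued RDNs (a+b)
    are left as a single component."""
    components, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape pair intact
            cur += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            components.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    components.append(cur)
    pairs = []
    for comp in components:
        if "=" not in comp:
            raise ValueError("RDN without '=': %r" % comp)
        attr_type, value = comp.split("=", 1)
        pairs.append((attr_type, value))
    return pairs


def dc_suffix(dn):
    """The normalized dc= components of a DN, e.g. ('mickey', 'net')."""
    return tuple(v.strip().lower() for t, v in split_dn(dn)
                 if t.strip().lower() == "dc")


def check_ldap_cfg(cfg):
    """Return a list of (level, key, message) findings for the DN settings.

    Heuristics chosen for this example, not LdapContrib's own validation."""
    findings = []
    for key in ("Base", "UserBase", "GroupBase", "BindDN"):
        dn = cfg.get(key)
        if dn is None:
            continue
        for t, v in split_dn(dn):
            if t != t.strip() or v != v.strip():
                findings.append(("WARN", key,
                                 "unescaped whitespace in component %r" % (t + "=" + v)))
    bind, base = cfg.get("BindDN"), cfg.get("Base")
    if bind is not None:
        if len(split_dn(bind)) < 2:
            findings.append(("ERROR", "BindDN",
                             "%r is a single RDN, not a full DN" % bind))
        elif base and dc_suffix(bind) != dc_suffix(base):
            findings.append(("WARN", "BindDN", "dc= suffix %r differs from Base %r"
                             % (dc_suffix(bind), dc_suffix(base))))
    return findings


if __name__ == "__main__":
    for level, key, msg in check_ldap_cfg(parse_cfg(SAMPLE_CFG)):
        print("%-5s %-9s %s" % (level, key, msg))
```

Run against the question's settings it reports the single-RDN BindDN as the one error and the `dc= mickey` / `, dc=net` spacing as warnings; with BindDN replaced by the full DN from the answer (cn=superadmin,dc=mickey,dc=net) the BindDN findings disappear. Whitespace inside a DN is not always fatal, which is why it is only a warning, but a bind DN that the server stores without the space and the client sends with it is exactly the kind of mismatch that shows up as a bare "bind failed".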

Hi Michael,

Sorry for the delay in response. We had investigated the issue further and found that what we mistakenly thought was a failure was actually the session timing out because the cache interval was set less than the time needed to cache all the records from OID. After testing it with a smaller group, the process was successful.

Now our question has evolved: What is the name and path of the file that stores cache values?

We want to manually enter data (over 100K names) into the file to avoid the 400+ minutes it takes to pull cn records, but we can't find the file that stores the cached values.

Thank you for your help.

-- ShivaGoudarzi - 23 Jan 2008

Should I post that as a new question?

-- ShivaGoudarzi - 23 Jan 2008

WAIT! We found the file, but it is a .db file. What can we use to edit and save this?

-- ShivaGoudarzi - 23 Jan 2008

DON'T edit this file.

If you want to update the cache offline, use a cronjob:

This is done like this:

  • disable automatic cache aging:
    $TWiki::cfg{Ldap}{MaxCacheAge} = 0; 

  • add a cronjob that updates the LDAP cache 0:05 every day:
    5 0 * * * cd <twiki-install-path>/bin && ./view refreshcache=on Main/WebHome >/dev/null 

-- MichaelDaum - 24 Jan 2008
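The cron line in the answer above runs the refresh with nothing around it. With a pull that the question says takes 400+ minutes for 100K names, a practitioner usually wants a guard against two refreshes overlapping, a record of how long the job took, and an exit status cron can mail about. The following wrapper is an added example written for this page, not part of LdapContrib or TWiki: it takes an exclusive, non-blocking flock(2) on a lock file, runs the same `./view refreshcache=on Main/WebHome` command from the answer inside the TWiki bin directory, and returns the exit status and elapsed time. TWIKI_BIN and LOCK_PATH are assumptions for the example and the lock file name is arbitrary.

```python
"""Added example, not part of LdapContrib or TWiki: a locked wrapper around
the nightly cache refresh from the answer above,
    cd <twiki-install-path>/bin && ./view refreshcache=on Main/WebHome
"""
import fcntl
import os
import subprocess
import sys
import time

TWIKI_BIN = "/var/www/twiki/bin"                 # assumption: adjust to your install
LOCK_PATH = "/var/lock/twiki-ldap-refresh.lock"  # assumption: any writable path works
REFRESH_CMD = ["./view", "refreshcache=on", "Main/WebHome"]   # from the answer above


class RefreshSkipped(Exception):
    """Raised when a previous refresh still holds the lock."""


class RefreshLock:
    """Exclusive, non-blocking flock(2) on lock_path, released on exit.

    flock locks belong to the open file description, so a second process
    (or a second open() in this one) trying LOCK_EX|LOCK_NB fails instead
    of starting a parallel multi-hour pull."""

    def __init__(self, lock_path):
        self.lock_path, self.fd = lock_path, None

    def __enter__(self):
        self.fd = os.open(self.lock_path, os.O_RDWR | os.O_CREAT, 0o600)
        try:
            fcntl.flock(self.fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except BlockingIOError:
            os.close(self.fd)
            self.fd = None
            raise RefreshSkipped("refresh already running; lock held on %s"
                                 % self.lock_path)
        return self

    def __exit__(self, *exc):
        os.close(self.fd)   # closing the descriptor releases the flock
        self.fd = None


def refresh_ldap_cache(twiki_bin=TWIKI_BIN, lock_path=LOCK_PATH,
                       cmd=REFRESH_CMD, timeout=None):
    """Run cmd inside twiki_bin under the lock.

    Returns (returncode, elapsed_seconds).  Raises RefreshSkipped if another
    run holds the lock.  If timeout (seconds) is given and exceeded,
    subprocess.TimeoutExpired propagates so cron sees a non-zero exit."""
    with RefreshLock(lock_path):
        start = time.monotonic()
        proc = subprocess.run(cmd, cwd=twiki_bin, stdout=subprocess.DEVNULL,
                              timeout=timeout)
        return proc.returncode, time.monotonic() - start


if __name__ == "__main__":
    try:
        rc, secs = refresh_ldap_cache()
    except RefreshSkipped as e:
        print(e, file=sys.stderr)
        sys.exit(75)            # EX_TEMPFAIL: nothing broke, try again next run
    print("ldap cache refresh exit=%d elapsed=%.0fs" % (rc, secs), file=sys.stderr)
    sys.exit(rc)
```

Put the script in place of the bare `./view` line in the crontab (with `MaxCacheAge = 0` set as the answer describes) and run it as the same user the web server runs as, so the cache database it rewrites keeps the ownership the CGI scripts need to read and write it. Messages go to stderr on purpose: cron mails stderr, so a skipped or failed refresh is noticed rather than silently discarded by the `>/dev/null`.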

Thanks; we followed your suggestion and were successful.

-- ShivaGoudarzi - 24 Jan 2008

Michael, we have a follow-up question about manually disabling the LdapContrib's building of its own cache; we'd appreciate any insight: DisableLdapContribBuildingOfOwnCache.

-- ShivaGoudarzi - 08 Feb 2008

Topic revision: r8 - 2008-02-08 - ShivaGoudarzi
 