Question
To the esteemed TWiki gurus:
How do we use LDAPContrib with TWiki for basic LDAP authentication? We are newbies to this. We have tried to set up the LDAPContrib Plugin, but it does not work.
We were easily able to set up the LDAPPlugin to display data from our LDAP server onto our TWiki page. Our TWiki is set up with the Oracle HTTP Server from the Oracle Application Server Suite.
Our LDAP server is on a different box and we are using Oracle’s OID server. Our objective is to set up the TWiki system so that it authenticates via this LDAP server for employee authentication.
Our settings are as below:
$TWiki::cfg{PasswordManager} = 'TWiki::Users::LdapUser';
$TWiki::cfg{UserMappingManager} = 'TWiki::Users::LdapUserMapping';
$TWiki::cfg{Ldap}{Host} = 'ldap://devlogin.mickey.net';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'cn=users, dc= mickey,dc=net';
$TWiki::cfg{Ldap}{BindDN} = 'cn=superadmin';
$TWiki::cfg{Ldap}{BindPassword} = 'secret';
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{UseSASL} = 0;
$TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$TWiki::cfg{Ldap}{Debug} = 1;
$TWiki::cfg{Ldap}{UserBase} = 'cn=users, dc= mickey,dc=net';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=inetOrgPerson';
$TWiki::cfg{Ldap}{LoginAttribute} = 'displayname';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{NormalizeLoginName} = 1;
$TWiki::cfg{Ldap}{AllowChangePassword} = 0;
$TWiki::cfg{Ldap}{SecondaryPasswordManager} = 'TWiki::Users::HtPasswdUser';
$TWiki::cfg{Ldap}{GroupBase} = 'cn=Groups, dc= mickey, dc=net';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{NormalizeGroupName} = 0;
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{MaxCacheAge} = 86400;
$TWiki::cfg{Ldap}{PageSize} = 500;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
$TWiki::cfg{Plugins}{LdapPlugin}{Enabled} = 1;
Any insight on the matter is greatly appreciated.
--
ShivaGoudarzi - 10 Jan 2008
Answer
Please be a bit more specific about how you failed. Unfortunately, I haven't been able to test against OID. I hope its principles wrt user accounts and groups aren't diverging substantially from OpenLDAP or Active Directory, which LdapContrib has been used with in various settings.
But let me comment on your current LdapContrib settings above:
- $TWiki::cfg{Ldap}{BindDN} = 'cn=superadmin'; : this must be the full DN, e.g. cn=superadmin,dc=mickey,dc=net
- Try enabling SASL: $TWiki::cfg{Ldap}{UseSASL} = 1; it is switched off in your current setting
That's all I can say so far.
--
MichaelDaum - 10 Jan 2008
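A small offline check for the two points in the answer above (BindDN must be a full DN, SASL is switched off), as an added example that is not part of the original thread or of LdapContrib. The function names are hypothetical and the sample is built from the settings quoted in the question; the check assumes the bind account sits under the same dc= suffix as Base, and the SSL finding is a general LDAP caveat rather than something the thread raises.

```python
import re

# Constructed sample: the connection settings quoted in the question above.
SAMPLE_CFG = """\
$TWiki::cfg{Ldap}{Host} = 'ldap://devlogin.mickey.net';
$TWiki::cfg{Ldap}{Base} = 'cn=users, dc= mickey,dc=net';
$TWiki::cfg{Ldap}{BindDN} = 'cn=superadmin';
$TWiki::cfg{Ldap}{BindPassword} = 'secret';
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{UseSASL} = 0;
"""

SETTING = re.compile(r"^\s*\$TWiki::cfg\{Ldap\}\{(\w+)\}\s*=\s*(?:'([^']*)'|(\d+))\s*;")

def parse_ldap_settings(text):
    """Collect every $TWiki::cfg{Ldap}{Key} = value; line into a dict."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m[1]] = m[2] if m[2] is not None else int(m[3])
    return settings

def rdns(dn):
    """Split a DN on unescaped commas and normalise case and spacing per RDN."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        if attr.strip():
            parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts

def check(settings):
    """Return (setting, message) findings for the points raised in the answer."""
    findings = []
    suffix = [r for r in rdns(settings.get("Base", "")) if r.startswith("dc=")]
    bind = rdns(settings.get("BindDN", ""))
    # Assumption: the bind account lives under the same dc= suffix as Base.
    if bind and suffix and bind[-len(suffix):] != suffix:
        findings.append(("BindDN", "not a full DN, expected it to end in " + ",".join(suffix)))
    tls = settings.get("SSL") or str(settings.get("Host", "")).startswith("ldaps://")
    if not settings.get("UseSASL"):
        findings.append(("UseSASL", "SASL is switched off"))
        # General LDAP fact, not from the thread: a simple bind without TLS is cleartext.
        if settings.get("BindPassword") and not tls:
            findings.append(("SSL", "simple bind sends BindPassword unencrypted"))
    return findings

if __name__ == "__main__":
    print(check(parse_ldap_settings(SAMPLE_CFG)))
```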
Hi Michael,
Sorry for the delay in response. We had investigated the issue further and found that what we mistakenly thought was a failure was actually the session timing out because the cache interval was set less than the time needed to cache all the records from OID. After testing it with a smaller group, the process was successful.
Now our question has evolved: What is the name and path of the file that stores cache values?
We want to manually enter data (over 100K names) into the file to avoid the 400+ minutes it takes to pull cn records, but we can't find the file that stores the cached values.
Thank you for your help.
--
ShivaGoudarzi - 23 Jan 2008
Should I post that as a new question?
--
ShivaGoudarzi - 23 Jan 2008
WAIT! We found the file, but it is a .db file. What can we use to edit and save this?
--
ShivaGoudarzi - 23 Jan 2008
DON'T edit this file.
If you want to update the cache offline, use a cronjob:
This is done like this:
--
MichaelDaum - 24 Jan 2008
Thanks; we followed your suggestion and were successful.
--
ShivaGoudarzi - 24 Jan 2008
Michael, we have a follow-up question about manually disabling the LdapContrib's building of its own cache; we'd appreciate any insight: DisableLdapContribBuildingOfOwnCache.
--
ShivaGoudarzi - 08 Feb 2008