
SID-02149: LDAP Authentication stopped working

Status: Asked
TWiki version: 5.1.1
Perl version: 5.014002
Category: LdapContrib
Server OS: Ubuntu Linux 2.6.42-37
Last update: 1 year ago

Hello,

I inherited a TWiki setup that has no documentation and has not been maintained. Recently it has decided to stop authenticating via LDAP and I am unable to figure out why.

I did not have the admin password, but I was able to reset it via instructions I found about removing a line in a config file, then setting it via the configure script. I can now access the site via this account only.

I have reviewed the LDAP settings in the configure page, and they are correct. I have even corrected the credentials to another set of credentials that I use for other LDAP lookups. I have tested and verified these credentials via the ldaptest script located in /var/www/twiki/tools.

I am at a loss at this point. Nothing has changed about our AD servers in a long time, so I am not sure what else to do.

-- Chris Huff - 2016-02-02

Discussion and Answer

Not sure since your ldaptest is working. Do you use a Perl accelerator such as FastCGI? If so, did you restart the accelerator or Apache?

-- Peter Thoeny - 2016-02-02

I have restarted Apache several times, yes. As well as reboots of the entire server. I don't know much about FastCGI, but it does not appear to be a part of the equation.

-- Chris Huff - 2016-02-02

So, I have continued to search. My logs called twiki-error.log in /var/log/apache2 are full of the following messages:

[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - cacheAge=36206849, maxCacheAge=300, lastUpdate=1418243962, refresh=1
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - WARNING: already refreshing cache
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapUserMapping - called eachGroupMember(TWikiAdminGroup)
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapUserMapping - called eachGroupMember(Administrators)

And then it goes on listing a bunch of other groups. So, obviously the cache is way too old and it seems to be unable to update it. Any idea how I might fix this?

-- Chris Huff - 2016-02-02
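
The log lines in the post above can be triaged mechanically. The following Python script is an added example, not part of the original thread or of LdapContrib: it parses the entries quoted above, flags a cache whose age exceeds maxCacheAge, and counts refresh requests that were followed by the "already refreshing cache" warning. It assumes, from the field names only, that cacheAge and maxCacheAge are in seconds and that lastUpdate is a Unix epoch timestamp; the function name `analyze` is hypothetical.

```python
import re
from datetime import datetime, timezone

# Log lines copied from the post above, one entry per line.
SAMPLE_LOG = """\
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - cacheAge=36206849, maxCacheAge=300, lastUpdate=1418243962, refresh=1
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - WARNING: already refreshing cache
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapUserMapping - called eachGroupMember(TWikiAdminGroup)
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapUserMapping - called eachGroupMember(Administrators)
"""

ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
                   r"- (?P<mod>\w+) - (?P<msg>.*)$")
CACHE = re.compile(r"cacheAge=(\d+), maxCacheAge=(\d+), lastUpdate=(\d+), refresh=(\d+)")


def analyze(log_text):
    """Summarize the LdapContrib cache state seen in twiki-error.log text."""
    report = {"stale": [], "blocked_refreshes": 0}
    pending = False  # True right after an entry that requested a refresh
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m or m["mod"] != "LdapContrib":
            continue  # ignore LdapUserMapping and unrelated entries
        c = CACHE.search(m["msg"])
        if c:
            age, max_age, last, refresh = map(int, c.groups())
            pending = refresh == 1
            if age > max_age:
                # Assumption: lastUpdate is seconds since the Unix epoch.
                when = datetime.fromtimestamp(last, tz=timezone.utc)
                report["stale"].append({
                    "logged": m["ts"],
                    "age_days": age // 86400,
                    "times_over_limit": age // max_age,
                    "last_update_utc": when.isoformat(),
                })
        elif "already refreshing cache" in m["msg"]:
            # A refresh was requested but the warning was logged instead.
            if pending:
                report["blocked_refreshes"] += 1
            pending = False
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against the full twiki-error.log, a blocked_refreshes count that keeps growing while last_update_utc never changes points at the cache file itself, which is where the ownership and writability checks suggested in the replies apply.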

Check if the twiki/working directory and recursively below is all owned by the webserver user.

-- Peter Thoeny - 2016-02-03

Yes, everything appears to be owned by the web server user.

-- Chris Huff - 2016-02-04

I am running out of ideas since you stated that the ldaptest script works as expected.

Possibly still a file ownership issue? Check if twiki/working/work_areas/LdapContrib/cache.db exists and is writable by the webserver user.

Turn on the $TWiki::cfg{Ldap}{Debug} flag in twiki/lib/LocalSite.cfg and watch twiki/data/debug.txt

Add additional debug statements in the code if needed.

-- Peter Thoeny - 2016-02-14

SupportForm
Status Asked
Title LDAP Authentication stopped working
SupportCategory LdapContrib
TWiki version 5.1.1
Server OS Ubuntu Linux 2.6.42-37
Web server Apache 2.2.22
Perl version 5.014002
Browser & version any browser
Topic revision: r7 - 2016-02-14 - PeterThoeny