Question

Related modules (installed):

• LdapContrib
  • v0.91
• LdapNgPlugin
  • v0.20
• NewUserPlugin
  • v0.11

There are times when I will attempt to login (LDAP) and it will work, and other times the login page acts like I hit the refresh button. It just empties the fields. I will reenter the information and perhaps it will work, perhaps not.

I had previously thought that logins for the Sandbox web were exempt from this problem but that is not the case.

I'm not as much worried about using LDAP groups for authorization purposes as using TWiki groups will give the authorization controls that I want. So if stability can be gained by disabling group lookups, I am all for it.

Help is very much appreciated!

Notes:

• LDAP server is a Windows 2003 Standard server
• Bugzilla installation on the same server as TWiki using LDAP authentication (only) has been working fine for several months now.
• Apache mod_auth_ldap works great (Subversion setup uses this for authentication).

Environment

-- DeorenMoor - 29 Mar 2007

Answer

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.

MichaelDaum:

I spoke with you briefly about two weeks ago on this issue and you mentioned enabling debug output for the scripts.

LdapUserMapping - adding wikiName=FirstLast, loginName=first.last

It shows the mappings working (substitution above).

Anybody see anything wrong with my settings?

I know queries work because I can use ldapsearch and the Bugzilla installation on this same server works just fine (which only allows LDAP logins).

-- DeorenMoor - 10 Apr 2007

The "spotty" nature of the problem may point towards a mod_perl issue together with LdapUserMapping (though I don't know of any issue there). Could you try whether the bug persists if you run all scripts with SetHandler cgi-script ?

-- HaraldJoerg - 11 Apr 2007

From the chat I had today on IRC:

IRC chat log where HaraldJoerg and Lavr helped out

-- DeorenMoor - 11 Apr 2007

To make it easier to find for others, changing:

        <FilesMatch "(attach|edit|manage|rename|save|upload|view|.*auth).*">
            SetHandler cgi-script
             PerlResponseHandler ModPerl::Registry
             PerlSendHeader On
             PerlOptions +ParseHeaders
        </FilesMatch>

to

        <FilesMatch "(attach|edit|manage|rename|save|upload|view|.*auth).*">
            SetHandler cgi-script
#             PerlResponseHandler ModPerl::Registry
#             PerlSendHeader On
#             PerlOptions +ParseHeaders
        </FilesMatch>

disabled mod_perl and logins seemed to be reliable then.

Anybody see anything wrong with the mod_perl configuration?

Thanks for reading this!

-- DeorenMoor - 11 Apr 2007

Whoops! The last part was a bad copy/paste. The line in the first block that reads:

SetHandler cgi-script

was actually

SetHandler perl-script

By changing the perl-script part to cgi-script and commenting out the Perl* parts, mod_perl was disabled and the scripts are executed as cgi.

-- DeorenMoor - 11 Apr 2007

added link in LdapContribDev

-- SvenDowideit - 30 Apr 2007

Please upgrade to the latest LdapContrib v1.0.1 and try again, please.

-- MichaelDaum - 01 May 2007

Closing this after more than 30 days inactivity; re-open if needed...

-- PeterThoeny - 02 Jun 2007

I recently upgraded to the latest versions of LdapContrib and LdapNgPlugin (1.11 and 1.01 respectively). I'm also using mod_perl.

It seems that even mid session for some users, their TWiki name reverts to their LDAP login name (uid) and the mapping is lost. This means users aren't part of groups, etc.

I've just disabled mod_perl again to see if this correct the problem. However, it seems that restarting the web server (Apache 2.0) usually works, so I figure it must be mod_perl related?

Once it happens for one user, it seems to occur for anyone logging in (ie: the user name mapping no longer occurs for anyone).

If anyone has any idea how this can be corrected, I would appreciate any input. Please let me know which configuration files, etc, might be useful. This did seem to occur occasionally, if rarely, in older versions, but is definitely more common since the upgrade (perhaps more people are just using our Wiki than before).

-- JohnTobin - 13 Aug 2007

Sorry, closing this after more than 30 days of inactivity. Please feel free to reopen a new question.

-- PeterThoeny - 03 Oct 2007

This was a problem of the LDAP caching. Please try the latest release of the LdapContrib.

-- MichaelDaum - 11 Oct 2007

• LocalSite.cfg: LocalSite.cfg

• error_log.submitted: Apache2 error log showing failed login

• twiki_successful_bind.submitted: Debug output showing successful login

• configure.html: Output from configure script

• wiki.conf: Apache2 vhost file included by main httpd.conf

• 75_mod_perl.conf: Gentoo specific mod_perl config

• apache2-mod_perl-startup.pl.txt: Included by 75_mod_perl.conf