SID-00543: LDAP login failure for only one person
| Status: | Unanswered |
| TWiki version: | 4.2.4 |
| Perl version: | 5.8.5 |
| Category: | LdapContrib |
| Server OS: | Red Hat Linux 4.8 Ker. 2.6.9 |
| Last update: | 16 years ago |
I'm using LDAP to authenticate users and it all works fine except for one guy. After he registers he can login ok but the overnight cron job that updates the cache seems to damage his record somehow. He can't log in the next day. As far as I know he's the only one.
I see in the warn200909.log file a zillion entries similar to:
LdapContrib - cn=BILL576,ou=People,o=X. BLANKED Bureau,c=US clashes with wikiName cn=BILL598,ou=People,o=X. BLANKED Bureau,c=US on BILLJohnson
The above-mentioned entries all have different names in them. We use a naming convention of 5 letters and 3 numbers for accounts, so there will be a smith001 and a smith020. This seems to generate these warning messages. But I can't tell if this is the problem. Maybe it's completely unrelated.
There are errors in the apache logfile referencing his failure. They look like this:
[error] [client 123.456.789.131] called checkPassword(BILL576, passU), referer: https://MY.TWIKI.HOST.gov:8443/twiki/bin/login/FTD/WebHome
[error] [client 123.456.789.131] dn not found, referer: https://MY.TWIKI.HOST.gov:8443/twiki/bin/login/FTD/WebHome
[Mon Sep 14 10:06:45 2009] [error] [client 123.456.789.131] finishing, referer: https://MY.TWIKI.HOST.gov:8443/twiki/bin/login/FTD/WebHome
[Mon Sep 14 10:06:50 2009] [error] [client 123.456.789.131] constructed a new LdapContrib object, referer: https://twiki.econ.census.gov:8443/twiki/bin/login/FTD/WebHome
[Mon Sep 14 10:06:50 2009] [error] [client 123.456.789.131] called initCache, referer: https://MY.TWIKI.HOST.gov:8443/twiki/bin/login/FTD/WebHome
[Mon Sep 14 10:06:50 2009] [error] [client 123.456.789.131] cacheAge=17306, maxCacheAge=86400, lastUpdate=1252919904, refresh=0, referer: https://MY.TWIKI.HOST.gov:8443/twiki/bin/login/FTD/WebHome
It SEEMS like the system is having trouble distinguishing between 2 similarly named users. The similarity is in LDAP, because there is only one guy with this name registered.
Is there any way to see into the cache.db file to see what this guy's record looks like?
Anything else you can think of that I can look at?
Thanks so much!
glenn
--
GlennStasse - 2009-09-25
Discussion and Answer
Not sure if related, we had a case where a password with an @ character caused a problem.
To debug you could examine the cache.db file. Here is an untested script to dump cached LDAP content. Modify the path to the cache file as needed.
#!/usr/bin/perl -w
use strict;
use Fcntl;          # provides the O_RDONLY flag used below
use DB_File;        # cache.db is a Berkeley DB file, accessed as a tied hash
use Data::Dumper;

# Path to the LdapContrib cache; adjust to your TWiki working directory.
my $cacheFile = '/var/www/twiki/working/work_areas/LdapContrib/cache.db';

# Open the cache read-only so the dump cannot modify it.
my %data;
tie %data, 'DB_File', $cacheFile, O_RDONLY, 0664
  or die "Cannot open file $cacheFile: $!";
print Dumper( \%data );
untie %data;
--
PeterThoeny - 2009-09-28
The problem seems to be something to do with mapping login names to wiki names. Here's one of 170 similar lines from the warnings file:
| 28 Sep 2009 - 05:18 | LdapContrib - cn=johns576,ou=People,o=U.S. Our Division ,c=US clashes with wikiName cn=johns598,ou=People,o=U.S. Our Division,c=US on DavidJohnson |
Apparently the name DavidJohnson shows up more than once, causing trouble. By grepping and awking in the file created by the dumper from above (THANKS!!) I have been able to find all these in just the Johnsons alone:
CMdev004 wikiName johns485 on EmilyJohnson
johns021 wikiName johns541 on MichaelJohnson
Johns030 wikiName johns031 on RuthJohnson
johns037 wikiName johns429 on WilliamJohnson
johns171 wikiName johns589 on KevinJohnson
johns576 wikiName johns598 on DavidJohnson
johns658 wikiName johns032 on SandraJohnson
Johns670 wikiName johns301 on KennethJohnson
johns709 wikiName Johns043 on TimothyJohnson
johns724 wikiName johns504 on SharonJohnson
johnsnnn is the actual username we use for uniqueness. None of the people in the leftmost column have an entry in the datafile, while all of the people in the rightmost column do. It seems like the first DavidJohnson wins and the second one can't get an entry.
Only one of these people is a registered TWIKI user (johns576) and he has no entry in the database after the updater runs. Does the updater have to dump the WHOLE LDAP database? Is there no way to just dump the TWIKI users, a small subset of the whole LDAP database?
--
GlennStasse - 2009-09-28
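As an added example (not code from this thread or from LdapContrib), here is a small Python script that does the "grepping and awking" described above in a repeatable way: it parses the "clashes with wikiName" warning lines, groups them by the contested WikiName, and answers the question Glenn is asking for one login, namely which WikiName it lost and which login currently holds it. It assumes the warning format quoted in the thread, and it takes the left-hand DN to be the login that failed to get a cache entry, as Glenn's observation of the dump suggests; the warning lines below are constructed to match the thread, not real log data.

```python
import re

# Constructed sample lines, modelled on the warn log excerpts quoted in the thread.
# The same clash is logged on every nightly refresh, so duplicates are expected.
SAMPLE_WARNINGS = [
    "| 28 Sep 2009 - 05:18 | LdapContrib - cn=johns576,ou=People,o=U.S. Our Division ,c=US "
    "clashes with wikiName cn=johns598,ou=People,o=U.S. Our Division,c=US on DavidJohnson",
    "| 28 Sep 2009 - 05:18 | LdapContrib - cn=Johns030,ou=People,o=U.S. Our Division,c=US "
    "clashes with wikiName cn=johns031,ou=People,o=U.S. Our Division,c=US on RuthJohnson",
    "| 29 Sep 2009 - 05:18 | LdapContrib - cn=johns576,ou=People,o=U.S. Our Division ,c=US "
    "clashes with wikiName cn=johns598,ou=People,o=U.S. Our Division,c=US on DavidJohnson",
    "| 29 Sep 2009 - 05:18 | LdapContrib - cn=johns021,ou=People,o=U.S. Our Division,c=US "
    "clashes with wikiName cn=johns541,ou=People,o=U.S. Our Division,c=US on MichaelJohnson",
    "| 29 Sep 2009 - 05:19 | LdapContrib - some other message",  # not a clash, must be ignored
]

# Assumed message shape (taken from the thread): the DN on the left could not be cached,
# the DN on the right already owns the WikiName named after "on".
CLASH_RE = re.compile(
    r"LdapContrib - (?P<loser>cn=.+?,c=\w+) clashes with wikiName "
    r"(?P<winner>cn=.+?,c=\w+) on (?P<wikiname>\S+)"
)
CN_RE = re.compile(r"^cn=([^,]+)", re.IGNORECASE)


def cn_of(dn):
    """Return the cn value of a DN such as 'cn=johns576,ou=People,...' (the login name)."""
    m = CN_RE.match(dn.strip())
    return m.group(1).strip() if m else dn.strip()


def parse_clash(line):
    """Parse one warn log line; return (loser_login, winner_login, wikiname) or None."""
    m = CLASH_RE.search(line)
    if not m:
        return None
    return cn_of(m.group("loser")), cn_of(m.group("winner")), m.group("wikiname")


def group_clashes(lines):
    """Map each contested WikiName to the login holding it and the logins that lost it.

    Logins are compared case-insensitively (the thread shows Johns030 and johns031
    side by side), and repeated nightly warnings are collapsed to one entry.
    """
    result = {}
    for line in lines:
        parsed = parse_clash(line)
        if parsed is None:
            continue
        loser, winner, wikiname = parsed
        entry = result.setdefault(wikiname, {"holder": winner, "dropped": []})
        if loser.lower() not in (d.lower() for d in entry["dropped"]):
            entry["dropped"].append(loser)
    return result


def why_login_missing(clashes, login):
    """Return (wikiname, holder) explaining why `login` has no cache entry, or None."""
    for wikiname, entry in clashes.items():
        if any(d.lower() == login.lower() for d in entry["dropped"]):
            return wikiname, entry["holder"]
    return None


if __name__ == "__main__":
    clashes = group_clashes(SAMPLE_WARNINGS)
    for wikiname, entry in sorted(clashes.items()):
        print(f"{wikiname}: held by {entry['holder']}, dropped {', '.join(entry['dropped'])}")
    print(why_login_missing(clashes, "johns576"))
```

To use it against a real installation, replace SAMPLE_WARNINGS with the lines of the monthly warn log (for example `open('warn200909.log')`); a login that appears in the "dropped" list of any WikiName is one the nightly refresh silently left out of cache.db, which matches the "dn not found" failure in the Apache log.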
Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!
--
PeterThoeny - 2009-11-23