
SID-00665: Active Directory LdapContrib Authentication Problem

Status: Unanswered | TWiki version: 4.3.1 | Perl version: 5.8.8
Category: CategoryAuthentication | Server OS: CentOS 5.4 | Last update: 15 years ago

I am attempting to get authentication with Active Directory working on my TWiki using the latest version of LdapContrib and TWiki 4.3.1.

After configuring everything, TWiki seems to find my username upon login, but rejects the password:

[Fri Dec 11 15:26:57 2009] [error] [client yyy] - LdapContrib - called search(filter=(&(objectClass=organizationalPerson)(saMAccountName=myusername)), base=mybase, scope=sub, limit=0, attrs=*), referer: http://xxxxx/twiki/bin/login/Main/WebHome
[Fri Dec 11 15:26:57 2009] [error] [client 1yyy] - LdapContrib - called connect, referer: http://xxxxx/twiki/bin/login/Main/WebHome
[Fri Dec 11 15:26:57 2009] [error] [client yyy] - LdapContrib - proxy bind, referer: http://xxxxx/twiki/bin/login/Main/WebHome
[Fri Dec 11 15:26:57 2009] [error] [client yyy] - LdapContrib - found 1 entries, referer: http://xxxxx/twiki/bin/login/Main/WebHome
[Fri Dec 11 15:26:57 2009] [error] [client yyy] - LdapContrib - finishing, referer: http://xxxxx/twiki/bin/login/Main/WebHome
[Fri Dec 11 15:26:57 2009] [error] [client yyy] - LdapContrib - called disconnect(), referer: http://xxxxx/twiki/bin/login/Main/WebHome

What am I doing wrong here?

The important parts of my config are as follows:

$TWiki::cfg{Ldap}{Base} = 'DC=our,DC=org';
$TWiki::cfg{Ldap}{UserBase} = 'OU=HQ,OU=Users,OU=DNC,DC=work,DC=org';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=organizationalPerson';
$TWiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'givenName,sn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$TWiki::cfg{Ldap}{WikiNameAliases} = '';

-- LeoZhadanovsky - 2009-12-11

Discussion and Answer

Getting all the settings right on LDAP/AD can be challenging. Enable debug in the LdapContrib (and uncomment some debug statements).

See related ProblemwithLDAPContrib and other LDAP questions.

-- PeterThoeny - 2009-12-14

I have enabled writeDebug but it is not being any more verbose than it was before.

I have also noticed that all of the error output goes to my Apache error_log and nothing goes in debug.txt.

-- LeoZhadanovsky - 2009-12-15

I now have this working.

However, this is the problem I am having:

I am logging in through authnz_ldap and using the group mapping feature of LdapContrib. This is set up against Active Directory.

The problem I am having is that if I log in with all lower case letters, everything is OK. If I log in with mixed case letters, it logs me in properly, but does not allow me into groups that I am a part of.

How would I go about fixing this?

-- LeoZhadanovsky - 2009-12-18

Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community; it is more likely you get community support if you support the open source project!

-- PeterThoeny - 2010-02-02

SupportForm
Status Unanswered
Title Active Directory LdapContrib Authentication Problem
SupportCategory CategoryAuthentication
TWiki version 4.3.1
Server OS CentOS 5.4
Web server Apache 2
Perl version 5.8.8
Topic revision: r5 - 2010-02-02 - PeterThoeny
 