
SID-02032: Apache 2.4X LDAP

Status: Answered
TWiki version: 6.0.1
Perl version: 5.18.2
Category: CategoryAuthentication
Server OS: Ubuntu 14.04
Last update: 10 years ago

Hi, I have inherited this TWiki site so I am not an expert by any means. The current site is from 2003 and I have been tasked with building a new site and transferring the data. I have got the new site up and running but I require LDAP authentication.

I can't seem to be able to find "good" instructions on how to do this. So I will post what I have done in hope that someone can help me.

Apache is 2.4.7 on Ubuntu 14.04

Here is my twiki.conf:

BrowserMatchNoCase ^$ blockAccess
<IfModule mod_perl.c>
    # Mod_perl preloading
    PerlSwitches -T
</IfModule>
# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://example.com/do/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /do "/var/www/twiki/bin"
# The Alias defines a url that points to the twiki pub directory, which
# is the root of file attachments.
Alias /pub "/var/www/twiki/pub"
# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Require all granted"
# lets any IP address access this URL.
<Directory "/var/www/twiki/bin">
    AllowOverride None
    Require all granted
    # Order Allow,Deny
    # Allow from all
    Deny from env=blockAccess
    Options ExecCGI FollowSymLinks
    SetHandler cgi-script
    # Password file for TWiki users
    # LDAPVerifyServerCert off
    AuthType Basic
    AuthName "Wiki: Enter your AD Username/Password"
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative off
    AuthLDAPBindDN "CN=xxx,CN=Users,DC=xxx,DC=xxx,DC=xxx"
    AuthLDAPBindPassword xxx
    AuthLDAPURL ldaps://xxx.xxx.xxx.xxx:636/dc=xxx,dc=xxx,dc=xxx,?sAMAccountName?sub?(objectClass=user)
    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 "Please use your AD username and password to login to this wiki"
    # When using Apache type login the following defines the TWiki scripts
    # that makes Apache ask the browser to authenticate. It is correct that
    # scripts such as view are not authenticated.
    <FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
        require valid-user
    </FilesMatch>
</Directory>
<Directory "/var/www/twiki/pub">
    Options None
    AllowOverride None
    Require all granted
    # Order Allow,Deny
    # Allow from all
    Deny from env=blockAccess
    # Disable execution of PHP scripts
    php_admin_flag engine off
    # This line will redefine the mime type for the most common types of scripts
    AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
    # add an Expires header that is sufficiently in the future that the browser does not even ask if it's up to date
    # reducing the load on the server significantly
    # IF you can, you should enable this - it _will_ improve your twiki experience, even if you set it to under one day.
    # you may need to enable expires_module in your main apache config
    #LoadModule expires_module libexec/httpd/mod_expires.so
    #AddModule mod_expires.c
    #<ifmodule mod_expires.c>
    # <filesmatch "\.(jpg|gif|png|css|js)$">
    # ExpiresActive on
    # ExpiresDefault "access plus 11 days"
    # </filesmatch>
    #</ifmodule>
</Directory>

Am I doing something wrong?

Do I need quotes in AuthLDAPURL?

-- TWiki Guest - 2015-03-10
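
An added example, not part of the original thread: a syntax check for an AuthLDAPURL value of the form `scheme://host:port/basedn?attribute?scope?filter`, which reports a malformed base DN, an unknown scope, an unbalanced filter, an unencrypted scheme, and whitespace that would require quoting the value in the Apache config. The function names, host name and DN components are constructed placeholders.

```python
import re

def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into fields."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    hostport, _, tail = rest.partition("/")
    # At most four '?'-separated fields; a '?' inside the filter is preserved.
    fields = tail.split("?", 3) + [""] * 3
    basedn, attribute, scope, ldap_filter = fields[:4]
    return {"scheme": scheme, "hostport": hostport, "basedn": basedn,
            # Defaults mod_authnz_ldap documents when a field is left empty.
            "attribute": attribute or "uid", "scope": scope or "sub",
            "filter": ldap_filter or "(objectClass=*)"}

def lint_auth_ldap_url(url):
    """Return a list of findings; an empty list means nothing was flagged."""
    f = parse_auth_ldap_url(url)
    findings = []
    # RDNs are separated by unescaped commas; each must be attr=value.
    rdns = re.split(r"(?<!\\),", f["basedn"])
    if any("=" not in r or not r.split("=", 1)[1].strip() for r in rdns):
        findings.append("basedn: empty or malformed RDN (check for a stray comma)")
    if f["scope"] not in ("one", "sub"):
        findings.append("scope: expected 'one' or 'sub', got %r" % f["scope"])
    if f["filter"].count("(") != f["filter"].count(")"):
        findings.append("filter: unbalanced parentheses")
    if f["scheme"] == "ldap":
        findings.append("scheme: ldap:// is cleartext unless STARTTLS is enabled")
    if re.search(r"\s", url):
        findings.append("quoting: value contains whitespace, wrap it in double quotes")
    return findings

# Constructed samples: same shape as the posted URL, placeholder host and DN.
POSTED_SHAPE = ("ldaps://ldap.example.com:636/dc=corp,dc=example,dc=com,"
                "?sAMAccountName?sub?(objectClass=user)")
CLEANED = ("ldaps://ldap.example.com:636/dc=corp,dc=example,dc=com"
           "?sAMAccountName?sub?(objectClass=user)")

if __name__ == "__main__":
    for sample in (POSTED_SHAPE, CLEANED):
        print(sample, "->", lint_auth_ldap_url(sample) or "no findings")
```

The check is purely syntactic and never contacts the directory; it says nothing about whether the bind DN, password or certificate trust are correct.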

Discussion and Answer

I have never used the Apache AuthLDAP approach, so I can't help with this. The LdapContrib works pretty well.

-- Peter Thoeny - 2015-03-10

I can't get the LdapContrib to install. It always gives me errors about Net::LDAP not being installed, but it is installed.

It can't find the Net::LDAP in my @inc path. I have tried many things to get this to work but nothing has solved the issue. I do not know how to add/change what the @inc path contains.

-- TWiki Guest - 2015-03-10

It seems like the LdapContrib has half installed itself, do you know how I can remove it and start over? And fix the Net::LDAP thing?

-- TWiki Guest - 2015-03-10

Install Net::LDAP as root. See HowToInstallCpanModules.

-- Peter Thoeny - 2015-03-10

I have done that. Nothing has worked. I have tried installing it through CPAN and by installing the specific library files.

-- TWiki Guest - 2015-03-11

You can help us by giving some detail about what you've tried and what the symptoms of "nothing has worked" actually are.

  • What is the value of @INC?
  • How did you install Net::LDAP? It is strange that you say it is installed but isn't in @INC.
  • On a command line, what does perl -MNet::LDAP -e 'print grep { /LDAP\.pm/ } values %INC' print?

Some general hints on CPAN modules:

  • For TWiki, you can set libraries as you like in .../bin/LocalLib.cfg. Have you tried to add the directory where Net::LDAP is installed?
  • Don't install with CPAN if your Linux distribution has Net::LDAP as a package (all of them have, as far as I can say). Mixing different installation procedures (package manager, CPAN, "installing specific library files") is a recipe for disaster.

-- Harald Jörg - 2015-03-11

Sorry, I did not hear back from you on the e-mail I sent on real name. Therefore I assume it's not, so I removed your TWiki.org account. TWiki.org has a friendly community where people know each other by their real name. We invite you to register with your real first name and last name, also for your WikiName. If you prefer to stay anonymous you can log in as "TWikiGuest" with password "guest".

-- Peter Thoeny - 2015-03-12

Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!

-- Peter Thoeny - 2015-12-03

SupportForm
Status Answered
Title Apache 2.4X LDAP
SupportCategory CategoryAuthentication
TWiki version 6.0.1
Server OS Ubuntu 14.04
Web server Apache 2.4.7
Perl version 5.18.2
Browser & version

Topic revision: r8 - 2015-12-03 - PeterThoeny
 