SID-02149: LDAP Authentication stopped working
Status: Asked
TWiki version: 5.1.1
Perl version: 5.014002
Category: LdapContrib
Server OS: Ubuntu Linux 2.6.42-37
Last update: 10 years ago
Hello,
I inherited a TWiki setup that has no documentation and has not been maintained. Recently it has decided to stop authenticating via LDAP and I am unable to figure out why.
I did not have the admin password, but I was able to reset it via instructions I found about removing a line in a config file, then setting it via the configure script. I can now access the site via this account only.
I have reviewed the LDAP settings in the configure page, and they are correct. I have even corrected the credentials to another set of credentials that I use for other LDAP lookups. I have tested and verified these credentials via the ldaptest script located in /var/www/twiki/tools.
I am at a loss at this point. Nothing has changed about our AD servers in a long time, so I am not sure what else to do.
--
Chris Huff - 2016-02-02
Discussion and Answer
Not sure since your ldaptest is working. Do you use a Perl accelerator such as FastCGI? If so, did you restart the accelerator or Apache?
--
Peter Thoeny - 2016-02-02
I have restarted Apache several times, yes. As well as reboots of the entire server. I don't know much about FastCGI, but it does not appear to be a part of the equation.
--
Chris Huff - 2016-02-02
So, I have continued to search. My logs, called twiki-error.log in /var/log/apache2, are full of the following messages:
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - cacheAge=36206849, maxCacheAge=300, lastUpdate=1418243962, refresh=1
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - WARNING: already refreshing cache
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapUserMapping - called eachGroupMember(TWikiAdminGroup)
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapUserMapping - called eachGroupMember(Administrators)
And then it goes on listing a bunch of other groups. So, obviously the cache is way too old and it seems to be unable to update it. Any idea how I might fix this?
--
Chris Huff - 2016-02-02
Check if the twiki/working directory and recursively below is all owned by the webserver user.
--
Peter Thoeny - 2016-02-03
Yes, everything appears to be owned by the web server user.
--
Chris Huff - 2016-02-04
I am running out of ideas since you stated that the ldaptest script works as expected.
Possibly still a file ownership issue? Check if twiki/working/work_areas/LdapContrib/cache.db exists and is writable by the webserver user.
Turn on the $TWiki::cfg{Ldap}{Debug} flag in twiki/lib/LocalSite.cfg and watch twiki/data/debug.txt.
Add additional debug statements in the code if needed.
--
Peter Thoeny - 2016-02-14
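A small shell check for the two things suggested above (ownership below twiki/working, and an existing, writable cache.db), plus a helper that reads how far the cache in the quoted log lines is past maxCacheAge. This is an added example, not code from the thread or from LdapContrib; it assumes the TWiki root directory and the webserver user name are passed as arguments, and the sample log file it demos against is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of LdapContrib itself.
# check_ldap_cache_perms TWIKI_ROOT WEB_USER
#   Lists anything under TWIKI_ROOT/working not owned by WEB_USER and checks
#   that LdapContrib's cache.db exists, is owned by WEB_USER and carries the
#   owner-write bit. Returns 0 when every check passes, 1 otherwise.
check_ldap_cache_perms() {
    root=$1; user=$2; rc=0
    workdir="$root/working"
    cache="$workdir/work_areas/LdapContrib/cache.db"
    [ -d "$workdir" ] || { echo "missing directory: $workdir"; return 1; }
    # Every file or directory below twiki/working with the wrong owner.
    wrong=$(find "$workdir" ! -user "$user")
    if [ -n "$wrong" ]; then
        echo "not owned by $user:"; echo "$wrong"; rc=1
    fi
    if [ ! -f "$cache" ]; then
        echo "cache file missing: $cache"; rc=1
    # -perm -200 is the POSIX spelling of "owner write bit is set".
    elif [ -z "$(find "$cache" -user "$user" -perm -200)" ]; then
        echo "cache file not writable by $user: $cache"; rc=1
    fi
    return $rc
}

# cache_staleness LOGFILE
#   Reads the last "LdapContrib - cacheAge=..., maxCacheAge=..." line from
#   the Apache error log and prints how many seconds the cache is past its
#   maximum age (0 when it is still fresh).
cache_staleness() {
    line=$(grep 'LdapContrib - cacheAge=' "$1" | tail -n 1)
    [ -n "$line" ] || { echo "no cacheAge line in $1" >&2; return 1; }
    # The leading space keeps "maxCacheAge=" from matching the first pattern.
    age=$(printf '%s\n' "$line" | sed 's/.* cacheAge=\([0-9]*\).*/\1/')
    max=$(printf '%s\n' "$line" | sed 's/.*maxCacheAge=\([0-9]*\).*/\1/')
    if [ "$age" -gt "$max" ]; then echo $((age - max)); else echo 0; fi
}

# Demo against a constructed log file holding the lines quoted in the thread.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - cacheAge=36206849, maxCacheAge=300, lastUpdate=1418243962, refresh=1
[Tue Feb 02 16:06:51 2016] [error] [client 10.4.2.53] - LdapContrib - WARNING: already refreshing cache
EOF
echo "cache is $(cache_staleness "$demo_log") seconds past maxCacheAge"
rm -f "$demo_log"
```

Run it as `check_ldap_cache_perms /var/www/twiki www-data` on the server; a non-zero exit plus the printed paths is what needs chown or chmod before the refresh can succeed.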