SID-02416: AD Authentication not working 6.1.0 on Debian 10

Status: Asked
TWiki version: 6.1.0
Perl version: 5.30
Category: LdapContrib
Server OS: Debian 10
Web server: Apache 2.4
Last update: 5 years ago

I have set up TWiki according to the guide and it seems to be working. I need now to set TWiki to work with our AD server (Windows Server). So I installed LdapContrib using the built in extension installer (I installed all the cpan modules previously manually) and every time I attempt to login using my AD credentials I get this error message;

TWiki detected an internal error - please check your TWiki logs and webserver logs for more information.

Can't locate object method "LdapContrib=HASH(0x55866ff9a2d8)" via package "TWiki::Contrib"

The debug.txt says this;

2019-10-18 - 15:32:02 cacheAge=9999999999, maxCacheAge=86400, LASTUPDATED=0, refresh=1 (::1/ssoid/web.topic/callerFile:callerLine)
2019-10-18 - 15:32:02 called refreshCache with mode 1, preserveTWikiUserMapping: 0 (::1/ssoid/web.topic/callerFile:callerLine)
2019-10-18 - 15:32:02 tieing cache with mode read (::1/ssoid/web.topic/LdapContrib.pm:891)
2019-10-18 - 15:32:02 called isGroup(tmarinescu) (::1/ssoid/Main.WebHome/callerFile:callerLine)
2019-10-18 - 15:32:02 called checkCacheForGroupName(tmarinescu) (::1/ssoid/Main.WebHome/LdapContrib.pm:2184)
2019-10-18 - 15:32:02 called getGroupNames() (::1/ssoid/Main.WebHome/callerFile:callerLine)
2019-10-18 - 15:32:02 called isIgnoredGroup(tmarinescu) (::1/ssoid/Main.WebHome/LdapContrib.pm:3405)
2019-10-18 - 15:32:02 called getAllIgnoredGroups() (::1/ssoid/Main.WebHome/callerFile:callerLine)
2019-10-18 - 15:32:02 group tmarinescu is unknown, need to refresh part of the ldap cache (::1/ssoid/Main.WebHome/callerFile:callerLine)
2019-10-18 - 15:32:02 called getGroup(tmarinescu) (::1/ssoid/Main.WebHome/callerFile:callerLine)
2019-10-18 - 15:32:02 called untieCache () (::1/ssoid/Main.WebHome/LdapContrib.pm:521)

This is my LocalSite.cfg for the ldap module;

$TWiki::cfg{Ldap}{Debug} = 1;
$TWiki::cfg{Ldap}{Host} = 'host.ad.server.com';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=ad,dc=server,dc=com';
$TWiki::cfg{Ldap}{BindDN} = 'cn=specialuser,ou=accounts,ou=other,ou=users,dc=ad,dc=server,dc=com';
$TWiki::cfg{Ldap}{BindPassword} = 'secret';
$TWiki::cfg{Ldap}{UseSASL} = 0;
$TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$TWiki::cfg{Ldap}{GSSAPIuser} = '';
$TWiki::cfg{Ldap}{UseTLS} = 0;
$TWiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$TWiki::cfg{Ldap}{TLSVerify} = 'require';
$TWiki::cfg{Ldap}{TLSCAPath} = '';
$TWiki::cfg{Ldap}{TLSCAFile} = '';
$TWiki::cfg{Ldap}{TLSClientCert} = '';
$TWiki::cfg{Ldap}{TLSClientKey} = '';
$TWiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$TWiki::cfg{Ldap}{UserScope} = 'sub';
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$TWiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$TWiki::cfg{Ldap}{LoginPattern} = '^.+$';
$TWiki::cfg{Ldap}{MailAttribute} = 'mail';
$TWiki::cfg{Ldap}{WikiNameAttributes} = 'cn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$TWiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$TWiki::cfg{Ldap}{WikiNameAliases} = '';
$TWiki::cfg{Ldap}{AllowChangePassword} = 0;
$TWiki::cfg{Ldap}{PreserveTWikiUserMapping} = 0;
$TWiki::cfg{Ldap}{PreserveWikiNames} = 0;
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{GroupScope} = 'sub';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{GroupPattern} = '^.+$';
$TWiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$TWiki::cfg{Ldap}{MemberAttribute} = 'memberUid';
$TWiki::cfg{Ldap}{InnerGroupAttribute} = 'memberUid';
$TWiki::cfg{Ldap}{MemberIndirection} = 0;
$TWiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$TWiki::cfg{Ldap}{CaseSensitiveGroup} = 0;
$TWiki::cfg{Ldap}{RewriteGroups} = {};
$TWiki::cfg{Ldap}{MergeGroups} = 0;
$TWiki::cfg{Ldap}{GroupBase} = ['ou=group,dc=ad,dc=server,dc=com'];
$TWiki::cfg{Ldap}{UserBase} = ['ou=users,dc=ad,dc=server,dc=com'];
$TWiki::cfg{Ldap}{BaseGroup} = 'dc=ad,dc=server,dc=com';
$TWiki::cfg{Ldap}{Precache} = 'all';
$TWiki::cfg{Ldap}{MaxCacheAge} = 86400;
$TWiki::cfg{Ldap}{CLIOnlyRefresh} = 0;
$TWiki::cfg{Ldap}{PageSize} = 500;
$TWiki::cfg{Ldap}{BackupCacheFile} = 0;
$TWiki::cfg{Ldap}{BackupFileAge} = 0;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiAdminGroup,TWikiGuest,TWikiContributor,RegistrationAgent,UnknownUser,AdminGroup,NobodyGroup,AdminUser,admin,guest';
$TWiki::cfg{Plugins}{NewUserPlugin}{Enabled} = 1;

So I disabled "MapGroups" and the error goes away; however, it refuses to let me log in, saying "Oops: we could not recognize you".

No user gets created or anything. I had the exact same issue with OpenSUSE distro. I manually deleted the cache.db and cache.db.lock files in case it cached wrong but nothing. On OpenSUSE I successfully ran the ldaptest tool and it properly fetched the AD data so the connections are correct.

Forgot to mention, the user mapping and password manager are both set to their Ldap versions and the login manager is set to TemplateLogin. I changed nothing about them.

-- Tudor Marinescu - 2019-10-18

Discussion and Answer

Hello,

Were you able to get this working? I have the same issue with 6.1 on CentOS.

Thanks, Kevin

-- Kevin Kastensmidt - 2020-05-22

Getting LDAP working on AD can be tricky. I recommend starting with the tools/ldaptest tool, found in the LdapContrib, to confirm that the bind user is working, and that the protocol and port etc. are correct. Some AD servers are configured to require ldaps with a proper cert.

Once the connection is confirmed you can try the auth in TWiki.

If needed you can hire one of the TWikiConsultants to help you out.

-- Peter Thoeny - 2020-05-23
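As an added example (not LdapContrib's ldaptest, nor any TWiki code), the bind and the two searches Peter describes, done directly with Net::LDAP using the values from the LocalSite.cfg in the question; host, base DNs, bind DN and password are that question's placeholders, and a reachable directory is assumed:

```perl
# Added diagnostic, not TWiki or LdapContrib code. Binds with the LocalSite.cfg
# values and runs the user and group searches LdapContrib issues, so the bind
# account, port and filters can be checked outside the wiki. Host, DNs and
# password are the placeholders from the question; replace them with your own.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my %cfg = (
    Host            => 'host.ad.server.com',
    Port            => 389,
    BindDN          => 'cn=specialuser,ou=accounts,ou=other,ou=users,dc=ad,dc=server,dc=com',
    BindPassword    => 'secret',
    UserBase        => 'ou=users,dc=ad,dc=server,dc=com',
    GroupBase       => 'ou=group,dc=ad,dc=server,dc=com',
    LoginFilter     => 'objectClass=user',
    LoginAttribute  => 'sAMAccountName',
    GroupFilter     => 'objectClass=group',
    MemberAttribute => 'memberUid',
);
my $login = shift @ARGV;
die "usage: $0 <login>\n" unless defined $login;
$login = escape_filter_value($login);   # never splice raw input into a filter
my $ldap = Net::LDAP->new($cfg{Host}, port => $cfg{Port}, version => 3)
    or die "connect to $cfg{Host}:$cfg{Port} failed: $@\n";
# If the server requires TLS (UseTLS = 1), upgrade before binding:
# my $tls = $ldap->start_tls(verify => 'require'); die $tls->error if $tls->code;
my $bind = $ldap->bind($cfg{BindDN}, password => $cfg{BindPassword});
die "bind as $cfg{BindDN} failed: " . $bind->error . "\n" if $bind->code;
print "bind ok\n";

# User lookup, built from LoginFilter and LoginAttribute like LdapContrib does.
my $users = $ldap->search(base => $cfg{UserBase}, scope => 'sub',
    filter => "(&($cfg{LoginFilter})($cfg{LoginAttribute}=$login))",
    attrs  => ['cn', 'mail', $cfg{LoginAttribute}]);
die "user search failed: " . $users->error . "\n" if $users->code;
printf "user search: %d entries\n", $users->count;
print "  ", $_->dn, "\n" for $users->entries;

# Group lookup: groups whose MemberAttribute lists this login. A user found
# above but 0 groups here is the first thing to check: GroupBase, GroupFilter
# or MemberAttribute may not match how this directory records membership.
my $groups = $ldap->search(base => $cfg{GroupBase}, scope => 'sub',
    filter => "(&($cfg{GroupFilter})($cfg{MemberAttribute}=$login))",
    attrs  => ['cn']);
die "group search failed: " . $groups->error . "\n" if $groups->code;
printf "group search: %d entries\n", $groups->count;
print "  ", $_->get_value('cn'), "\n" for $groups->entries;
$ldap->unbind;
```

Run it as `perl adcheck.pl <sAMAccountName>` from the wiki host, so the traffic it generates can be compared on tcpdump with what the wiki itself sends.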

Thanks for the update! I was able to test ok with the ldaptest tool. I started over with version 6.0.2 and was able to get it working. After upgrading to 6.1, it won't work again. I've got a third installation going now which is acting like the original. The cache.db file won't update. I've tried the refresh but it's just not taking it.

-- Kevin Kastensmidt - 2020-05-28

Can something be corrupting the perl net:ldap module? The original 6.1 installation of LdapContrib ran fine with the below output from the installer:

### LdapContrib Installer ###

This installer must be run from the root directory of your TWiki installation.
* You can abort the script at any point and re-run it later
* If you answer 'no' to any questions you can always re-run the script again later
##########################################################
Checking dependency on Authen::SASL....
##########################################################
Checking dependency on DB_File::Lock....
##########################################################
Checking dependency on DB_File....
##########################################################
Checking dependency on Digest::MD5....
##########################################################
Checking dependency on Net::LDAP....
##########################################################
Checking dependency on IO::Socket::SSL....
##########################################################
Checking dependency on Unicode::MapUTF8....
##########################################################

After configuring like my working 6.0.2 version, I ran tcpdump to our domain controller watching for port 389. The ldaptest tool shows the communication between our twiki server and the domain controller. But doing the ldap refresh (i.e. ?refreshldap=force or ?refreshldap=on) doesn't show any traffic. Trying to login doesn't show any traffic.

I decided to reinstall LdapContrib doing it as an upgrade. The installer this time shows the following with an error on net:ldap.

### LdapContrib Installer ###

This installer must be run from the root directory of your TWiki installation.
* You can abort the script at any point and re-run it later
* If you answer 'no' to any questions you can always re-run the script again later
##########################################################
Checking dependency on Authen::SASL....
##########################################################
Checking dependency on DB_File::Lock....
##########################################################
Checking dependency on DB_File....
##########################################################
Checking dependency on Digest::MD5....
##########################################################
Checking dependency on Net::LDAP....
* LdapContrib depends on cpan package Net::LDAP >=0.33 which is described as "Required"
  But when I tried to find it I got this error:

Attempt to reload Net/LDAP.pm aborted. Compilation failed

##########################################################
Checking dependency on IO::Socket::SSL....
##########################################################
Checking dependency on Unicode::MapUTF8....
##########################################################

However, that does exist:

[root@twiki LdapContrib]# perl -MNet::LDAP -e 'print Net::LDAP->VERSION."\n";'
0.56
[root@twiki LdapContrib]#

I tried to reinstall the perl ldap module but that didn't help either.

-- Kevin Kastensmidt - 2020-05-28
