LDAP Authentication Failure
bwatland
08-17-2007, 05:24 PM
I have configured Deki Wiki to use LDAP via my AD server. Here are the settings I have configured:
SID: http://services.mindtouch.com/deki/stable/2007/05/ldap-authentication
userquery: samAccountName=$1
hostname: 192.168.100.1
searchbase: DC=domain,DC=com
bindingdn: $1@domain.com
When I attempt to add a user by refreshing from provider, or adding a group, I input my sam account name, and my AD password. When I do that, I receive the following error:
Error
Status:401
Viewing Details:
Invalid LDAP username or password. Login DN used: 'myuser@domain.com'
By following the troubleshooting guidelines, I tried accessing the following URL: http://mywiki.domain.com/@api/deki/services/10/users/myuser
I can correctly query AD all day long using that method. I can query any user, any group just fine. I'm authenticating using my sam account name, and password from AD. I'm using Hayes 1.8. Are there any logs which would provide any more information? Are there any more troubleshooting steps to follow?
Your settings look fine. Sounds like you're able to authenticate when connecting directly with the ldap service but not when going through the front end. It seems like the username is being sent over (myuser@domain.com) but it's not authenticating.
You're trying this from the user management screen? Try logging in with an ldap user from the login page instead.
Make sure you're using the latest C release.
We've reimplemented much of the user creation logic and that will be available in the Hayes+ release. You may want to wait until then. Otherwise you can try the httppassthrough authentication approach with mod_ldap as described here
http://forums.opengarden.org/showthread.php?t=407
or try installing from trunk in svn.
Stop by our irc channel if you want to discuss this. irc.freenode.net #opengarden
Max
jspohrer
08-17-2007, 10:14 PM
I am having the same issue and my Config is set up just like the above (different for my environment). I am using the 1.8 Hayes VMWare VM. When I try to add a group, I get:
Invalid LDAP username or password. Login DN used: 'jsadmin@gilsbar.int'
When I try to use the troubleshooting tip at:
http://wiki.opengarden.org/Deki_Wiki/User_Manual/Adding_LDAP_Support
I get an xml page full of all the user's information (this is good, it means it's working).
When I try to log in from the log in page, I get:
You put in a bad username or password.
Please advise, as I would really love to use this feature! If you still suggest to wait on the Hayes+ release, then I guess I will need to wait (I'm not very good at this... :)
bwatland
08-19-2007, 04:41 PM
Alright, it's working now. The problem may have been with the user account I was trying to use to authenticate. I could use my own account to authenticate, and pull over AD information through the API, however when I was trying to add a user, it would fail. I tried authenticating using a different AD logon, and my account information pulled over. I did this while logged into the wiki with the local admin account. I could then log onto the wiki using my AD account. When I would attempt to log into the wiki using LDAP credentials, it would return a message that my account was disabled, which is different from a bad user name or password. So, the setup could have been correct, I just needed to modify the role for my account. I hope that makes some sense to someone. I am using the VM for Deki Wiki. This is the first wiki I've ever been able to get properly using AD as an LDAP source for authentication. As difficult as it was, it was easier than getting SharePoint working properly!
AaronF
08-19-2007, 04:52 PM
Your statements could be adapted to a great testimonial. Please add it here: http://wiki.opengarden.org/Community/Testimonials , thanks!
jspohrer
08-20-2007, 06:25 PM
It's the complexity of the password and/or the username/password response that AD gives.
1. I have 2 user accounts, 1 admin and 1 non-admin. Both of these accounts have complex passwords which include special characters such as &, *, (. When I log in with one of these accounts I get back "You put in a bad username or password." Password example: password!2
2. I have a few accounts that don't have special characters in the password. These accounts can log into the DekiWiki. Password example: password12
I changed the password on my user account to one without special characters and it logs in fine.
Another issue I'm having is that some of my test accounts without special characters in the passwords cannot log into Deki with the result "This user cannot login - it was probably disabled by the administrator. Please contact your administrator." These accounts are not disabled and are not locked out.
Any assistance on both of these issues would be very much appreciated. We must be able to have the special characters in the passwords as our complexity requirements are increasing all of the time.
Thanks!
merktnichts
08-20-2007, 06:48 PM
Bad news: It's a bug. (http://bugs.opengarden.org/view.php?id=2359)
Good news: It's already in the database and assigned to Max, so it should be fixed soon. Hopefully it will be in Hayes+ already.
jspohrer
08-20-2007, 06:51 PM
Great! I will look forward to the Hayes+ release!
Yep, I'll be looking at the ldap service password issue shortly. I'm hoping it's an issue with the way I'm encoding vs a problem with the Ldap lib i'm using.
I'll keep this thread and the bug updated as I look at it
As far as the error "This user cannot login - it was probably disabled by the administrator. Please contact your administrator." this is due to the newly authenticated/created account not having any rights to login to the wiki (Login operation). One way to solve this is to set the role for the user in Control Panel / user management. Another way is to add a group in group management with a certain role and have any users you want on the wiki be a part of that group. This way the users inherit their permissions from their group.
Max
I took a look at authenticating when using various special symbols in the password and encountered no issues. I tried passwords like "pa%(^$$word" and authenticated just fine. I'm testing this on the source in our SVN trunk under linux as well as windows.
I did add some more logging statements which will save the username/password attempted to the trace log. Hopefully this will help us narrow down if the issue is in our code or in Novell's LDAP lib.
This will be in Friday's D release. Anyone running from svn source please give this a shot and let me know if you have any luck.
Max
merktnichts
08-24-2007, 06:58 AM
Hey Max! Here are the log excerpts: (tested with r5419@tp (orig r5291))
deki-api.log:
2007-08-24 08:46:03,971 [-1235104848] WARN MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
LdapException: (49) Invalid Credentials
LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
LdapException: Matched DN:
info.log:
2007-08-24 08:46:03,971 [-1235104848] WARN MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
LdapException: (49) Invalid Credentials
LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
LdapException: Matched DN:
trace.log:
2007-08-24 08:46:03,971 [-1235104848] WARN MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
LdapException: (49) Invalid Credentials
LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
LdapException: Matched DN:
warning.log:
2007-08-24 08:46:03,971 [-1235104848] WARN MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
LdapException: (49) Invalid Credentials
LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
LdapException: Matched DN:
This was tested with the account "Administrator" with a password containing a $ in a Windows 2000 Advanced Server Active Directory Domain.
In the meantime I changed my passwords in our AD anyway to get rid of the $-problem, so that bug is of minor importance for me now (thank god there are enough other signs on the keyboard one can choose from *g*).
But I changed the Administrator password temporarily back to supply the logs for you. So the bug is not touching us anymore, but whenever you'd like me to test something, just shoot; that's no problem. I'm sure other users (like e.g. jspohrer) still might profit from a fix and I'm happy to contribute some feedback to this open source project.
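The log excerpt above carries more information than the front end shows: LDAP result 49 (invalidCredentials) plus the Active Directory sub-code in "data 52e". The following is an added example (not Deki Wiki code) that pulls both out of a log line of that shape and maps the sub-code to its documented AD meaning, while keeping the message shown to a remote user generic so that "user not found" (0x525) cannot be told apart from "wrong password" (0x52e) by someone enumerating accounts. The sample log text is constructed to match the excerpt in this thread; the function names are this example's own.

```python
import re
from typing import Dict, Optional

# Active Directory appends a hexadecimal sub-code ("data NNN") to the
# LDAP result 49 (invalidCredentials) it returns on a failed simple bind.
# This mapping reproduces documented AD behaviour for diagnosis only.
AD_BIND_SUBCODES: Dict[int, str] = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

RESULT_RE = re.compile(r"LdapException: \((\d+)\) ")
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


def parse_bind_failure(log_text: str) -> Optional[Dict[str, object]]:
    """Extract the LDAP result code and the AD sub-code from a log excerpt.

    Returns None when the excerpt does not contain an LdapException line.
    """
    result = RESULT_RE.search(log_text)
    if result is None:
        return None
    code = int(result.group(1))
    sub = SUBCODE_RE.search(log_text)
    subcode = int(sub.group(1), 16) if sub else None
    if subcode is None:
        reason = "no AD sub-code present"
    else:
        reason = AD_BIND_SUBCODES.get(subcode, "unknown sub-code")
    return {"result_code": code, "subcode": subcode, "reason": reason}


def user_facing_message(parsed: Optional[Dict[str, object]]) -> str:
    """One generic message for every result-49 variant.

    The detailed reason (disabled, locked, wrong password, no such user)
    belongs in the server-side log only; returning it to the browser lets
    a remote caller enumerate valid usernames.
    """
    if parsed is not None and parsed["result_code"] == 49:
        return "Invalid username or password."
    return "Authentication failed; contact your administrator."


# Constructed sample in the shape of the deki-api.log excerpt posted above.
SAMPLE_LOG = """\
2007-08-24 08:46:03,971 [-1235104848] WARN MindTouch.Dream.DreamService - GetLdapConnection(Failed to bind to LDAP server: 'server.xxx.local')
LdapException: (49) Invalid Credentials
LdapException: Server Message: 80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
LdapException: Matched DN:
"""

if __name__ == "__main__":
    parsed = parse_bind_failure(SAMPLE_LOG)
    print(parsed)                       # server side: sub-code 0x52e, wrong password
    print(user_facing_message(parsed))  # front end: generic message
```

Sub-code 52e is a genuine wrong-password answer from AD, so a bind that fails this way while the same credentials work elsewhere points at the credential being altered in transit rather than at the directory, which is what the later posts in this thread go on to find.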
merktnichts
08-24-2007, 07:05 AM
Just to make double-sure: I even tried your test with "Administrator/pa$$word" now - same result, Deki complains about bad credentials as reported above.
One more note: I doubt that it's important to mention, but who knows. ;) It's a German W2K Advanced Server.
SteveB
08-24-2007, 07:45 AM
Ah, it's a _German_ Win2K server!!! did you try € (euro) instead of $? Maybe it's biased... :)
merktnichts
08-24-2007, 12:19 PM
LOL! Nope, Deki doesn't like € either. Now come on, admit it, you coded it to behave like that cause it's open source. :p
Can you take a look at your trace.log for statements starting with "Performing LDAP lookup". This should contain your username/password handed off to the ldap library for binding. Can you make sure this is the correct value as you've typed it in?
You may need to modify your log4net settings at mindtouch.host.exe.config.. At the bottom of this file change <level value="INFO"/> to <level value="TRACE"/>
merktnichts
08-29-2007, 07:09 AM
I just checked trace.log as suggested. Guess what - the $ becomes a %24, that's why it fails.
Ok at last a solid lead for this! For some reason on my system (windows and linux) it comes in just fine. Can you tell me which mono and apache versions you're using? Windows or Linux?
I checked in more logging code at an earlier stage of authentication. Please update to the deki-1.8.2 branch to get this. Look for trace logging statements like "Authenticating" and let me know if the password is encoded here as well.
Max
merktnichts
08-30-2007, 05:35 AM
Mono JIT compiler version 1.2.2.1, (C) 2002-2006 Novell, Inc and Contributors. www.mono-project.com
TLS: normal
GC: Included Boehm (with typed GC)
SIGSEGV: normal
Disabled: none
Server version: Apache/2.2.3
Server built: Jun 17 2007 20:24:06
That's all on a fully patched Debian Etch. I wouldn't want to update to Debian Lenny yet as it's still marked as "testing", and the Debian box Deki is running on is our "production Unix".
I can't find a deki-1.8.2 branch. I saw someone on the crew mention it in another post already and checked it some days ago. I checked again now and can't find it on https://dekiwiki.svn.sourceforge.net/svnroot/dekiwiki/. Could it be that you don't mirror it to SF? Only the trunk seems to be public.
The Mindtouch SVN server isn't accessible from the outside anymore either, as it seems. (svn://dev.opengarden.org/svn only contains a ReadMe.) So there's no chance to get 1.8.2 sources for "the outside".
...Or you know a public URL I don't know yet. ;-)
PeteE
08-30-2007, 02:50 PM
merktnichts - We just created the 1.8.2 branch to do our development on and we haven't setup the sync to SF.net quite yet. Hopefully we'll have that branch mirrored to SF.net within the next 2 days.
Thanks,
pete
Meanwhile if you have the ability to rebuild deki using build.sh you can apply this small patch and give it a shot.
Index: D:/MindTouch/branches/deki-1.8.2/src/services/Deki/Logic/AuthBL.cs
================================================== =================
--- D:/MindTouch/branches/deki-1.8.2/src/services/Deki/Logic/AuthBL.cs (revision 5336)
+++ D:/MindTouch/branches/deki-1.8.2/src/services/Deki/Logic/AuthBL.cs (revision 5337)
@@ -94,6 +94,8 @@
// check if a username was provided
if (!string.IsNullOrEmpty(userName)) {
+ LogUtils.LogTrace(DekiContext.Current.Log, context.Feature.VerbSignature, string.Format("Authenticating ({0}) Username: '{1}' pw: '{2}'", context.Feature.VerbSignature, userName, password));
+
//Case 2: Given username + password
if (authService == null) {
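Review bot: the LogTrace added at line 97 writes the user's cleartext password into the trace log, which persists credentials on disk (and in any log shipping) for anyone who can read the file, and the thread already shows an administrator pasting trace excerpts into a public forum. To diagnose the encoding problem it is enough to log the username together with a non-reversible indicator of the password, for example its length and whether it contains a percent-encoded sequence such as `%24`; replace the `pw: '{2}'` argument with those two values and drop `password` from the format call.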
Some good news on this issue.. While taking a look at http://forums.opengarden.org/showthread.php?t=594 I ran into this encoding issue. Will have a fix for it shortly
PeteE
09-04-2007, 07:56 PM
merktnichts - The deki-1.8.2 (development) branch is now mirrored over to SourceForge. Here are instructions on how to switch to the dev branch
Development SVN Repository (http://wiki.opengarden.org/User:PeteE/Development_SVN_Repository)
thanks,
pete
mikestanley
09-24-2007, 09:03 PM
I'm running the VM, although I updated to 1.8.2 yesterday. I'd hoped the special characters issue would be fixed by 1.8.2 but it looks like it is still there.
For what it is worth, $ works fine in a password for me if it is at the end of the password, but @ does not.
If you can tell me how to get you the logs that might help I'll grab them. I'm no *nix guru but I feel comfortable ssh'ing into the VM and moving around a bit.
DekiWiki's looking awesome, btw. Just have to get the special characters issue resolved as many of my users have them in their passwords.
mikestanley
09-24-2007, 09:25 PM
Just did some more testing of this to see which special characters are and aren't causing a problem.
When I try to login via AD with passwords containing the following:
@ or #
The wiki just hangs indefinitely. Quitting the browser (Safari) kills the session or I just kill the cookie in Firefox, then I can try again.
Oddly enough, passwords containing + result in a bad username or password error, but no hang.
! $ % ^ & * ( ) - _ = all work fine - for me anyway, running 1.8.2 on the VM.
Hmm glad it's working better but I'll take a look at why passwords containing @ and # aren't working.
Bug filed: http://bugs.opengarden.org/view.php?id=2707
Max
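The trace-log finding earlier in this thread ("$ becomes %24") and the character matrix just above describe one failure class: a password that is percent-encoded to ride through a REST hop and then handed to the LDAP bind without being decoded. The following is an added example, not Deki Wiki or Dream code, that models that path in Python's `urllib.parse`, shows the encode-once/decode-once fix beside it, and adds a cheap diagnostic the bind layer can log instead of the password. The buggy function is an assumed reconstruction of the mechanism, and the `+` case (form decoding turning `+` into a space) is offered as a hypothesis for the "+ gives bad password" report, not a confirmed Deki code path.

```python
from typing import Callable, List
from urllib.parse import quote, unquote, unquote_plus

# Characters the thread reports as tested in AD passwords.
REPORTED_CHARS = "!$%^&*()-_=@#+"


def encode_for_uri(secret: str) -> str:
    """Percent-encode every reserved character so the secret can travel
    as a URI component (the transport half of a REST hop)."""
    return quote(secret, safe="")


def buggy_bind_password(typed: str) -> str:
    """Assumed mechanism behind the symptom in the trace log: the encoded
    form is handed to the LDAP bind unchanged, so a typed '$' binds as '%24'."""
    return encode_for_uri(typed)


def fixed_bind_password(typed: str) -> str:
    """Encode for transport, decode exactly once at the receiving end."""
    return unquote(encode_for_uri(typed))


def form_decoded_bind_password(typed: str) -> str:
    """Another common mangling (hypothesis for the '+' report): decoding
    with application/x-www-form-urlencoded rules turns a literal '+'
    into a space."""
    return unquote_plus(typed)


def mangled_characters(handler: Callable[[str], str],
                       alphabet: str = REPORTED_CHARS) -> List[str]:
    """Which characters in `alphabet` does `handler` fail to preserve?"""
    return [c for c in alphabet
            if handler("pa" + c + "word") != "pa" + c + "word"]


def suspect_encoded(bind_value: str) -> bool:
    """Diagnostic for the bind layer: if percent-decoding the value changes
    it, an encoding step upstream was probably never undone. Log only this
    boolean, never the value itself."""
    return unquote(bind_value) != bind_value


if __name__ == "__main__":
    print("buggy path mangles:", mangled_characters(buggy_bind_password))
    print("fixed path mangles:", mangled_characters(fixed_bind_password))
    print("form-decoding mangles:", mangled_characters(form_decoded_bind_password))
    as_bound = buggy_bind_password("pa$$word")
    print("pa$$word reaches bind as", as_bound, "-> suspect:", suspect_encoded(as_bound))
```

`suspect_encoded` is a flag for the trace log, not a gate: a password that genuinely contains a literal `%24` would trip it, so the bind must still be attempted with the value as received, and the fix remains making the receiving side decode exactly once.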
Kendall
10-16-2007, 01:28 AM
Sorry to be a pain, but I am new to DekiWiki and to this forum and I am def no *nix guru. I'm pretty sure I am having the same issues as mentioned in this post. But I want to be sure - where are the logs you talk of with the error messages kept?
Also - How will I know when this issue is resolved and how will I know how to fix it? Should I just keep checking back or is there a way I can be notified?
Kendall
11-22-2007, 12:36 AM
I am still having this issue and I cannot find where the solution is. Can someone please help me?
The last note in the bug http://bugs.opengarden.org/view.php?id=2707 says "This was resolved in Dream Trunk (r6080)"
What is Dream Trunk? How do I solve my problem?
Please help.
SteveB
11-22-2007, 09:18 PM
"Dream" is the underlying REST service-oriented engine that Deki Wiki is built on. It was not properly encoding special characters, which was causing the above issues.
If you can, it would be best if you could wait until 1.8.3 comes out, which will include the updated Dream binaries. Otherwise, someone will have to make a custom build for you.
angus
12-05-2007, 04:12 PM
Is 1.8.3 still on track for a mid December release as stated on the Hayes++ page? Wondering because the password bug is actually preventing us from using the wiki for many of our users.
brigettek
12-05-2007, 10:53 PM
Yes, we are still targeting December 18th.