Thread: LDAP Authentication Failure

  1. #1

    LDAP Authentication Failure

    I have configured Deki Wiki to use LDAP via my AD server. Here are the settings I have configured:

    SID: http://services.mindtouch.com/deki/s...authentication
    userquery: samAccountName=$1
    hostname: 192.168.100.1
    searchbase: DC=domain,DC=com
    bindingdn: $1@domain.com

    When I attempt to add a user by refreshing from provider, or adding a group, I input my sam account name, and my AD password. When I do that, I receive the following error:

    Error
    Status:401

    Viewing Details:
    Invalid LDAP username or password. Login DN used: 'myuser@domain.com'

    By following the troubleshooting guidelines, I tried accessing the following URL: http://mywiki.domain.com/@api/deki/s...0/users/myuser

    I can correctly query AD all day long using that method. I can query any user, any group just fine. I'm authenticating using my sam account name, and password from AD. I'm using Hayes 1.8. Are there any logs which would provide any more information? Are there any more troubleshooting steps to follow?
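
An added example, not part of the original post and not Deki Wiki's own code: the posted `userquery` and `bindingdn` settings both take the login name through `$1`, and the password appears in neither. The sketch below expands the two templates with RFC 4515 filter escaping for the search and an allow-list for the bind name; the function names and the allow-list pattern are assumptions made for this example.

```python
import re

# Settings exactly as posted in the thread.
USERQUERY = "samAccountName=$1"
BINDINGDN = "$1@domain.com"

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumption for this example: a conservative allow-list for login names.
_LOGIN_NAME = re.compile(r"[A-Za-z0-9._-]{1,20}")


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username: str) -> str:
    """Substitute the login name into userquery with filter escaping applied."""
    return "(" + USERQUERY.replace("$1", escape_filter_value(username)) + ")"


def build_bind_dn(username: str) -> str:
    """Substitute the login name into bindingdn.

    The result is a UPN-style bind name, not a filter, so filter escaping does
    not apply; names outside the allow-list are rejected rather than rewritten.
    """
    if not _LOGIN_NAME.fullmatch(username):
        raise ValueError("login name not usable in bind template")
    return BINDINGDN.replace("$1", username)


if __name__ == "__main__":
    # Constructed sample inputs.
    for name in ("myuser", "my*user(1)"):
        print(name, "->", build_search_filter(name))
    print(build_bind_dn("myuser"))
```
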

  2. #2

    Your settings look fine. Sounds like you're able to authenticate when connecting directly with the ldap service but not when going through the front end. It seems like the username is being sent over (myuser@domain.com) but it's not authenticating.

    You're trying this from the user management screen? Try logging in with an ldap user from the login page instead.

    Make sure you're using the latest C release.

    We've reimplemented much of the user creation logic and that will be available in the Hayes+ release. You may want to wait until then. Otherwise you can try the httppassthrough authentication approach with mod_ldap as described here
    http://forums.opengarden.org/showthread.php?t=407
    or try installing from trunk in svn.

    Stop by our irc channel if you want to discuss this. irc.freenode.net #opengarden

    Max

  3. #3


    I am having the same issue and my Config is set up just like the above (different for my environment). I am using the 1.8 Hayes VMWare VM. When I try to add a group, I get:

    Invalid LDAP username or password. Login DN used: 'jsadmin@gilsbar.int'

    When I try to use the troubleshooting tip at:

    http://wiki.opengarden.org/Deki_Wiki...g_LDAP_Support

    I get an xml page full of all the user's information (this is good, it means it's working).

    When I try to log in from the log in page, I get:

    You put in a bad username or password.

    Please advise, as I would really love to use this feature! If you still suggest to wait on the Hayes+ release, then I guess I will need to wait (I'm not very good at this...

  4. #4

    Working now

    Alright, it's working now. The problem may have been with the user account I was trying to use to authenticate. I could use my own account to authenticate, and pull over AD information through the API, however when I was trying to add a user, it would fail. I tried authenticating using a different AD logon, and my account information pulled over. I did this while logged into the wiki with the local admin account. I could then log onto the wiki using my AD account. When I would attempt to log into the wiki using LDAP credentials, it would return a message that my account was disabled, which is different than a bad user name, or password. So, the setup could have been correct, I just needed to modify the role for my account. I hope that makes some sense to someone. I am using the VM for Deki Wiki. This is the first wiki I've ever been able to get properly using AD as an LDAP source for authentication. As difficult as it was, it was easier than getting SharePoint working properly!

  5. #5

    Your statements could be adapted to a great testimonial. Please add it here: http://wiki.opengarden.org/Community/Testimonials , thanks!
    /Aaron Fulkerson

    Follow me on Twitter: @Roebot
    skype: aaron.fulkerson

    Sharing is good.

  6. #6

    I figured it out

    It's the complexity of the password and/or the username/password response that AD gives.

    1. I have 2 user accounts, 1 admin and 1 non-admin. Both of these accounts have complex passwords which include special characters such as &, *, (. When I log in with one of these accounts I get back "You put in a bad username or password." Password example: password!2

    2. I have a few accounts that don't have special characters in the password. These accounts can log into the DekiWiki. Password example: password12

    I changed the password on my user account to one without special characters and it logs in fine.

    Another issue I'm having is that some of my test accounts without special characters in the passwords cannot log into Deki with the result "This user cannot login - it was probably disabled by the administrator. Please contact your administrator." These accounts are not disabled and are not locked out.

    Any assistance on both of these issues would be very much appreciated. We must be able to have the special characters in the passwords as our complexity requirements are increasing all of the time.

    Thanks!

  7. #7

    Originally posted by jspohrer:
    It's the complexity of the password and/or the username/password response that AD gives.

    1. I have 2 user accounts, 1 admin and 1 non-admin. Both of these accounts have complex passwords which include special characters such as &, *, (. When I log in with one of these accounts I get back "You put in a bad username or password." Password example: password!2

    2. I have a few accounts that don't have special characters in the password. These accounts can log into the DekiWiki. Password example: password12
    ...
    Bad news: It's a bug. (http://bugs.opengarden.org/view.php?id=2359)

    Good news: It's already in the database and assigned to Max, so it should be fixed soon. Hopefully it will be in Hayes+ already.

  8. #8


    Great! I will look forward to the Hayes+ release!

  9. #9

    Yep, I'll be looking at the ldap service password issue shortly. I'm hoping it's an issue with the way I'm encoding vs a problem with the Ldap lib I'm using.

    I'll keep this thread and the bug updated as I look at it.

    As far as the error "This user cannot login - it was probably disabled by the administrator. Please contact your administrator." this is due to the newly authenticated/created account not having any rights to login to the wiki (Login operation). One way to solve this is to set the role for the user in Control Panel / user management. Another way is to add a group in group management with a certain role and have any users you want on the wiki be a part of that group. This way the users inherit their permissions from their group.

    Max
    Last edited by MaxM; 08-20-2007 at 09:25 PM.

  10. #10

    I took a look at authenticating when using various special symbols in the password and encountered no issues. I tried passwords like "pa%(^$$word" and authenticated just fine. I'm testing this on the source in our SVN trunk under linux as well as windows.

    I did add some more logging statements which will save the username/password attempted to the trace log. Hopefully this will help us narrow down if the issue is in our code or in Novell's LDAP lib.

    This will be in Friday's D release. Anyone running from svn source please give this a shot and let me know if you have any luck.

    Max
