I have a private MediaWiki with the MediaWiki LdapAuthentication extension and the php ldap extension installed; and the following LocalSettings.php LDAP configuration:
require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "MYDOMAINALIAS" ); // alias name for the domain
$wgLDAPServerNames = array( "MYDOMAINALIAS" => "192.168.1.82" ); // ldap server IP or DNS
$wgLDAPSearchStrings = array( "MYDOMAINALIAS" => "uid=USER-NAME,cn=users,dc=mydomain,dc=com" );
$wgLDAPUseLocal = true; // ldap authentication only or ldap plus local mediawiki authentication
$wgLDAPBaseDNs = array("MYDOMAINALIAS" => "dc=mydomain,dc=com"); // dn base
$wgLDAPEncryptionType = array( "MYDOMAINALIAS" => "clear" ); // type of encryption clear, tls or ssl
$wgLDAPDebug = 3; // debuggin level
$wgDebugLogGroups["ldap"] = "/volume1/web/MediaWiki/debug-wiki.log" ; // the file has to exist
when I try to log in the wiki with an LDAP user I get the following error:
Incorrect username or password entered. Please try again.
The debug-wiki.log shows the following message:
2019-10-23 15:47:56 192.168.1.79 wiki-wiki_ikb_en_: 2.1.0 Entering Connect
2019-10-23 15:47:56 192.168.1.79 wiki-wiki_ikb_en_: 2.1.0 It looks like you are missing LDAP support; please ensure you have either compiled LDAP support in, or have enabled the module. If the authentication is working for you, the plugin isn't properly detecting the LDAP module, and you can safely ignore this message.
I know that the LDAP server is working because it is also serving a PGina user authentication service which is working correctly. Any ideas?
Thanks in advance
The server had installed two versions of PHP, and the one running the webserver did not have the ldap extension active. Once it was installed, it worked as expected. I am leaving the question here in case it can be of any help to someone with a similar scenario.
Related
I need to do NTLM authentication over LDAP protocol. For this I am trying to use Unbound ID LDAP SDK and jcifs-ng together. Everything works fine if domain controllers doesn't require LDAP signing (integrity check). If LDAP signing is enabled, code fails with message
The server requires binds to turn on integrity checking if SSL\TLS are
not already active on the connection
If I use NtlmFlags.NTLMSSP_NEGOTIATE_SIGN flag for Type3Message, code fails with following message ( even if LDAP Signing is disabled in domain controller )
resultCode :: 49 (invalid credentials) resultCode :: 80090302:
LdapErr: DSID-0C090588, comment: AcceptSecurityContext error, data 1, v2580
Please point me to any other way or the mistake in my approach to construct Type3Message properly. Thanks in advance.
NTLM signing was achieved using apache httpclient library instead of using jcifs-ng
I am struggling to create a frontend login in TYPO3. I followed instructions on https://docs.typo3.org/typo3cms/EditorsTutorial/AccessControl/Login/Index.html but it is impossible to log in with the given user. It always says wrong user / password.
generated a folder for fe-users
activated module felogin
generated a fe-user in the folder for fe-users
RSA disabled and deleted
no redirect after login
TYPO3 8.7.4
Does anyone have an idea of what else could go wrong? Thank you
If You have not used rsaauth then changed loginSecurityLevel rsa to normal in LocalConfiguration.php file. Like below.
'FE' => [
'debug' => true,
'loginSecurityLevel' => 'normal',
],
Sounds like no cookies are allowed. For a login you need cookies being enabled.
And the cookies need to match the domain and protocol, (https != http)
If cookies are okay, then perhaps your TypoScript doesn't load the JavaScript file (should default to load, but you can prevent this) which is necessary for salting and/or RSA encryption.
Did you set the storage pid for your users in the constant styles.content.loginform.pid?
I have installed "Domino Sample REST Service Feature" from 901v00_11.20141217-1000 version of XPages Extension Library. OpenNtfSample service (com.ibm.domino.services.sample.service.SampleService) works as it should in general and the only problem with it that it completely ignores authentication settings of the server.
I have tried both Basic and Session Authentication as described in Authenticating Domino REST Service Requests and the result I get is the following - the service returns data always and does not ask for any user name and password.
The server is configured with Session Authentication now and I get password prompt when I try to access
{my_server}/api/data
but does not get it when I open
{my_server}/api/sample
After I had added this Web Site Rule
Description: DAS service
Type of rule: Override Session Authentication
Incoming URL pattern: /api/
the server changed password prompt for
{my_server}/api/data
but
{my_server}/api/sample
remained open.
Has anybody experienced this kind of error? Can anybody help me password protect this sample service so that I could start developing my own once based this example?
The /api/sample resource is wide open on purpose. That just returns a link to the contacts resource -- /xpagesext.nsf/api/sample/contacts.
If you really want to prevent anonymous access to the /api/sample resource, there are two possible solutions: 1) Disable anonymous access for all HTTP requests, or 2) Make a change to the RootResource class. The first solution is a server config change. I'm sure you can find details about that elsewhere. Since this is StackOverflow, I'll focus on the second solution.
As you have already noticed, we don't allow anonymous access to the /api/data resource. You can mimic that behavior in the /api/sample resource with a simple change to RootResource.getLinks(). Near the top of the method, just add these lines of code:
boolean authenticated = false;
Session session = ContextInfo.getUserSession();
if ( session != null ) {
String userName = session.getEffectiveUserName();
if ( userName != null && !userName.equals("Anonymous")) {
authenticated = true;
}
}
if ( !authenticated ) {
throw new NoAccessSignal("Need user context");
}
By the way, you won't need to make the same change to the contacts resource class (ContactsListResource.java). Because the contacts resource URL includes a database name (xpagesext.nsf), the web server will attempt to open the database before forwarding the request to the REST service. You can prevent anonymous access to the contacts resource by changing the ACL of xpagesext.nsf. Just make sure the default access is "No access".
Project which I am currently working is developed using ZF and dojo.
For our Development and Production server we have basic user authentication which is handled using apache's virtual host config file (by having users and password files).
When we type the server URL, it will pop-up the authentication window. It is working well.
We have following controllers in our project.
Index
profile
Error
Signoff
But now our client has come up with a new requirement that only for "Signoff Controller", they would like to allow access to everyone in the network without any authentication.
But if they try to access other controllers it should ask for user authentication.
Kindly let me know your thoughts about solving this issue either by using .htaccess( apache URL rewrite ) or ZF classes if any.
You should probably try to set this up in Zend as it will give you a more flexible setup.
// just a simple example to get you started
$config = array(
'accept_schemes' => 'basic digest',
'realm' => 'My Web Site',
'digest_domains' => '/members_only /my_account',
'nonce_timeout' => 3600,
);
$adapter = new Zend_Auth_Adapter_Http($config);
Check out more on the Zend Manual on different types of auth.
How can I authenticate a user with LDAP using CGI/TCL stack?
Please provide a sample code-snippet if possible.
I am using an Apache Web Server on RHEL 5.0; AD exists on a remote Win2003 server.
Here is an example that will connect to an ldap server and retrieve all of the info ldap has about an email address:
package require ldap
set sEmailAddress "user#example.com"
set handle [::ldap::connect example.com 3268]
ldap::bind $handle
set result [::ldap::search $handle "dc=example,dc=com" "(mail=$sEmailAddress)" {sAMAccountName}]
foreach {object attributes} $result {
foreach {name val} $attributes {
puts "$name\t$val"
}
}
Here's the ldap package. You first bind using some "bind user" who can see everyone. You then search for the user based on some attribute like e-mail address or sAMAccountName. If the user exists, bind again using the given password and the full path of the user.