Dear Webwork,
We've just started up a new Webwork installation and are unable to authenticate users with Active Directory using the Webwork LDAP module. Using the same information, we can successfully query the AD server using the unix tool 'ldapsearch'. Our setup is: Webwork 2.4.9 on Ubuntu 10.04.02LTS, and the global.conf has been appropriately edited as described in the wiki.
What should we try next?
Cheers, and thanks,
Randy Cone
Hi Randy,
You should see some ldap related error messages in
webwork/courses/<course_name>/logs/login.log
What is that telling you? Also, what revision do you have of LDAP.pm?
(To find out, in webwork/webwork2/lib/WeBWorK/Authen/ do
svn info LDAP.pm | grep Revision
)
Also, can you share your ldap settings with us (sans private stuff)?
Thanks,
Jason
You should see some ldap related error messages in
webwork/courses/<course_name>/logs/login.log
What is that telling you? Also, what revision do you have of LDAP.pm?
(To find out, in webwork/webwork2/lib/WeBWorK/Authen/ do
svn info LDAP.pm | grep Revision
)
Also, can you share your ldap settings with us (sans private stuff)?
Thanks,
Jason
Jason,
Here is what it's telling me:
The revision of LDAP.pm is:
Revision: 6864
There have been very few changes to the global.conf file, w.r.t. ldap, here are some appropriate sections with private stuff edited out:
$authen{user_module} = {
sql_moodle => "WeBWorK::Authen::Moodle",
# sql_ldap => "WeBWorK::Authen::LDAP",
# "*" => "WeBWorK::Authen",
"*" => "WeBWorK::Authen::LDAP",
};
$authen{ldap_options} = {
# hosts to attempt to connect to, in order. For example:
# auth.myschool.edu -- uses LDAP scheme and port 389
# ldap://auth.myschool.edu:666 -- non-standard port
# ldaps://auth.myschool.edu -- uses LDAPS scheme and port 636
# ldaps://auth.myschool.edu:389 -- SSL on non-SSL port
# Edit the host(s) below:
net_ldap_hosts => [
"appropriateldapserver.vmi.edu",
],
# connection options
net_ldap_options => {
timeout => 30,
version => 3,
},
# base to use when searching for user's DN
# Edit the data below:
net_ldap_base => "dc=vmi,dc=edu",
# Use a Bind account if set to 1
bindAccount => 1,
searchDN => "cn=appropriateadministratoraccount,DC=vmi,DC=edu",
bindPassword => "reallytoughpasswordwithperlinterpolationaccountedfor",
# If failover = "all", then all LDAP failures will be checked
# against the WeBWorK database. If failover = "local", then only
# users who don't exist in LDAP will be checked against the WeBWorK
# database. If failover = 0, then no attempts will be checked
# against the WeBWorK database. failover = 1 is equivalent to
# failover = "all".
failover => "all",
};
Thanks for your help. We're excited at the possibility of getting a functional Webwork server up for testing this semester.
Cheers,
Randy
Here is what it's telling me:
AUTH LDAP: bind error 49: The wrong password was supplied or the SASL credentials could not be processed
The revision of LDAP.pm is:
Revision: 6864
There have been very few changes to the global.conf file, w.r.t. ldap, here are some appropriate sections with private stuff edited out:
$authen{user_module} = {
sql_moodle => "WeBWorK::Authen::Moodle",
# sql_ldap => "WeBWorK::Authen::LDAP",
# "*" => "WeBWorK::Authen",
"*" => "WeBWorK::Authen::LDAP",
};
$authen{ldap_options} = {
# hosts to attempt to connect to, in order. For example:
# auth.myschool.edu -- uses LDAP scheme and port 389
# ldap://auth.myschool.edu:666 -- non-standard port
# ldaps://auth.myschool.edu -- uses LDAPS scheme and port 636
# ldaps://auth.myschool.edu:389 -- SSL on non-SSL port
# Edit the host(s) below:
net_ldap_hosts => [
"appropriateldapserver.vmi.edu",
],
# connection options
net_ldap_options => {
timeout => 30,
version => 3,
},
# base to use when searching for user's DN
# Edit the data below:
net_ldap_base => "dc=vmi,dc=edu",
# Use a Bind account if set to 1
bindAccount => 1,
searchDN => "cn=appropriateadministratoraccount,DC=vmi,DC=edu",
bindPassword => "reallytoughpasswordwithperlinterpolationaccountedfor",
# If failover = "all", then all LDAP failures will be checked
# against the WeBWorK database. If failover = "local", then only
# users who don't exist in LDAP will be checked against the WeBWorK
# database. If failover = 0, then no attempts will be checked
# against the WeBWorK database. failover = 1 is equivalent to
# failover = "all".
failover => "all",
};
Thanks for your help. We're excited at the possibility of getting a functional Webwork server up for testing this semester.
Cheers,
Randy
That error generally means the bind account is wrong. appropriateadministratoraccount should have been AppropriateAdministratoraccount or something along those lines. We have a lot of problems every year because new student try there id as Userid instead of userid, I think capitalization applies to the bind account also.
Also, can you post your working ldapsearch command with server/pass removed?
Interesting. In verifying that I'd put the correct capitalization for the bind account name in both the ldapsearch query and the global.conf file, and they were indeed identical, I tried the following in the global.conf file:
instead of:
searchDN => "cn=AdminFoo, DC=vmi, DC=edu",
I put:
searchDN => "AdminFoo\@vmi.edu",
and voila, we have success.
instead of:
searchDN => "cn=AdminFoo, DC=vmi, DC=edu",
I put:
searchDN => "AdminFoo\@vmi.edu",
and voila, we have success.