Installation

Webwork ldap - active directory settings

by Andrew Calcutt -
Number of replies: 2
Hi,

I am trying to set up the webwork ldap settings and I can't seem to get it working. Looking in login.txt I am getting the following error:
-------------------------------------------------------------
"[Tue Nov 01 16:05:03 2011] LOGIN FAILED user unknown user_id=acalcutt login_type=normal credential_source=params host=10.55.1.41 port=64789 UA=Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1"
-------------------------------------------------------------
The error doesn't seem too helpful and it doesn't seem to be giving me any ldap errors.


My ldap settings in global.conf are as follows:
-------------------------------------------------------------
$authen{user_module} = {
    # sql_moodle => "WeBWorK::Authen::Moodle",
    sql_ldap => "WeBWorK::Authen::LDAP",
    "*" => "WeBWorK::Authen",
};

$authen{ldap_options} = {
    # Edit the host(s) below:
    net_ldap_hosts => [
        "ldap://worcester.local:3268"
    ],
    # connection options
    net_ldap_options => {
        timeout => 30,
        version => 3,
    },
    # base to use when searching for user's DN
    # Edit the data below:
    net_ldap_base => "NULL",

    # Use a Bind account if set to 1
    bindAccount => 1,

    searchDN => "CN=service_webwork,CN=Users,DC=worcester,DC=local",
    bindPassword => "fakepassword",

    # The LDAP module searches for a DN whose RDN matches the username
    # entered by the user. The net_ldap_rdn setting tells the LDAP
    # backend what part of your LDAP schema you want to use as the RDN.
    # The correct value for net_ldap_rdn will depend on your LDAP setup.
    #
    # Uncomment this line if you use Active Directory.
    net_ldap_rdn => "sAMAccountName",
    #
    # Uncomment this line if your schema uses uid as an RDN.
    #net_ldap_rdn => "uid",
    #
    # By default, net_ldap_rdn is set to "sAMAccountName".

    # If failover = "all", then all LDAP failures will be checked
    # against the WeBWorK database. If failover = "local", then only
    # users who don't exist in LDAP will be checked against the WeBWorK
    # database. If failover = 0, then no attempts will be checked
    # against the WeBWorK database. failover = 1 is equivalent to
    # failover = "all".
    failover => 0,
};
-------------------------------------------------------------


If I try to do an ldapsearch on the same machine with the same information, it seems to work properly:

-------------------------------------------------------------
root@wscvwebwork:/opt/webwork/webwork2/conf# ldapsearch -LLL -H ldap://worcester.local:3268 -b 'dc=worcester,dc=local' -D 'CN=service_webwork,CN=Users,DC=worcester,DC=local' -w 'fakepassword' '(sAMAccountName=acalcutt)'
dn: CN=Calcutt\, Andrew,OU=InfoTech,DC=wsc_domain,DC=worcester,DC=local
-snip-
department: Info Technologies
name: Calcutt, Andrew
objectGUID:: g5jDrg79rkidooklbKYBUw==
userAccountControl: 544
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAADHzrJVV9ETFocv4kriUAAA==
sAMAccountName: acalcutt
sAMAccountType: 805306368
legacyExchangeDN: ADCDisabledMail
userPrincipalName: acalcutt@worcester.edu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=worcester,DC=local
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129641427713460582
mail: acalcutt@worcester.edu
msExchUserAccountControl: 0
-------------------------------------------------------------

I thought maybe it was failing because I was using the global catalog port (3268), but I tried changing to port 389 with a correct net_ldap_base and got the same results.

Does anyone have any suggestions?


EDIT: just to note, in my global.conf settings above I have net_ldap_base => "NULL". This was based on http://technet.microsoft.com/en-us/library/cc978012.aspx, which states the search DN can be anything (even NULL) if you are searching the global catalog.

In reply to Andrew Calcutt

Re: Webwork ldap - active directory settings

by Mark Hamrick -
Just did a log scan, the only time I get this error is when the user is not in the course.

The usual problems are either the student has not been added yet, or the login name was added to the course with capitalization. For instance, Acalcutt instead of acalcutt. I also have seen where the email was used for the id. I don't think it matters, but as a rule I also make the login name and the student id match. Our security team asks that we treat the numerical student id like a SSN.


In reply to Mark Hamrick

Re: Webwork ldap - active directory settings

by Andrew Calcutt -
You seem to be correct. My main issue was I did not add this user to the course.

However, my ldap config did need to be changed a little.


(it didn't seem to want to use ldap, but based on an error message I made this change)
sql_ldap => "WeBWorK::Authen::LDAP"
has been changed to
sql_single => "WeBWorK::Authen::LDAP",

Once I did that, it also complained about that "NULL" I added... so I changed that from
net_ldap_base => "NULL",
to
net_ldap_base => "",


Once I did that, it is now authenticating. Thanks for the help.
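The bind-search-bind flow that an LDAP authenticator performs against Active Directory, reproduced as a standalone diagnostic so the LDAP side can be checked separately from course enrollment (the "user unknown" case above). This is an added example, not WeBWorK's own code: it assumes Net::LDAP is installed, reuses the host, service account and global-catalog port from the first post with the corrected empty search base from the last one, and takes the user name and password as command-line arguments.

```perl
#!/usr/bin/perl
# Standalone check of the service-bind -> search -> user-bind flow an
# LDAP authenticator performs against AD. Added example, not WeBWorK code.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my ($user, $password) = @ARGV;
die "usage: $0 <username> <password>\n" unless defined $user && defined $password;

# Global catalog port: an empty search base is valid here (not the string "NULL").
# On port 389 use a real base such as 'DC=worcester,DC=local' instead.
my $host      = 'ldap://worcester.local:3268';
my $base      = '';
my $search_dn = 'CN=service_webwork,CN=Users,DC=worcester,DC=local';
my $bind_pw   = 'fakepassword';   # service account password as posted in the thread

# AD answers a bind with an empty password as a successful anonymous bind,
# so refuse it before talking to the server at all.
die "empty password rejected\n" if $password eq '';

my $ldap = Net::LDAP->new($host, timeout => 30, version => 3)
    or die "connect to $host failed: $@\n";

# Step 1: bind as the service account that performs the lookup.
my $mesg = $ldap->bind($search_dn, password => $bind_pw);
die "service bind failed: " . $mesg->error . "\n" if $mesg->code;

# Step 2: resolve the user's DN by sAMAccountName. The value is escaped so a
# login name containing '*', '(' or ')' cannot widen the filter.
$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => '(sAMAccountName=' . escape_filter_value($user) . ')',
    attrs  => ['1.1'],            # DN only, no attribute values
);
die "search failed: " . $mesg->error . "\n"  if $mesg->code;
die "user '$user' not found in LDAP\n"       if $mesg->count == 0;
die "filter matched more than one entry\n"   if $mesg->count > 1;
my $dn = $mesg->entry(0)->dn;

# Step 3: bind as the user; this is the real credential check. If this
# succeeds but login.txt still says "user unknown", the account simply is
# not enrolled in the course.
$mesg = $ldap->bind($dn, password => $password);
print $mesg->code ? "LDAP auth FAILED for $dn: " . $mesg->error . "\n"
                  : "LDAP auth OK for $dn\n";
$ldap->unbind;
```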