[Moin-user] SOLVED: Active Directory authentication settings ignored

Poccecai, Davide davide.poccecai at kcl.ac.uk
Mon Jul 1 11:36:18 EDT 2013


Hi all,
I found the source of the problem: the ldap configuration settings had a wrong indentation and they were ignored.
The wiki would work without reporting the error, but the AD authentication would silently fail…
Regards,

Davide

From: <Poccecai>, Davide Poccecai <davide.poccecai at kcl.ac.uk<mailto:davide.poccecai at kcl.ac.uk>>
Date: Friday, 28 June 2013 11:20
To: "moin-user at lists.sourceforge.net<mailto:moin-user at lists.sourceforge.net>" <moin-user at lists.sourceforge.net<mailto:moin-user at lists.sourceforge.net>>
Subject: [Moin-user] Active Directory authentication settings ignored

Hi all,
I set up a moinmoin wiki on Ubuntu 12.04 server, and I wanted to configure AD authentication to a AD domain running on Win 2003 server.
Initially I used the ubuntu python-moinmoin package, and to configure AD authentication I followed the instructions to this webpage:

http://moinmo.in/HowTo/UbuntuAD

but it wouldn't work. So I removed the ubuntu package and I downloaded the latest distribution from MonMoin (1.9.7).
I looked at several other sources of info about moin+AD authentication to check if there was something different, but they were all very similar and my wiki still wouldn't authenticate with AD.
>From the same wiki server, I can successfully contact the AD domain controller using ldapsearch and I can get info about accounts, however, when using the wiki, the ldap authentication configuration in my wikiconfig.py is completely ignored.
This is confirmed by the fact that the log file for my wiki doesn't throw any message about the ldap_authentication:

2013-06-28 09:30:29,705 MoinMoin.log INFO using logging configuration read from "/usr/local/share/moin/config/logging/logfile_debug_auth"
2013-06-28 09:30:29,706 MoinMoin.log INFO Running MoinMoin 1.9.7 release code from /usr/local/lib/python2.7/dist-packages/MoinMoin
2013-06-28 09:30:51,282 MoinMoin.auth DEBUG session started for user None
2013-06-28 09:30:51,282 MoinMoin.auth DEBUG setup_suid returns None, None
2013-06-28 09:31:05,914 MoinMoin.auth DEBUG session started for user None
2013-06-28 09:31:05,915 MoinMoin.auth DEBUG setup_suid returns None, None
2013-06-28 09:31:05,916 MoinMoin.auth DEBUG moin: performing login action
2013-06-28 09:31:06,174 MoinMoin.auth DEBUG moin: could not authenticate user u'poce' (not valid)

while in the moinmoin ldap_login module ( /usr/local/lib/python2.7/dist-packages/MoinMoin/auth/ldap_login.py)  there should be some messages thrown to the log:

try:
    try:
        u = None
        dn = None
        server = self.server_uri
        coding = self.coding
        logging.debug("Setting misc. ldap options...")
        ldap.set_option(ldap.OPT_PROTOCOL_VERSION, ldap.VERSION3) # ldap v2 is outdated
        ldap.set_option(ldap.OPT_REFERRALS, self.referrals)
        ldap.set_option(ldap.OPT_NETWORK_TIMEOUT, self.timeout)
        ...


Also, running tcpdump on the wiki server I cannot see any traffic going towards the AD server, while I can see traffic when I do an ldapsearch towards the same AD server.

The wiki configuration file is reported below:

# -*- coding: iso-8859-1 -*-
# IMPORTANT! This encoding (charset) setting MUST be correct! If you live in a
# western country and you don't know that you use utf-8, you probably want to
# use iso-8859-1 (or some other iso charset). If you use utf-8 (a Unicode
# encoding) you MUST use: coding: utf-8
# That setting must match the encoding your editor uses when you modify the
# settings below. If it does not, special non-ASCII chars will be wrong.

"""
    MoinMoin - Configuration for a single wiki

    If you run a single wiki only, you can omit the farmconfig.py config
    file and just use wikiconfig.py - it will be used for every request
    we get in that case.

    Note that there are more config options than you'll find in
    the version of this file that is installed by default; see
    the module MoinMoin.config.multiconfig for a full list of names and their
    default values.

    Also, the URL http://moinmo.in/HelpOnConfiguration has
    a list of config options.

    ** Please do not use this file for a wiki farm. Use the sample file
    from the wikifarm directory instead! **
"""

import os

from MoinMoin.config import multiconfig, url_prefix_static

class Config(multiconfig.DefaultConfig):

    # Critical setup  ---------------------------------------------------

    # Directory containing THIS wikiconfig:
    wikiconfig_dir = os.path.abspath(os.path.dirname(__file__))

    # We assume that this config file is located in the instance directory, like:
    # instance_dir/
    #              wikiconfig.py
    #              data/
    #              underlay/
    # If that's not true, feel free to just set instance_dir to the real path
    # where data/ and underlay/ is located:
    #instance_dir = '/where/ever/your/instance/is'
    instance_dir = wikiconfig_dir
    #instance_dir = '/usr/share/moin'

    # Where your own wiki pages are (make regular backups of this directory):
    data_dir = os.path.join(instance_dir, 'data', '') # path with trailing /

    # Where system and help pages are (you may exclude this from backup):
    data_underlay_dir = os.path.join(instance_dir, 'underlay', '') # path with trailing /

    # The URL prefix we use to access the static stuff (img, css, js).
    # Note: moin runs a static file server at url_prefix_static path (relative
    # to the script url).
    # If you run your wiki script at the root of your site (/), just do NOT
    # use this setting and it will automatically work.
    # If you run your wiki script at /mywiki, you need to use this:
    #url_prefix_static = '/mywiki' + url_prefix_static

    # Wiki identity ----------------------------------------------------

    # Site name, used by default for wiki name-logo [Unicode]
    sitename = u'MyWiki'

    # Wiki logo. You can use an image, text or both. [Unicode]
    # For no logo or text, use '' - the default is to show the sitename.
    # See also url_prefix setting below!
    logo_string = u'<img src="%s/common/moinmoin.png" alt="MoinMoin Logo">' % url_prefix_static

    # name of entry page / front page [Unicode], choose one of those:

    # a) if most wiki content is in a single language
    #page_front_page = u"MyStartingPage"

    # b) if wiki content is maintained in many languages
    page_front_page = u"Home"

    # The interwiki name used in interwiki links
    #interwikiname = u'UntitledWiki'
    # Show the interwiki name (and link it to page_front_page) in the Theme,
    # nice for farm setups or when your logo does not show the wiki's name.
    #show_interwiki = 1


    # Security ----------------------------------------------------------

    # This is checked by some rather critical and potentially harmful actions,
    # like despam or PackageInstaller action:
    #superuser = [u"YourName", ]
    superuser = [u"WikiAdmin", ]

    # IMPORTANT: grant yourself admin rights! replace YourName with
    # your user name. See HelpOnAccessControlLists for more help.
    # All acl_rights_xxx options must use unicode [Unicode]
    acl_rights_before = u"WikiAdmin:read,write,delete,revert,admin poce:read,write,delete,revert,admin"

    # The default (ENABLED) password_checker will keep users from choosing too
    # short or too easy passwords. If you don't like this and your site has
    # rather low security requirements, feel free to DISABLE the checker by:
    #password_checker = None # None means "don't do any password strength checks"

    # Link spam protection for public wikis (Uncomment to enable)
    # Needs a reliable internet connection.
    #from MoinMoin.security.antispam import SecurityPolicy


    # Mail --------------------------------------------------------------

    # Configure to enable subscribing to pages (disabled by default)
    # or sending forgotten passwords.

    # SMTP server, e.g. "mail.provider.com" (None to disable mail)
    mail_smarthost = "my_smtp_server.mydomain.org"

    # The return address, e.g u"J<FC>rgen Wiki <noreply at mywiki.org<mailto:noreply at mywiki.org>>" [Unicode]
    mail_from = u"I<noreply at mydomain.org"

    # "user pwd" if you need to use SMTP AUTH
    #mail_login = ""

    # User interface ----------------------------------------------------

    # Add your wikis important pages at the end. It is not recommended to
    # remove the default links.  Leave room for user links - don't use
    # more than 6 short items.
    # You MUST use Unicode strings here, but you need not use localized
    # page names for system and help pages, those will be used automatically
    # according to the user selected language. [Unicode]
    navi_bar = [
        # If you want to show your page_front_page here:
        #u'%(page_front_page)s',
        u'RecentChanges',
        u'FindPage',
        u'HelpContents',
    ]

    # The default theme anonymous or new users get
    theme_default = 'modern'

    # Attachment enabled - davide 20080314
    allowed_actions = ['AttachFile']

    # Language options --------------------------------------------------

    # See http://moinmo.in/ConfigMarket for configuration in
    # YOUR language that other people contributed.

    # The main wiki language, set the direction of the wiki pages
    language_default = 'en'

    # the following regexes should match the complete name when used in free text
    # the group 'all' shall match all, while the group 'key' shall match the key only
    # e.g. CategoryFoo -> group 'all' ==  CategoryFoo, group 'key' == Foo
    # moin's code will add ^ / $ at beginning / end when needed
    # You must use Unicode strings here [Unicode]
    page_category_regex = ur'(?P<all>Category(?P<key>(?!Template)\S+))'
    page_dict_regex = ur'(?P<all>(?P<key>\S+)Dict)'
    page_group_regex = ur'(?P<all>(?P<key>\S+)Group)'
    page_template_regex = ur'(?P<all>(?P<key>\S+)Template)'

    # Content options ---------------------------------------------------

    # Show users hostnames in RecentChanges
    show_hosts = 1

    # Enable graphical charts, requires gdchart.
    #chart_options = {'width': 600, 'height': 300}

    tz_offset = 1.0 # default time zone offset in hours from UTC

# -------- LDAP authentication ------------------

from MoinMoin.auth.ldap_login import LDAPAuth
ldap_authenticator1 = LDAPAuth(
    ###server_uri='ldap://my_ad_server',  # ldap / active directory server URI - you can use the server name
    server_uri = 'ldaps://my_ad_server:636',  # ldap / active directory server URI - you can use the server name
                                    # use ldaps://server:636 url for ldaps,
                                    # use  ldap://server for ldap without tls (and set start_tls to 0),
                                    # use  ldap://server for ldap with tls (and set start_tls to 1 or 2).
    bind_dn = 'active_ad_user', # DN we use for first bind (AD)
    bind_pw = '*********', # password we use for first bind
   ###bind_dn = '%(username)s at mydomain.org<mailto:s at mydomain.org>', # DN we use for first bind (AD)
    ###bind_pw = '%(password)s', # password we use for first bind
    base_dn='CN=Users,DC=gipl',  # base DN we use for searching
    scope=2, # scope of the search we do (2 == ldap.SCOPE_SUBTREE)
    referrals=0, # LDAP REFERRALS (0 needed for AD)
    search_filter='(sAMAccountName=%(username)s)',  # ldap filter used for searching:
                                         #search_filter = '(sAMAccountName=%(username)s)' # (AD)
                                         #search_filter = '(uid=%(username)s)' # (OpenLDAP)
                                         # you can also do more complex filtering like:
                                         # "(&(cn=%(username)s)(memberOf=CN=WikiUsers,OU=Groups,DC=example,DC=org))"
    # some attribute names we use to extract information from LDAP (if not None,
    # if None, the attribute won't be extracted from LDAP):
    givenname_attribute='givenName', # often 'givenName' - ldap attribute we get the first name from
    surname_attribute='sn', # often 'sn' - ldap attribute we get the family name from
    aliasname_attribute='displayName', # often 'displayName' - ldap attribute we get the aliasname from
    email_attribute='mail', # often 'mail' - ldap attribute we get the email address from
    email_callback=None, # callback function called to make up email address
    coding='utf-8', # coding used for ldap queries and result values
    timeout=10, # how long we wait for the ldap server [s]
    start_tls=0, # usage of Transport Layer Security 0 = No, 1 = Try, 2 = Required
    tls_require_cert=0, # 0 == ldap.OPT_X_TLS_NEVER (needed for self-signed certs)
    bind_once=True, # set to True to only do one bind - useful if configured to bind as the user on the first attempt
    autocreate=True, # set to True to automatically create/update user profiles
)
auth = [ldap_authenticator1, ] # this is a list, you may have multiple ldap authenticators
                               # as well as other authenticators
# ------------------------------------- End of LDAP authentication -------------------------------


I also tried to authenticate with ldap instead of ldaps, but the result is the same, and by the way, ldaps works fine with ldapsearch…
Am I missing something? Any idea why the auth option is totally ignored?
Many thanks,

Davide


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/moin-user/attachments/20130701/14355232/attachment.html>


More information about the Moin-user mailing list