LDAP / Active directory


LDAP not working at all

I am very confused as to why I cannot get LDAP auth working.

I have followed the instructions in the login config section here: http://doc.tikiwiki.org/Login+Config
I am authenticating against a Windows 2003 server, which is also running ADAM. I have successfully used LDAP authentication in dotproject, and that works perfectly. I use the same settings for tikiwiki and I get a screen telling me that my username or password is incorrect.

I have my Login settings set for tiki and PEAR::Auth, with all the recommended settings from the login config page.

I added the lines to Smarty.class.php to throw more errors but I am seeing no errors in the syslog or the pages which would indicate what is going wrong.

Would really like to get this working...


I tried that snapshot... same problem, the only difference is that when it returns 'wrong username/password' the login is shunted over to the left about half a page.

One of the problems is I have no way of getting feedback from the LDAP server (Windows... evil)

Is there some way of enabling some debugging info so that I can see what's failing?


Also: not sure if this may have anything to do with it... I am getting this notice on every page:

Notice: A session had already been started - ignoring session_start() in /usr/local/www/tikiwiki/tiki-setup_base.php on line 277

(FreeBSD system)

More information...

I added the lines that are suggested in the wiki relating to anonymous binding not working, and finally learned how to enable logging on the LDAP instance. It turned out that the binding was not using the username and password I specified. I enabled anonymous binding and now it works, so it's definitely something to do with that... not sure how to fix it so I don't have to have it be anonymous binding, but any suggestions are welcome.


I just got my LDAP working on my server. Let's see if you could be having the same problem as I did:

Server: Fedora Core 6
LDAP Server: Active Directory 2003

We needed to access the global catalog to allow any user from any domain to log in.
The ports needed to access the AD global catalog are 3268 for LDAP and 3269 for LDAPS.

Here is the config I used in PEAR::Auth
LDAP URL: ldaps://myldapserver:3269 (this overrides the HOST and PORT fields and forces ldaps)
LDAP Base DN: DC=head,DC=domain,DC=com
LDAP User Attribute: sAMAccountName
LDAP User OC: *
LDAP Group Attribute: cn
LDAP Group OC: groupOfUniqueNames
LDAP Member Attribute: uniqueMember
LDAP Member Is DN: n
LDAP Admin User: user at head.domain.com (we used an admin user, but MS docs said that you only need a valid domain account)
LDAP Admin Pwd: password

Here is where it gets tricky: on Fedora Core 6, SELinux is enabled. This means that LDAP ports 389 and 636 will go through without any problem in the context of httpd, but not 3268 and 3269. If this is the case, you should see something like this in /var/log/messages:

Jun 13 16:59:18 kusanagi kernel: audit(1181768358.219:43): avc: denied { name_connect } for pid=3925 comm="httpd" dest=3269 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To modify your SELinux policy, here is what you can do.
Required: checkpolicy (install with "yum install checkpolicy")

Create a policy module for SELinux to allow port 3269 for the httpd context:

  grep audit /var/log/messages|grep httpd|grep 3269|audit2allow -M ldapads

This creates ldapads.pp and ldapads.te.

Now, load this module into SELinux:

  semodule -i ldapads.pp

To check that everything is all right, run:

  semodule -l

You will see "ldapads 1.0".
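Before piping denials into audit2allow as described above, it is worth checking which ports httpd was actually denied, so that only the expected LDAP/global-catalog ports end up in the generated module rather than every outbound connection httpd ever tried. The script below is an added example and is not part of the thread or of TikiWiki; the log excerpt in it is constructed, modelled on the AVC line quoted above, and the port allowlist (389, 636, 3268, 3269) is an assumption about what a wiki talking to AD should need.

```shell
#!/bin/sh
# Added example (not from the thread): review SELinux AVC denials of outbound
# TCP connects by httpd before feeding them to audit2allow.

# Constructed sample log lines modelled on the AVC denial quoted in the thread.
# Not a real capture: the sendmail, sshd and port-4444 lines are noise added
# to show what the filter must ignore or flag.
SAMPLE_LOG='Jun 13 16:59:18 kusanagi kernel: audit(1181768358.219:43): avc: denied { name_connect } for pid=3925 comm="httpd" dest=3269 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Jun 13 16:59:20 kusanagi kernel: audit(1181768360.100:44): avc: denied { name_connect } for pid=3925 comm="httpd" dest=3268 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Jun 13 17:01:02 kusanagi kernel: audit(1181768462.300:45): avc: denied { name_connect } for pid=4100 comm="sendmail" dest=25 scontext=user_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Jun 13 17:02:10 kusanagi sshd[2211]: Accepted publickey for root from 10.0.0.5
Jun 13 17:03:44 kusanagi kernel: audit(1181768624.512:46): avc: denied { name_connect } for pid=3925 comm="httpd" dest=4444 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# httpd_denied_ports: read syslog text on stdin and print the distinct
# destination ports that httpd was denied name_connect to, one per line,
# in numeric order. The " *" tolerates the double space real kernel output
# puts after "avc:".
httpd_denied_ports() {
    grep 'avc: *denied { name_connect }' \
    | grep 'comm="httpd"' \
    | sed -n 's/.*dest=\([0-9]*\).*/\1/p' \
    | sort -n | uniq
}

# is_expected_ldap_port: succeed only for the ports an AD-backed wiki is
# assumed to need: 389/636 for a domain controller, 3268/3269 for the
# global catalog (assumption for this example).
is_expected_ldap_port() {
    case "$1" in
        389|636|3268|3269) return 0 ;;
        *) return 1 ;;
    esac
}

# review_denials: for each port httpd was denied, print "allow PORT" when it
# is an expected LDAP port (safe to pass to audit2allow) and "review PORT"
# otherwise, since an unexpected outbound connect from httpd may be a
# misconfiguration or worse and should not be silently permitted.
review_denials() {
    httpd_denied_ports | while read -r port; do
        if is_expected_ldap_port "$port"; then
            echo "allow $port"
        else
            echo "review $port"
        fi
    done
}

# Example run against the constructed log instead of /var/log/messages.
printf '%s\n' "$SAMPLE_LOG" | review_denials
```

Run it against the real log with `review_denials < /var/log/messages`; only the lines marked "allow" should be fed to the `grep ... | audit2allow -M ldapads` pipeline from the post above, by grepping for those specific port numbers as the post does rather than for every httpd denial.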