Description
Describe the bug...
Steps to reproduce
- Set up LDAP authentication
- Log in to wiki using LDAP authentication
- Change password that LDAP is authenticating to
- Can't log in to wiki using LDAP (new password or old password fails)
Example
Component selection
- general
Details
| MoinMoin Version | 1.7.1 |
| OS and Version | Debian GNU Linux Lenny |
| Python Version | 2.5.2 |
| Server Setup | |
| Server Details | |
| Language you are using the wiki in (set in the browser/UserPreferences) | . |
Workaround
Discussion
Sounds weird. Do you have more details? Otherwise it will be a bit hard to look for the reasons.
E.g. your wiki config, a log made for MoinMoin.auth on debug level, etc.
Is your new password pure ASCII?
Here is my farmconfig.py
that file is empty
Yes, the password is pure ASCII. The LDAP authentication worked fine until I changed the password where LDAP is authenticating to. How do I get a MoinMoin.auth debug? I can see in the .../data/user/userfile that the password is empty. Is that the way it is supposed to be for the LDAP authenticated IDs since MoinMoin automatically creates a user matching the LDAP ID?
I figured out what the problem was. In order to get LDAP to work, I had to modify .../MoinMoin/auth/ldap_login.py. I had to add the following line between the bse/endbse comments:
```python
binddn = self.bind_dn % locals()
bindpw = self.bind_pw % locals()
#bse
binddn = l.search_s('ou=bluepages,o=ibm.com', ldap.SCOPE_SUBTREE, 'mail=%s' % username)[0][0]
#endbse
l.simple_bind_s(binddn.encode(coding), bindpw.encode(coding))
```
Of course, when MoinMoin was updated it overwrote my changes. Which brings me to another question: is there a way I can get the authentication to work without having to modify ldap_login.py? Here is a sample program that shows how I have to authenticate to make it work:
```python
import ldap
from getpass import getpass, getuser
import logging


def bluePagesAuthenticate(intranetId):
    """
    bluePagesAuthenticate(user_email) -> Boolean

    Given an intranet ID, authenticate to blue pages.
    Prompts for password.
    Returns True if authenticated,
    False if it fails to authenticate.
    """
    authenticated = False
    #ldap.set_option(ldap.OPT_DEBUG_LEVEL,255)
    bluePagesUrl = 'ldap://bluepages.ibm.com:389'
    bp = ldap.initialize(bluePagesUrl)
    bp.protocol_version = ldap.VERSION3
    try:
        # Search (without binding first) for the entry that owns this mail address
        entry = bp.search_s('ou=bluepages,o=ibm.com', ldap.SCOPE_SUBTREE, 'mail=%s' % intranetId)
        dn = entry[0][0]
        # Bind as that DN to check the password
        bp.bind_s(dn, getpass())
        bp.unbind()
        authenticated = True
    except ldap.INVALID_CREDENTIALS:
        logging.error('Authentication failed, invalid credentials.')
    except Exception:
        logging.exception('Authentication failed, LDAP error.')
    return authenticated


intranetId = "%s@us.ibm.com" % getuser()
ret = bluePagesAuthenticate(intranetId)
if ret:
    print("authenticated")
else:
    print("failed")
```
I don't want to have to hard-code an id/pw in farmconfig to do the initial binding, for which I will have to keep changing the password. With my farmconfig.py and a one-line change in ldap_login.py everything works, as long as I don't forget to make the change every time there is a MoinMoin update.
Some ideas:
- In any case, if ldap_login does not work for your environment, you could just copy it to the directory where your wikiconfig lives, modify it and then import that class for your auth configuration.
- Maybe you can make ldap_login work for you. The first bind it does is just to be able to access the directory at all. That should work by either using a fixed "admin" login or by using user/password of the current user. It then searches for the real dn to check against and does a 2nd bind - this is for checking the current user/password.
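The search-then-bind flow discussed above (look up the user's DN by `mail`, then bind as that DN to check the password), as an added example that is not MoinMoin's ldap_login code and not part of the original discussion. It runs against a constructed in-memory directory so it needs no LDAP server; `search_then_bind`, `escape_filter_value`, `FakeDirectory`, `InvalidCredentials` and the sample entry are hypothetical names and made-up data.

```python
# Added example; all names below are hypothetical, not MoinMoin or python-ldap API.
SCOPE_SUBTREE = 2  # same value as ldap.SCOPE_SUBTREE

class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS so this runs without python-ldap."""

def escape_filter_value(value):
    """Escape the RFC 4515 special characters in a search-filter value."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def search_then_bind(conn, base_dn, username, password):
    """Return the DN that authenticated, or None."""
    if not password:
        return None  # empty password = unauthenticated bind, which servers may accept
    flt = '(mail=%s)' % escape_filter_value(username)
    entries = conn.search_s(base_dn, SCOPE_SUBTREE, flt)
    if len(entries) != 1:
        return None  # unknown or ambiguous user: do not fall back to entries[0]
    dn = entries[0][0]
    try:
        conn.simple_bind_s(dn, password)  # second bind: the actual password check
    except InvalidCredentials:
        return None
    return dn

class FakeDirectory(object):
    """Constructed in-memory stand-in for an LDAP connection."""
    def __init__(self, users):
        self.users = users  # mail -> (dn, password)
        self.last_filter = None
    def search_s(self, base_dn, scope, flt):
        self.last_filter = flt
        value = flt[len('(mail='):-1]
        if value == '*':  # an unescaped wildcard matches every entry
            return [(dn, {}) for dn, _pw in self.users.values()]
        return [(self.users[value][0], {})] if value in self.users else []
    def simple_bind_s(self, dn, password):
        if password == '':
            return  # mimics a server that treats this as an anonymous bind
        if (dn, password) not in self.users.values():
            raise InvalidCredentials(dn)

# Constructed sample entry
SAMPLE_USERS = {'alice@example.com': ('uid=alice,ou=people,o=example', 'correct horse')}

def demo():
    d = FakeDirectory(SAMPLE_USERS)
    base = 'ou=people,o=example'
    return [search_then_bind(d, base, u, p) for u, p in [
        ('alice@example.com', 'correct horse'), ('alice@example.com', 'wrong'),
        ('alice@example.com', ''), ('*', 'correct horse')]]
```

With python-ldap installed, the escaping helper corresponds to `ldap.filter.escape_filter_chars`, and a real connection object provides the same `search_s` and `simple_bind_s` calls.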
Plan
- Priority:
- Assigned to:
- Status: user reverted a local patch he did and therefore it stopped working