Mailing List Archive: Trac: Users

[LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2)

Index | Next | Previous | View Threaded

osefattitude at gmail

Apr 24, 2008, 3:17 AM

Post #1 of 9 (244 views)
Permalink

[LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2)

On 4/17/08, Vincent H. <> wrote:
> On Thu, Apr 17, 2008 at 12:28 PM, Noah Kantrowitz <> wrote:
> > Use http://pypi.python.org/pypi/TracLDAPAuth/1.0
> >

Well I tried TracLDAPAuth for two days now and I still get the same message :

Invalid username or password

So I tried LDAPAuthStore again and managed to get it loaded in
accountmanager by installing fcrypt module for windows :
http://home.clear.net.nz/pages/c.evans/sw/
and patching ldap_store.py or ldap_store.2.py (I tried both files)

But the following message then appeared :

TracError: Unable to open LDAP cnx: Invalid credentials

So I tried to put my user and password directly into api.py of ldappluggin
(line 632)

if ( head.find('=') == -1 ):
self.bind_user = '%s=%s' % (self.uidattr, self.bind_user)
self._ds.simple_bind_s('dbagent', 'dbagent')

Then I could clic on users in the admin panel without getting an
error. But when I tried to login I have the "Invalid username or
password" message again....
And new error messages in the debug logs :
2008-04-24 12:10:46,648 Trac[main] DEBUG: 328 unreachable objects found.
2008-04-24 12:10:46,742 Trac[api] ERROR: LDAP error: Size limit exceeded
2008-04-24 12:10:47,039 Trac[api] ERROR: LDAP error: Size limit exceeded
2008-04-24 12:10:47,039 Trac[ldap_store] INFO: ldap_users: []

But this may come from the modification of ldappluggin api.py. (I just
changed the line 632 as mentioned above).

I use trac 0.11b2. Is there anybody running trac 0.11b2 with ldap?

I really don't understand what's wrong.

Is there another plugin?

I'm using tracd.exe server this way:

C:\Python25\Scripts>tracd.exe -p 8000 c:\trac

Thanks in advance for any answer.
Best regards,

--
Vincent

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

manu.blot at gmail

Apr 24, 2008, 3:27 AM

Post #2 of 9 (232 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

On Thu, Apr 24, 2008 at 12:17 PM, Vincent H. <osefattitude[at]gmail.com> wrote:
> Well I tried TracLDAPAuth for two days now and I still get the same message :
>...
> So I tried to put my user and password directly into api.py of ldappluggin
> (line 632)

TracLDAPAuth and LdapPlugin are two distinct, different plugins.

I don't understand why you changed LdapPlugin to make TracLDAPAuth to work... ?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

osefattitude at gmail

Apr 24, 2008, 3:45 AM

Post #3 of 9 (228 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

Thanks for your quick reply.

On 4/24/08, Emmanuel Blot <> wrote:
>
> TracLDAPAuth and LdapPlugin are two distinct, different plugins.
>

Yes and TracLDAPAuth doesn't require LdapPlugin as said here :
http://pypi.python.org/pypi/TracLDAPAuth/

I saw that.

> I don't understand why you changed LdapPlugin to make TracLDAPAuth to work... ?

Actually I tried LDAPAuthStore at first and couldn't manage to get it
work (crypt module is missing on windows).

Then Noah Kantrowitz told me to use TracLDAPAuth.
So I uninstalled everything and made a clean install with TracLDAPAuth
(and without LdapPlugin) but I then had the following message :

"Invalid username or password"

I tried TracLDAPAuth for two days without success. So I decided to try
again LDAPAuthStore and find a way to install crypt module for
windows. So I found fcrypt and patched ldap_store.py in order to use
fcrypt and not crypt.
This worked and LDAPAuthStore loaded at startup and was available in
the accountmanager.

But LDAPAuthStore couldn't access the ldap server and the following
message was displayed:
TracError: Unable to open LDAP cnx: Invalid credentials

After many many tries I decided to make one more test and modified
api.py in order to put my user and password directly in the source, to
see if the problem was my user/pass (I really doubt that) or
LDAPAuthStore.

Then the "Invalid credentials" disappear and I saw "Invalid username
or password" again (when trying to login).

Well I'm just looking for a ldap solution. This is what I tried. I
thought it would help in understanding my problem.

Thanks again
--
Vincent

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

manu.blot at gmail

Apr 24, 2008, 5:00 AM

Post #4 of 9 (226 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

> Well I'm just looking for a ldap solution. This is what I tried. I
> thought it would help in understanding my problem.

What you need is "ldapsearch": find the proper authentication scheme
with this tool against your LDAP server (BTW: is it a true LDAP server
or an ActiveDirectory one ?), then you'll want to the Trac plugin to
tune the configuration settings.

If you have access to your LDAP server log files, it's far easier to
understand what's wrong with the configuration settings.

HTH,
Manu

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

osefattitude at gmail

Apr 24, 2008, 6:28 AM

Post #5 of 9 (225 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

Again, thanks for your quick reply!

On 4/24/08, Emmanuel Blot <manu.blot[at]gmail.com> wrote:
>
> > Well I'm just looking for a ldap solution. This is what I tried. I
> > thought it would help in understanding my problem.
>
>
> What you need is "ldapsearch": find the proper authentication scheme
> with this tool against your LDAP server (BTW: is it a true LDAP server
> or an ActiveDirectory one ?), then you'll want to the Trac plugin to
> tune the configuration settings.

It is an ActiveDirectory. Is this a problem? (maybe that could explain things)

> If you have access to your LDAP server log files, it's far easier to
> understand what's wrong with the configuration settings.
>

Good idea, mmm I don't know where ActiveDirectory stores its logs, but
I'll search that.

I didn't know ldapsearch, I'll try to understand how it works to find
the right scheme.
Thanks a lot.
--
Vincent

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

manu.blot at gmail

Apr 24, 2008, 6:53 AM

Post #6 of 9 (225 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

> It is an ActiveDirectory. Is this a problem? (maybe that could explain things)
Microsoft: never 100% compliant with standards...
However it is known to work, but hard to debug - nothing new ;-)

> I didn't know ldapsearch, I'll try to understand how it works to find
> the right scheme.
> Thanks a lot.
I think ldap tools are available from cygwin. You can find them on any
Linux distribution or on Mac as well.

HTH,
Manu

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

osefattitude at gmail

Apr 24, 2008, 9:19 AM

Post #7 of 9 (225 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

On 4/24/08, Emmanuel Blot <manu.blot[at]gmail.com> wrote:
>
> > It is an ActiveDirectory. Is this a problem? (maybe that could explain things)
>
> Microsoft: never 100% compliant with standards...
> However it is known to work, but hard to debug - nothing new ;-)

I understand :)

After some tries with ldapsearch I think I've finally found the right
base_dn and bind_user.
(by the way there is another excellent tool for this : LDAPBrowser. A
free java application available here :
http://www-unix.mcs.anl.gov/~gawor/ldap/index.html)

I changed my trac.ini [ldap] section to this :

[ldap]
basedn = dc=exo,dc=com
bind_user = cn=dbagent,cn=users,dc=exo,dc=com
bind_passwd = dbagent
cache_size = 100
cache_ttl = 900
enable = true
global_perms = false
group_bind = false
group_rdn = cn=groups
groupattr = cn
groupmember = memberUid
groupmemberisdn = false
groupname = posixGroup
host = nts15
manage_groups = false
permattr = tracperm
permfilter = objectclass=*
port = 389
store_bind = true
uidattr = uid
use_tls = false
user_rdn = cn=users

Now it's seems to connect to the ldap server correctly :
I do not have this message anymore : "TracError: Unable to open LDAP
cnx: Invalid credentials" :)

One problem remains though. When I click on "users" in the admin
panel, the list is empty. And the following lines appear in the logs :

2008-04-24 17:19:30,134 Trac[api] ERROR: LDAP error: Size limit exceeded
2008-04-24 17:19:30,321 Trac[api] ERROR: LDAP error: Size limit exceeded
2008-04-24 17:19:30,321 Trac[ldap_store] INFO: ldap_users: []

And when I try to log in I still have the following message "Invalid
username or password"

(I restored the original ldapplugin)

Any hint?

Thanks again for the time you take to help me.
--
Vincent

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

manu.blot at gmail

Apr 24, 2008, 10:03 AM

Post #8 of 9 (224 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

> 2008-04-24 17:19:30,134 Trac[api] ERROR: LDAP error: Size limit exceeded
> 2008-04-24 17:19:30,321 Trac[api] ERROR: LDAP error: Size limit exceeded
> 2008-04-24 17:19:30,321 Trac[ldap_store] INFO: ldap_users: []

As far as I remember, this means that the LDAP client request leads to
a too large set of results. LDAP servers are usually configured to
limit the number of matching responses. Imagine a LDAP server with
5000 entries, there is only a few interest on producing a
godzilla-sized response: it would take bandwidth and time to obtain
and display the results.
In other words, try to shrink down the set of results, using a more
precise search filter. The key here might be to use a better
permfilter

permfilter = objectclass=*

means "entries of any class in the directory", i.e. "any object in directory"

Try to use something like
objectclass = OpenLDAPperson

the actual class depends on your directory scheme, I guess it is not
"OpenLDAPperson" on an M$ AD ;-)

Simply get a valid user entry with ldapsearch or any LDAP GUI tool you
prefer, and looks for its objectclass.

The other (but worse) solution is to tell the server to accept larger
response sets.

Cheers,
Manu

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

osefattitude at gmail

May 13, 2008, 1:54 AM

Post #9 of 9 (157 views)
Permalink

Re: [LDAPAuthStore/TracLDAPAuth] Invalid username or password (trac 0.11b2) [In reply to]

Thanks for the time you take to help me.
Just to conclude this thread. (sorry for being so long to answer)

On 4/24/08, Emmanuel Blot <manu.blot[at]gmail.com> wrote:
>
> > 2008-04-24 17:19:30,134 Trac[api] ERROR: LDAP error: Size limit exceeded
> > 2008-04-24 17:19:30,321 Trac[api] ERROR: LDAP error: Size limit exceeded
> > 2008-04-24 17:19:30,321 Trac[ldap_store] INFO: ldap_users: []
>
>
> As far as I remember, this means that the LDAP client request leads to
> a too large set of results. LDAP servers are usually configured to
> limit the number of matching responses. Imagine a LDAP server with
> 5000 entries, there is only a few interest on producing a
> godzilla-sized response: it would take bandwidth and time to obtain
> and display the results.
> In other words, try to shrink down the set of results, using a more
> precise search filter. The key here might be to use a better
> permfilter
>
> permfilter = objectclass=*
>

I tried to shrink the result set with something like this :
permfilter = (&(|(objectClass=group)(objectClass=person)(objectClass=publicFolder))(mail=*))

and many other filters like having only one person in the result, but
I still have the same issue (LDAP error: Size limit exceeded), though
my LDAP query works with ldapsearch.

>
> The other (but worse) solution is to tell the server to accept larger
> response sets.
>

Well I managed to convince my boss to use HtPasswdStore for the moment :)
I'll have a look at the future versions of trac and ldap plugins,
maybe Active Directory will be better supported (or maybe, with time,
I'll better understand what's wrong with my installation).

Anyway, thank you very much for your patience.
--
Vincent

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac Users" group.
To post to this group, send email to trac-users[at]googlegroups.com
To unsubscribe from this group, send email to trac-users-unsubscribe[at]googlegroups.com
For more options, visit this group at http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact lists@gossamer-threads.com