Description
LDAP authentication fails with Moin 1.5.8 on CentOS 4.5 with a TLS error indicating an incompatibility with the default RH python-ldap module (RH's module is old).
Should Moin add code to address this, or should documentation be added telling RH/CentOS users how to work around this?
Steps to reproduce
- Install Moin 1.5.8 on RHEL 4 Update 5 or CentOS 4.5
- Configure for LDAP authentication
- Attempt to login
- Login fails
Example
Relevant wikiconfig.py portions:
    # LDAP options added in 1.5.8
    ldap_start_tls = 0 # 0 = No, 1 = Try, 2 = Required
    ldap_tls_cacertdir = ''
    ldap_tls_cacertfile = ''
    ldap_tls_certfile = ''
    ldap_tls_keyfile = ''
    ldap_tls_require_cert = ldap.OPT_X_TLS_NEVER
    # For debugging.
    ldap_verbose = True
    ldap_uri = 'ldap://odin:3268'
    ldap_binddn = 'cn=Me,cn=Users,dc=esri,dc=com'
    ldap_bindpw = 'pass'
    ldap_base = 'DC=domain,DC=com'
    ldap_scope = ldap.SCOPE_SUBTREE
    # Removed per CHANGES in 1.5.8 added ldap_filter. We should do our group
    # filters here.
    #ldap_name_attribute = 'sAMAccountName'
    ldap_filter = "(sAMAccountName=%(username)s)"
    ldap_email_attribute = 'mail'
    ldap_given_attribute = 'givenName'
    ldap_surname_attribute = 'sn'
    ldap_aliasname_attribute = 'displayName'
    ldap_coding = 'utf-8'
    ldap_timeout = 10
    ldap_group_attr = 'memberOf'
Error output when trying to log in:
    [Mon Jun 11 16:40:04 2007] got name=ray5147 login=True logout=False
    [Mon Jun 11 16:40:04 2007] LDAP: Setting misc. options...
    [Mon Jun 11 16:40:04 2007] LDAP: caught an exception, traceback follows...
    [Mon Jun 11 16:40:04 2007] Traceback (most recent call last):
      File "/usr/lib/python2.3/site-packages/MoinMoin/auth.py", line 365, in ldap_login
        if ldap.TLS_AVAIL:
    AttributeError: 'module' object has no attribute 'TLS_AVAIL'
Component selection
- auth
Details
| MoinMoin Version | 1.5.8 |
| OS and Version | CentOS 4.5 |
| Python Version | 2.3.4 |
| Server Setup | ? |
| Server Details | python-ldap 2.0.1 (RPM 2.0.1-2) |
| Language you are using the wiki in (set in the browser/UserPreferences) | English |
Workaround
So far no workaround, but going to attempt a try: except: block in auth.py.
Discussion
2007-06-11 #1
CentOS and RHEL 4 both include the python-ldap RPM v2.0.1. MoinMoin code v1.5.8 in auth.py references ldap.TLS_AVAIL. This environment variable was not added until v2.0.3 of python-ldap:
This is quite old of course, but LDAP authentication will not work on RHEL4 or CentOS 4 as a result.
I'm not sure if the best way to deal with this is for Moin to code around the issue or for me to attempt to get RH to update their python-ldap module version (unlikely?)
At the very least, perhaps a mention could be made of this and whatever manual workaround or fix is found in the documentation.
2007-06-11 #2
This patch fixes the issue for me:
2007-06-11 #3
It was also pointed out here, that I could set ldap.TLS_AVAIL = 0 in my wikiconfig.py file. This also works, but perhaps should be documented somewhere?
Plan
- Priority:
- Assigned to:
- Status: not a moin bug, just the ldap python binding was too old. even with that, you can use the workaround (see end of discussion).
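The failure above comes from reading `ldap.TLS_AVAIL` on a binding that does not define it. The following added example (not Moin's `auth.py` and not the patch mentioned in the discussion) shows a feature check that tolerates the missing attribute and refuses to continue when `ldap_start_tls` is 2 (Required) but the binding reports no TLS. The function names, the exception class and the stand-in module objects are hypothetical and constructed for illustration.

```python
import types

# Meaning of ldap_start_tls, taken from the wikiconfig.py comment on this page.
TLS_NO, TLS_TRY, TLS_REQUIRED = 0, 1, 2


class TLSUnavailable(Exception):
    """StartTLS is required by config but the binding cannot provide it."""


def tls_available(ldap_module):
    # python-ldap 2.0.1 has no TLS_AVAIL attribute, so a plain
    # `ldap_module.TLS_AVAIL` raises AttributeError. Treat a missing
    # attribute as "no TLS support" instead of crashing the login.
    return bool(getattr(ldap_module, "TLS_AVAIL", 0))


def should_start_tls(ldap_module, start_tls):
    """Return True if StartTLS should be attempted on the connection.

    Fails closed: when TLS is required and the binding cannot do it,
    raise rather than fall through to a cleartext bind.
    """
    if start_tls == TLS_NO:
        return False
    if tls_available(ldap_module):
        return True
    if start_tls == TLS_REQUIRED:
        raise TLSUnavailable(
            "ldap_start_tls = 2 but this python-ldap build reports no TLS")
    return False  # TLS_TRY: proceed without TLS


def make_fake_ldap(**attrs):
    # Constructed stand-in for the `ldap` module, so the example runs
    # without python-ldap installed.
    mod = types.ModuleType("ldap")
    for name, value in attrs.items():
        setattr(mod, name, value)
    return mod


OLD_BINDING = make_fake_ldap()             # like 2.0.1: attribute missing
NEW_BINDING = make_fake_ldap(TLS_AVAIL=1)  # attribute present, TLS built in
```

With the `ldap.TLS_AVAIL = 0` workaround from the discussion, `tls_available()` returns the same result as for the old binding, so a configuration that sets `ldap_start_tls = 2` is rejected instead of binding without TLS.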