CentralAuth - no errors, but cannot log in

I’m setting up a new instance of Omeka classic, and I can’t seem to get the CentralAuth plugin to work.

My central_auth.ini looks like this:

[ldap]
mode="optional"
host="ad.und.edu"
port="389"
useStartTls=true
useSsl=false
username="redacted"
password="redacted"
bindRequiresDn=false
baseDn="OU=Users1,DC=ad,DC=und,DC=edu"
accountCanonicalForm=3
accountDomainName="ad.und.edu"
accountDomainNameShort="AD"
accountFilterFormat="(&(objectClass=person)(sAMAccountName=%s))"

When I enter my user name and password, Omeka says “Login information incorrect. Please try again.”

I did in fact enter the correct user name and password, and verified that I had them correct by typing both in a text file and copy-pasting them into a different campus service that talks to the same Active Directory server. It let me in fine. But copy-pasting the same user name and password into Omeka yielded a failure.

I checked errors.log, but it’s empty.

So it’s not working, but it’s also not giving me any useful error messages, as far as I can tell. I could crack open the source code and start throwing var_dump calls around in an effort to get it to cough up some useful debug info, but I thought I’d ask here first.

Am I missing anything obvious?

Hello @wdmartin, I’m the author of the CentralAuth plugin. Sorry for not getting back to you sooner, I only check the forums about once a week.

If there is an LDAP error, it should appear in the application/logs/errors.log file. Omeka does require configuration to enable that file. Has Omeka written anything to it?

If that fails, the actual LDAP error messages, if any, are obtained by the plugin in Line 83 of adapters/LdapAdapter.php.

Another issue could be that matching the LDAP account to the Omeka account is failing. I’m not certain if you are using the same username for Omeka and LDAP, but if not, the email address username does have to match the LDAP username, and the domain must be configured in the plugin control panel.

Outside of that, I’m not certain what may be going wrong. When you have the plugin enabled, are you still able to log in using the Omeka username and password?

@kloor – thanks for getting back to me. I completely missed the part about having to manually create an omeka user whose user name matches the one from the LDAP server. That was my problem: CentralAuth was successfully authenticating me, and not finding anyone in Omeka by that name.

Once I added my user name to Omeka (setting an appropriate role and checking the “active” box) I was able to log in immediately using my standard institutional password.

May I suggest that it would be useful to write a message to errors.log when an authentication is successful but no matching Omeka user is found? My errors.log is correctly configured and writable, and was very helpful when I was figuring out the correct settings for central_auth.ini. A message something like “%timestamp% - LDAP authentication for %username% succeeded, but no matching Omeka account found” would probably have set me on the right track to fixing it immediately.

I’ve opened an issue to add the error message, though I won’t be able to get to implementing it immediately. Thanks for the suggestion!