Hello everyone,
I have an auth issue with multiple subwikis and LDAP, and I’ve been searching for a solution to this for a while now. Unfortunately, so far nothing I tried has worked, and I haven’t found a similar problem described anywhere, so I’m posting here hoping that someone with more knowledge can give me a nudge in the right direction.
We have an XWiki installation with a number of subwikis. We also have LDAP authentication enabled in xwiki.cfg (xwiki.authentication.ldap=1 and xwiki.authentication.ldap.trylocal=0). We want to use only LDAP authentication on the main wiki, and permissions for the main wiki and subwikis to be handled by group mapping from LDAP.
On the administration pages of the subwikis, there is no option to enable or disable LDAP. The following message appears there:
The current authentication service cannot be modified because it’s controlled by the xwiki.cfg configuration file.
I believe this is a fairly standard setup, and it works correctly most of the time.
The problem is that it suddenly stops working after not accessing the main wiki for a while. Occasionally, users start getting permission errors (403) on the main wiki. When that happens, the log contains entries like these (I have replaced the URL and the subwiki name with <xwiki-URL> and subwikiname, respectively, and the username with myusername):
[2023-11-02 12:20:02] [info] 2023-11-02 12:20:02,573 [http-nio-127.0.0.1-8080-exec-13 - https://<xwiki-URL>/wiki/subwikiname/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.myusername
[2023-11-02 12:20:24] [info] 2023-11-02 12:20:24,703 [http-nio-127.0.0.1-8080-exec-4 - https://<xwiki-URL>/Main] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: subwikiname:XWiki.myusername
In that case, the main wiki denies access to subwikiname:XWiki.myusername. It appears that this happens after not visiting the main wiki for a while, so I’m guessing some session or cache expires. The session cookie is still there, though.
In contrast, when authentication works correctly on all wikis, the respective log entries look like this:
[2023-11-02 12:22:22] [info] 2023-11-02 12:22:22,748 [http-nio-127.0.0.1-8080-exec-13 - https://<xwiki-URL>/wiki/subwikiname/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: xwiki:XWiki.myusername
[2023-11-02 12:22:39] [info] 2023-11-02 12:22:39,973 [http-nio-127.0.0.1-8080-exec-4 - https://<xwiki-URL>/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.myusername
This is usually the case right after authenticating on the main wiki.
After the browser remains open on a subwiki for a while, the username starts getting listed as subwikiname:XWiki.myusername in the log again, and going to the main wiki yields a permission denied error.
The part that bothers me is that there is no such username in the subwiki in question (I checked). I also didn’t find any information on the subwiki prefix or how I can force only main wiki usernames to be used across all subwikis, although I get the impression that this should be the behavior with the LDAP setup from reading the documentation.
How can I prevent this issue from happening?
Thanks in advance for any advice or directions!
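An added detection script, not part of the post above, that parses XWikiLDAPAuthServiceImpl log lines in the format quoted there and flags every XWikiUser reference that resolves to a wiki other than the main wiki, which is where all LDAP users should live in this setup. It assumes that an unprefixed reference is relative to the wiki serving the request, that the main wiki's identifier is `xwiki`, and that subwikis are served under a `/wiki/<name>/` URL prefix as in the quoted URLs; the sample lines are constructed from the post with its placeholders kept.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in the format quoted in the post (placeholders kept as-is).
SAMPLE_LOG = """\
[2023-11-02 12:20:02] [info] 2023-11-02 12:20:02,573 [http-nio-127.0.0.1-8080-exec-13 - https://<xwiki-URL>/wiki/subwikiname/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.myusername
[2023-11-02 12:20:24] [info] 2023-11-02 12:20:24,703 [http-nio-127.0.0.1-8080-exec-4 - https://<xwiki-URL>/Main] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: subwikiname:XWiki.myusername
[2023-11-02 12:22:22] [info] 2023-11-02 12:22:22,748 [http-nio-127.0.0.1-8080-exec-13 - https://<xwiki-URL>/wiki/subwikiname/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: xwiki:XWiki.myusername
[2023-11-02 12:22:39] [info] 2023-11-02 12:22:39,973 [http-nio-127.0.0.1-8080-exec-4 - https://<xwiki-URL>/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.myusername
"""

MAIN_WIKI = "xwiki"  # assumed identifier of the main wiki

# timestamp, request URL, optional wiki prefix and document part of the user reference
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \S+ \S+ \[[^\s\]]+ - (?P<url>\S+)\] "
    r"DEBUG x\.c\.l\.XWikiLDAPAuthServiceImpl - XWikiUser: "
    r"(?:(?P<wiki>[\w-]+):)?(?P<doc>[\w.]+)$"
)


def request_wiki(url: str) -> str:
    """Wiki serving the request: the /wiki/<name>/ path prefix, else the main wiki."""
    path = url.split("://", 1)[-1]
    path = path[path.find("/"):] if "/" in path else "/"
    m = re.match(r"/wiki/([^/]+)/", path)
    return m.group(1) if m else MAIN_WIKI


def effective_wiki(prefix: Optional[str], current: str) -> str:
    """Assumption: an unprefixed user reference is relative to the wiki serving the request."""
    return prefix if prefix else current


def find_mismatches(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, request wiki, user reference) for every XWikiUser entry
    whose reference resolves to a user outside the main wiki."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        req = request_wiki(m.group("url"))
        prefix, doc = m.group("wiki"), m.group("doc")
        if effective_wiki(prefix, req) != MAIN_WIKI:
            hits.append((m.group("ts"), req, f"{prefix}:{doc}" if prefix else doc))
    return hits


if __name__ == "__main__":
    for ts, req, user in find_mismatches(SAMPLE_LOG):
        print(f"{ts}: request to wiki '{req}' resolved user '{user}' outside '{MAIN_WIKI}'")
```

Run against a live log, the two flagged lines correspond to the failing case in the post, while the lines from the working case produce no hits.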