Access rights on subwikis stop working after a while

emil · November 2, 2023, 4:12pm

Hello everyone,

I have an auth issue with multiple subwikis and LDAP, and I’ve been searching for a solution to this for a while now. Unfortunately, so far nothing I tried has worked, and I haven’t found a similar problem described anywhere, so I’m posting here hoping that someone with more knowledge can give me a nudge in the right direction.

We have an XWiki installation with a number of subwikis. We also have LDAP authentication enabled in xwiki.cfg (xwiki.authentication.ldap=1 and xwiki.authentication.ldap.trylocal=0). We want to use only LDAP authentication on the main wiki, and permissions for the main wiki and subwikis to be handled by group mapping from LDAP.

On the administration pages of the subwikis, there is no option to enable or disable LDAP. The following message appears there:

The current authentication service cannot be modified because it’s controlled by the xwiki.cfg configuration file.

I believe this is a fairly standard setup, and it works correctly most of the time.

The problem is that it suddenly stops working after not accessing the main wiki for a while. Occasionally, users start getting permissions errors (403) on the main wiki. When that happens, the log contains entries like these (I have replaced the URL and the subwiki name with <xwiki-URL> and subwikiname, respectively, and the username with myusername):

[2023-11-02 12:20:02] [info] 2023-11-02 12:20:02,573 [http-nio-127.0.0.1-8080-exec-13 - https://<xwiki-URL>/wiki/subwikiname/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.myusername
[2023-11-02 12:20:24] [info] 2023-11-02 12:20:24,703 [http-nio-127.0.0.1-8080-exec-4 - https://<xwiki-URL>/Main] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: subwikiname:XWiki.myusername

In that case, the main wiki denies access to subwikiname:XWiki.myusername. It appears that this happens after not visiting the main wiki for a while, so I’m guessing some session or cache expires. The session cookie is still there, though.

In contrast, when authentication works correctly on all wikis, the respective log entries look like this:

[2023-11-02 12:22:22] [info] 2023-11-02 12:22:22,748 [http-nio-127.0.0.1-8080-exec-13 - https://<xwiki-URL>/wiki/subwikiname/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: xwiki:XWiki.myusername
[2023-11-02 12:22:39] [info] 2023-11-02 12:22:39,973 [http-nio-127.0.0.1-8080-exec-4 - https://<xwiki-URL>/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.myusername

This is usually the case right after authenticating on the main wiki.

After the browser remains open on a subwiki for a while, the username starts getting listed as subwikiname:XWiki.myusername in the log again and going to the main wiki yields permission denied.

The part that bothers me is that there is no such username in the subwiki in question, I checked. I also didn’t find any information on the subwiki prefix or how I can force only main wiki usernames to be used across all subwikis, although I get the impression that this should be the behavior with the LDAP setup from reading the documentation.

How can I prevent this issue from happening?

Thanks in advance for any advice or directions!

acotiuga · November 3, 2023, 7:13am

Hi @emil,

It looks like you need LDAP to be enabled only in the main wiki + global users with access in subwikis. This means all mappings (user fields and groups) will be handling only in the main wiki.
In order to achieve this, you should disable the LDAP authentication from xwiki.cfg (xwiki.authentication.ldap=1) and enable it back in the main wiki, in the object mode of the XWiki.XWikiPreferences (<xwiki-URL>/xwiki/bin/edit/XWiki/XWikiPreferences?editor=object)).
The authenticator always fallback on main wiki when LDAP is disabled or does not work on subwiki.

Hope it helps,
Alex

emil · November 13, 2023, 1:41pm

Yes, this fixed it. Thank you!

Here are some details on what I changed, in case it can help someone else.

I commented out the following settings:

#xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
#xwiki.authentication.ldap=1
#xwiki.authentication.ldap.trylocal=0
#xwiki.authentication.ldap.fields_mapping=[...]
#xwiki.authentication.ldap.UID_attr

These are needed for LDAP authentication, but they can be configured explicitly for the main wiki so that subwikis can be left unconfigured. Besides, being able to change these settings without restarting is pretty neat, particularly the groups mapping.

I used the object editor to configure these settings instead, and I enabled the LDAP Authenticator on the Authentication page in the Administration application of each subwiki, replacing the local one.

Basically, if I’m understanding this correctly, these settings cause the LDAP Authenticator of each subwiki to always fail (because LDAP is not configured for the subwiki itself), causing the subwiki to default to the main wiki for authentication, where LDAP is properly configured.