Hello.
I have next scheme: nginx+kerberos_auth_module (GitHub - stnoonan/spnego-http-auth-nginx-module: SPNEGO HTTP Authentication Module for nginx) proxied to xwiki. On xwiki enabled ldap auth (via xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl). nginx success give auth username (it doesn’t provide user password) to xwiki and I see username in xwiki logs.
I use a system ldap user (CN=xwiki-ldap,… below in configuration) to retrieve ldap info from AD. As I see in tcpdump, the first bind connection to AD perform from system ldap user (success), retrieve success user’s attrs (name, mail,…), but then xwiki perform a second bind connection to AD with real user login, but without pass (because user’s password doesn’t provide via kerberos auth). And, of course this bind fail. How to disable a second bind trying with real user credentials?
I tried xwiki 15.0, 15.3 (latest) and LDAP Authenticator version 9.10, 9.11.0 (latest). Behaviour the same
I have tried a lot of configurations. Below is my current:
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap.remoteUserParser=(.+)
#xwiki.authentication.ldap.remoteUserMapping.1=domain
xwiki.authentication.ldap.remoteUserMapping.1=uid
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=dc.domain.local
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=domain,dc=local
xwiki.authentication.ldap.bind_DN={0}@domain.local
#xwiki.authentication.ldap.bind_DN=CN=xwiki-ldap...,DC=domain,DC=local
xwiki.authentication.ldap.bind_pass=<password>
xwiki.authentication.ldap.UID_attr=sAMAccountName
#xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=displayName,email=mail
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.mode_group_sync=always
#xwiki.authentication.ldap.user_search_fmt=(sAMAccountName={1})
xwiki.authentication.ldap.user_search_fmt=({0}={1})
xwiki.authentication.ldap.group_memberfields=member,uniqueMember