Basics about LDAP (SOLVED)

Hi out there,

I am preparing to migrate an xwiki 8.3 instance to 10.10. During my preparation I tested LDAP authentication on 10.10.

It doesn’t work and leads me to some questions.

My first question is: where does xwiki store the LDAP settings configured via the LDAP GUI? They were not stored in xwiki.cfg.

I used these settings successfully in 8.3:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=ldap.mycompany.local
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=uid=xwiki,ou=Machines,dc=pamuser,dc=mycompany,dc=de
xwiki.authentication.ldap.bind_pass=
xwiki.authentication.ldap.base_DN=dc=pamuser,dc=mycompany,dc=de
xwiki.authentication.ldap.user_search_fmt=(&({0}={1})(|(objectClass=posixAccount)(objectClass=account)))
xwiki.authentication.ldap.user_group=ou=xwiki,ou=authGroups,dc=pamuser,dc=mycompany,dc=de
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.group_classes=groupOfUniqueNames
xwiki.authentication.ldap.group_memberfields=uniqueMember
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=email
xwiki.authentication.ldap.update_user=1

xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admins,ou=xwiki,ou=authGroups,dc=pamuser,dc=mycompany,dc=de|
xwiki.authentication.ldap.groupcache_expiration=60
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.trylocal=1

In xwiki 10.10 the authentication hangs when trying to use this configuration.

What can I do to get more diagnostic information?

The LDAP authenticator is an extension and the version of XWiki in which you are using it should not have much impact on its behavior.

The best is usually to enable the debug log, see https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HEnableLDAPdebuglog.

It’s stored in an object of the wiki page XWiki.XWikiPreferences.

After reading the log, which was very helpful, I changed my settings, and now xwiki correctly binds the user that logs in.

But when xwiki tries to get the groups it seems to fall into an endless loop.

2018-12-03 13:30:11,511 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_memberfields: [uniquemember, memberuid, member] 
2018-12-03 13:30:11,515 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [ldap.mycompany.local:389] 
2018-12-03 13:30:11,538 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[cn=myuser,ou=People,dc=pamuser,dc=mycompany,dc=de] 
2018-12-03 13:30:11,777 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - LDAP attributes will be used to update XWiki attributes. 
2018-12-03 13:30:11,777 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Getting the list of user fields to synchronize 
2018-12-03 13:30:11,778 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - LDAP avatar photo synchronisation is disabled 
2018-12-03 13:30:11,778 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - LDAP user fields to synchronize: [sn, givenName, email] 
2018-12-03 13:30:11,827 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=myuser,ou=People,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[sn, givenName, email]] scope=[0] typesOnly=[false] pageSize=[500], cookie=[null] 
2018-12-03 13:30:11,905 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -   - values for attribute [sn] 
2018-12-03 13:30:11,908 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -     |- [myuser] 
2018-12-03 13:30:11,908 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -   - values for attribute [email] 
2018-12-03 13:30:11,908 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -     |- [firstname.myuser@mycompany.de] 
2018-12-03 13:30:11,908 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -   - values for attribute [givenName] 
2018-12-03 13:30:11,908 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -     |- [firstname] 
2018-12-03 13:30:11,908 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - LDAP search found attributes [[{name=dn value=cn=myuser,ou=People,dc=pamuser,dc=mycompany,dc=de}, {name=sn value=myuser}, {name=email value=firstname.myuser@mycompany.de}, {name=givenName value=firstname}]] 
2018-12-03 13:30:11,937 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - UserPageName: myuser 
2018-12-03 13:30:11,942 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Creating new XWiki user based on LDAP attribues located at [cn=myuser,ou=People,dc=pamuser,dc=mycompany,dc=de] 
2018-12-03 13:30:11,942 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Start first synchronization of LDAP profile [[{name=dn value=cn=myuser,ou=People,dc=pamuser,dc=mycompany,dc=de}, {name=sn value=myuser}, {name=email value=firstname.myuser@mycompany.de}, {name=givenName value=firstname}]] with new user profile based on mapping [{givenname=first_name, sn=last_name, email=email}] 
2018-12-03 13:30:12,708 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - New XWiki user created: [xwiki:XWiki.myuser] 
2018-12-03 13:30:12,708 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - Groupmapping found [XWiki.XWikiAdminGroup] [[cn=admins,ou=xwiki,ou=authGroups,dc=pamuser,dc=mycompany,dc=de]] 
2018-12-03 13:30:12,709 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Updating group membership for the user [XWiki.myuser] 
2018-12-03 13:30:12,713 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - The user belongs to following XWiki groups:  
2018-12-03 13:30:12,713 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - XWiki.XWikiAllGroup 
2018-12-03 13:30:12,742 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Retrieving Members of the group [cn=admins,ou=xwiki,ou=authGroups,dc=pamuser,dc=mycompany,dc=de] 
2018-12-03 13:30:12,743 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - [cn=admins,ou=xwiki,ou=authGroups,dc=pamuser,dc=mycompany,dc=de] is a valid DN, lets try to get corresponding entry. 
2018-12-03 13:30:12,744 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=admins,ou=xwiki,ou=authGroups,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, uid]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
2018-12-03 13:30:12,788 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         -   |- Member value [cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] found. Trying to resolve it. 
2018-12-03 13:30:12,789 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - [cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] is a valid DN, lets try to get corresponding entry. 
2018-12-03 13:30:12,789 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, uid]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
2018-12-03 13:30:12,795 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, uid]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
2018-12-03 13:30:12,804 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, uid]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
2018-12-03 13:30:12,807 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, uid]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
2018-12-03 13:30:12,812 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, uid]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
2018-12-03 13:30:12,819 [http://xwiki-upgrade:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[cn=user1,ou=People,dc=pamuser,dc=mycompany,dc=de] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, uid]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
:

The last message repeats at max speed and does not stop repeating for a minutes.
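One way to spot this pattern in the authenticator's debug log, as an added example that is not part of the original thread: it flags runs of consecutive paged searches with the same base, query and cookie. The function name, the threshold and the sample lines (host `xwiki.example`, shortened `attrs`) are constructed for illustration.

```python
import re
from itertools import groupby

# Matches the "LDAP pagined search" debug lines in the format quoted in the log above.
SEARCH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) .*?"
    r"PagedLDAPSearchResults\s+- LDAP pagined search: "
    r"base=\[(?P<base>.*?)\] query=\[(?P<query>.*?)\] .*?cookie=\[(?P<cookie>.*?)\]"
)

def find_search_loops(lines, threshold=3):
    """Return (base, count, first_ts, last_ts) for every run of at least
    `threshold` consecutive paged searches with identical base/query/cookie.
    A real multi-page search sends a server-issued cookie on follow-up
    requests (RFC 2696), so an unchanged cookie repeated back to back
    means the same first page is being requested again and again."""
    hits = []
    for line in lines:
        m = SEARCH_RE.match(line)
        # Lines that are not paged searches get a None key and break a run.
        hits.append((m.group("base", "query", "cookie"), m.group("ts")) if m else (None, None))
    loops = []
    for key, run in groupby(hits, key=lambda h: h[0]):
        run = list(run)
        if key is not None and len(run) >= threshold:
            loops.append((key[0], len(run), run[0][1], run[-1][1]))
    return loops

# Constructed sample in the same layout as the log above (not real data).
_PREFIX = "[http://xwiki.example/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l."
GROUP_DN = "cn=admins,ou=xwiki,ou=authGroups,dc=example,dc=org"
USER_DN = "cn=user1,ou=People,dc=example,dc=org"

def _search(millis, base):
    return (f"2018-12-03 13:30:12,{millis} {_PREFIX}PagedLDAPSearchResults - "
            f"LDAP pagined search: base=[{base}] query=[null] attrs=[[objectClass, uid]] "
            f"scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] ")

SAMPLE_LOG = [
    _search("744", GROUP_DN),
    f"2018-12-03 13:30:12,788 {_PREFIX}XWikiLDAPUtils -   |- Member value [{USER_DN}] found.",
    _search("789", USER_DN), _search("795", USER_DN),
    _search("804", USER_DN), _search("807", USER_DN),
]

if __name__ == "__main__":
    for base, count, first, last in find_search_loops(SAMPLE_LOG):
        print(f"{count} identical searches on [{base}] between {first} and {last}")
```
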

Might be a regression caused by Loading.... Trying something and releasing a 9.3.2 to test.

9.3.2 ready for test

Sorry for being that inexperienced, but where can I get the 9.3.2?

9.3.2 is the version of “LDAP Authenticator”. Go into Extension Manager and upgrade the extension to the new version.

LDAP was down for us after upgrading to 9.3.1 over the weekend and services restarted during the Sunday maint window. After upgrading to 9.3.2, LDAP appears to be working again.

Thanks for pointing me to the right 9.3.2.

I upgraded the extension and tried to login again, but the endless loop is still there. The admins group does not contain more than seven users.
The LDAP server I am using is OpenLDAP on Debian 8.

Do I need to restart xwiki after extension upgrade?

Usually no, but if you can, it is worth testing.

After restarting Xwiki everything works as expected!

Thanks a lot!!

Actually this is not needed for an extension in general, but because of the way authenticators are handled right now, a restart is indeed required.

Works like a charm!
I will set the thread to solved.
Thanks again!