Can't get LDAP Authenticator to work

MagaZne · April 17, 2024, 9:18am

Hey y’all!
I need help configuring LDAP in my xWiki environment as I really can’t get it to work. This is my current configuration:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=bzu-dcs-20.bzu.ads
xwiki.authentication.ldap.bind_DN=CN=sa-ldap,OU=01_ServiceAccInt,OU=01_ServiceAcc,OU=02_SpecialAcc,OU=Users,OU=BZU,DC=bzu,DC=ads
xwiki.authentication.ldap.bind_pass=<password of sa-ldap user>
xwiki.authentication.ldap.base_DN=DC=bzu,DC=ads
xwiki.authentication.ldap.user_group=CN=GRP-BZU-WIKISEK-USERS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
xwiki.authentication.ldap.user_group=CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=XWiki.BZUGRP-Admins=CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads|\
                                        XWiki.BZUGRP-SekBFSU_User=CN=GRP-BZU-WIKISEK-USERS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
xwiki.authentication.ldap.groupcache_expiration=21600
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.group_sync_resolve_subgroups=0

The rest is on default settings. I plan to enable SSL after I get LDAP unencrypted to work.

I restarted xwiki after saving my configuration, but it doesn’t work. I enabled debugging in the WEB-INF/classes/logback.xml file, but I can’t find the problem. This is the output of the debug log:

TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG o.x.c.l.XWikiLDAPConfig        - remoteUserParser: null 
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_memberfields: [uniquemember, memberuid, member] 
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_memberfields: [uniquemember, memberuid, member] 
DEBUG o.x.c.l.XWikiLDAPConnection    - No SRV record for _ldap._tcp.bzu-dcs-20.bzu.ads found. 
DEBUG o.x.c.l.XWikiLDAPConnection    - No SRV record for _ldap._tcp.bzu-dcs-20.bzu.ads found.
DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [bzu-dcs-20.bzu.ads:389] 
DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [bzu-dcs-20.bzu.ads:389] 
DEBUG o.x.c.l.XWikiLDAPConnection    - No SRV record for _ldap._tcp.bzu-dcs-20.bzu.ads found. 
DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [bzu-dcs-20.bzu.ads:389] 
DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[CN=sa-ldap,OU=01_ServiceAccInt,OU=01_ServiceAcc,OU=02_SpecialAcc,OU=Users,OU=BZU,DC=bzu,DC=ads] 
DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[CN=sa-ldap,OU=01_ServiceAccInt,OU=01_ServiceAcc,OU=02_SpecialAcc,OU=Users,OU=BZU,DC=bzu,DC=ads] 
DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[CN=sa-ldap,OU=01_ServiceAccInt,OU=01_ServiceAcc,OU=02_SpecialAcc,OU=Users,OU=BZU,DC=bzu,DC=ads] 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads 
DEBUG o.x.c.l.XWikiLDAPUtils         - Retrieving Members of the group [CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] 
2024
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads 
DEBUG o.x.c.l.XWikiLDAPUtils         - [CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a valid DN, lets try to get corresponding entry. 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads 
DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, sAMAccountName]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null] 
DEBUG o.x.c.l.XWikiLDAPUtils         - [CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a group 
DEBUG o.x.c.l.XWikiLDAPUtils         -   |- Member value [CN=<our employee>,OU=03_IT,OU=01_NormalAcc,OU=Users,OU=BZU,DC=bzu,DC=ads] found. Trying to resolve it. 
DEBUG o.x.c.l.XWikiLDAPUtils         - [CN=<account from us>,OU=03_IT,OU=01_NormalAcc,OU=Users,OU=BZU,DC=bzu,DC=ads] is a valid DN, lets try to get corresponding entry. 
DEBUG o.x.c.l.XWikiLDAPUtils         - Group members resolve is disabled to add [CN=<account from us>,OU=03_IT,OU=01_NormalAcc,OU=Users,OU=BZU,DC=bzu,DC=ads] as group member directly 

This happens to every user of the group GRP-BZU-WIKISEK-ADMINS, not going to post every debug of every user here, all the same.
It then continues with this:

DEBUG o.x.c.l.XWikiLDAPUtils         - Found cache entry for group [CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] 
2024
DEBUG o.x.c.l.XWikiLDAPUtils         - Found group [CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] members [{<cns of all members>}]
DEBUG o.x.c.l.XWikiLDAPUtils         - Found user dn in user group [null] 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed. 
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user adminits does not belong to LDAP group CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads.
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:603)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
	at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:307)
...
...
... and more stuff

The only thing I seem is a bit odd is No SRV record for _ldap._tcp.bzu-dcs-20.bzu.ads found, but that’s our LDAP server. I also did a traceroute from my windows machine and got the following:

_ldap._tcp.dc._msdcs.bzu.ads    SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = bzu-dcs-20.bzu.ads

so LDAP is indeed available.

Anyone here seeing what I’m missing?

tmortagne · April 17, 2024, 9:45am

This does not mean it cannot access your server (there is plenty of log indicating it can access it fine and retrieve stuff from it). It just means there is no SRV record (which can be used to find alternative servers basically) associated to it.

MagaZne:

xwiki.authentication.ldap.user_group=CN=GRP-BZU-WIKISEK-USERS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
xwiki.authentication.ldap.user_group=CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads

Note that user_group only support one group.

Well, seems to be your problem. From what I understand the user you are testing with (the log indicated adminits, as uid I assume) is apparently not a member of the group you indicated in xwiki.authentication.ldap.user_group. Maybe your problem is just the fact that it’s in the other group you tried to put in xwiki.authentication.ldap.user_group ?

MagaZne · April 17, 2024, 9:50am

Note that user_group only support one group.

Didn’t know that, thanks! How do I allow multiple groups to access xWiki and get into the right group?
(so GRP-BZU-WIKISEK-USERS get the BZUGRP-SekBFSU_User group and GRP-BZU-WIKISEK-ADMINS get the BZUGRP-Admins in xwiki?

Maybe your problem is just the fact that it’s in the other group you tried to put in xwiki.authentication.ldap.user_group ?

the user adminits is a local xwiki admin, the one I created while installing xwiki

tmortagne · April 17, 2024, 10:03am

This feature does not exist right now, you would need to put your groups in a another one on LDAP side and reference that group of groups.

MagaZne · April 17, 2024, 11:09am

Okay, will change that then, thanks!

Maybe your problem is just the fact that it’s in the other group you tried to put in xwiki.authentication.ldap.user_group ?

the user adminits is a local xwiki admin, the one I created while installing xwiki

But why does xwiki complain about a local xwiki user not being part of a group in AD? This doesn’t make sense to me, if thats why LDAP’s not working…

tmortagne · April 17, 2024, 11:22am

Not sure I understand what you mean. You gave the LDAP authenticator a uid and a password, it tried it. If it’s expected for this user to not be part of that LDAP group then this error is expected. Keep in mind that this is just debug log printed only because you asked for it, and when the LDAP auth fail, then it fallback on XWiki standard (local) authentication.

MagaZne · April 17, 2024, 11:48am

Could be that I didn’t quite get that; for the LDAP credentials I configured the following:

xwiki.authentication.ldap.bind_DN=CN=sa-ldap,OU=01_ServiceAccInt,OU=01_ServiceAcc,OU=02_SpecialAcc,OU=Users,OU=BZU,DC=bzu,DC=ads
xwiki.authentication.ldap.bind_pass=<password sa-ldap>

Further down (I didn’t paste that debug log into the original request) I found the following logs:

DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [<member of the AD Admin group] 
WARN  nticationFailureLoggerListener - Authentication failure with login [member of the AD Admin group] 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.adminits 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.adminits 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: XWiki.adminits 
and that about 20 times

I can’t quite follow xwiki trying to login with the local xwiki account, when using the sa-ldap credentials worked already.

Sorry if I’m being really dumb right now

tmortagne · April 17, 2024, 12:17pm

When you enable xwiki.authentication.ldap.trylocal (which you did according to the configuration you pasted) and use the login form where you enter a login and a password, the following is supposed to happen:

it tries LDAP authentication on current wiki
- this expectedly fail, so you get “Local LDAP authentication failed.” (“Local” here is referring to the current wiki)
it tries LDAP authentication on main wiki (if it was not already on the main wiki)
- you are already in the main wiki, I assume, so nothing there
it tries XWiki authentication (you get “Trying authentication against XWiki DB” in your log so apparently it did try that)
- it fails so you get LDAP authentication failed for user [<ldapuid>]

So according to your log the login/pass you entered did not work with XWiki authentication either.

MagaZne · April 19, 2024, 7:03am

Hey again, I tried a few things and was able to narrow down the error messages a bit.

I have created the new group “GRP-BZU-WIKISEK-AUTH” in our AD. The members of this group are the three groups “GRP-BZU-WIKISEK-ADMINS”, “GRP-BZU-WIKISEK-USERS” and “GRP-BZU-WIKISEK-TEST”. Members of these three groups are groups where members of different departments are located and should have access to them. So far so good.

Then I have made the following changes in the config file:

xwiki.authentication.ldap.user_group=CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads

xwiki.authentication.ldap.group_mapping=XWiki.BZUGRP-Admins=CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads|\
                                        XWiki.BZUGRP-SekBFSU_User=CN=GRP-BZU-WIKISEK-USERS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads|\
                                        XWiki.BZUGRP-Testuser=CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads

so in other words, deleted the second user_group group I had before and added it to the AUTH group, aswell as mapping the AD groups to the local xWiki groups. So far so good.

Restarted xWiki, then tried to log in on the xwiki login page with the username and password of the AD user, which failed. Now comes the part that my brain can’t comprehend. Maybe you can see it directly with the logs:

TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication 
DEBUG o.x.c.l.XWikiLDAPConfig        - remoteUserParser: null 
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux] 
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_memberfields: [uniquemember, memberuid, member] 
DEBUG o.x.c.l.XWikiLDAPConnection    - No SRV record for _ldap._tcp.bzu-dcs-20.bzu.ads found. 
DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [bzu-dcs-20.bzu.ads:389] 
DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[CN=sa-ldap,OU=01_ServiceAccInt,OU=01_ServiceAcc,OU=02_SpecialAcc,OU=Users,OU=BZU,DC=bzu,DC=ads] 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
DEBUG o.x.c.l.XWikiLDAPUtils         - Retrieving Members of the group [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] 
DEBUG o.x.c.l.XWikiLDAPUtils         - [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a valid DN, lets try to get corresponding entry. 
DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, sAMAccountName]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null]
DEBUG o.x.c.l.XWikiLDAPUtils         - [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a group 
DEBUG o.x.c.l.XWikiLDAPUtils         -   |- Member value [CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] found. Trying to resolve it. 
DEBUG o.x.c.l.XWikiLDAPUtils         - [CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a valid DN, lets try to get corresponding entry. 
DEBUG o.x.c.l.XWikiLDAPUtils         - Group members resolve is disabled to add [CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] as group member directly 

then the other 2 groups which are members of the AUTH group get the same
then this is next:

DEBUG o.x.c.l.XWikiLDAPUtils         - Found group [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] members [{cn=grp-bzu-wikisek-admins,ou=wiki_groups,ou=account_groups,ou=groups,ou=bzu,dc=bzu,dc=ads=CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads, cn=grp-bzu-wikisek-test,ou=wiki_groups,ou=account_groups,ou=groups,ou=bzu,dc=bzu,dc=ads=CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads, cn=grp-bzu-wikisek-users,ou=wiki_groups,ou=account_groups,ou=groups,ou=bzu,dc=bzu,dc=ads=CN=GRP-BZU-WIKISEK-USERS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads}]
DEBUG o.x.c.l.XWikiLDAPUtils         - Found user dn in user group [null] 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed. 
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user its.testuser does not belong to LDAP group CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads.

Just so that there is no confusion, I have added the test user its.testuser to the GRP-BZU-WIKISEK-TEST group in our AD. This is also the user I tried to login with on the login page. I don’t understand why it fails tho, as the user is indeed member of the group, which is member of the WIKI AUTH group…

Any ideas?

MagaZne · April 23, 2024, 8:51am

anyone else maybe?

Wardenburg · April 26, 2024, 8:06am

What mod and version do you have installed @MagaZne ?
Could you post a screenshot of your AD structure?

the error; “AD group members resolve is disabled to add as group member directly” seems to be the issue… but thats just my take

MagaZne · April 26, 2024, 8:43am

Hey @Wardenburg

I’m currently on version XWiki Debian 16.2.0 and installed xwiki with jetty instead of tomcat.

Here’s a screenshot of the AD-structure:

The OU “Wiki_Sekretariat” isn’t in the configs I originally posted, but I changed it in the file.

EDIT:
Forgot to mention, someone in DMs told me to try it without the xwiki.authentication.ldap.user_group configuration. This allowed me to login and the group mapping also worked, the problem now is that every user in our AD can login which will create a User in XWiki.AllGroup (or similar, i forgot the name). Yes, we can disable all permissions to read content on the wiki, but it’s still not best practice in my opinion.

Any ideas?

Wardenburg · April 26, 2024, 9:47am

Well the group member resolve disabled error was due to the OU=Wiki_Sekretariat missing, see the error generating part of the code

if xwiki.authentication.ldap.user_group configuration turning off is working then we have to look at the syntax of the group mapping. Honestly I had the same issue when setting up a wiki and solved it by using the LDAP Authenticator (XWiki.org) . It gives a wiki interface for configuring this.

MagaZne · April 26, 2024, 11:22am

Hey again!
As I said in my reply above:

I created that OU wednesday to test something with Bind_DN, but it also didn’t work before I created that OU. After I created that OU, I changed the attribute in the xwiki.cfg of course. Error message was the same.

This is the extention I have installed and I used the documentation for my own setup. There isn’t a wiki interface tho?

Wardenburg · April 26, 2024, 11:40am

I have settings under ‘Other’ > Ldap, could you check what you have there?

–

also if you still have the same error then it’s trying to look into a group under the one it found… could you give the error and the settings… because very often the error is a missing comma or capital somewhere - so it’s important to have errors and configurations that match

MagaZne · April 26, 2024, 11:56am

I don’t have that tab:

Extension is installed tho:

You’ll find the error logs a few post up in this thread:

Wardenburg · April 26, 2024, 12:47pm

Oh sorry you have to uncheck the ‘recommended applications’ and get the LDAP Application module that provides the interface LDAP Application (XWiki.org)

I did notice you have 2 xwiki.authentication.ldap.user_group= entries in your config, perhaps that is causing issues? (It could be that you have to add multiple like you add multiple group_mappings)