Hey again, I tried a few things and was able to narrow down the error messages a bit.
I have created the new group “GRP-BZU-WIKISEK-AUTH” in our AD. The members of this group are the three groups “GRP-BZU-WIKISEK-ADMINS”, “GRP-BZU-WIKISEK-USERS” and “GRP-BZU-WIKISEK-TEST”. Members of these three groups are groups where members of different departments are located and should have access to them. So far so good.
Then I have made the following changes in the config file:
xwiki.authentication.ldap.user_group=CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
xwiki.authentication.ldap.group_mapping=XWiki.BZUGRP-Admins=CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads|\
XWiki.BZUGRP-SekBFSU_User=CN=GRP-BZU-WIKISEK-USERS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads|\
XWiki.BZUGRP-Testuser=CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
So in other words, I deleted the second user_group group I had before and added it to the AUTH group, as well as mapping the AD groups to the local xWiki groups. So far so good.
Restarted xWiki, then tried to log in on the xwiki login page with the username and password of the AD user, which failed. Now comes the part that my brain can’t comprehend. Maybe you can see it directly with the logs:
TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG o.x.c.l.XWikiLDAPConfig - remoteUserParser: null
DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
DEBUG o.x.c.l.XWikiLDAPConnection - No SRV record for _ldap._tcp.bzu-dcs-20.bzu.ads found.
DEBUG o.x.c.l.XWikiLDAPConnection - Connection to LDAP server [bzu-dcs-20.bzu.ads:389]
DEBUG o.x.c.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[CN=sa-ldap,OU=01_ServiceAccInt,OU=01_ServiceAcc,OU=02_SpecialAcc,OU=Users,OU=BZU,DC=bzu,DC=ads]
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads
DEBUG o.x.c.l.XWikiLDAPUtils - Retrieving Members of the group [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads]
DEBUG o.x.c.l.XWikiLDAPUtils - [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a valid DN, lets try to get corresponding entry.
DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, sAMAccountName]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null]
DEBUG o.x.c.l.XWikiLDAPUtils - [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a group
DEBUG o.x.c.l.XWikiLDAPUtils - |- Member value [CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] found. Trying to resolve it.
DEBUG o.x.c.l.XWikiLDAPUtils - [CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] is a valid DN, lets try to get corresponding entry.
DEBUG o.x.c.l.XWikiLDAPUtils - Group members resolve is disabled to add [CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] as group member directly
Then the other 2 groups which are members of the AUTH group get the same.
Then this is next:
DEBUG o.x.c.l.XWikiLDAPUtils - Found group [CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads] members [{cn=grp-bzu-wikisek-admins,ou=wiki_groups,ou=account_groups,ou=groups,ou=bzu,dc=bzu,dc=ads=CN=GRP-BZU-WIKISEK-ADMINS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads, cn=grp-bzu-wikisek-test,ou=wiki_groups,ou=account_groups,ou=groups,ou=bzu,dc=bzu,dc=ads=CN=GRP-BZU-WIKISEK-TEST,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads, cn=grp-bzu-wikisek-users,ou=wiki_groups,ou=account_groups,ou=groups,ou=bzu,dc=bzu,dc=ads=CN=GRP-BZU-WIKISEK-USERS,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads}]
DEBUG o.x.c.l.XWikiLDAPUtils - Found user dn in user group [null]
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user its.testuser does not belong to LDAP group CN=GRP-BZU-WIKISEK-AUTH,OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads.
Just so that there is no confusion, I have added the test user its.testuser to the GRP-BZU-WIKISEK-TEST group in our AD. This is also the user I tried to log in with on the login page. I don’t understand why it fails though, as the user is indeed a member of the group, which is a member of the WIKI AUTH group…
Any ideas?
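The log lines above show the mechanism behind the failure: the authenticator lists only the direct members of the AUTH group (the three sub-groups, as in "Found group [...] members [{cn=grp-bzu-wikisek-admins,...}]"), reports "Group members resolve is disabled", and therefore never sees its.testuser, which is only a member of GRP-BZU-WIKISEK-TEST. The following Python model is an added example for this thread, not XWiki's code; it reproduces that check with and without nested-group expansion, and shows the server-side alternative in Active Directory (the LDAP_MATCHING_RULE_IN_CHAIN matching rule on memberOf). The in-memory directory, the DN of its.testuser, and the back-edge from the TEST group to the AUTH group (added only to exercise cycle handling) are constructed; `resolve_subgroups` is a parameter of this toy, not a claim about XWiki's configuration key names.

```python
"""Toy model of an LDAP "user belongs to group" check, with and without
nested-group (sub-group) resolution.  Added example for this thread; the
directory below is constructed to mirror the group layout in the post."""

from typing import Dict, List, Set

# Constructed directory: DN -> attributes.  AUTH contains three groups; TEST
# contains the test user.  The TEST -> AUTH edge is a deliberate constructed
# cycle so the resolver's loop protection is exercised.
GROUPS_OU = "OU=Wiki_Groups,OU=Account_Groups,OU=Groups,OU=BZU,DC=bzu,DC=ads"
AUTH = f"CN=GRP-BZU-WIKISEK-AUTH,{GROUPS_OU}"
ADMINS = f"CN=GRP-BZU-WIKISEK-ADMINS,{GROUPS_OU}"
USERS = f"CN=GRP-BZU-WIKISEK-USERS,{GROUPS_OU}"
TEST = f"CN=GRP-BZU-WIKISEK-TEST,{GROUPS_OU}"
TESTUSER = "CN=its.testuser,OU=Users,OU=BZU,DC=bzu,DC=ads"  # constructed user DN

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    AUTH: {"objectClass": ["group"], "member": [ADMINS, USERS, TEST]},
    ADMINS: {"objectClass": ["group"], "member": []},
    USERS: {"objectClass": ["group"], "member": []},
    TEST: {"objectClass": ["group"], "member": [TESTUSER, AUTH]},
    TESTUSER: {"objectClass": ["user"], "sAMAccountName": ["its.testuser"]},
}

# Same group classes / member attributes the post's log shows being consulted.
GROUP_CLASSES = {"group", "groupofnames", "groupofuniquenames", "posixgroup"}
MEMBER_ATTRS = ("member", "uniquemember", "memberuid")


def is_group(dn: str) -> bool:
    entry = DIRECTORY.get(dn)
    return entry is not None and any(c.lower() in GROUP_CLASSES for c in entry["objectClass"])


def direct_members(dn: str) -> List[str]:
    entry = DIRECTORY.get(dn, {})
    members: List[str] = []
    for attr in MEMBER_ATTRS:
        members.extend(entry.get(attr, []))
    return members


def resolve_members(group_dn: str, resolve_subgroups: bool) -> Set[str]:
    """Return the (case-folded) member DNs of group_dn.

    resolve_subgroups=False: nested groups are listed as members themselves,
    which is what the post's log shows ("... as group member directly"), so a
    user sitting inside a sub-group is never found.
    resolve_subgroups=True: nested groups are expanded; `seen` stops the walk
    on cyclic nesting."""
    result: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current.lower() in seen:
            continue
        seen.add(current.lower())
        for member in direct_members(current):
            if resolve_subgroups and is_group(member):
                stack.append(member)  # descend into the nested group
            else:
                result.add(member.lower())
    return result


def user_in_group(user_dn: str, group_dn: str, resolve_subgroups: bool) -> bool:
    return user_dn.lower() in resolve_members(group_dn, resolve_subgroups)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter, so that a
    DN or a user-typed login cannot change the filter's structure."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def nested_membership_filter(login: str, group_dn: str) -> str:
    """Active Directory filter that lets the server walk the nesting:
    LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) on memberOf
    matches users that belong to group_dn directly or through nested groups."""
    return ("(&(objectClass=user)(sAMAccountName=%s)"
            "(memberOf:1.2.840.113556.1.4.1941:=%s))"
            % (escape_filter_value(login), escape_filter_value(group_dn)))


if __name__ == "__main__":
    print("direct only:", user_in_group(TESTUSER, AUTH, resolve_subgroups=False))
    print("nested     :", user_in_group(TESTUSER, AUTH, resolve_subgroups=True))
    print(nested_membership_filter("its.testuser", AUTH))
```

With `resolve_subgroups=False` the AUTH group's member set is exactly the three sub-group DNs and the check fails, matching "Found user dn in user group [null]"; with `True` the walk reaches its.testuser through GRP-BZU-WIKISEK-TEST and terminates despite the constructed cycle. The filter helper shows the other way to get the same answer when the directory is Active Directory: one query whose escaping keeps a login such as `x)(uid=*` from rewriting the filter.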