Confluence LDAP config to LDAP Authenticator - missing counterparts

Dear Forum,
did anyone try to map the Confluence “User Directory” settings from a running instance to the LDAP Authenticator?

The Configuration of our running Confluence includes the following fields:

Name: AnyName
Directory Type: Microsoft Active Directory
Hostname: adserver.some.domain.de
Port: 3666
Use SSL: Yes
Username: ldap_user
Password: -password-
LDAP Schema
Base DN: DC=some,DC=domain,DC=de
Additional User DN:
Additional Group DN: cn=G-Intranet,ou=Benutzer

Read-Only with local Groups: Yes
Secure SSL: Yes
Filter out expired users: Yes
Use Paged Results: 50
(?) Follow Referrals: Yes
(?) Naive DN matching: Yes

User Schema Settings:

User Object Class: user
(???) User Object Filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=G-Intranet,ou=Benutzer,DC=some,DC=domain,DC=de))
User Name Attribute: sAMAccountName
(?) User Name RDN Attribute: cn
User First Name Attribute: givenName
User Last Name Attribute: sn
(?) User Display Name Attribute: displayName
User Email Attribute: mail
(???) User Password Attribute: unicodePwd
(???) User Unique ID Attribute: objectGUID (the attribute field to use for tracking user identity across user renames)

Group Schema Settings

Group Object Class: group
Group Object Filter: (objectCategory=Group)
Group Name Attribute: cn
Group Description Attribute: description

Membership Schema Settings

Group Members Attribute: member
User Membership Attribute: memberOf

ldapsearch on the commandline works perfectly, listing our servers as a test:

TLS_CACERT /etc/ssl/certs/certificates.crt
TLS_REQCERT ALLOW
HOST adserver.some.domain.de
PORT 3666

$ ldapsearch -D "cn=ldap_user,OU=Server,DC=some,DC=domain,DC=de" -b "OU=Server,DC=some,DC=domain,DC=de" -H ldaps://adserver.some.domain.de -w -password-

I tried to find the counterparts in the documentation of the LDAP Authenticator, and this is my current xwiki.cfg part for it. For the ones marked (?) and, more importantly, (???) I did not find any equivalent. Login is not working. Even on DEBUG I only get a 403 error and not much more information.

xwiki.cfg:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap.port=3666
xwiki.authentication.ldap=1
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
xwiki.authentication.ldap.server=adserver.some.domain.de
xwiki.authentication.ldap.base_DN=dc=some,dc=domain,dc=de
xwiki.authentication.ldap.bind_DN=ldap_user
xwiki.authentication.ldap.bind_pass=-password-
xwiki.authentication.ldap.trylocal=1
(???) xwiki.authentication.ldap.user_search_fmt=({0}={1})
xwiki.authentication.ldap.user_group=cn=G-Intranet,ou=Benutzer
xwiki.authentication.ldap.exclude_group=
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=XWiki.XWikiADGroup=ou=Benutzer
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.maxresults=1000
xwiki.authentication.ldap.searchPageSize=50

Any ideas? Anyone tried this in the past?

Note: I tried the XWiki SAS Active Directory Extension, but it keeps changing the configuration on pressing the SAVE button, and once it says OK to the “Connection Test” button, the next time it will fail again. There seem to be some bugs in that one, so I am not going further with it.

Thanks in advance. Any help appreciated!
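As an added, stand-alone example (not code from XWiki, the LDAP Authenticator, or the poster), the script below reads the xwiki.cfg block from the post above, derives the user-lookup filter from `user_search_fmt` / `UID_attr` (assuming, as the authenticator documentation describes, that `{0}` stands for the UID attribute and `{1}` for the login), qualifies the relative `user_group` DN against `base_DN` the way Confluence's own filter spells it out, flags the two places where xwiki.cfg differs from the ldapsearch bind that worked, and prints an ldapsearch command that tests the equivalent AD query before anything is changed in XWiki. The login `jdoe` is a hypothetical test value; the login is RFC 4515-escaped before it is spliced into the filter, which is the check a practitioner wants wherever a user-supplied name ends up inside an LDAP search filter.

```python
import shlex

# Constructed from the xwiki.cfg block in the post above (hypothetical host and
# the posted placeholder password kept as-is); not XWiki's own code.
XWIKI_CFG = """\
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=adserver.some.domain.de
xwiki.authentication.ldap.port=3666
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.base_DN=dc=some,dc=domain,dc=de
xwiki.authentication.ldap.bind_DN=ldap_user
xwiki.authentication.ldap.bind_pass=-password-
xwiki.authentication.ldap.user_search_fmt=({0}={1})
xwiki.authentication.ldap.user_group=cn=G-Intranet,ou=Benutzer
xwiki.authentication.ldap.UID_attr=sAMAccountName
"""

K = "xwiki.authentication.ldap."  # common key prefix


def parse_cfg(text):
    """Parse key=value lines of xwiki.cfg into a dict (comments and blanks skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def escape_filter_value(value):
    """RFC 4515 escaping for any value spliced into a search filter, so a login
    such as '*)(objectClass=*' cannot widen the query (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def full_group_dn(props):
    """Confluence's 'Additional Group DN' is relative to the Base DN; qualify it
    (assumption: the same relative DN was copied into user_group)."""
    group = props[K + "user_group"]
    base = props[K + "base_DN"]
    return group if group.lower().endswith(base.lower()) else group + "," + base


def user_lookup_filter(props, login):
    """Filter derived from user_search_fmt: {0} -> UID_attr, {1} -> escaped login."""
    fmt = props.get(K + "user_search_fmt", "({0}={1})")
    uid_attr = props.get(K + "UID_attr", "cn")
    return fmt.replace("{0}", uid_attr).replace("{1}", escape_filter_value(login))


def confluence_equivalent_filter(props, login):
    """The AD query Confluence's 'User Object Filter' expresses, for one login."""
    return "(&(objectCategory=Person)%s(memberOf=%s))" % (
        user_lookup_filter(props, login), escape_filter_value(full_group_dn(props)))


def lint(props):
    """Findings where xwiki.cfg differs from the bind that worked in ldapsearch."""
    findings = []
    bind_dn = props.get(K + "bind_DN", "")
    if "=" not in bind_dn:
        findings.append("bind_DN %r is a bare name; the working ldapsearch bound with a full DN" % bind_dn)
    group = props.get(K + "user_group", "")
    base = props.get(K + "base_DN", "")
    if group and not group.lower().endswith(base.lower()):
        findings.append("user_group %r is relative to base_DN; Confluence's filter used the full group DN" % group)
    return findings


def ldapsearch_command(props, login):
    """ldapsearch line to verify the query before changing xwiki.cfg; -W prompts
    for the bind password instead of leaving it in the shell history."""
    scheme = "ldaps" if props.get(K + "ssl") == "1" else "ldap"
    args = ["ldapsearch", "-H", "%s://%s:%s" % (scheme, props[K + "server"], props[K + "port"]),
            "-D", props[K + "bind_DN"], "-W", "-b", props[K + "base_DN"],
            confluence_equivalent_filter(props, login), props[K + "UID_attr"], "memberOf"]
    return shlex.join(args)


if __name__ == "__main__":
    cfg = parse_cfg(XWIKI_CFG)
    for finding in lint(cfg):
        print("CHECK:", finding)
    print(ldapsearch_command(cfg, "jdoe"))
```

Running it prints the two findings and a single ldapsearch line whose filter is the Confluence one with the wildcard replaced by the escaped login; if that query returns the user, the remaining difference is on the XWiki side (bind DN form, group DN form, or the JVM trust store for LDAPS), not in AD.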

For Active Directory you might want to take a look at Use cases of configuration to authenticate users with LDAP (XWiki.org).


Thanks. I looked at the ‘Use cases of configuration to authenticate users with LDAP’ and tried different approaches to no avail. I can connect to the same LDAP with Redmine, Confluence and some more applications without any problem. xWiki, however, won’t work.

I am now in the process of trying to connect to one of our Test-LDAP-Servers that is not using SSL. Funny enough, I changed xwiki.authentication.ldap.server to =testserver.local, but when trying to log in, journalctl -u tomcat9.service still displays an LDAP error, can’t connect to liveserver.live, instead of the testserver. And yes, I did systemctl restart tomcat9.service.

Is there some cache where old configurations are saved? I did try the xwikisas AD connector, which is terrible, and also tried the LDAP Application for setting up LDAP, which does not have enough options to get an SSL LDAP-Server with Login going.

ldapsearch -D "cn=ldapuser,OU=Unix-Server,DC=liveserver,DC=live" -b "OU=Unix-Server,DC=liveserver,DC=live" -H ldaps://liveserver.live:3666 -w livepass

from commandline works without any problem.

I read in https://forum.xwiki.org/t/ldap-ad-configuration-problem-provided-user-is-null-ldap-not-active/3185 that a complete re-install might help.

Has anyone any other suggestions? Any hint / recommendation / tip appreciated.

This is just a helper to set LDAP configuration at wiki level but if you don’t reset that configuration, it remains, even after you uninstall the application, and it has priority over what’s in xwiki.cfg.


Thanks :smiley: Now I know. So a re-install it is? :upside_down_face:

You don’t need to reinstall XWiki, if that’s your question, but you can install the LDAP Application again and reset each property (usually by emptying the input field) you had previously set. The alternative is to edit the page XWiki.XWikiPreferences with the object editor and reset each LDAP field.


Thanks a lot. Reinstalling the LDAP Application and resetting all fields helped. I now can connect to the not secured internal AD (not over LDAP but standard 389). Will have to find out how to configure it for the SSL one. But at least I am not starting from zero now. Thanks again!

If you have time you could report the issue on Issues · xwikisas/application-activedirectory · GitHub. I couldn’t find an existing issue matching your description.

Thanks,
Marius