Issue when authenticating with an LDAP user with a - character

Hello,

I have an XWiki 6.4.1 and an LDAP user could not log in anymore.
I activated debug mode for LDAP and noticed that XWiki found the wrong user to authenticate on the LDAP server.
My user/login is “prenom.nom” but XWiki tries to use “prenom.nom-smb” (this LDAP user exists) and fails to authenticate.
Here are the logs:

2017-09-14 15:32:55,615 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig      - ldap_group_classes: [posixgroup] 
2017-09-14 15:32:55,615 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig      - ldap_group_memberfields: [memberuid] 
2017-09-14 15:32:55,615 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed: LDAP not activ 
2017-09-14 15:32:55,615 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig      - ldap_group_classes: [posixgroup] 
2017-09-14 15:32:55,615 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig      - ldap_group_memberfields: [memberuid] 
2017-09-14 15:32:55,615 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection  - Connecting to LDAP using SSL 
2017-09-14 15:32:55,616 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection  - Connection to LDAP server [myldap:xxx] 
2017-09-14 15:33:00,641 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection  - Binding to LDAP server with credentials login=[] 
2017-09-14 15:33:00,748 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: (&(objectClass=xxxPerson)(!(xxxZone=EXTERNE))) 
2017-09-14 15:33:00,749 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils       - Found cache entry for group [(&(objectClass=xxxPerson)(!(xxxZone=EXTERNE)))] 
2017-09-14 15:33:00,749 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils       - Found group [(&(objectClass=xxxPerson)(!(xxxZone=EXTERNE)))] members [{uid
xxxxxxx
xxxxxx, uid=prenom.nom-smb,ou=xxxxx,dc=fr=prenom.nom-smb,
, uid=prenom.nom,ou=xxxxx,dc=fr=prenom.nom, xxxxxxxx


2017-09-14 15:33:00,751 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils       - Found user dn in user group [uid=prenom.nom-smb,ou=xxxxx,dc=fr] 
2017-09-14 15:33:00,751 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection  - Binding to LDAP server with credentials login=[uid=prenom.nom-smb,ou=xxxxx,dc=fr] 
2017-09-14 15:33:00,770 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Global LDAP authentication failed. 
com.novell.ldap.LDAPException: Invalid Credentials

2017-09-14 15:29:17,477 [https://xwiki/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [prenom.nom] 

Other users don’t have this issue, anyway.

Ty

I know it is an old xwiki but users still use it.

Pascal B

Looks like you are hitting Loading....

According to the log you have both “prenom.nom-smb” and “prenom.nom” users in the group you indicated in xwiki.authentication.ldap.user_group and this version of the authenticator has a bug that makes it select the first user in the group starting with the provided uid.

Since the new LDAP extension requires 7.4+, the only choice you have, I think, is to patch the 6.4.1 authenticator with what you can find in LDAP-20: LDAP substring matching · xwiki-contrib/ldap@9818aea · GitHub.
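The lookup behaviour described in the reply above, next to an exact comparison on the DN's leftmost RDN, as an added example that is not XWiki's code and not part of the original posts. The class and method names, the DN-to-uid map shape and the `ou=people,dc=example,dc=fr` suffix are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class GroupMemberLookup {
    // Models the behaviour described in the reply: the first group member
    // whose uid starts with the submitted login is selected.
    static Optional<String> prefixMatch(Map<String, String> members, String login) {
        return members.entrySet().stream()
            .filter(e -> e.getValue().startsWith(login))
            .map(Map.Entry::getKey)
            .findFirst();
    }

    // Parses each member DN and compares the whole value of its leftmost RDN
    // with the login (case-insensitive, as uid matching normally is).
    static Optional<String> exactMatch(Map<String, String> members, String login)
            throws InvalidNameException {
        for (String dn : members.keySet()) {
            LdapName name = new LdapName(dn);
            if (name.isEmpty()) {
                continue; // nothing to compare for an empty DN
            }
            Rdn leaf = name.getRdn(name.size() - 1); // leftmost RDN, e.g. uid=prenom.nom
            if (leaf.getType().equalsIgnoreCase("uid")
                    && leaf.getValue().toString().equalsIgnoreCase(login)) {
                return Optional.of(dn);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed group cache (DN -> uid), in the same order as in the debug log.
        Map<String, String> members = new LinkedHashMap<>();
        members.put("uid=prenom.nom-smb,ou=people,dc=example,dc=fr", "prenom.nom-smb");
        members.put("uid=prenom.nom,ou=people,dc=example,dc=fr", "prenom.nom");

        System.out.println("prefix match: " + prefixMatch(members, "prenom.nom").orElse("none"));
        System.out.println("exact match:  " + exactMatch(members, "prenom.nom").orElse("none"));
        System.out.println("partial login: " + exactMatch(members, "prenom").orElse("none"));
    }
}
```

With the prefix comparison the bind is attempted against the `-smb` DN using the other account's password, which is what produces the `Invalid Credentials` line in the log; the exact comparison also refuses a partial login such as `prenom`.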

Thxs, you help me a lot! (like usual :slight_smile: )