I am trying to get LDAP authentication to Active Directory working, but when I sign in to XWiki I get 403 - Forbidden. The server understood the request but refuses to authorize it.
I followed the Bill Stewart YouTube video to set it up on Windows https://www.youtube.com/watch?v=EuoorWJ-IdE
I have configured logging and it states that the admin domain user I authenticated with logged in successfully.
Anyone have any ideas what I am missing?
Many thanks
Keith
OK so I have progressed with this and it no longer gives the 403 error.
When I enable debug logging I am seeing that there are error messages about:
The provided user is NULL. We don't try to authenticate, it probably means the user is in non-logged mode.
Local LDAP authentication failed
LDAP bind failed with LDAPException.
The user I am connecting to Active Directory with is a domain admin (for testing)
Does anyone have any idea what would cause this?
You should paste the exact debug log you have, since "LDAP bind failed with LDAPException" does not give much information about the cause (which you can generally find in the details of the error).
Thanks for the reply. This is the log after that entry:
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:239)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:166)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:557)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuthSSOSync(XWikiLDAPAuthServiceImpl.java:246)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuthSSO(XWikiLDAPAuthServiceImpl.java:211)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:163)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4336)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4359)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5880)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:501)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:292)
at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:115)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:660)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:360)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:399)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:890)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2138)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: com.novell.ldap.LDAPException: Strong Authentication Required
at com.novell.ldap.LDAPResponse.getResultException(LDAPResponse.java:407)
at com.novell.ldap.LDAPResponse.chkResultCode(LDAPResponse.java:370)
at com.novell.ldap.LDAPConnection.chkResultCode(LDAPConnection.java:3959)
at com.novell.ldap.LDAPConnection.bind(LDAPConnection.java:1408)
at com.novell.ldap.LDAPConnection.bind(LDAPConnection.java:1361)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:429)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:235)
… 55 common frames omitted
2023-01-18 14:04:28,992 [https-openssl-apr-443-exec-4 - https://xwiki.ois/xwiki/bin/login/XWiki/XWikiLogin?srid=Oz2hAyxK&xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DOz2hAyxK] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2023-01-18 14:04:28,992 [https-openssl-apr-443-exec-4 - https://xwiki.ois/xwiki/bin/login/XWiki/XWikiLogin?srid=Oz2hAyxK&xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DOz2hAyxK] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2023-01-18 14:04:28,992 [https-openssl-apr-443-exec-4 - https://xwiki.ois/xwiki/bin/login/XWiki/XWikiLogin?srid=Oz2hAyxK&xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DOz2hAyxK] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2023-01-18 14:04:32,443 [extension.index job group daemon thread - org.xwiki.extension.index.internal.job.ExtensionIndexJob@19b32a94([extension, index])] WARN o.x.e.i.i.j.ExtensionIndexJob - Failed to get remote extension from repository [store.xwiki.com:xwiki:https://store.xwiki.com/xwiki/rest]: UnknownHostException: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server (store.xwiki.com)
2023-01-18 14:04:37,870 [extension.index job group daemon thread - org.xwiki.extension.index.internal.job.ExtensionIndexJob@19b32a94([extension, index])] WARN o.x.e.i.i.j.ExtensionIndexJob - Failed to get remote extension from repository [extensions.xwiki.org:xwiki:https://extensions.xwiki.org/xwiki/rest]: UnknownHostException: This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server (extensions.xwiki.org)
Could you paste the entire debug log of the LDAP from when you “Log-in”.
The above line pointed me to the issue. It is because our Windows Domain Controllers require signing on LDAP connections. If I turn that off, XWiki authenticates the user correctly. This is not possible to leave turned off in our production environment. Do you know if there is a configuration option in the LDAP authenticator which can prevent this problem?
Hard to tell without knowing your configuration.
Most of the time, the authenticator does use a user/pass to access the LDAP server (that's what the bind_DN and bind_pass are for). If this error is not related to a standard LDAP bind but to some special Microsoft thing which is not part of the LDAP protocol, I'm afraid it's not going to be easy.
I managed to figure it out by using the ssl configuration options and a trusted root cert for the domain controllers.
Thanks for your assistance
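The two posts above (the "Strong Authentication Required" diagnosis and the LDAPS fix) can be reproduced outside XWiki. The script below is an added example, not code from the thread or from the XWiki LDAP authenticator: it performs the same kind of simple bind the authenticator does, first on cleartext LDAP (389), where a domain controller set to "Require signing" answers with LDAP result code 8 (strongerAuthRequired), and then over LDAPS (636), where the TLS channel satisfies the signing requirement and the bind succeeds. The host name dc01.example.local and the account svc-xwiki@example.local are assumptions; the script needs network access to the DC and a Windows host that trusts the domain CA's root certificate.

```powershell
# Added example (not part of the original thread): show why a simple bind to a DC that
# requires LDAP signing fails on port 389 and succeeds on LDAPS port 636.
# Assumed names: dc01.example.local (DC), svc-xwiki@example.local (bind account).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Dc   = 'dc01.example.local'
$User = 'svc-xwiki@example.local'   # UPN form is accepted by AD for simple binds
$Cred = Get-Credential -UserName $User -Message 'Password of the LDAP bind account'
$Net  = $Cred.GetNetworkCredential()

function Test-LdapSimpleBind {
    param(
        [string]$Server,
        [int]$Port,
        [bool]$UseSsl,
        [System.Net.NetworkCredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    # AuthType Basic = LDAP simple bind, the same operation the XWiki authenticator performs
    # with bind_DN / bind_pass, so it triggers the same server-side policy.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) {
        # No VerifyServerCertificate callback is set on purpose: the DC certificate must chain
        # to a root the client already trusts, which is what the poster achieved by installing
        # the domain CA's root certificate. Do not add a callback that returns $true to "fix" it.
        $conn.SessionOptions.SecureSocketLayer = $true
    }
    try {
        $conn.Bind($Credential)
        '{0}:{1} ssl={2} -> bind OK' -f $Server, $Port, $UseSsl
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 8 is strongerAuthRequired; the Novell client used by XWiki renders it as
        # "Strong Authentication Required", the message seen in the stack trace above.
        '{0}:{1} ssl={2} -> {3} (LDAP result code {4})' -f $Server, $Port, $UseSsl,
            $_.Exception.Message, [int]$_.Exception.ErrorCode
    } finally {
        $conn.Dispose()
    }
}

Test-LdapSimpleBind -Server $Dc -Port 389 -UseSsl $false -Credential $Net
Test-LdapSimpleBind -Server $Dc -Port 636 -UseSsl $true  -Credential $Net
```

To confirm the server-side cause rather than infer it from the client error, run on the DC itself `Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name LDAPServerIntegrity`: a value of 2 corresponds to the "Domain controller: LDAP server signing requirements = Require signing" policy that rejects cleartext simple binds. On the XWiki side the equivalent of the second call is pointing the authenticator at port 636 with its SSL option enabled and a truststore that contains the domain CA's root certificate (in the xwiki-contrib LDAP authenticator these are the xwiki.authentication.ldap.port, xwiki.authentication.ldap.ssl and xwiki.authentication.ldap.ssl.keystore settings; confirm the exact key names against the version you run). Leaving the DC at "Require signing" and moving the wiki to LDAPS, as the poster did, is the right outcome: the alternative of relaxing the DC policy would expose every simple bind, including the bind_pass credential, in cleartext on the network.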