LDAP Authenticator remoteUserMapping settings

Good day,

I am using Tomcat and WAFFLE (https://github.com/Waffle/waffle) to perform SSO, and the LDAP Authenticator extension (https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/) with the settings:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1

I’ve enabled logging in LDAP, so I know that the LDAP extension sees the remote username in the log:

2018-09-21 08:20:35,713 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - RemoteUser: domainname\username

Since the remote user format is domainname\username, I am trying to use the remote user mapping settings:

xwiki.authentication.ldap.remoteUserParser=(.+)\\\\(.+)
xwiki.authentication.ldap.remoteUserMapping.1=domain,ldap_server,ldap_port,ldap_base_DN,ldap_bind_DN,ldap_bind_pass
xwiki.authentication.ldap.remoteUserMapping.2=uid
xwiki.authentication.ldap.remoteUserMapping.ldap_server=domainname=ldapserverfqdn
xwiki.authentication.ldap.remoteUserMapping.ldap_port=domainname=389
xwiki.authentication.ldap.remoteUserMapping.ldap_base_DN=domainname=DC=domainname,DC=suffix
xwiki.authentication.ldap.remoteUserMapping.ldap_bind_DN=domainname=uid
xwiki.authentication.ldap.remoteUserMapping.ldap_bind_pass=domainname=password

However when I attempt to use this configuration, this is what I see in the logs:

2018-09-21 10:05:03,746 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - RemoteUser: domainname\username
2018-09-21 10:05:03,748 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - remoteUserParser: (.+)\\(.+)
2018-09-21 10:05:03,749 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - hostConvertor: {}
2018-09-21 10:05:03,749 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - hostConvertor: {}
2018-09-21 10:05:03,749 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - hostConvertor: {}
2018-09-21 10:05:03,749 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - hostConvertor: {}
2018-09-21 10:05:03,750 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - hostConvertor: {}
2018-09-21 10:05:03,750 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - hostConvertor: {}
2018-09-21 10:05:03,750 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - hostConvertor: {}
2018-09-21 10:05:03,766 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
2018-09-21 10:05:03,766 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
2018-09-21 10:05:03,851 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConnection - Connection to LDAP server [domainname:389]
2018-09-21 10:05:03,864 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG o.x.c.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[domainname]
2018-09-21 10:05:03,952 [https://tomcatserverfqdn/xwiki/bin/view/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.

Why is the connection to the LDAP server trying [domainname:389] instead of [ldapserverfqdn:389]?

Why does the bind to the LDAP server use credentials login=[domainname] instead of login=[username]?

Am I not understanding how to use the remoteUserMapping settings?

I have worked around this for now by specifying the ldap server, port, etc. directly instead of trying to parse them using the remoteUserMapping settings.

Even though I’ve worked around it, I still want to know the answer to this (I’m obviously not understanding something).
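An added model (mine, not the extension's code) of how the remoteUserParser and remoteUserMapping lines in the post are meant to compose: each regex capture group is assigned to the field names listed under remoteUserMapping.<n>, then every field is run through its own convertor table, and a field with no convertor entry keeps the raw captured text. The `(.+)\\\\(.+)` value in xwiki.cfg unescapes to `(.+)\\(.+)` (as the log prints it), which is the regex used here; the `|` separator between convertor entries is an assumption.

```python
import re

# Constructed stand-in for the xwiki.cfg lines quoted in the post; not the extension's own code.
PREFIX = "xwiki.authentication.ldap.remoteUserMapping."
CFG = {
    "xwiki.authentication.ldap.remoteUserParser": r"(.+)\\(.+)",  # value after .cfg unescaping
    PREFIX + "1": "domain,ldap_server,ldap_port,ldap_base_DN,ldap_bind_DN,ldap_bind_pass",
    PREFIX + "2": "uid",
    PREFIX + "ldap_server": "domainname=ldapserverfqdn",
    PREFIX + "ldap_port": "domainname=389",
    PREFIX + "ldap_base_DN": "domainname=DC=domainname,DC=suffix",
    PREFIX + "ldap_bind_DN": "domainname=uid",
    PREFIX + "ldap_bind_pass": "domainname=password",
}

def convertor(cfg, field):
    """Per-field table {captured value -> replacement}. Assumed format: 'captured=replacement'
    entries separated by '|'; a missing key yields {} (what 'hostConvertor: {}' in the log prints)."""
    table = {}
    for entry in filter(None, cfg.get(PREFIX + field, "").split("|")):
        key, sep, value = entry.partition("=")  # split on the FIRST '=' only: DN values contain '='
        if sep:
            table[key.strip()] = value.strip()
    return table

def resolve_remote_user(cfg, remote_user):
    """Model of remoteUserParser + remoteUserMapping. Returns None when the regex does not match."""
    match = re.fullmatch(cfg["xwiki.authentication.ldap.remoteUserParser"], remote_user)
    if match is None:
        return None
    fields = {}
    for index, captured in enumerate(match.groups(), start=1):
        for field in cfg.get(PREFIX + str(index), "").split(","):
            field = field.strip()
            if field:
                # Fallback branch: no convertor entry -> the raw captured text is used as-is.
                fields[field] = convertor(cfg, field).get(captured, captured)
    return fields

def resolved_with_conversions():
    return resolve_remote_user(CFG, r"domainname\username")

def resolved_without_conversions():
    # Drop every convertor line: the fallback branch then leaves the raw domain in ldap_server
    # and ldap_bind_DN, the shape of 'Connection to LDAP server [domainname:389]' and
    # 'login=[domainname]' in the quoted log.
    stripped = {k: v for k, v in CFG.items()
                if not k.startswith(PREFIX) or k in (PREFIX + "1", PREFIX + "2")}
    return resolve_remote_user(stripped, r"domainname\username")
```

Comparing the two outputs against the log is the check worth doing: the empty `hostConvertor: {}` lines together with a connection to `domainname` rather than `ldapserverfqdn` are what the fallback branch produces, so the convertor tables are the first thing to verify when the mapping seems ignored.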

Simple question: do you even have multiple domains? If so, maybe your domains are part of the same forest, so you can use the global catalog (provided forest trust is given). So maybe you don't even need to bother with all the remoteUserMapping stuff.

I have a working configuration with a few domains in a forest using Apache httpd Kerberos authentication as the SSO solution. So maybe I'm able to help, although I don't use WAFFLE.

When using WAFFLE, remote user mapping would seem to be needed in order to parse out the uid portion from the remote user name, at least as far as I can tell. (I’m not an expert; I’ve only been playing with XWiki and the LDAP Authenticator extension for a couple of days.)

Correct, you have to extract the username part, but as long as you don't have multiple domains to serve, there is no need to make the LDAP server depend on the user. Even if you have multiple domains, it may not be necessary if they share a global catalog (GC).

I have outlined a working configuration for multiple AD domains in a forest in this post:

https://forum.xwiki.org/t/multiple-domains-ad-ldap-auth/3059/7?u=rbr