LDAP bind DN with whitespaces

We are trying to use LDAP for our XWiki, but we have a whitespace in our DN. How do you get XWiki to read it properly? It couldn't authorize on the LDAP server. Are you supposed to use brackets or something different?
Here is the config:

> #-# LDAP credentials, empty = anonymous access, otherwise specify full dn
> #-# {0} is replaced with the user name, {1} with the password
> xwiki.authentication.ldap.bind_DN=CN=LDAP\, xWiki,OU=Administrators Apps,OU=Users,OU=Company,DC=Company,DC=Intra

White spaces should not be a problem I think, but that CN is surprising: it’s the first time I see a comma in a value (LDAP, xWiki), but I’m hardly an expert in everything related to LDAP. In any case, that comma definitely feels like something to escape (if it’s even valid in DN syntax in the first place).


Thanks for the fast reply! Sorry, the comma was escaped, I edited the question with the correct line. Could it be that the problem is the comma instead of the whitespace? Do you need to escape it differently?

If you bump up the log level of org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl (e.g. via https://your-xwiki-instance/xwiki/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Logging) you should see a stack trace if your DN syntax is not valid, e.g.:

2023-09-22 19:37:37,347 [qtp665372494-75 - http://xwiki:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed. 
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
        at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:244)
        at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:165)
        ...
Caused by: com.novell.ldap.LDAPException: Invalid DN Syntax
        at com.novell.ldap.LDAPResponse.getResultException(LDAPResponse.java:407)
        ...

That being said, while character escaping is technically properly defined in RFC4514, it has always been notoriously iffy. Some server implementations support \,, some require \ plus two hex digits (i.e. \2C in this case).

I’ve just tried LDAP xWiki on a 389ds (xwiki 14.10.17) which worked fine, but I was unsuccessful with LDAP, xWiki, no matter how I escaped it. That might be a shortcoming of 389ds, jldap, or me not knowing what the correct syntax is. Your mileage may vary.

It was me not knowing what I’m doing. For 389ds this works:

xwiki.authentication.ldap.bind_DN=CN="LDAP, xWiki",OU=Administrators Apps,OU=Users,OU=Company,DC=Company,DC=Intra

See also 389 Directory Server - Upgrade to New DN Format

So does this

xwiki.authentication.ldap.bind_DN=CN=LDAP\\2C xWiki,OU=Administrators Apps,OU=Users,OU=Company,DC=Company,DC=Intra

and this

xwiki.authentication.ldap.bind_DN=CN=LDAP\\, xWiki,OU=Administrators Apps,OU=Users,OU=Company,DC=Company,DC=Intra

It seems like cfgConfigurationSource is already returning the parameter without the second backslash: https://github.com/xwiki-contrib/ldap/blob/7ee0a979172a3ff8547e2a9cdc6d13be7274077a/ldap-authenticator/src/main/java/org/xwiki/contrib/ldap/XWikiLDAPConfig.java#L325

So this might be a good starting point to look further: https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/internal/XWikiCfgConfigurationSource.java

Yes, \ is interpreted as escaping character by Java Properties I think.

Yes, you’re spot on!

For reference, it’s this line https://github.com/xwiki/xwiki-platform/blob/ddc61325ba827f194bd1eb31df8bbf63adfef81f/xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/internal/XWikiCfgConfigurationSource.java#L106

The behaviour is documented here: Properties (Java SE 17 & JDK 17)
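
To see the effect discussed above, here is an added example (not code from this thread or from XWiki) that loads the four bind_DN spellings through java.util.Properties and prints the value the application actually receives, then parses that value. It uses javax.naming.ldap.LdapName as a stand-in RFC 2253 parser, which is an assumption: jldap and the directory server make the real decision. The class name and helper are hypothetical.

```java
import java.io.StringReader;
import java.util.Properties;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class BindDnEscapingDemo {
    static final String KEY = "xwiki.authentication.ldap.bind_DN";
    static final String TAIL = ",OU=Administrators Apps,OU=Users,OU=Company,DC=Company,DC=Intra";

    // Returns the value exactly as java.util.Properties hands it to the application.
    static String load(String cfgLine) throws Exception {
        Properties p = new Properties();
        p.load(new StringReader(cfgLine));
        return p.getProperty(KEY);
    }

    public static void main(String[] args) throws Exception {
        // The four CN spellings from the thread, as they would be typed in the config file.
        // Java source doubles every backslash: "\\," below is \, in the file.
        String[] typed = {
            "CN=LDAP\\, xWiki",     // single backslash before the comma
            "CN=\"LDAP, xWiki\"",   // quoted value
            "CN=LDAP\\\\2C xWiki",  // double backslash + hex pair
            "CN=LDAP\\\\, xWiki",   // double backslash before the comma
        };
        for (String cn : typed) {
            String dn = load(KEY + "=" + cn + TAIL);
            System.out.println("typed : " + cn + TAIL);
            System.out.println("loaded: " + dn);
            try {
                // Assumption: LdapName approximates what the LDAP side will accept.
                LdapName name = new LdapName(dn);
                // LdapName indexes RDNs right to left, so the CN is the last one.
                Rdn leaf = name.getRdn(name.size() - 1);
                System.out.println("parsed: " + name.size() + " RDNs, CN value = " + leaf.getValue());
            } catch (InvalidNameException e) {
                System.out.println("parsed: rejected (" + e.getMessage() + ")");
            }
            System.out.println();
        }
    }
}
```

Comparing the "typed" and "loaded" lines shows where the properties loader consumes a backslash before the DN ever reaches the LDAP library.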

Thanks for the replies! All three options work. We have also found another way to solve this by writing:

#xwiki.authentication.ldap.bind_DN=xwiki-ldap@Company.Intra

Maybe these could be added to the documentation, as examples.