Good day all. I am having an issue setting up my LDAP. I followed the step-by-step processes and have viewed the other threads regarding it, and by all that I have read it should be working (at least according to my limited knowledge). I enabled logging; kindly see the output below, as well as the general settings I am using in the LDAP Auth app. Any help is greatly appreciated as always. I have changed the IP and login details to XXXXXX for security reasons; otherwise they contain the standard details such as IP address, login name, etc.
That’s all I am getting when I run the “tail -f /var/log/tomcat7/catalina.out” command. Unless there’s a way to get more details, that’s all it’s showing me.
Here’s a more detailed look at the log, hope this helps.
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPExcept$
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:155)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAu$
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthService$
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl$
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.ja$
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.ja$
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.ja$
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.jav$
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.ja$
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3812)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(X$
at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiC$
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3830)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4894)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:364)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:210)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:$
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:112)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHead$
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(Save$
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetC$
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:134)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java$
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol$
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.novell.ldap.LDAPException: Invalid Credentials
at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPConnection.bind(Unknown Source)
at com.novell.ldap.LDAPConnection.bind(Unknown Source)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:261)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:223)
Yes, better, but it is still missing some stuff: you should have a log right before this error indicating what DN it’s trying to bind with.
So as far as I can see here, your issue is that you entered the wrong uid/password in the login form or the pattern you used to generate the DN in your configuration is wrong.
So according to the log, XWiki tried to authenticate on the LDAP server with the DN cn=firstname.lastname,dc=company,dc=co,dc=zm and the password you gave it in the login form, and the server answered that those credentials are wrong (so either the DN does not exist or the password is wrong).
So as I suggested in the previous message either the pattern you indicated in the configuration is wrong or you simply made a mistake when you entered the uid/password in the login form.
Thanks for the link. I have tweaked my config file since then, and obtained the correct DNs using the clients, but sadly I am still stumped, even though I am able to use said clients with virtually the same parameters. Kindly look through my config text; maybe I am messing up the format I am using. I should mention I am using Active Directory LDAP, if that changes anything.
PS. I also tried changing the bind to this, but still to no avail:
with groupings following this format:
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAllGroup=CN=DL-MIS,OU=IT,OU=group,DC=domain,DC=co,DC=zm|
XWiki.LDAPusers=OU=IT,OU=group,DC=domain,DC=co,DC=zm
I have this as my current setup, used it yesterday, unless I was using the bind wrongly:
xwiki.authentication.ldap.bind_DN=subdomain\{0}
Can anyone show me a more practical example of the above bind? E.g. if the company’s subdomain is “ocelot” and the base DN is dc=ocelot, dc=co,dc=zm, would that mean the link would be: xwiki.authentication.ldap.bind_DN=ocelot{0}?
Oh and yes, I am still getting the credentials error in the log.
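Added example, not part of the thread and not XWiki's code: a simplified Python model of what happens to a `bind_DN` pattern between the config file and the LDAP bind, assuming the file is read with `java.util.Properties` escaping rules, under which a single backslash before `{0}` is dropped. The login `jdoe`, the helper names and the sample patterns are constructed for illustration.

```python
# Simplified model (assumption: xwiki.cfg values are unescaped the way
# java.util.Properties.load() does it; \uXXXX and line continuation omitted).

ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def load_value(raw: str) -> str:
    """Unescape one property value as it appears in the file."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            # Known escapes are translated; for any other character the
            # backslash is silently dropped and the character kept.
            out.append(ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def expand(pattern: str, uid: str) -> str:
    """Substitute the login name for {0} in the loaded pattern."""
    return pattern.replace("{0}", uid)

def bind_name_kind(name: str) -> str:
    """Classify the identity that would be sent in the LDAP simple bind.
    Active Directory accepts a DN, DOMAIN\\user or user@domain."""
    if "\\" in name:
        return "down-level"      # DOMAIN\user
    if "=" in name:
        return "dn"              # cn=...,dc=...
    if "@" in name:
        return "upn"             # user@domain
    return "no-domain"           # plain string, names no domain at all

def resolve(raw_pattern: str, uid: str):
    name = expand(load_value(raw_pattern), uid)
    return name, bind_name_kind(name)

# Constructed sample patterns, written exactly as they would sit in the file.
SAMPLES = [r"ocelot\{0}", r"ocelot\\{0}", "cn={0},dc=ocelot,dc=co,dc=zm"]

if __name__ == "__main__":
    for raw in SAMPLES:
        name, kind = resolve(raw, "jdoe")
        print(f"{raw!r:38} -> {name!r:34} [{kind}]")
```

When a bind fails with Invalid Credentials, compare the bind identity logged just before the error with the string this model produces for your pattern.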
We use a functional user “wiki_bind” to perform the LDAP bind as our users are in different OUs. Even if that’s not the case in your environment, do you get the same error when trying to use a specific user for the bind?
Our config looks quite similar to yours, I just removed the SSL and SSO bits that are not needed, especially when debugging.
Good morning all, thanks to both your tips @tmortagne and @Johannes, I managed to link LDAP. It was due to the binding I was using not having the appropriate permissions. I used Johannes’ example and we created an account specifically for binding. I still have an issue with the permissions and grouping. Can I use the same binding for group mapping as well if I simply want to have them all fall under a general login? E.g.:
Because users can log in well and good, but I can’t seem to assign them to groups (and they have full admin rights). They exist in the xwikiall group, but they don’t seem to be bound to whatever group class I state when placing the settings.
Ahhhhhh, corrected, and they are being assigned to the correct groups. Now I am still stuck with the permissions issue. I have set the permissions for the set group to ONLY view and comment, and set the edit and delete sections to be non-accessible. It works just fine when I use the wiki login, but when I log in with the LDAP login, they still have all their permissions. Have you ever experienced this?