LDAP isn't working with a Docker Compose installation

I installed an XWiki for testing purposes.
The latest Docker Compose version is installed.
I’ve been trying to get LDAP working for two days now. Our LDAP cluster is a 389 DS.

As administrator, I installed LDAP Authenticator 9.16.1 and LDAP Application 9.16.1.
I read that LDAP needs to be enabled in the xwiki.cfg file.

Using `docker exec -it xwiki-mariadb-tomcat-web sh`, I added the following to `/webapps/ROOT/WEB-INF/xwiki.cfg`:

#-# LDAP authentication service
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl

#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap=1

#-# Enable local accounts in addition to LDAP.
#-# Without this setting you will be unable to log into XWiki with local accounts.
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap.trylocal=1

#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
xwiki.authentication.ldap.ssl=1

I added the LDAP CA to the keystore:

keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts

(jssecacerts didn’t exist yet)

Afterwards, I read that the xwiki.cfg file will no longer be supported in the future, so I copied everything into xwiki.properties again.

It’s not working.
I’m getting an error message that the username and password are incorrect.
In the log I see:

DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user
WARN nticationFailureLoggerListener - Authentication failure with login
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
/wikis/xwiki/localization/translations?locale=de-AT&prefix=&key=url.api.followLinkConfirmationText] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
[/rest/wikis/xwiki/localization/translations?locale=de-AT&prefix=&key=url.api.followLinkConfirmationText] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null

I’ve also read that the settings in xwiki.cfg are overridden by the UI (LDAP), but I can’t find any LDAP configurations in either the .cfg or the properties file (apart from the ones I copied in myself).

I think I’m missing something obvious! If I configure LDAP via the UI, I don’t see it in xwiki.cfg?
I’ve also read that there should be a button in the UI to test the LDAP connection. I don’t have that either.

Does anyone have any idea where I could start looking?

Does no one have an idea where to start? You can’t really see much in the log and there is contradictory information in the forum…

I don’t see where you’ve opened the LDAP port in your docker command line… Please paste your full docker command line for starting XWiki.

LDAP is running on a different server in our setup!

I’m using the original docker-compose.yml file, then I enabled LDAP in the xwiki.cfg file and configured it via the LDAP application.

wget https://raw.githubusercontent.com/xwiki-contrib/docker-xwiki/master/16/mariadb-tomcat/mariadb/init.sql
wget -O docker-compose.yml https://raw.githubusercontent.com/xwiki-contrib/docker-xwiki/master/16/mariadb-tomcat/docker-compose.yml
wget https://raw.githubusercontent.com/xwiki-contrib/docker-xwiki/master/16/mariadb-tomcat/.env
docker compose up

I’ll also try writing the entire configuration directly into the xwiki.cfg file…

After three weeks of repeatedly trying to find a solution for the non-functional XWiki authentication against LDAP, we have to acknowledge that, at least in the Docker Compose version, XWiki is not suitable for enterprise environments. Our team worked intensively on this today and reviewed the documentation multiple times. In the end, all that remains is this:

We have placed a minimal LDAP configuration in the container (webapps/ROOT/WEB-INF/xwiki.cfg):

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=IP of LDAP Server
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
xwiki.authentication.ldap.bind_pass={1}

Even if the bind DN and password are incorrect, XWiki should attempt authentication. In other words, packets should be arriving at the LDAP server. We ran `tcpdump` on the LDAP server, but nothing is coming through!

To ensure that the connection is working in principle (from within the container), we tried the following:

docker exec -it xwiki-mariadb-tomcat-web nc -vz IP_of_LDAP-server 389

According to `tcpdump`, seven packets are arriving. The container is therefore reaching the LDAP server on port 389. However, we cannot understand why no packet is reaching the LDAP server when attempting to log in, and this can only be related to internal processes at XWiki. Since we cannot manually create and manage over 300 accounts, we have to end the evaluation.

We tried it with versions 16.10 and 17.10.
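A file-level check for the kind of `xwiki.cfg` LDAP block posted above, as an added example that is not part of the thread or of XWiki. It assumes the file uses Java-properties syntax and only inspects the file, not settings made in the LDAP application UI; the function name `audit_ldap_cfg` and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the xwiki.authentication.* keys of
# an xwiki.cfg, assuming Java-properties syntax (key=value, last value wins).
# Prints findings and returns non-zero if any FAIL finding was printed.
audit_ldap_cfg() {
  awk '
    /^[ \t]*[#!]/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
      line = $0; sub(/^[ \t]+/, "", line)
      eq = index(line, "="); if (eq == 0) next
      key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
      sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
      if (key !~ /^xwiki\.authentication\./) next
      if (key in cfg) print "WARN " key " set twice, last value wins"
      if (val ~ /[ \t]xwiki\.authentication\./) {
        print "FAIL " key " swallows other properties (missing line breaks)"
        bad = 1
      }
      cfg[key] = val
    }
    END {
      p = "xwiki.authentication.ldap"
      if (cfg["xwiki.authentication.authclass"] !~ /XWikiLDAPAuthServiceImpl$/) {
        print "FAIL authclass is not the LDAP authenticator"; bad = 1
      }
      if (cfg[p] != "1") { print "FAIL " p " is not 1"; bad = 1 }
      if (cfg[p ".server"] == "") { print "FAIL " p ".server is empty"; bad = 1 }
      if (cfg[p ".ssl"] != "1")
        print "WARN " p ".ssl is not 1: the bind password is sent unencrypted"
      else if (cfg[p ".port"] == "389")
        print "WARN ssl=1 with port 389: LDAPS normally listens on 636"
      exit bad + 0
    }
  ' "$1"
}

# Constructed sample: three properties that lost their line breaks.
sample_flattened() {
  printf '%s\n' 'xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl xwiki.authentication.ldap=1 xwiki.authentication.ldap.server=192.0.2.10'
}

# Constructed sample: well-formed file using LDAPS (host name is a placeholder).
sample_ok() {
  printf '%s\n' \
    'xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl' \
    'xwiki.authentication.ldap=1' 'xwiki.authentication.ldap.server=ldap.example.com' \
    'xwiki.authentication.ldap.ssl=1' 'xwiki.authentication.ldap.port=636'
}

if [ "$#" -gt 0 ]; then audit_ldap_cfg "$1"; fi
```

Run it inside the web container against the file Tomcat actually loads, so that edits made to a different copy of `xwiki.cfg` show up as missing keys.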

Do you have more logs? Because all the log you pasted indicates is that the authentication failed (I don’t see anything related to an “incorrect username and password”), but if you enabled debug logging for org.xwiki.contrib.ldap., you should have a lot more details.

Just one more data point for your consideration:

This worked for me. LDAP server tested was 389ds 2.7.0 (the current version straight from the RHEL 9.7 rpm repositories).
The only configuration changes were:

# diff -u /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg.orig /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg
--- /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg.orig       2025-12-12 13:56:18.681938543 +0000
+++ /usr/local/tomcat/webapps/ROOT/WEB-INF/xwiki.cfg    2025-12-12 14:17:14.215318224 +0000
@@ -536,3 +536,12 @@
 # xwiki.action.export.xar.attachment.jrcs=1

+xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
+xwiki.authentication.ldap=1
+xwiki.authentication.ldap.trylocal=1
+xwiki.authentication.ldap.server=
+xwiki.authentication.ldap.bind_DN=uid={0},cn=users,cn=accounts,dc=example,dc=com
+xwiki.authentication.ldap.bind_pass={1}
+xwiki.authentication.ldap.base_DN=cn=users,cn=accounts,dc=example,dc=com
+xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
+xwiki.authentication.ldap.update_user=1
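
Review bot: the added block never sets xwiki.authentication.ldap.ssl, so with the default of 0 quoted earlier on this page the user password substituted into bind_pass={1} goes to the directory without TLS. Consider adding xwiki.authentication.ldap.ssl=1 together with a matching xwiki.authentication.ldap.port, and importing the directory's CA certificate into the trust store the Tomcat JVM actually loads. Separately, xwiki.authentication.ldap.server= is empty as posted; anyone copying these lines needs to fill in the directory host or no bind will be attempted against the intended server.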