I went to do my usual process. Clone our org’s existing XWiki Prod server, do an upgrade, verify things work, then if it’s good upgrade Production.
I am going from 15.10.13 to 16.10.5.
In testing LDAP login, that doesn’t work. It’s acting like it doesn’t even know to try to use LDAP.
I think I checked everything multiple times and things should be good config-wise. For the LDAP Authenticator extension, it shows as there. I did uninstall and reinstall it twice. I can click into it and it has all the settings and such.
But when I wanted to turn up logging, in the 16.10 environment there is nothing under logging when I search for ldap. Versus on the 15.10 Prod box, there are multiple ldap results in a search but the one I care about is org.xwiki.contrib.ldap. Either way, none of the ldap stuff under Logging in Prod is there in the 16.10 environment.
Maybe that’s the problem? LDAP isn’t really there? Or only half there enough that the extension page exists but not the necessary stuff behind it?
Ok, well quick note before I go looking further. I looked in Extensions > Updater and there was an update from 9.15.6 to 9.15.7. Though why that wasn’t installed on one of the two times I did an uninstall / reinstall I dunno.
LDAP still doesn’t work but now I can at least see it in the Logging options and turn logging up. Hopefully I find a clue in that.
I finally got that figured out though it was a long journey (albeit I didn’t spend hundreds of hours or anything). I’d give an hour or two here and there.
Along the way I discovered Java 17 had a tighter requirement around certificates. I ended up re-importing our company’s root and intermediate certs separately into the Java keystore. Previously I imported them combined. That’s using the keytool -importcert command.
One help was an updated LDAP extension that came out after I was trying to update.
I changed the server field from the IP address to the server name as that seemed needed.
In the xwiki.cfg file I added this line as well, which I did not previously have:
xwiki.authentication.ldap.starttls=0
All those changes combined for me made it work.
I will note that I have no idea if it’s actually needed but I use both the LDAP Authenticator extension and put the LDAP config in xwiki.cfg. Previously to get LDAP auth to work I needed both but maybe now I don’t. I dunno - I didn’t try.
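The separate root and intermediate import described above, as an added example that is not part of the original posts: it splits a combined PEM bundle into one file per certificate and imports each under its own alias with keytool -importcert. The bundle path, keystore path, store password and alias prefix are placeholders to be supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the original posts). All paths, the alias
# prefix and the store password are assumptions passed in as arguments.

# split_bundle BUNDLE OUTDIR
# Writes each certificate of a PEM bundle to OUTDIR/cert-N.pem and
# prints how many certificates were found.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%d.pem", dir, n); writing = 1
        }
        writing { print > out }
        /-----END CERTIFICATE-----/ { writing = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_certs OUTDIR KEYSTORE STOREPASS PREFIX
# Imports every OUTDIR/cert-N.pem as its own trusted entry, aliased
# PREFIX-1, PREFIX-2, ... and prints the number of matching entries.
import_certs() {
    outdir=$1; keystore=$2; storepass=$3; prefix=$4
    i=0
    for pem in "$outdir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        i=$((i + 1))
        keytool -importcert -noprompt -trustcacerts \
            -alias "${prefix}-${i}" -file "$pem" \
            -keystore "$keystore" -storepass "$storepass" || return 1
    done
    keytool -list -keystore "$keystore" -storepass "$storepass" \
        | grep -c "^${prefix}-"
}

# Usage: script BUNDLE KEYSTORE STOREPASS [PREFIX]
if [ "$#" -ge 3 ]; then
    work=$(mktemp -d)
    split_bundle "$1" "$work" >/dev/null
    import_certs "$work" "$2" "$3" "${4:-corp-ca}"
    rm -rf "$work"
fi
```

Restart the servlet container afterwards so the JVM running XWiki reloads the keystore.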