LDAP login issue


No, the only officially slow thing I know during LDAP authentication is group sync (and it does not have anything to do with the database).



Are you sure that this could not be caused by an error in database (first I deleted those users)?
Now for example I can login with that user but in log file I see the “_1” user, so the ldap user is correct but has a wrong object linked (or something like that).



I never said that. I have absolutely no idea what your database would be slow, just saying that it should not have anything to do with the LDAP authenticator.

Did you look at the object ?



Yes, the situation is that the correct user has no LDAPProfileClass object, the user_1 has the LDAPProfileClass (and this one has correct data).
I think this is a database error (is there any way to safely clean users in database? In order to avoid exceptions like logSnippet2)
thank you



Did you try to delete the user ? You have data in that user profile you need to keep ?



I think that the LDAP extension that creates the user in XWiki should not create a user if this one is already present. If this one is created it means that we could intercept this code and avoid a creation of another user (this one can be a property if one will).
Now I try to delete the user, I will update you then.



And this is exactly what the authenticator is doing and to find existing user it use the object I described to you.



I deleted the user, now I’m trying to login again. I noticed two things:

  1. when I delete a user, using the users interface, it does not refresh and says no messages (I think it is a frontend issue but because of it I cannot know when a user is really deleted).
  2. Now that I waited for a longer time to login (after deletion) I can login with that user and it correctly creates it.

It seems to be a timing problem (synchronization), in production we cannot enstablish that time (and the number of retries that a user can do for the login).



I confirm that I can reproduce this bug and it is a timing problem. If I delete a user and I don’t wait an estimated time, Xwiki generates the problem (I waited about 5 min to solve the problem, why Xwiki takes so long to safely delete a user?). It is caused by the interface that does not confirm when a user is really deleted.
I think there should be a fix to avoid this issue, backend side with a synchronization between deletion and creation and frontend side with an interface update (a message that confirms the deletion).



Let’s sum up the issues that I can report:

  1. User interface has strange behaviour when deleting users (it does not refresh correctly or confirm the operation) and when creating new users (it’s very slow and sometimes it does not respond).

  2. Sometimes, I don’t know why, the LDAPProfileClass is not linked correctly to a user when a user tries the first login. Maybe it’s a latency time or another unknown reason, this problem generates the creation of a user that has not that ldap object associated. This is a issue because XWiki thinks that the user already exists and when the user tries to login, the code on XWikiLDAPUtils.java:1328 goes wrong and thinks to have to update a user that has no LDAP objects. This is the starting point for the “_1” - “_n” users that XWiki creates after the first login.

I think that we can use a workaround for the second point (manually associate the LDAP object to the right user) but this but has to be resolved soon.

Thank you



Do you mean that you are creating users from the UI ? Don’t you have only LDAP users ?



I made an automated procedure that creates users on XWiki, it works in the same way that Xwiki creates them with the UI.
I found those UI-response bugs because I used the UI for my own tests.



The LDAP authenticator link a user profile to an LDAP id only if the user profile has been created by the authenticator. If the user already exist it assume it’s a regular XWiki user and don’t overwrite it.

So if you create the XWiki user before the first authentication then indeed the authenticator will never reuse it, if you want it to reuse the user you need to add an LDAP profile object when you create the users.



This error was very annoying because neither the admin either the user knew what really happened.
Thank you for this info (maybe it is better to put an alert on ldap autenticathor page in case someone migrates and has the same errors) but there should be a prior check that avoids the creation of those n-users.
I think simply adding an if statement into ldap plugin code to check if the user found in xwiki database has the LDAP object added (if I enabled the new ldap extension and I set try-local property to false but a user inside the database has no ldap class, we should avoid any other errors adding that object or alerting the user).
Second, for the next versions there should be an UI improvement with the cases I wrote you because now it is totally not responsive.



I don’t agree with this, many XWiki instances have both LDAP users and regular XWiki users and the LDAP authenticator need to deal with collisions between the two.

I will have to reproduce and debug this, there should only be a _1 in your case. Could you tell me what you have in the LDAP profile object in _1 users ? Does the LDAP uid looks right in it ?



What kind of collisions do you mean? If a user exists in ldap and also in Xwiki and both have the same credentials (and XWiki has try-local=false, so it uses only ldap) I think it is obvious that this user is ok, no deals required. There should be no other errors, I don’t have a mixed situation, I use ldap only.
You can easily reproduce it in this way:

  • Using XWiki version 8.4.5, ldap authenticator ver. 9.2.5
  • setting try-local to false and using only ldap
  • Creating a user using the UI, that user must be in your ldap with same values
  • Trying to login with that user, if you will be able to pass you will see “_1” user, this user has the right LDAPProfileClass with right values, in this way you will enter with your id but for XWiki you are another user.


Only to help someone, if you see this error inside log:
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
java.lang.NullPointerException: null
at org.xwiki.contrib.ldap.XWikiLDAPUtils.updateUserFromLDAP(XWikiLDAPUtils.java:1328)
at org.xwiki.contrib.ldap.XWikiLDAPUtils.syncUser(XWikiLDAPUtils.java:1105)

This error could be related to this issue.



So I tried to reproduce your isse but I only have a _1 user created, following logins are reusing _1 version of the user properly.

I did not see any answer from you about what exactly you had in the LDAP profile object in the _1 user page, that would help understand your issue. Also a complete debug log of a login that create another _N user would help too.



as I already said, the “_1” user has an object with right ldap values:

By the way this is not a problem anymore, I applied a workaround to my batch procedure in order to add also the ldap object after the user creation, it seems to work well.

Currently I have only 2 problems:

  1. If I uninstall the LDAP Application extension (http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Application/) with the extension manager, I’m not able to use the cfg properties file, it seems to see the old properties I set with the LDAP Application, how to avoid this? Do I have to delete some dirty records in database or temp files?

  2. Please add a fix for the user interface management (delete and creation) for the next version



The application is a UI to make easier to edit the general XWiki preference so uninstalling the application does not reset those and they have priority over xwiki.cfg. You can either put back the application to reset all the values or directly edit the XWikiPreferences object on http://mydomain/xwiki/bin/edit/XWiki/XWikiPreference?editor=object.

Not sure what fix you are exactly talking about here. If you have a feature request related to LDAP you can detail it on https://jira.xwiki.org/browse/LDAP. If it’s only for the standard user UI then it’s https://jira.xwiki.org/browse/XWIKI