LDAP mapping of fields / access rights

Hello,

As I was able to configure the use of LDAPS in the meantime, I’m now struggling with the configuration of the mapping.

What I have:

  • several AD groups with permissions in XWiki groups
  • XWiki groups in the wiki

What does not work:

  • mapping between AD group and XWiki group: every user ends up in the same group
  • mapping of AD attributes to users

My configuration in xwiki.cfg:

xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=$WikiSD_Administrators,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.Backend=CN=$WikiSD_Backend,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.Fieldservice=CN=$WikiSD_Fieldservice,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.Hotline=CN=$WikiSD_Hotline,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.Moderators=CN=$WikiSD_Moderators,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.Projekt=CN=$WikiSD_Projekt,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.Softwareverteilung=CN=$WikiSD_Softwareverteilung,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.Steuerung=CN=$WikiSD_Steuerung,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|
XWiki.ServicePoint=CN=$WikiSD_ServicePoint,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|\

xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail,company=company,Department=department,address=physicalDeliveryOfficeName

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl

xwiki.authentication.ldap.user_group=CN=$WikiSD_Access,OU=$Administration,OU=xyz,OU=#AB,DC=xyz,DC=xyz,DC=xyz,DC=com|\

xwiki.authentication.ldap.mode_group_sync=always

xwiki.authentication.ldap.group_sync_resolve_subgroups=1

Thank you for your help and let me know if there’s something unclear.

Hi, we had one issue in the past; perhaps it’s the same here: you have to escape the special characters. It looks like this in our current mappings:
CN=Whatever,OU=Xwiki,OU=\\+XYZ-Group,DC=abc,DC=com

Note the double(!) backslash before the +; in our AD, the group is named “+XYZ-Group”.

We’ve done the mapping in the UI, perhaps there are more differences because of this, too…

regards
Gerd
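Added here as an editor’s example, not code from this thread or from the xwiki-contrib LDAP module: a small Python lint for a `xwiki.authentication.ldap.group_mapping` value in its on-disk form. It strips the one backslash level that Java properties consume (the reason Gerd’s mapping needs `\\+`), then checks every RDN value against RFC 4514 escaping (a leading `#`, as in `OU=#AB`, must be written `\#`) and flags an `=` inside a value, which usually means a comma between RDNs is missing. The sample mapping is constructed.

```python
import re

# RFC 4514 s2.4: must be backslash-escaped anywhere inside an RDN value
# (',' is omitted because an unescaped ',' already ends the RDN).
SPECIAL_ANYWHERE = set('+"\\<>;')
RDN_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)=(.*)$')

def properties_unescape(raw):
    """Undo the one backslash level Java properties (xwiki.cfg) consume: the
    on-disk "\\\\+" becomes "\\+", the form the LDAP module actually sees."""
    return re.sub(r'\\(.)', r'\1', raw)

def rdns(dn):
    """Split a DN on unescaped commas, keeping escaped pairs intact."""
    return re.findall(r'(?:[^,\\]|\\.)+', dn)

def value_problems(value):
    """RFC 4514 escaping problems in one RDN value (properties-unescaped)."""
    bare = re.sub(r'\\.', '', value)      # drop properly escaped pairs first
    probs = [f"unescaped {ch!r}" for ch in bare if ch in SPECIAL_ANYWHERE]
    if bare.startswith('#'):
        probs.append("leading '#' must be escaped as \\#")
    if '=' in bare:
        probs.append("'=' inside value: missing comma between RDNs?")
    return probs

def lint_group_mapping(raw):
    """Return {xwiki_group: [problems]} for one group_mapping property value."""
    report = {}
    for entry in properties_unescape(raw).split('|'):
        if not entry.strip():
            continue                      # a trailing '|' leaves an empty entry
        group, _, dn = entry.partition('=')
        probs = [] if dn else ["entry is not of the form XWikiGroup=DN"]
        for rdn in rdns(dn):
            m = RDN_RE.match(rdn)
            if not m:
                probs.append(f"malformed RDN {rdn!r}")
                continue
            probs += [f"{m.group(1)}: {p}" for p in value_problems(m.group(2))]
        report[group] = probs
    return report

# Constructed sample in on-disk xwiki.cfg form: the first entry is correct,
# the second lacks the comma before OU and leaves the leading '#' unescaped.
SAMPLE = (
    r"XWiki.XWikiAdminGroup=CN=WikiSD_Admins,OU=\\#AB,DC=example,DC=com|"
    r"XWiki.Backend=CN=WikiSD_BackendOU=Admin,OU=#AB,DC=example,DC=com|"
)
```

Run `lint_group_mapping(SAMPLE)` on the property value copied from xwiki.cfg; an empty list for a group means its DN parsed cleanly, anything else is worth fixing before blaming the directory.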

I am afraid to say that didn’t work out. Any other ideas? Maybe it is important to say that we use nested groups, like this:

To access the wiki we use the LDAP group WikiSD_Access; its members are $WikiSD_Administrators, $WikiSD_Backend and so on.

The actual rights within the wiki are set with the same groups, and behind these we have the users.

Nothing else? I still couldn’t manage to get it to work :frowning:

I had a look into the catalina.out file, but this does not really help me out:

[2020-12-02 09:56:07] [info] 2020-12-02 09:56:07,401 [https-openssl-nio-8443-exec-10 - https://URL:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] WARN nticationFailureLoggerListener - Authentication failure with login [samaccountname]

EDIT:
Started a debug log for org.xwiki.contrib.ldap:

DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
[2020-12-02 10:50:51] [info] 2020-12-02 10:50:51,832 [https-openssl-nio-8443-exec-1 - https://URL:8443/xwiki/bin/login/XWiki/XWikiLogin?srid=dwMxygcq&xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DdwMxygcq] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
[2020-12-02 10:50:56] [info] 2020-12-02 10:50:56,905 [https-openssl-nio-8443-exec-4 - https://URL:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
[2020-12-02 10:50:56] [info] 2020-12-02 10:50:56,905 [https-openssl-nio-8443-exec-4 - https://URL:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - remoteUserParser: null
[2020-12-02 10:50:56] [info] 2020-12-02 10:50:56,938 [https-openssl-nio-8443-exec-4 - https://URL:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
[2020-12-02 10:50:56] [info] 2020-12-02 10:50:56,939 [https-openssl-nio-8443-exec-4 - https://URL:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
[2020-12-02 10:50:56] [info] 2020-12-02 10:50:56,970 [https-openssl-nio-8443-exec-4 - https://URL:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection - Connection to LDAP server [DC.xyz.com:636]
[2020-12-02 10:50:56] [info] 2020-12-02 10:50:56,979 [https-openssl-nio-8443-exec-4 - https://URL:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[CN=sakbsd0,OU=Konten,OU=Services,OU=#Administration,DC=xyz,DC=xyz,DC=xyz,DC=com]

Literally, I am still getting an error on the binding:

[2020-12-30 15:44:45] [info] org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.

There’s also no log entry on the DC. :confused: