LDAP unable to access the LDAP-UI and problems with user_group, group_mapping, fields_mapping config

Hi there,

I’m working on a PoC migrating from Confluence to XWiki using the official Docker image (XWiki version 15.1, postgres flavour, using LDAP Authenticator 9.11.0).

Right now I’m trying to configure the LDAP extension and am having trouble with the following (my LDAP know-how is also very low, sorry):

  1. I can’t find the LDAP UI in XWiki, but I succeeded in configuring xwiki.cfg (low-priority problem)
  2. fields_mapping does work; can one assign multiple values to 1 field, e.g. address=street|postalCode|city? Additionally with whitespace in between
  3. user_group does not work if I’m using a filter like this:

(&(|(businessCategory=Bedienstet)(businessCategory=Projekt)(businessCategory=Student)))

There are about 50.000 entries and I’m getting a “Failed to get group members, com.novell.ldap.LDAPException: Sizelimit Exceeded”.

  1. xwiki.authentication.ldap.group_mapping=XWiki.zbg_bedienstete=ou=staff,ou=employee,ou=users,o=data|
    XWiki.zbg_projektkonten=ou=project,ou=employee,ou=users,o=data|
    XWiki.zbg_studenten=ou=active,ou=student,ou=users,o=data

xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,389 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,390 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,390 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,390 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - remoteUserParser: null
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,390 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,390 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_memberfields: [uniquemember, memberuid, member]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,390 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Connecting to LDAP using SSL
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,519 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - No SRV record for _ldaps._tcp.edir.edvz.sbg.ac.at found.
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,520 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [edir.edvz.sbg.ac.at:636]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,535 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[cn=svc_confluence,ou=sa,o=data]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,576 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Getting the list of user fields to synchronize
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,576 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - LDAP avatar photo synchronisation is disabled
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,577 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - LDAP user fields to synchronize: [sn, givenName, mail, cn]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,577 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Searching for the user in LDAP: user [baerthlein] base [ou=users,o=data] query [(cn=baerthlein)] uid [cn]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,577 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[ou=users,o=data] query=[(cn=baerthlein)] attrs=[[sn, givenName, mail, cn]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -   - values for attribute [mail]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -     |- [Stefan.Baerthlein@plus.ac.at]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -   - values for attribute [cn]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -     |- [baerthlein]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -   - values for attribute [sn]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -     |- [Bärthlein]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -   - values for attribute [givenName]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,587 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    -     |- [Stefan]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,588 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - LDAP search found attributes [[{name=dn value=cn=baerthlein,ou=staff,ou=employee,ou=users,o=data}, {name=mail value=Stefan.Baerthlein@plus.ac.at}, {name=cn value=baerthlein}, {name=sn value=Bärthlein}, {name=givenName value=Stefan}]]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,588 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[cn=baerthlein,ou=staff,ou=employee,ou=users,o=data]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,606 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[cn=svc_confluence,ou=sa,o=data]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,630 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - LDAP attributes will be used to update XWiki attributes.
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,630 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Updating existing user with LDAP attribues located at [cn=baerthlein,ou=staff,ou=employee,ou=users,o=data]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,631 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Start synchronization of LDAP profile [[{name=dn value=cn=baerthlein,ou=staff,ou=employee,ou=users,o=data}, {name=mail value=Stefan.Baerthlein@plus.ac.at}, {name=cn value=baerthlein}, {name=sn value=Bärthlein}, {name=givenName value=Stefan}]] with existing user profile based on mapping [{mail=email, givenname=first_name, sn=last_name}]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,633 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig        - Groupmapping found [XWiki.zbg_bedienstete] [[ou=staff,ou=employee,ou=users,o=data]]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,633 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Updating group membership for the user [XWiki.baerthlein_1]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,637 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - The user belongs to following XWiki groups:
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,637 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - XWiki.XWikiAllGroup
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,646 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - Retrieving Members of the group [ou=staff,ou=employee,ou=users,o=data]
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,651 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPUtils         - [ou=staff,ou=employee,ou=users,o=data] is a valid DN, lets try to get corresponding entry.
xwiki-postgres-tomcat-web  | 2023-05-16 07:45:27,652 [http-nio-8080-exec-3 - http://localhost:8080/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.PagedLDAPSearchResults - LDAP pagined search: base=[ou=staff,ou=employee,ou=users,o=data] query=[null] attrs=[[objectClass, uniquemember, memberuid, member, cn]] scope=[2] typesOnly=[false] pageSize=[500], cookie=[null]

The user “baerthlein” is NOT assigned to “zbg_bedienstete” - probably a problem related to the limit / size?

Any hints on that?
Thanks a lot, Stefan.