LDAP wrong configuration

Hi,
I’m trying to set up LDAP. My configuration file looks like this:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=172.3.20.1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=DC=Domain,DC=INTERNAL
xwiki.authentication.ldap.bind_DN=CN=wiki,OU=Virtual Users,DC=Domain,DC=INTERNAL
xwiki.authentication.ldap.bind_pass=Password
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=GivenName,email=mail,name=sAMAccountName,ldap_dn=dn

Logging in to XWiki from LDAP works fine.
I don’t want to have the user and password in the file, so I changed:
xwiki.authentication.ldap.bind_DN=CN={0},OU=Virtual Users,DC=Domain,DC=INTERNAL
xwiki.authentication.ldap.bind_pass={1}
but this configuration doesn’t work :frowning:

log:
2022-08-11 08:10:02,329 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
2022-08-11 08:10:02,330 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection - Connection to LDAP server [172.3.20.1:389]
2022-08-11 08:10:02,337 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[CN=domain\user,OU=Virtual Users,DC=domain,DC=INTERNAL]
2022-08-11 08:10:02,353 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:155)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:557)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:307)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:297)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:208)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:190)
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:167)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4336)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4359)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5880)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:502)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:292)
at com.xpn.xwiki.web.LegacyActionServlet.service(LegacyActionServlet.java:115)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:764)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:122)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.wysiwyg.filter.ConversionFilter.doFilter(ConversionFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:132)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1732)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.novell.ldap.LDAPException: Invalid Credentials
at com.novell.ldap.LDAPResponse.getResultException(LDAPResponse.java:407)
at com.novell.ldap.LDAPResponse.chkResultCode(LDAPResponse.java:370)
at com.novell.ldap.LDAPConnection.chkResultCode(LDAPConnection.java:3959)
at com.novell.ldap.LDAPConnection.bind(LDAPConnection.java:1408)
at com.novell.ldap.LDAPConnection.bind(LDAPConnection.java:1361)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:261)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:223)
… 58 common frames omitted
2022-08-11 08:10:02,357 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2022-08-11 08:10:02,358 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [user]
2022-08-11 08:10:02,358 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] WARN nticationFailureLoggerListener - Authentication failure with login [user]
2022-08-11 08:10:02,359 [http-nio-8182-exec-3 - http://localhost:8182/xWiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2022-08-11 08:10:02,629 [http-nio-8182-exec-8 - http://localhost:8182/xWiki/bin/download/FlamingoThemes/Iceberg/Capture.PNG?rev=1.1] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2022-08-11 08:10:02,632 [http-nio-8182-exec-8 - http://localhost:8182/xWiki/bin/download/FlamingoThemes/Iceberg/Capture.PNG?rev=1.1] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null

I was looking for a solution on the forum, but did not find it. Please help me. What am I doing wrong?

Hi @ewa

XWiki needs credentials to connect to the LDAP server, so you have to put them in the file. You can create domain credentials specifically for XWiki authentication, with minimum rights, if you want to minimize the harm of a credentials leak.

Hi,

Have you tried this approach? Does it assist you? Let me know.


From what I understand of your log, it looks like the authenticator is not given the LDAP UID value (“user”) that your configuration expects as input, but the AD-style full reference domain\uid (domain\user), which can usually be used directly as the bind DN (so xwiki.authentication.ldap.bind_DN={0}).
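The mismatch described in the last reply, as an added example (not code from the thread or from XWiki): a Python check that reads the bind name out of the "Binding to LDAP server" DEBUG line and shows what a bind_DN template yields for a given typed login. It assumes {0} and {1} are replaced by the typed login and password, as the log above suggests; all function names and the sample line are constructed for illustration.

```python
import re

# Constructed sample, modelled on the "Binding to LDAP server" DEBUG line in the log above.
SAMPLE_LOG = ("2022-08-11 08:10:02,337 DEBUG o.x.c.l.XWikiLDAPConnection - Binding to LDAP "
              r"server with credentials login=[CN=domain\user,OU=Virtual Users,DC=domain,DC=INTERNAL]")

def bind_name_from_log(line):
    """Return the bind name logged for this attempt, or None if the line is unrelated."""
    m = re.search(r"Binding to LDAP server with credentials login=\[(.*)\]", line)
    return m.group(1) if m else None

def expand(template, login, password=""):
    """Fill {0} (typed login) and {1} (typed password) in a single pass (assumed semantics)."""
    return re.sub(r"\{([01])\}", lambda m: (login, password)[int(m.group(1))], template)

def login_form(login):
    """Classify what the user typed into the login form."""
    if "\\" in login:
        return "down-level"   # DOMAIN\user
    if "@" in login:
        return "upn"          # user@domain
    if re.match(r"\s*[A-Za-z]+=", login):
        return "dn"           # already a distinguished name
    return "uid"              # bare account name

def has_bad_escape(dn):
    """True if a backslash in dn does not start a valid RFC 4514 escape pair."""
    stripped = re.sub(r'\\(?:[\\"+,;<>#= ]|[0-9A-Fa-f]{2})', "", dn)
    return "\\" in stripped

def diagnose(template, login):
    """Show the bind name a bind_DN template yields and whether the login fits it."""
    bind_name = expand(template, login)
    form = login_form(login)
    wraps = "{0}" in template and template.strip() != "{0}"
    return {
        "bind_name": bind_name,
        "login_form": form,
        "bad_escape": wraps and has_bad_escape(bind_name),
        # A template that wraps {0} in an RDN only fits a bare account name.
        "fits_template": not wraps or form == "uid",
    }

if __name__ == "__main__":
    tpl = "CN={0},OU=Virtual Users,DC=Domain,DC=INTERNAL"
    print(bind_name_from_log(SAMPLE_LOG))
    for login in (r"domain\user", "user"):
        print(diagnose(tpl, login))
    print(diagnose("{0}", r"domain\user"))
```

A down-level login whose account name begins with two hex digits passes the escape check while still producing the wrong DN, so login_form is the signal to rely on.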