LDAPS not working

Hi Guys,

I've been trying for 7 weeks to migrate the LDAP authentication to LDAPS, but it just won't work.

I would be very thankful for any help.

If I set the following parameters in my xwiki.cfg (LDAP), everything works fine:

#LDAP
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap=1

If I change the configuration to this, Active Directory LDAP doesn't work anymore:
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.ssl.keystore=/data/xwiki/DC.keystore

The keystore (without a password) contains the certificate of the domain controller I want to connect to.

Unfortunately I see no error in the Tomcat log, so I have no clue where to look.

My other applications work fine with LDAPS, so I can rule out a problem with the Windows domain controllers.

Thank you very much for any help!

I also use LDAPS against an AD, but I don't set any special SSL settings.
Here is my sample config:

xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.server=<don't use an AD controller here, use the domain name, so DNS will do the rest>
To check the LDAPS connection you can use openssl:

openssl s_client -connect "Your domain":636 -showcerts

When the last line is:

Verify return code: 0 (ok)

then the LDAPS connection is fine.

Hi mdc_xwiki,

thank you for your answer.

I tried the openssl test, and it worked. It made a connection, but as return code I got: Verify return code: 20 (unable to get local issuer certificate).

Which is OK, openssl doesn't know that it can trust the certificate. This is why I set the parameter "xwiki.authentication.ldap.ssl.keystore", in which the DC certificate is present.

I tested it with the debug level on "Trace" in the config file. Same as before, I got only the following related information in the log:

  • The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode
  • XWikiUser: null
  • Starting LDAP authentication
  • LDAP authentication failed: LDAP not activ
  • LDAP authentication failed for user [xwikiadtestuser]

Do you have an idea?

Because of the error "Provided user is 0", here is my complete XWiki config for LDAP:


xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap.server=Example.com

#LDAP
#xwiki.authentication.ldap.port=389
#xwiki.authentication.ldap=1

#LDAPS
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.ssl.keystore=/data/xwiki/DC.keystore

xwiki.authentication.ldap.base_DN=dc=sub,dc=domain,dc=com
xwiki.authentication.ldap.bind_DN=sub\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName

xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn

xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.update_user=1

xwiki.authentication.ldap.group_mapping=XWiki.Group=CN=User_IT,OU=User,OU=Groups,OU=Gru,OU=VBS,DC=sub,DC=domain,DC=com|\


To anyone who can help me before LDAP in XWiki makes me crazy :wink:, thank you very much.

I found the solution:

Remove the xwiki.authentication.ldap.ssl.keystore parameter from xwiki.cfg.

Now the debug logs show "all" problems.

I added my certificate authority certs to the Java cacerts keystore, and now it works like a charm.

Thanks to everyone nonetheless.
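The openssl check from mdc_xwiki's reply and the cacerts import from the final post, carried through end to end as an added example; this is not code from the thread, from XWiki or from the LDAP extension. To run offline it builds a throwaway CA and a server certificate for the made-up DC name ldaps.example.com: the codes `openssl verify` reports are the same X.509 verify codes `s_client` prints in its "Verify return code" line, so the unknown-issuer case gives 20 (what the OP saw) and passing the issuing CA with -CAfile gives 0. The hostname check is included because the name put in xwiki.authentication.ldap.server must appear in the certificate's SAN (JDK 8u181 and later verify the LDAPS hostname). The keytool step is the fix the OP ended up with; the truststore path, the alias corp-ca and the JDK default password changeit are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example for this thread, not code from XWiki or the LDAP extension.
# Part 1 reproduces the "Verify return code" outcomes offline with a constructed
# CA and server certificate (the DC name ldaps.example.com is made up).
# Part 2 is the fix from the last post: import the issuing CA into the JVM
# truststore Tomcat uses. Alias "corp-ca" and the password "changeit" (JDK
# default) are assumptions; pass your own truststore path.
set -eu

# Constructed test PKI in $1: ca.pem signs server.pem (SAN ldaps.example.com).
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Minimal config so req/x509 work without the system openssl.cnf.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
subjectAltName = DNS:ldaps.example.com
EOF
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Example Corp Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ldaps.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# Print the X.509 verify error code for a certificate file: 0 when the chain
# (and, if $3 is given, the hostname) validates, 20 when the issuer is not
# trusted, 62 on hostname mismatch. s_client's "Verify return code" line
# reports the same codes for a live connection.
verify_code() {
    cert="$1"; cafile="${2:-}"; host="${3:-}"
    set -- "$cert"
    if [ -n "$cafile" ]; then
        set -- -CAfile "$cafile" "$@"
    else
        set -- -no-CAfile -no-CApath "$@"    # ignore the system trust store
    fi
    if [ -n "$host" ]; then
        set -- -verify_hostname "$host" "$@"
    fi
    out=$(openssl verify "$@" 2>&1 || true)
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

# Same check against a live DC (not run here): prints the number from
# s_client's "Verify return code". Use the name from xwiki.authentication.ldap.server.
ldaps_verify_code() {
    host="$1"; cafile="$2"
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile "$cafile" -verify_hostname "$host" </dev/null 2>/dev/null \
        | sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p'
}

# The fix from the last post: trust the issuing CA JVM-wide instead of pointing
# xwiki.cfg at a keystore. Java 8 keeps cacerts in $JAVA_HOME/jre/lib/security,
# Java 9+ in $JAVA_HOME/lib/security. Restart Tomcat afterwards.
import_ca_into_java_truststore() {
    cafile="$1"; truststore="$2"; alias="${3:-corp-ca}"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$cafile" -keystore "$truststore" -storepass changeit
    keytool -list -keystore "$truststore" -storepass changeit -alias "$alias"
}

# Offline walk-through; the keytool step only runs when a JDK is available.
demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "no CA given:            $(verify_code "$work/server.pem")"                                   # 20
    echo "with issuing CA:        $(verify_code "$work/server.pem" "$work/ca.pem")"                    # 0
    echo "CA + matching hostname: $(verify_code "$work/server.pem" "$work/ca.pem" ldaps.example.com)"  # 0
    echo "CA + wrong hostname:    $(verify_code "$work/server.pem" "$work/ca.pem" dc01.example.com)"   # 62
    if command -v keytool >/dev/null 2>&1; then
        import_ca_into_java_truststore "$work/ca.pem" "$work/test-cacerts"
    fi
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run the script with `--demo` to see the four verify codes; against the real controller, `ldaps_verify_code your.domain /path/to/ca.pem` with the exported issuing CA should print 0 before you bother with xwiki.cfg, since a 20 there means the CA you imported is not the one that signed the DC's certificate, and a 62 means the name in xwiki.authentication.ldap.server is not in the certificate's SAN.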