Miltidomain LDAP Invalid Credentials

vDubrovskiy · October 13, 2023, 1:04pm

I am using xWiki version 14.10.18 (LTS).

I am trying to set up authentication in ActiveDirectory via LDAP. I need to configure connection to two ADs, as some users are located on another server.

If I specify settings for only one server, everything works fine.

Example:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=ip-address1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=subdomain1,dc=domain,dc=com
xwiki.authentication.ldap.bind_DN=cn=robot,ou=temp,dc=my,dc=domain,dc=com
xwiki.authentication.ldap.bind_pass=passw1
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.groupcache_expiration=3600

But if I try to connect the second server, I get an error every time I log in.

org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
Caused by: com.novell.ldap.LDAPException: Invalid Credentials

Example settings: (used the instructions from https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HGenericLDAPconfiguration)."

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.groupcache_expiration=3600

xwiki.authentication.ldap.httpHeader=REMOTE_USER
xwiki.authentication.ldap.remoteUserParser=(.+)@(.+)
xwiki.authentication.ldap.remoteUserMapping.1=uid
xwiki.authentication.ldap.remoteUserMapping.2=domain,ldap_server,ldap_port,ldap_base_DN,ldap_bind_DN,ldap_bind_pass
xwiki.authentication.ldap.remoteUserMapping.ldap_server=DOMAIN1=ip-address1|DOMAIN2=ip-address2
xwiki.authentication.ldap.remoteUserMapping.ldap_port=DOMAIN1=389|DOMAIN2=389
xwiki.authentication.ldap.remoteUserMapping.ldap_base_DN=DOMAIN1=dc=subdomain1,dc=domain,dc=com|DOMAIN2=dc=subdomain2,dc=domain,dc=com
xwiki.authentication.ldap.remoteUserMapping.ldap_bind_DN=DOMAIN1=cn=robot1,ou=temp,dc=subdomain1,dc=domain,dc=com|DOMAIN2=cn=robot2,ou=temp,dc=subdomain2,dc=domain,dc=com
xwiki.authentication.ldap.remoteUserMapping.ldap_bind_pass=DOMAIN1=passw1|DOMAIN2=passw2

In the second case i use for login “user@domain”

What’s my mistake?

vDubrovskiy · October 17, 2023, 9:35am

A few more logs.

TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode. 
TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication 
DEBUG o.x.c.l.XWikiLDAPConfig        - remoteUserParser: (.+)@(.+) 
DEBUG o.x.c.l.XWikiLDAPConfig        - hostConvertor: {} 
DEBUG o.x.c.l.XWikiLDAPConfig        - hostConvertor: {} 
DEBUG o.x.c.l.XWikiLDAPConfig        - hostConvertor: {DOMAIN1=subdomain1.DOMAIN.com, DOMAIN2=subdomain2.DOMAIN.com} 
DEBUG o.x.c.l.XWikiLDAPConfig        - hostConvertor: {DOMAIN1=dc=subdomain1,dc=domain,dc=com, DOMAIN2=dc=subdomain2,dc=domain,dc=com} 
DEBUG o.x.c.l.XWikiLDAPConfig        - hostConvertor: {DOMAIN1={0}, DOMAIN2={0}} 
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux] 
DEBUG o.x.c.l.XWikiLDAPConfig        - ldap_group_memberfields: [uniquemember, memberuid, member] 
TRACE o.x.c.l.XWikiLDAPConnection    - SRV record found: 0 100 389 kurinfdc04.subdomain1.DOMAIN1.com. 
TRACE o.x.c.l.XWikiLDAPConnection    - SRV record found: 0 100 389 kurinfdc03.subdomain1.DOMAIN1.com. 
DEBUG o.x.c.l.XWikiLDAPConnection    - 2 SRV record(s) discovered 
DEBUG o.x.c.l.XWikiLDAPConnection    - Connection to LDAP server [kurinfdc04.subdomain1.DOMAIN.com.:389 kurinfdc03.subdomain1.DOMAIN.com.:389 :389] 
DEBUG o.x.c.l.XWikiLDAPConnection    - Binding to LDAP server with credentials login=[subdomain1.DOMAIN1.com] 
DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed. 
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.

As far as I understand, the problem is that the system is trying to substitute the domain in the login, not the username. (The line “Binding to LDAP server with credentials login”). But I don’t understand how to fix this.