I have basic LDAP to Active Directory working, but need to configure LDAP with SSL. I’m using the Docker image so some additional config was needed to fit in with that. So far, I have done this:
- Exported the cert from Active Directory and imported it into a keystore:
keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
- Created a docker volume called xwiki-cfg which points to /usr/local/tomcat/webapps/ROOT/WEB-INF. I copied the jssecacerts file to that location.
- Amended my xwiki.cfg:
# LDAP
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.ssl.keystore=/usr/local/tomcat/webapps/ROOT/WEB-INF/jssecacerts
- Changed the web LDAP page in the xwiki admin to use port 636.
- When trying to authenticate, I think the main errors are (a) "Local LDAP authentication failed" and (b) "unable to find valid certification path to requested target". Output from debug below.
I know the Active Directory server is working OK, because I set it up to use LDAPS from Apache for another server yesterday. I know basic non-SSL LDAP is working from XWiki. If anyone has any insight into this problem, please let me know.
Full trace from the LDAPS authentication attempt:
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,915 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - remoteUserParser: null
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,916 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,916 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,916 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection - Connecting to LDAP using SSL
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,917 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection - Connection to LDAP server [10.0.3.20:636]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,931 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[USERNAME]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,938 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
xwiki-mysql-tomcat-web | org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
xwiki-mysql-tomcat-web | at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
xwiki-mysql-tomcat-web | at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:153)
xwiki-mysql-tomcat-web | at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:518)
xwiki-mysql-tomcat-web | at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:334)
xwiki-mysql-tomcat-web | at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:268)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
xwiki-mysql-tomcat-web | at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:163)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3776)
xwiki-mysql-tomcat-web | at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:242)
xwiki-mysql-tomcat-web | at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:272)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3794)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4844)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:364)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:210)
xwiki-mysql-tomcat-web | at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
xwiki-mysql-tomcat-web | at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
xwiki-mysql-tomcat-web | at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
xwiki-mysql-tomcat-web | at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
xwiki-mysql-tomcat-web | at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
xwiki-mysql-tomcat-web | at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:292)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:112)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:136)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
xwiki-mysql-tomcat-web | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
xwiki-mysql-tomcat-web | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
xwiki-mysql-tomcat-web | at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:620)
xwiki-mysql-tomcat-web | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
xwiki-mysql-tomcat-web | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
xwiki-mysql-tomcat-web | at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
xwiki-mysql-tomcat-web | at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
xwiki-mysql-tomcat-web | at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2458)
xwiki-mysql-tomcat-web | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
xwiki-mysql-tomcat-web | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
xwiki-mysql-tomcat-web | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
xwiki-mysql-tomcat-web | at java.lang.Thread.run(Thread.java:745)
xwiki-mysql-tomcat-web | Caused by: com.novell.ldap.InterThreadException: Connect Error
xwiki-mysql-tomcat-web | at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
xwiki-mysql-tomcat-web | ... 1 common frames omitted
xwiki-mysql-tomcat-web | Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
xwiki-mysql-tomcat-web | at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
xwiki-mysql-tomcat-web | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
xwiki-mysql-tomcat-web | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
xwiki-mysql-tomcat-web | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
xwiki-mysql-tomcat-web | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
xwiki-mysql-tomcat-web | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
xwiki-mysql-tomcat-web | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
xwiki-mysql-tomcat-web | at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
xwiki-mysql-tomcat-web | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
xwiki-mysql-tomcat-web | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
xwiki-mysql-tomcat-web | at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:928)
xwiki-mysql-tomcat-web | at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
xwiki-mysql-tomcat-web | at sun.security.ssl.AppInputStream.read(AppInputStream.java:71)
xwiki-mysql-tomcat-web | at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
xwiki-mysql-tomcat-web | ... 2 common frames omitted
xwiki-mysql-tomcat-web | Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
xwiki-mysql-tomcat-web | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
xwiki-mysql-tomcat-web | at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
xwiki-mysql-tomcat-web | at sun.security.validator.Validator.validate(Validator.java:260)
xwiki-mysql-tomcat-web | at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
xwiki-mysql-tomcat-web | at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
xwiki-mysql-tomcat-web | at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
xwiki-mysql-tomcat-web | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
xwiki-mysql-tomcat-web | ... 11 common frames omitted
xwiki-mysql-tomcat-web | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
xwiki-mysql-tomcat-web | at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
xwiki-mysql-tomcat-web | at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
xwiki-mysql-tomcat-web | at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
xwiki-mysql-tomcat-web | at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
xwiki-mysql-tomcat-web | ... 17 common frames omitted
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,939 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,939 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [USERNAME]
xwiki-mysql-tomcat-web | 2017-07-11 10:06:52,939 [http://xwiki.COMPANY.com/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
xwiki-mysql-tomcat-web | 2017-07-11 10:06:53,533 [http://xwiki.COMPANY.com/bin/get/TourCode/TourJson?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
xwiki-mysql-tomcat-web | 2017-07-11 10:06:53,534 [http://xwiki.COMPANY.com/bin/get/TourCode/TourJson?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
xwiki-mysql-tomcat-web | 2017-07-11 10:06:53,534 [http://xwiki.COMPANY.com/bin/get/TourCode/TourJson?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
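The PKIX error at the bottom of that trace means the trust manager that handled the handshake had no anchor for the chain the domain controller presented: either the imported certificate is not the issuer of the LDAPS certificate, or the keystore the JVM consulted is not the one under WEB-INF. The following diagnostic is an added example, not code from the original post or from the XWiki LDAP authenticator. It reproduces the same chain validation outside Tomcat, trusting only the given keystore, and prints both the anchors it contains and the chain the server actually sent, so the two can be compared. It assumes a JKS keystore protected with keytool's default password (changeit) unless another is passed, and that the LDAPS port is reachable from wherever it is run (inside the container gives the same network view as XWiki). Host, port and keystore path are command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not part of XWiki): perform a TLS handshake against an
 * LDAPS port trusting ONLY the certificates in the given keystore, and print
 * both the trust anchors and the chain the server actually presented.
 *
 *   java LdapsTrustCheck <host> <port> <keystore> [storepass]
 */
public class LdapsTrustCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java LdapsTrustCheck <host> <port> <keystore> [storepass]");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String storePath = args[2];
        // keytool's default store password is "changeit"; assumed when none is given
        char[] storePass = (args.length > 3 ? args[3] : "changeit").toCharArray();

        // 1. Load the keystore and show what it really contains.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }
        System.out.println("Trust anchors in " + storePath + ":");
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                System.out.println("  [" + alias + "] " + describe((X509Certificate) c));
            }
        }

        // 2. Trust manager backed by this keystore only (the JVM's cacerts is NOT consulted),
        //    wrapped so the presented chain is kept even when validation throws.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        final X509TrustManager real = (X509TrustManager) tmf.getTrustManagers()[0];
        final X509Certificate[][] presented = new X509Certificate[1][];
        X509TrustManager recording = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                real.checkClientTrusted(chain, authType);
            }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                presented[0] = chain;                 // remember it before PKIX validation runs
                real.checkServerTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() {
                return real.getAcceptedIssuers();
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recording }, null);

        // 3. Handshake. A PKIX failure here is the same failure the XWiki trace shows.
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            System.out.println("Handshake OK with " + host + ":" + port);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake FAILED: " + e.getMessage());
        }
        if (presented[0] != null) {
            System.out.println("Chain presented by the server (leaf first):");
            for (X509Certificate c : presented[0]) {
                System.out.println("  " + describe(c));
            }
            System.out.println("Path building succeeds only if a certificate in this chain is"
                + " itself one of the anchors above, or is issued by one of them.");
        }
    }

    private static String describe(X509Certificate c) {
        return "subject=" + c.getSubjectX500Principal()
            + " issuer=" + c.getIssuerX500Principal()
            + " notAfter=" + c.getNotAfter();
    }
}
```

Run it from inside the container with `javac LdapsTrustCheck.java && java LdapsTrustCheck 10.0.3.20 636 /usr/local/tomcat/webapps/ROOT/WEB-INF/jssecacerts`. If the handshake fails here too, compare the issuer of the chain's last certificate with the anchor subjects: an export of the domain controller's own certificate is a valid anchor only if that exact certificate is what the server sends, so importing the issuing CA (and any intermediate) is the robust choice. If the handshake succeeds here but XWiki still fails, the keystore under WEB-INF is simply not the one the JVM is consulting: a JVM only reads `$JAVA_HOME/jre/lib/security/jssecacerts` (then `cacerts`) by default, or the file named by the `javax.net.ssl.trustStore` system property, so a copy elsewhere is used only if the application loads it explicitly. The check deliberately validates the chain only, which is what the trace complains about; it does not perform hostname verification, which would be a separate consideration when connecting by IP address.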