Only one user appears to not be synchronizing with LDAP

We are running XWiki 8.0 bound to an ActiveDirectory system for user authentication and I have been having an issue with only one particular user. I looked over other forum reported issues, checked that our ActiveDirectory doesn’t have multiple records coming back for the same user and reviewed physical content in the database.

For this one user every week his login fails. When I look at his profile page in the system it is not the same as any of the others. For any other user if I go to the User Index and access their profile I’m presented with the normal page with a breadcrumb trail that looks like

/XWiki/Profile of Joe User

for this one user, when he is unable to log in, first the User Index page only shows his login ID, no first or last name, and accessing his profile page the breadcrumb trail looks like

/XWiki/juser

and the page shows the

Failed to execute the [velocity] macro.

error saying there is a permissions error. When the user contacts me about the login issues, if I delete his user account and his profile page then tell him to log in, he is then able to successfully log in and his name details appear to be pulled from LDAP. But the next day it is back to the error state.

One thing I noticed was there are no history records in the database showing his account sync’d with LDAP, whereas all other accounts have records.

I located a record in the xwikircs table associated with this user and extracted the contents. When I compared his <xwikidoc> to working ones, one thing I noticed is that his does not have all of the same <object> classes that others do. One in particular that is missing is XWiki.LDAPProfileClass which has the search query to locate the profile record.

Another data point, when I deleted his user account and deleted his wiki profile page and had him log back in, then queried the database for his xwikircs record the XWR_DOCID after recreating was exactly the same as the one that was supposedly deleted but without an LDAPProfileClass.

And lastly, when I view the XWikiAllGroup user membership list, not only is his entry the only one that is

juser (XWiki.juser)

whereas everyone else is

Joe User (XWiki.juser)

his is also in the group list twice. As mentioned I confirmed that we shouldn’t be running into the issue https://jira.xwiki.org/browse/LDAP-20 as I’m not seeing duplicates in the LDAP. It appears on initial login the profile data is pulled correctly but then a synchronization appears to fail and effectively corrupts his profile. Our LDAP configuration details are:

xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.bind_DN=myfirm\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn

Any suggestions or insight on either how to completely clean this user out of the system or how to correct this one account would be greatly appreciated.

So let’s see if I understood it correctly.

When the user logs in for the first time (i.e. the profile does not exist yet) everything is OK. Then a bit later when he comes back the profile is all broken and the login fails. Right?

What exactly do you mean by “login fails”? Does he stay on the login form with an explicit login failure error or does he end up with some “You don’t have the right to do this action”?

In theory the authenticator starts by validating the user credentials directly on the LDAP server and only then deals with the XWiki-side synchronization, so whatever is on the XWiki side should not have any impact on the actual login (but then the user might be in the wrong group, lose some authorization, get a broken profile, etc.).

Are you able to reproduce the issue by doing the following?

  • first login/creation
  • logout
  • login again (might need to repeat that several times depending on the cause)

If you can reproduce the issue that way, enable debug log (see http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HEnableLDAPdebuglog) and get detailed info for each use case so that we can try to analyze how you end up in this situation. If you don’t reproduce the issue this way then it might mean the problem is on AD side where that user is modified for some reason. I would also compare the DN stored in the LDAPProfileClass object. You can access objects editor with an advanced user (you can set that in your user profile).
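An added check, not code from the thread or from XWiki itself, that parses a document export like the one the original poster pulled from xwikircs, lists the object classes it carries, and, when an XWiki.LDAPProfileClass object is present, pulls out its stored dn and uid so they can be compared against Active Directory as suggested above. The two sample exports are constructed for the example and omit the <class> definitions; the `property/dn` and `property/uid` paths assume the LDAPProfileClass field names are dn and uid.

```python
import xml.etree.ElementTree as ET

USERS_CLASS = "XWiki.XWikiUsers"
LDAP_CLASS = "XWiki.LDAPProfileClass"

# Constructed sample: user object present but, as in the thread,
# no XWiki.LDAPProfileClass object (class definitions omitted).
SAMPLE_BROKEN = """<xwikidoc>
  <web>XWiki</web><name>juser</name>
  <object><name>XWiki.juser</name><number>0</number>
    <className>XWiki.XWikiUsers</className>
    <property><first_name></first_name></property>
  </object>
</xwikidoc>"""

# Constructed sample of a healthy profile that is linked to LDAP.
SAMPLE_OK = """<xwikidoc>
  <web>XWiki</web><name>juser</name>
  <object><name>XWiki.juser</name><number>0</number>
    <className>XWiki.XWikiUsers</className>
    <property><first_name>Joe</first_name></property>
    <property><last_name>User</last_name></property>
  </object>
  <object><name>XWiki.juser</name><number>0</number>
    <className>XWiki.LDAPProfileClass</className>
    <property><dn>CN=Joe User,OU=Staff,DC=myfirm,DC=example</dn></property>
    <property><uid>juser</uid></property>
  </object>
</xwikidoc>"""


def inspect_profile(xml_text):
    """Summarise the LDAP-relevant objects found in one xwikidoc export."""
    root = ET.fromstring(xml_text)
    classes = [o.findtext("className") for o in root.iter("object")]
    ldap_obj = next((o for o in root.iter("object")
                     if o.findtext("className") == LDAP_CLASS), None)
    return {
        "doc": f"{root.findtext('web')}.{root.findtext('name')}",
        "classes": classes,
        "is_user": USERS_CLASS in classes,
        # A user document without the LDAP link object is the broken state.
        "ldap_linked": ldap_obj is not None,
        "dn": ldap_obj.findtext("property/dn") if ldap_obj is not None else None,
        "uid": ldap_obj.findtext("property/uid") if ldap_obj is not None else None,
    }


if __name__ == "__main__":
    for label, doc in (("broken", SAMPLE_BROKEN), ("ok", SAMPLE_OK)):
        print(label, inspect_profile(doc))
```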

It actually happened to a second user which helped me get to a little more detail.

What I mean by login fails is the user’s profile page is now bad and throws a “Not Authorized” error trying to invoke the Velocity macro. After more research it appears that once in a while there is a failure on the LDAP sync and the new version of the user’s profile page is broken. If I just delete that version the user can log in without issues. The log messages showed error messages that indicated it was attempting to store an update to the document that apparently had bad characters, my assumption is the actual response from the LDAP was an error page, not real content.

I have since disabled the sync with LDAP on every login since we don’t use the AD groups directly in XWiki and we have not seen the issue happen since.