Problem with LDAP authenticator

patidaba · November 16, 2023, 10:47am

I can get start LDAP extension working:
This is my xwiki.cnf

-# LDAP authentication service
#xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl

#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap=1

#-# Enable local accounts in addition to LDAP.
#-# Without this setting you will be unable to log into XWiki with local accounts.
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap.trylocal=1


xwiki.authentication.ldap.server=ldap.ad.domain.com
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.base_DN=DC=ad,DC=domain,DC=com
xwiki.authentication.ldap.bind_DN=CN=xWiki_agent,OU=_acc,OU=ccb,DC=ad,DC=domain,DC=com
xwiki.authentication.ldap.bind_pass=*******
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
# xwiki.authentication.ldap.user_search_fmt=(sAMAccountName={1})
# Define the class of the LDAP objects to consider as groups
xwiki.authentication.ldap.group_classes=groupOfUniqueNames,posixGroup

# Define the attribute in the LDAP object that contains the group members
xwiki.authentication.ldap.group_memberfields=uniqueMember,memberUid

# Define the group mapping from LDAP to XWiki
#xwiki.authentication.ldap.group_mapping=XWiki.Confluence=CN=Confluece user,OU=_Grupas,OU=comm,DC=ad,DC=domain,DC=com

my logback.xml

  <!-- LDAP debugging -->
   <logger name="org.xwiki.contrib.ldap" level="trace"/>
   <logger name="org.xpn.xwiki.plugin.ldap" level="trace"/>
   <logger name="org.xpn.xwiki.user.impl.LDAP" level="trace"/>

when i check logs i can find referces to ldap. from what i read in forums i should see some thing like this in logs:
u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication

im running xwiki 14.10.18 on docker

tmortagne · November 16, 2023, 10:58am

Did you mean "can’t ?

Note that if you use the logback configuration file, you need to restart for it to be taken into account. It’s generally simpler to use the log UI in the administration, as indicated on https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HWiththeLoggingAdminUI.

Those packages don’t exist (even in the very very old previous LDAP authenticator), where did you find them ?

patidaba · November 16, 2023, 11:30am

now i set these to debugL

but still no reference to ldap in logs

tmortagne · November 16, 2023, 1:17pm

Setting org.xwiki.contrib.ldap is enough, I don’t know what the others are, but they have nothing to do with the LDAP authenticator. Also the “org.xpn” looks like a mistake in whatever extension this is (it’s supposed to be either com.xpn or org.xwiki)

You sure you have XWiki log at all in the file you are looking at (i.e. is it the right file) ?

patidaba · November 16, 2023, 1:26pm

I gues I see my log attempts in docker logs:

16-Nov-2023 12:50:30.066 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [23115] milliseconds
2023-11-16 13:14:17,904 [https-openssl-nio-8443-exec-1 - https://xwiki-domain.com:8085/bin/loginsubmit/XWiki/XWikiLogin] WARN  nticationFailureLoggerListener - Authentication failure with login ```

atleast i see other xwiki related processes there

tmortagne · November 16, 2023, 1:55pm

Definitely looks like an XWiki log yes.

I honestly have no idea why the log produced during an authentication does not end up in that file the way you enabled DEBUG on org.xwiki.contrib.ldap. It feels like it’s not really the authenticator which is used. Do you have any other authenticator installed which might force itself as the authenticator no matter what xwiki.authentication.authclass indicates (I know the ActiveDirectory authenticator does that for example) ?

On 14.10.18 you can install the extension “AuthService Backport Application” to get an entry in the admin which shows what has been identified as the current authenticator.

patidaba · November 16, 2023, 2:06pm

yes, we had it inslattled for tryout period but then uninstalled.
How ever i see ther are som dependencies left:

tmortagne · November 16, 2023, 3:15pm

One of them is actually the authenticator (you only uninstalled the application, so the UI basically) so that seems to be your problem.

patidaba · November 29, 2023, 10:54am

thx, that was the issue