Unable to authenticate

cmpyx · July 27, 2023, 3:02pm

Below is my xwiki.cfg in /usr/lib/xwiki/WEB-INF

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=ip address of domain controller
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=domain,dc=com
xwiki.authentication.ldap.bind_DN=cn=ldap service account name,ou=organizational unit,dc=domain,dc=com
xwiki.authentication.ldap.bind_pass=password for ldap service account
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=GivenName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.update_user=0

From all that I have read, this configuration should work, but when we try to authenticate with xwiki using username and password or domain\username and password or username@domain.com and password, we keep getting “Error: invalid credentials”. We tried setting up the account in xwiki first and same results. Even if we register and then try, same results.

Do not know how to enable logging for LDAP so if someone can post a link or any documentation would be helpful, but maybe someone knows or has an idea of what could be wrong.

UPDATE:
I found the following post: Unable to configure LDAPS Authentication with xwiki, and searched for the org.xwiki.contrib.ldap log (Administer xwiki > other > logging > search for org.xwiki.contrib.ldap ) but this returned no results so presume something more has to be installed.

UPDATE:
Found the following article regarding LDAP debugging: LDAP Authenticator (XWiki.org)

acotiuga · July 27, 2023, 4:43pm

Hi,

Just to be sure, is your username the sAMAccountName? The xwiki.authentication.ldap.UID_attr=sAMAccountName states that you authenticate with that value.

cmpyx · July 27, 2023, 5:09pm

Yes,

UID used during xwiki login was sAMAccountName and password. Also tried Domain\sAMAccountName and password. Trying this a few more times since I learned how to enable LDAP logging and will post logs next if nothing immediate jumps out.

cmpyx · July 27, 2023, 7:58pm

Bingo. Logs did help a lot. Going to do a more extensive write up but for anyone new here is how I resolve the problem.

First, config I initially posted is good so you can use this.

To enable logs, follow this article: LDAP Authenticator (XWiki.org)

Logs show that LDAP was failing. Thought I need a local user so I created one and was able to login, but again, the logs showed this was a wiki.username account (local). I deleted the local account.

Digging more I discovered that changing the following 2 lines in the config works:
Change: xwiki.authentication.ldap.bind_DN=cn=ldap service account name,ou=organizational unit,dc=domain,dc=com
To: xwiki.authentication.ldap.bind_DN={0}@domain.com

Change: xwiki.authentication.ldap.bind_pass=password for ldap service account
To: xwiki.authentication.ldap.bind_pass={1}

What I learned here is that the xwiki.authentication.bind_DN and xwiki.authentication.bind_pass are not wanting an account to perform an LDAP lookup but rather is using the credentials from the xwiki login page and passing these crentials through. Although I have tried changing both lines to use the {0} and {1} variables once before, apparently xwiki doesn’t like to use the distinguished name format (ie. CN={0},OU=organizational unit,DC=domain,DC=com).