LDAP-Login changes in new version

Stefan Woehrer
Hi,

we just upgraded our XWiki from 1.3.2 to 1.7.1.
Right afterwards the firewall registers LDAP-Packages from the XWiki machine as an attack, saying:

"A malicious LDAP packet may indicate a potential attack. An attacker could use a modified LDAP message to cause buffer overflows on defective systems and execute arbitary code. (LDAP message contains malicious data which does not comply with ASN.1)"

It seems that it has something to do with the changes made since 1.3.2. Is that possible?

Greetings,
Steve
Re: LDAP-Login changes in new version

Thomas Mortagne
Administrator
Hi,

On Mon, Feb 2, 2009 at 9:48 AM, Stefan Woehrer <[hidden email]> wrote:

>
> Hi,
>
> we just upgraded our XWiki from 1.3.2 to 1.7.1.
> Right afterwards the firewall registers LDAP-Packages from the XWiki machine
> as an attack, saying:
>
> "A malicious LDAP packet may indicate a potential attack. An attacker could
> use a modified LDAP message to cause buffer overflows on defective systems
> and execute arbitary code. (LDAP message contains malicious data which does
> not comply with ASN.1)"
>
> It seems that it has something to do with the changes made since 1.3.2. Is
> that possible?

By default 1.7.1 uses the new XWiki LDAP authenticator, whereas 1.3.2 uses
the old one. See
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPAuthentication

Now on the technical details, it's using exactly the same Novell LDAP
client implementation and the differences are more on the XWiki side,
so I don't see why it would suddenly send wrong data.

>
> Greetings,
> Steve



--
Thomas Mortagne
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Re: LDAP-Login changes in new version

Stefan Woehrer

thanks a lot. it seems that this was an additional problem with the firewall(!?)
anyway, the firewall is now configured to let through the whole ldap traffic from the xwiki machine. the problem hasn't changed: sometimes, users are randomly logged out with the "wrong password" error message. when they try to log in, they get the very same error message for a couple of times. a few minutes later, they can login again and everything works.
this happens spontaneously a couple of times per day.

does any1 experience the same problem?


the next issue is that suddenly no (error/warning) messages are generated any more. i will try a tomcat restart in the afternoon, but since we did that a lot of times before i don't think this will help.

i would very much appreciate any kind of help! thank you in advance.


steve


Re: LDAP-Login changes in new version

Stefan Woehrer

hi,

i just discovered some warning messages in the stdout_yyyymmdd.log file in the tomcat log directory, maybe it helps: (does the skin have to be updated?)

[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in XWiki.XWikiLogin@1,15
[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in skins.ourskin@1,15
[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in XWiki.XWikiLogin@1,15
[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in Main.WebHome@1,15
[WARNING] Deprecated usage of method [com.xpn.xwiki.api.Document.getRenderedContent] in /templates/commentsinline.vm@28,40

"ourskin" is basically the toucan skin with a few changes.

cheers,
steve
Re: LDAP-Login changes in new version

Thomas Mortagne
Administrator
In reply to this post by Stefan Woehrer
I think you get "wrong password" just because LDAP failed to connect
for some reason, so the authentication tried the XWiki authenticator
and obviously it fails since the password is registered on the LDAP server
and not in the XWiki database.

Could you enable the LDAP debug log (see
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableLDAPdebuglog)
and try to reproduce it? We will see better what happens when LDAP
fails to connect.

On Thu, Feb 5, 2009 at 10:24 AM, Stefan Woehrer <[hidden email]> wrote:

>
>
> thanks a lot. it seems that this was an additional problem with the
> firewall(!?)
> anyway, the firewall is now configured to let through the whole ldap traffic
> from the xwiki machine. the problem hasn't changed: sometimes, users are
> randomly logged out with the "wrong password" error message. when they try
> to log in, they get the very same error message for a couple of times. a few
> minutes later, they can login again and everything works.
> this happens spontaneously a couple of times per day.
>
> does any1 experience the same problem?
>
>
> the next issue is that suddenly no (error/warning) messages are generated
> any more. i will try a tomcat restart in the afternoon, but since we did
> that a lot of times before i don't think this will help.
>
> i would very much appreciate any kind of help! thank you in advance.
>
>
> steve
>
>
>



--
Thomas Mortagne

Re: LDAP-Login changes in new version

Stefan Woehrer


ok .. as i enabled ldap debugging i get tons of messages ;-) very good.

here is a piece of xwiki.log when the login doesn't work (beginning with "Connection to LDAP server"):



11:31:34,605 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP server [company.comp.co:389]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-5] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-5] DEBUG ldap.XWikiLDAPConfig            - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, group]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-5] DEBUG ldap.XWikiLDAPConfig            - ldap_group_memberfields: [member, uniquemember]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-5] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP server [company.comp.co:389]
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
Wrapped Exception: Connect Error
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:174)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
        at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
        at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Unknown Source)


Wrapped Exception:


java.net.ConnectException: Connection timed out: connect
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(Unknown Source)
        at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
        at java.net.PlainSocketImpl.connect(Unknown Source)
        at java.net.SocksSocketImpl.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.connect(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at java.net.Socket.<init>(Unknown Source)
        at com.novell.ldap.Connection.connect(Unknown Source)
        at com.novell.ldap.Connection.connect(Unknown Source)
        at com.novell.ldap.LDAPConnection.connect(Unknown Source)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.connect(XWikiLDAPConnection.java:194)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:166)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
        at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
        at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Unknown Source)
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Trying authentication against XWiki DB
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - LDAP authentication failed for user [woeste]
11:31:55,918 [http://xwiki/bin/view/Main/DocumentDoesNotExist] [http-80-3] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.




------------------------------------------------------------------------

here is a piece of xwiki.log when the login works again (one minute later) (also beginning with "Connection to LDAP server"):





11:32:21,496 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP server [company.comp.co:389]
11:32:21,543 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        - Binding to LDAP server with credentials login=[CN=xWiKi,OU=ServicesAccounts,DC=company,DC=comp,DC=co]
11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPUtils             - Searching for the user in LDAP: user:asakur base:DC=company,DC=comp,DC=co query:(sAMAccountName=asakur) uid:sAMAccountName
11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        - LDAP search: baseDN=[DC=company,DC=comp,DC=co] query=[(sAMAccountName=asakur)] attr=[[sAMAccountName, sn, givenName, fullName, mail, dn]] ldapScope=[2]
11:32:21,746 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "givenName"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |- [Stefan]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "sn"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |- [Woehrer]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "mail"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |- [woeste@company.at]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "sAMAccountName"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |- [woeste]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        - LDAP search found attributes: [{name=dn value=CN=company Kurt,OU=Poweruser,DC=company,DC=comp,DC=co}, {name=givenName value=woe}, {name=sn value=company}, {name=mail value=woeste@company.at}, {name=sAMAccountName value=woeste}]
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - LDAP attributes will be used to update XWiki attributes.
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Creating new XWiki user based on LDAP attribues located at CN=Woehrer Stefan,OU=Poweruser,DC=company,DC=comp,DC=co
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Start synchronising LDAP profile
....

even groupmapping works correctly

11:32:22,121 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConfig            - Groupmapping found: XWiki.XWikiAdminGroup [CN=xwiki_Admin,OU=xWiki Groups,DC=company,DC=comp,DC=co]

...

------------------------------------------------------------------------

hope this helps

stefan
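
An added example, not part of the original posts and not XWiki code: a small Python script that reads LDAP debug lines in the format quoted in this thread and separates logins that failed because the LDAP server could not be reached (and then fell back to the XWiki DB) from attempts that connected. The sample input is abridged from the excerpts above; the function names and outcome labels are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Sample input abridged from the xwiki.log excerpts in this thread
# (most stack frames omitted).
SAMPLE_LOG = """\
11:31:34,605 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP server [company.comp.co:389]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-5] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP server [company.comp.co:389]
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
Wrapped Exception: Connect Error
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:174)
java.net.ConnectException: Connection timed out: connect
        at java.net.PlainSocketImpl.socketConnect(Native Method)
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Trying authentication against XWiki DB
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - LDAP authentication failed for user [woeste]
11:32:21,496 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP server [company.comp.co:389]
11:32:21,543 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin] [http-80-4] DEBUG ldap.XWikiLDAPConnection        - Binding to LDAP server with credentials login=[CN=xWiKi,OU=ServicesAccounts,DC=company,DC=comp,DC=co]
"""

# time [request URL] [thread] LEVEL logger - message
HEAD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d,\d{3}) \[[^\]]*\] \[(?P<thread>[^\]]+)\] "
    r"\w+\s+\S+\s+- (?P<msg>.*)$"
)
TS_FORMAT = "%H:%M:%S,%f"


def _seconds(start, end):
    """Elapsed seconds between two time-only stamps (handles one midnight wrap)."""
    delta = datetime.strptime(end, TS_FORMAT) - datetime.strptime(start, TS_FORMAT)
    if delta < timedelta(0):
        delta += timedelta(days=1)
    return round(delta.total_seconds(), 3)


def _bracket(msg):
    """Return the content of a trailing [..] in a message, or None."""
    m = re.search(r"\[([^\]]*)\]\s*$", msg)
    return m.group(1) if m else None


def classify_ldap_attempts(log_text):
    """Pair each 'Connection to LDAP server' line with what the same thread logs next."""
    open_by_thread = {}   # thread name -> most recent attempt on that thread
    attempts = []
    trace_owner = None    # attempt whose stack trace lines we are currently reading
    for line in log_text.splitlines():
        m = HEAD.match(line)
        if not m:
            # Continuation line: exception text belonging to the previous event.
            if (trace_owner is not None and trace_owner["outcome"] == "ldap_failed"
                    and ("ConnectException" in line or "Connect Error" in line)):
                trace_owner["outcome"] = "ldap_unreachable"
            continue
        ts, thread, msg = m.group("ts", "thread", "msg")
        trace_owner = None
        if msg.startswith("Connection to LDAP server"):
            attempt = {"thread": thread, "start": ts, "server": _bracket(msg),
                       "outcome": "unresolved", "elapsed_s": None,
                       "fell_back_to_db": False, "user": None}
            open_by_thread[thread] = attempt
            attempts.append(attempt)
            continue
        attempt = open_by_thread.get(thread)
        if attempt is None:
            continue
        if msg.startswith("Binding to LDAP server"):
            # A bind is only attempted once the TCP connection is up.
            attempt["outcome"] = "connected"
            attempt["elapsed_s"] = _seconds(attempt["start"], ts)
        elif msg.startswith("Local LDAP authentication failed"):
            attempt["outcome"] = "ldap_failed"
            if attempt["elapsed_s"] is None:
                attempt["elapsed_s"] = _seconds(attempt["start"], ts)
            trace_owner = attempt
        elif msg.startswith("Trying authentication against XWiki DB"):
            attempt["fell_back_to_db"] = True
        elif msg.startswith("LDAP authentication failed for user"):
            attempt["user"] = _bracket(msg)
    return attempts


def misleading_wrong_password(attempts):
    """Logins rejected after a DB fallback although the real cause was connectivity."""
    return [a for a in attempts
            if a["outcome"] == "ldap_unreachable" and a["fell_back_to_db"]]


if __name__ == "__main__":
    for a in classify_ldap_attempts(SAMPLE_LOG):
        print(a["start"], a["thread"], a["outcome"], a["elapsed_s"], a["user"])
```

On the sample, the attempt on thread http-80-3 is reported as unreachable after about 21 seconds, while the later attempt on http-80-4 reaches the bind step in under 0.1 seconds.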



Re: LDAP-Login changes in new version

Thomas Mortagne
Administrator
On Thu, Feb 5, 2009 at 12:03, Stefan Woehrer <[hidden email]> wrote:

>
>
>
> ok .. as i enabled ldap debugging i get tons of messages ;-) very good.
>
> here is a piece of xwiki.log when the login doesn't work (beginning with
> "Connection to LDAP server"):
>
>
>
> 11:31:34,605 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
> DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP server
> [company.comp.co:389]
> 11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-5] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - The provided user is
> null. We don't try to authenticate, it probably means the user is in non
> logged mode.
> 11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-5] DEBUG ldap.XWikiLDAPConfig            - ldap_group_classes:
> [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux,
> groupofuniquenames, group]
> 11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-5] DEBUG ldap.XWikiLDAPConfig            - ldap_group_memberfields:
> [member, uniquemember]
> 11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-5] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP
> server [company.comp.co:389]
> 11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
> DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Local LDAP authentication failed.
> com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind
> failed with LDAPException.
> Wrapped Exception: Connect Error
>        at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:174)
>        at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
>        at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
>        at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
>        at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
>        at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
>        at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
>        at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
>        at
> com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
>        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
>        at
> com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
>        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
>        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
>        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
>        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
>        at
> org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
>        at
> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
>        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
>        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>        at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>        at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>        at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>        at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>        at java.lang.Thread.run(Unknown Source)
>
>
> Wrapped Exception:
>
>
> java.net.ConnectException: Connection timed out: connect
>        at java.net.PlainSocketImpl.socketConnect(Native Method)
>        at java.net.PlainSocketImpl.doConnect(Unknown Source)
>        at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
>        at java.net.PlainSocketImpl.connect(Unknown Source)
>        at java.net.SocksSocketImpl.connect(Unknown Source)
>        at java.net.Socket.connect(Unknown Source)
>        at java.net.Socket.connect(Unknown Source)
>        at java.net.Socket.<init>(Unknown Source)
>        at java.net.Socket.<init>(Unknown Source)
>        at com.novell.ldap.Connection.connect(Unknown Source)
>        at com.novell.ldap.Connection.connect(Unknown Source)
>        at com.novell.ldap.LDAPConnection.connect(Unknown Source)
>        at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.connect(XWikiLDAPConnection.java:194)
>        at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:166)
>        at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
>        at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
>        at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
>        at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
>        at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
>        at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
>        at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
>        at
> com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
>        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
>        at
> com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
>        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
>        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
>        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
>        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
>        at
> org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
>        at
> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
>        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
>        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
>        at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>        at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>        at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>        at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
>        at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>        at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>        at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>        at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>        at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
>        at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>        at java.lang.Thread.run(Unknown Source)
> 11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
> DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Trying authentication against XWiki
> DB
> 11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
> DEBUG LDAP.XWikiLDAPAuthServiceImpl   - LDAP authentication failed for user
> [woeste]
> 11:31:55,918 [http://xwiki/bin/view/Main/DocumentDoesNotExist] [http-80-3]
> DEBUG LDAP.XWikiLDAPAuthServiceImpl   - The provided user is null. We don't
> try to authenticate, it probably means the user is in non logged mode.
>
>
>
>
> ------------------------------------------------------------------------
>
> here is a piece of xwiki.log when the login works again (one minute later)
> (also beginning with "Connection to LDAP server"):
>
>
>
>
>
> 11:32:21,496 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        - Connection to LDAP
> server [company.comp.co:389]
> 11:32:21,543 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        - Binding to LDAP server
> with credentials
> login=[CN=xWiKi,OU=ServicesAccounts,DC=company,DC=comp,DC=co]
> 11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPUtils             - Searching for the user
> in LDAP: user:asakur base:DC=company,DC=comp,DC=co
> query:(sAMAccountName=asakur) uid:sAMAccountName
> 11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        - LDAP search:
> baseDN=[DC=company,DC=comp,DC=co] query=[(sAMAccountName=asakur)]
> attr=[[sAMAccountName, sn, givenName, fullName, mail, dn]] ldapScope=[2]
> 11:32:21,746 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute
> "givenName"
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |- [Stefan]
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute
> "sn"
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |- [Woehrer]
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute
> "mail"
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |-
> [[hidden email]]
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute
> "sAMAccountName"
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        -     |- [woeste]
> 11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConnection        - LDAP search found
> attributes: [{name=dn value=CN=company
> Kurt,OU=Poweruser,DC=company,DC=comp,DC=co}, {name=givenName value=woe},
> {name=sn value=company}, {name=mail value=[hidden email]},
> {name=sAMAccountName value=woeste}]
> 11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - LDAP attributes will be
> used to update XWiki attributes.
> 11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Creating new XWiki user
> based on LDAP attribues located at CN=Woehrer
> Stefan,OU=Poweruser,DC=company,DC=comp,DC=co
> 11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Start synchronising LDAP
> profile
> ....
>
> even groupmapping works correctly
>
> 11:32:22,121 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
> [http-80-4] DEBUG ldap.XWikiLDAPConfig            - Groupmapping found:
> XWiki.XWikiAdminGroup [CN=xwiki_Admin,OU=xWiki
> Groups,DC=company,DC=comp,DC=co]
>
> ...
>
> ------------------------------------------------------------------------
>
> hope this helps

"java.net.ConnectException: Connection timed out: connect", looks like
there is a connection issue here; it means XWiki had to wait too long
to get the server's answer.

>
> stefan
>
>
>
>
> I think you get "wrong password" just because LDAP failed to connect
> for some reason so the authentication tried the XWiki authenticator
> and obviously it fails since the password is registered on LDAP server
> and not in XWiki database.
>
> Could you enable LDAP debug log (see
> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableLDAPdebuglog)
> and try to reproduce it? We will see better what happens when LDAP
> fails to connect.
>



--
Thomas Mortagne

Re: LDAP-Login changes in new version

Stefan Woehrer
Hi,
after a network analysis it turned out that one of the Active Directory servers in the pool was not responding and the load balancer didn't recognize it. If anyone has got the same problem (random login problems), I recommend trying out your connection with an LDAP browser (which helped us already a lot with XWiki in the past) and with ping, and maybe doing it in a loop and logging the results.
Thanks for your help.
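
The loop-and-log check suggested in the post above, as an added example that is not part of the original thread: it opens a TCP connection to port 389 on each server in the pool separately, so a single non-responding member shows up as timeouts like the `ConnectException` in the log. The function names are hypothetical and `company.comp.co` is the placeholder name from the log excerpt; if the pool sits behind a load-balancer address, pass the individual servers to `run_rounds` instead of using `resolve_pool`.

```python
import socket
import time
from collections import Counter
from datetime import datetime

LDAP_PORT = 389  # port shown in the xwiki.log excerpt


def resolve_pool(name, port=LDAP_PORT):
    """Return every distinct address the pool name resolves to."""
    infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def probe(host, port=LDAP_PORT, timeout=3.0):
    """Attempt one TCP connect; return (ok, seconds, error_text)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - start, ""
    except OSError as exc:  # covers timeout, refused, unreachable
        return False, time.monotonic() - start, f"{type(exc).__name__}: {exc}"


def run_rounds(targets, rounds=10, delay=1.0, port=LDAP_PORT,
               timeout=3.0, log=print):
    """Probe each target once per round; return failure count per target."""
    failures = Counter({t: 0 for t in targets})
    for _ in range(rounds):
        for target in targets:
            ok, secs, err = probe(target, port, timeout)
            failures[target] += 0 if ok else 1
            stamp = datetime.now().isoformat(timespec="seconds")
            log(f"{stamp} {target}:{port} "
                f"{'OK' if ok else 'FAIL'} {secs:.3f}s {err}")
        time.sleep(delay)
    return dict(failures)


if __name__ == "__main__":
    # Placeholder pool name taken from the log; replace with your own.
    pool = resolve_pool("company.comp.co")
    print(run_rounds(pool))
```

A server whose failure count is non-zero while the others stay at zero is the pool member to take out of rotation and investigate.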

Re: LDAP-Login changes in new version

Thomas Mortagne
Administrator
You're welcome, glad you found the issue :)

On Tue, Feb 10, 2009 at 09:40, Stefan Woehrer <[hidden email]> wrote:

>
> Hi,
> after a network analysis it turned out that one of the active directory
> servers in the pool was not responding and the load balancer didn't
> recognize it. If anyone has got the same problem (random login problems), I
> recommend to try out your connection with a LDAP-Browser (which helped us
> already a lot with xwiki in the past) and with ping and maybe do it in a loop
> and log the results.
> Thanks for your help.



--
Thomas Mortagne