LDAP authentication not working

LDAP authentication not working

Peter Murray

Try as I might, with 0.8.40 and the current Subversion HEAD, I cannot
get LDAP authentication to work.  Here is the environment:

 * Gentoo Linux 2.6.12, Tomcat/5.0.27, Blackdown-1.4.2-02
   (I think this is all pretty mainstream)

 * No error messages are displayed to the user although, as the
   CATALINA.LOG records show, the user successfully authenticated

 * XWIKI.LOG has FormBeanConfig errors, but this seems to be a known
   problem (judging from the ticket in the tracking system)

If I set "log4j.logger.com.xpn.xwiki=info" in classes/log4j.properties,
I get this line, but nothing else helpful:

 INFO http-8080-Processor23
 http://green.ohiolink.edu:8080/xwiki/bin/login/XWiki/XWikiLogin
 MyFormAuthenticator:processLogin:142 - User [hidden email] login
 has failed

I've been banging my head against this for two days and am about to give
up in favor of a less attractive, yet likely at least functional,
solution with a different wiki system.  Advice would be greatly
appreciated...



XWIKI.CONF
xwiki.authentication.cookiedomains=ohiolink.edu
xwiki.authentication.useip=false
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=ldap.ohiolink.edu
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=ou=People,dc=ohiolink,dc=edu
xwiki.authentication.ldap.UID_addr=mail  # Login is e-mail address
xwiki.authentication.ldap.fields_mapping=name=mail,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
xwiki.authentication.ldap.check_level=0  # Also tried "1"


XWIKI.LOG
  WARN http-8080-Processor25
http://green.ohiolink.edu:8080/xwiki/bin/view/Main/WebHome
XWikiStatsServiceImpl:addCookie:474 - Setting cookie
12SKZHIOAL5BZEUWE7AVRXP7BJAT2IKN for name visitid with domain
ohiolink.edu and path / and maxage 942002
  WARN http-8080-Processor24  RequestUtils:createActionForm:177 - No
FormBeanConfig found under 'login'
  WARN http-8080-Processor24
http://green.ohiolink.edu:8080/xwiki/bin/login/XWiki/XWikiLogin?xredirect=http://green.ohiolink.edu:8080/xwiki/bin/view/Main/WebHome
RequestUtils:createActionForm:177 - No FormBeanConfig found under
'loginerror'
  WARN http-8080-Processor24  RequestUtils:createActionForm:177 - No
FormBeanConfig found under 'login'
  WARN http-8080-Processor24
http://green.ohiolink.edu:8080/xwiki/bin/login/XWiki/XWikiLogin?xredirect=http://green.ohiolink.edu:8080/xwiki/bin/view/Main/WebHome
RequestUtils:createActionForm:177 - No FormBeanConfig found under
'loginerror'


CATALINA.LOG:
 JNDIRealm[Catalina]:   Searching for [hidden email]
 JNDIRealm[Catalina]:   base: ou=People,dc=ohiolink,dc=edu  filter:
(mail=[hidden email])
 JNDIRealm[Catalina]:   entry found for [hidden email] with dn
uid=peter,ou=People,dc=ohiolink,dc=edu
 JNDIRealm[Catalina]:   retrieving values for attribute memberOf
 JNDIRealm[Catalina]:   validating credentials by binding as the user
 JNDIRealm[Catalina]:   binding as uid=peter,ou=People,dc=ohiolink,dc=edu
 JNDIRealm[Catalina]: Username [hidden email] successfully authenticated
 JNDIRealm[Catalina]:   getRoles(uid=peter,ou=People,dc=ohiolink,dc=edu)
 JNDIRealm[Catalina]:   Searching role base
'ou=Groups,dc=ohiolink,dc=edu' for attribute 'cn'
 JNDIRealm[Catalina]:   With filter expression
'(uniqueMember=uid=peter,ou=People,dc=ohiolink,dc=edu)'
 JNDIRealm[Catalina]:   retrieving values for attribute cn
 JNDIRealm[Catalina]:   retrieving values for attribute cn
 JNDIRealm[Catalina]:   Returning 2 roles
 JNDIRealm[Catalina]:   Found role developers
 JNDIRealm[Catalina]:   Found role drcadmin
--
Peter Murray                       http://www.pandc.org/peter/work/
Assistant Director, Multimedia Systems  tel:+1-614-728-3600;ext=338
OhioLINK: the Ohio Library and Information Network   Columbus, Ohio



--
You receive this message as a subscriber of the [hidden email] mailing list.
To unsubscribe: mailto:[hidden email]
For general help: mailto:[hidden email]?subject=help
ObjectWeb mailing lists service home page: http://www.objectweb.org/wws

Re: LDAP authentication not working

Ludovic Dubost

Hi Peter,

There is something that seems weird to me.. In the catalina.log, this
does not seem very xwiki:

"JNDIRealm[Catalina]"

Wouldn't it be possible that you have something else configured with
LDAP on your tomcat..
What type of user auth do you see ? Do you see a Form based interface of
xwiki or a basic auth ?

Ludovic

--
Ludovic Dubost
XPertNet: http://www.xpertnet.fr/
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost AIM: nvludo Yahoo: ludovic





Re: LDAP authentication not working

Peter Murray

On 8/11/05 9:10 AM, Ludovic Dubost wrote:
> There is something that seems weird to me.. In the catalina.log, this
>  does not seem very xwiki:
>
> "JNDIRealm[Catalina]"
>
> Wouldn't it be possible that you have something else configured with
> LDAP on your tomcat..

I do indeed -- we use LDAP as a source for single-signon, so other
applications on the same server use a JNDI realm for user authentication.

> What type of user auth do you see ? Do you see a Form based interface
> of xwiki or a basic auth ?

I see the form-based interface, not basic auth.  At the point I'm
trying to log into XWiki, I have not signed into other applications on
the same server using basic auth (so there are no basic auth credentials
stored in the browser).


Peter

Re: LDAP authentication not working

Peter Murray

...I did not thank you for your initial reply looking at this issue,
Ludovic.  My fault.  Thank you.

And, for what it's worth, I disabled the LDAP UserDatabase realm in
Tomcat's server.xml file, stopped and restarted tomcat, and the same
problem still occurs.  (Same exact symptoms.)


Peter

Re: Re: LDAP authentication not working

Ludovic Dubost

You should switch to "debug" in the log4j.properties to see if at least
it goes through the LDAP code..
Although some more debug code would be needed in the LDAP module to
actually know exactly what is happening..

Now I see that you have no bind_DN and bind_pass.. I suspect this is
necessary.. We would have to ask Alex though who has written the LDAP
module..
Alex is there any anonymous binding ?

Ludovic


Re: LDAP authentication not working

Peter Murray

Thanks for the suggestions, but I think I still have the same problem.
I tried using non-anonymous binding (using the Active Directory
instructions as guidelines) and turning on debugging.  My xwiki.xml file
now has:

 xwiki.authentication.ldap.bind_DN=mail={0},ou=People,dc=ohiolink,dc=edu
 xwiki.authentication.ldap.bind_pass={1}

and with debugging turned on (and removing the time and URL information
to shorten the log entries) I get:

 DEBUG  XWikiHibernateStore:beginTransaction:376 - Trying to open
transaction
 DEBUG  XWikiHibernateStore:beginTransaction:378 - Opened transaction
org.hibernate.transaction.JDBCTransaction@595420
 DEBUG  XWikiHibernateStore:endTransaction:407 - Releasing hibernate
transaction org.hibernate.transaction.JDBCTransaction@595420
 DEBUG  XWikiHibernateStore:closeSession:424 - Releasing hibernate
session
org.hibernate.impl.SessionImpl(PersistentContext[entitiesByKey={}]
ActionQueue[insertions=[] updates=[] deletions=[] collectionCreations=[]
collectionRemovals=[] collectionUpdates=[]])
  INFO  DBCPConnectionProvider:logStatistics:271 - active: 0 (max: 50)
 idle: 1(max: 5)
  INFO  MyFormAuthenticator:processLogin:142 - User [hidden email]
login has failed
  WARN  RequestUtils:createActionForm:177 - No FormBeanConfig found
under 'loginerror'


Peter

On 8/12/05 3:05 AM, Ludovic Dubost wrote:
> You should switch to "debug" in the log4j.properties to see if at
> least it goes through the LDAP code.. Although some more debug code
> would be needed in the LDAP module to actually know exactly what is
> happening..
>
> Now I see that you have no bind_DN and bind_pass.. I suspect this is
>  necessary.. We would have to ask alex though who has written the
> LDAP module.. Alex is there any anonymous binding ?


Re: Re: LDAP authentication not working

Ludovic Dubost

There should be a message from the LDAP module..
I've added some debug info in the class.. Try this instead of the LDAP
Auth class

Ludovic


LDAPAuthServiceImpl.class (17K) Download Attachment

Re: LDAP authentication not working

Peter Murray

On 8/12/05 9:16 AM, Ludovic Dubost wrote:
> There should be a message from the LDAP module.. I've added some
> debug info in the class.. Try this instead of the LDAP Auth class

The plot thickens.  I can see your debug messages, and it led me to
look at the code.  Remember that I am using e-mail address as the
userid (bind_DN is "mail={0},ou=People,dc=OhioLINK,dc=edu").  Near the
top of the authenticate() method in LDAPAuthServiceImpl.java is this
chunk of code:

        if (context!=null) {
            String susername = username;
            int i = username.indexOf(".");
            if (i!=-1)
                susername = username.substring(i+1);

            String DN = getLDAP_DN(susername, context);

Initially I think why I was failing is the part that is taking just the
left segment of the string up to the first period.  My e-mail address, of
course, has a period, so it was in effect getting truncated before being
passed to getLDAP_DN.

So I switched to using just a uid (no periods) and I get a little
farther in xwiki.log:

 DEBUG  LDAPAuthServiceImpl:checkUserPassword:230 - LDAP Password check
for user peter
 DEBUG  LDAPAuthServiceImpl:checkUserPassword:253 - LDAP Connect
successfull to host ldap.ohiolink.edu and port 389
 DEBUG  LDAPAuthServiceImpl:Bind:441 - LDAP Bind starting
 DEBUG  LDAPAuthServiceImpl:Bind:451 - LDAP Bind successfull
  INFO  MyFormAuthenticator:processLogin:142 - User peter login has failed

(references to Hibernate and DBCPConnectionProvider have been removed).

I'm looking at this again after a few hours, and I still can't figure
out why I'm falling through to line 142 of MyFormAuthenticator.  FWIW, I
am hoping to make use of the dynamic account creation feature out of
LDAP information, so there isn't (yet) a "peter" login in the XWiki user
database.  Could that be where the next problem is?


Peter
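
Added example, not part of the original messages and not XWiki's own code: it runs the period handling from the snippet quoted in the message above next to a prefix-only alternative, and goes one step further by escaping the login before it is placed in a search filter (RFC 4515) or in a bind_DN pattern (RFC 4514). The class name, SPACE_PREFIX, the helper names, the assumed intent of the original code and the sample logins are assumptions made for illustration.

```java
public class LdapLoginNameDemo {

    // Behaviour of the snippet quoted in the thread:
    // keep only what follows the FIRST period in the login.
    static String legacyStrip(String username) {
        int i = username.indexOf(".");
        return (i != -1) ? username.substring(i + 1) : username;
    }

    // Assumption: the original intent was to drop a leading wiki-space
    // prefix such as "XWiki." and nothing else.
    static final String SPACE_PREFIX = "XWiki.";

    static String stripSpacePrefix(String username) {
        return username.startsWith(SPACE_PREFIX)
                ? username.substring(SPACE_PREFIX.length())
                : username;
    }

    // RFC 4515: escape the characters that are special inside a filter value.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // RFC 4514: escape the characters that are special inside a DN attribute value.
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == value.length() - 1);
            boolean leadingHash = c == '#' && i == 0;
            if (c == '\0') {
                sb.append("\\00");
            } else if (edgeSpace || leadingHash || "\"+,;<>\\".indexOf(c) >= 0) {
                sb.append('\\').append(c);
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Filter of the form (UID_addr=login), e.g. (mail=...) as in the posted config.
    static String searchFilter(String uidAttr, String login) {
        return "(" + uidAttr + "=" + escapeFilterValue(stripSpacePrefix(login)) + ")";
    }

    // Fill the {0} slot of a bind_DN pattern. Plain replace() is used here
    // so that quote characters in the pattern keep their literal meaning.
    static String bindDn(String pattern, String login) {
        return pattern.replace("{0}", escapeDnValue(stripSpacePrefix(login)));
    }

    public static void main(String[] args) {
        // Constructed sample logins: a bare uid, a space-prefixed uid,
        // and two e-mail style logins containing periods and special characters.
        String[] logins = {
            "peter",
            "XWiki.peter",
            "first.last@example.org",
            "a.b+wiki(lib)@example.org"
        };
        String pattern = "mail={0},ou=People,dc=ohiolink,dc=edu";
        for (String login : logins) {
            System.out.println("login         : " + login);
            System.out.println("  legacy      : " + legacyStrip(login));
            System.out.println("  prefix-only : " + stripSpacePrefix(login));
            System.out.println("  filter      : " + searchFilter("mail", login));
            System.out.println("  bind DN     : " + bindDn(pattern, login));
        }
    }
}
```

For the constructed login first.last@example.org the legacy handling yields last@example.org, so the directory is searched for a different value than the one the user typed; the prefix-only version leaves the address intact.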




Re: Re: LDAP authentication not working

Ludovic Dubost

Hi Peter,

Right.. I had the feeling an email address would not work..
The fact that there is no page yet in the wiki should not be a problem
at this point..

I don't get why you get no message between these two:

 DEBUG  LDAPAuthServiceImpl:Bind:451 - LDAP Bind successfull
  INFO  MyFormAuthenticator:processLogin:142 - User peter login has failed

There should be at least one.. when I look at the code I put to give
some debug messages
What is your LDAP server by the way ?

Ludovic


Re: LDAP authentication not working

Peter Murray

On 8/12/05 3:05 PM, Ludovic Dubost wrote:
> Right.. I had the feeling an email address would not work.. The fact
> that there is no page yet in the wiki should not be a problem at this
> point..

Okay -- we'll need to work around that at some point because most of my
folks log in with an e-mail address (just a few of us have non-email
UIDs in the LDAP directory).  First, though, I'd like to fix this
challenge, then worry about that.

> I don't get why you get no message between these two:
>
> DEBUG  LDAPAuthServiceImpl:Bind:451 - LDAP Bind successfull INFO
> MyFormAuthenticator:processLogin:142 - User peter login has failed

'tis true, 'tis true.  For me it ranks right up there with trying to
figure out how I got to line 142 of MyFormAuthenticator.

> There should be at least one.. when I look at the code I put to give
>  some debug messages
> What is your LDAP server by the way ?

OpenLDAP (latest version -- just installed it).


Peter

Re: Re: LDAP authentication not working

Ludovic Dubost

I've added some more debug code to the LDAP auth class.. Can you send me
a full log file to check it out..
If this does not give more info I suggest debugging..

Ludovic



package com.xpn.xwiki.user.impl.LDAP;

import com.xpn.xwiki.user.impl.xwiki.*;
import com.xpn.xwiki.XWikiContext;
import com.xpn.xwiki.XWikiException;
import com.xpn.xwiki.objects.classes.BaseClass;
import com.xpn.xwiki.objects.BaseObject;
import com.xpn.xwiki.doc.XWikiDocument;
import com.novell.ldap.*;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.lang.StringUtils;
import org.securityfilter.realm.SimplePrincipal;

import java.security.Principal;
import java.io.UnsupportedEncodingException;
import java.util.*;
import java.text.MessageFormat;

/**
 * Created by IntelliJ IDEA.
 * User: Alex
 * Date: 18 avr. 2005
 * Time: 16:18:50
 * To change this template use File | Settings | File Templates.
 */
public class LDAPAuthServiceImpl extends XWikiAuthServiceImpl {
    private static final Log log = LogFactory.getLog(LDAPAuthServiceImpl.class);

    public Principal authenticate(String username, String password, XWikiContext context) throws XWikiException {
        Principal principal = null;

        if ((username==null)||(username.trim().equals("")))
            return null;

        if ((password==null)||(password.trim().equals("")))
            return null;

        String superadmin = "superadmin";
        if (username.equals(superadmin)) {
            String superadminpassword = context.getWiki().Param("xwiki.superadminpassword");
            if ((superadminpassword!=null)&&(superadminpassword.equals(password))) {
                principal = new SimplePrincipal("XWiki.superadmin");
                return principal;
            } else {
                return null;
            }
        }

        // If we have the context then we are using direct mode
        // then we should specify the database
        // This is needed for virtual mode to work
        if (context!=null) {
            String susername = username;
            int i = username.indexOf(".");
            if (i!=-1)
                susername = username.substring(i+1);

           String DN = getLDAP_DN(susername, context);

           if (DN != null && DN.length()!=0)
           {
               if (checkDNPassword(DN, susername, password, context))
               {
                   principal = GetUserPrincipal(susername, context);
               }
           }
           else
            {
               HashMap attributes = new HashMap();
               if (checkUserPassword(susername, password, attributes, context))
               {
                   principal = GetUserPrincipal(susername, context);
                   if (principal == null && attributes.size() > 0)
                   {
                       CreateUserFromLDAP(susername, attributes, context);
                       principal = GetUserPrincipal(susername, context);
                   }
               }
            }
        }
        return principal;
    }

    private void CreateUserFromLDAP(String susername, HashMap attributes, XWikiContext context) throws XWikiException {
        String ldapFieldMapping = getParam("ldap_fields_mapping",context);
        if (ldapFieldMapping != null && ldapFieldMapping.length() > 0)
        {
            String[] fields = ldapFieldMapping.split(",");
            BaseClass bclass = context.getWiki().getUserClass(context);
            BaseObject bobj = new BaseObject();
            bobj.setClassName(bclass.getName());
            String name = null;
            String fullwikiname = null;
            for(int i = 0; i < fields.length; i++ )
            {
                String[] field = fields[i].split("=");
                if (2 == field.length)
                {
                   String fieldName = field[0];
                   if (attributes.containsKey(field[1]))
                   {
                       String fieldValue;
                       fieldValue = (String)attributes.get(field[1]);
                       if (fieldName.equals("name"))
                       {
                           name = fieldValue;
                           fullwikiname = "XWiki." + name;
                           bobj.setName(fullwikiname);
                       }
                       else
                       {
                           bobj.setStringValue(fieldName, fieldValue);
                       }
                   }
                }
            }

            if (name != null && name.length() > 0)
            {
                XWikiDocument doc = context.getWiki().getDocument(fullwikiname, context);
                doc.setParent("");
                doc.addObject(bclass.getName(), bobj);
                doc.setContent("#includeForm(\"XWiki.XWikiUserTemplate\")");

                context.getWiki().ProtectUserPage(context, fullwikiname, "edit", doc);

                context.getWiki().saveDocument(doc, null, context);

                context.getWiki().SetUserDefaultGroup(context, fullwikiname);
            }
        }
    }

    protected Principal GetUserPrincipal(String susername, XWikiContext context) {
        Principal principal = null;

        // First we check in the local database
        try {
            String user = findUser(susername, context);
            if (user!=null) {
                principal = new SimplePrincipal(user);
            }
        } catch (Exception e) {}

        if (context.isVirtual()) {
            if (principal==null) {
                // Then we check in the main database
                String db = context.getDatabase();
                try {
                    context.setDatabase(context.getWiki().getDatabase());
                    try {
                        String user = findUser(susername, context);
                        if (user!=null)
                            principal = new SimplePrincipal(context.getDatabase() + ":" + user);
                    } catch (Exception e) {}
                } finally {
                    context.setDatabase(db);
                }
            }
        }
        return principal;
    }

    public String getLDAP_DN(String susername, XWikiContext context)
    {
        String DN=null;
        if (context!=null) {
            // First we check in the local database
            try {
                String user = findUser(susername, context);
                if (user!=null && user.length()!=0) {
                    DN = readLDAP_DN(user, context);
                }
            } catch (Exception e) {}

            if (context.isVirtual()) {
                if (DN==null || DN.length()==0) {
                    // Then we check in the main database
                    String db = context.getDatabase();
                    try {
                        context.setDatabase(context.getWiki().getDatabase());
                        try {
                            String user = findUser(susername, context);
                            if (user!=null && user.length()!=0)
                                DN = readLDAP_DN(user, context);
                        } catch (Exception e) {}
                    } finally {
                        context.setDatabase(db);
                    }
                }
            }
        }
        return DN;
    }

    private String readLDAP_DN(String username, XWikiContext context) {
        String DN = null;
        try {
            XWikiDocument doc = context.getWiki().getDocument(username, context);
            // Only users that have an XWiki.XWikiUsers object can carry an ldap_dn value.
            if (doc.getObject("XWiki.XWikiUsers")!=null) {
              DN = doc.getStringValue("XWiki.XWikiUsers", "ldap_dn");
            }

        } catch (Throwable e) {}
        return DN;
    }

    protected boolean checkUserPassword(String username, String password, HashMap attributes, XWikiContext context) throws XWikiException {
        LDAPConnection lc = new LDAPConnection();
        boolean result = false;
        boolean notinLDAP = false;
        String foundDN = null;

        try {
            if (log.isDebugEnabled())
                 log.debug("LDAP Password check for user " + username);

            int ldapPort = getLDAPPort(context);
            int ldapVersion = LDAPConnection.LDAP_V3;
            String ldapHost = getParam("ldap_server", context);
            String bindDNFormat = getParam("ldap_bind_DN",context);
            String bindPasswordFormat = getParam("ldap_bind_pass",context);

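            // check_level 0: a successful bind is the whole check;
            // 1: the user entry is also searched for under ldap_base_DN;
            // 2 (default): the password is also compared against userPassword.
            int checkLevel = GetCheckLevel(context);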

            Object[] arguments = {
                username,
                password
             };
            String bindDN = MessageFormat.format(bindDNFormat, arguments);
            String bindPassword =  MessageFormat.format(bindPasswordFormat, arguments);

            String baseDN = getParam("ldap_base_DN",context);


            lc.connect( ldapHost, ldapPort );

            if (log.isDebugEnabled())
                 log.debug("LDAP Connect successfull to host " + ldapHost + " and port " + ldapPort );

            // authenticate to the server
            result = Bind(bindDN, bindPassword, lc, ldapVersion);

            if (log.isDebugEnabled())
                 log.debug("LDAP Bind returned");

            if (result && checkLevel > 0)
            {
                if (log.isDebugEnabled())
                     log.debug("LDAP searching user");

                LDAPSearchResults searchResults =
                    lc.search(  baseDN,
                                LDAPConnection.SCOPE_SUB ,
                                "("+ getParam("ldap_UID_attr",context) +
                                   "=" + username + ")",
                                null,          // return all attributes
                                false);        // return attrs and values

                if (searchResults.hasMore())
                {
                    if (log.isDebugEnabled())
                         log.debug("LDAP searching found user");

                    LDAPEntry nextEntry = searchResults.next();
                    foundDN = nextEntry.getDN();

                    if (log.isDebugEnabled())
                         log.debug("LDAP searching found DN: " + foundDN);

                    if (checkLevel > 1)
                    {
                        if (log.isDebugEnabled())
                             log.debug("LDAP comparing password");

                        LDAPAttribute attr = new LDAPAttribute(
                                                        "userPassword", password );
                        result = lc.compare( foundDN, attr );
                    }
                    if (result)
                    {
                        if (log.isDebugEnabled())
                             log.debug("LDAP adding user attributes");

                        LDAPAttributeSet attributeSet = nextEntry.getAttributeSet();
                        Iterator allAttributes = attributeSet.iterator();

                        while(allAttributes.hasNext()) {
                            LDAPAttribute attribute =
                                        (LDAPAttribute)allAttributes.next();
                            String attributeName = attribute.getName();

                            Enumeration allValues = attribute.getStringValues();

                            if( allValues != null) {
                                while(allValues.hasMoreElements()) {
                                    if (log.isDebugEnabled())
                                         log.debug("LDAP adding user attribute " + attributeName);

                                    String Value = (String) allValues.nextElement();
                                    attributes.put(attributeName, Value);
                                }
                            }
                        }
                        attributes.put("dn", foundDN);
                    }
                }
                else {
                    if (log.isDebugEnabled())
                       log.debug("LDAP search user failed");
                    notinLDAP = true;
                }

                if (log.isInfoEnabled()) {
                    if (result)
                     log.info("LDAP Password check for user " + username + " successfull");
                    else
                     log.info("LDAP Password check for user " + username + " failed");
                }
            }
        }
        catch( LDAPException e ) {
            if (log.isInfoEnabled())
                log.info("LDAP Password check for user " + username + " failed with exception " + e.getMessage());

            if ( e.getResultCode() == LDAPException.NO_SUCH_OBJECT ) {
                notinLDAP = true;
            } else if ( e.getResultCode() ==
                                        LDAPException.NO_SUCH_ATTRIBUTE ) {
                notinLDAP = true;
            }
        }
        catch (Throwable e) {
            notinLDAP = true;
            if (log.isErrorEnabled())
                 log.error("LDAP Password check for user " + username + " failed with exception " + e.getMessage());
        }
        finally
        {
            if (log.isDebugEnabled())
                 log.debug("LDAP check in finally block");

            try {
                lc.disconnect();
            } catch (LDAPException e) {
                e.printStackTrace();
            }
        }

        if (notinLDAP)
        {
            if (log.isDebugEnabled())
                 log.debug("LDAP Password check reverting to XWiki");

            // Use XWiki password if user not in LDAP
            result = checkPassword(username, password, context);
            foundDN = null;
        }

        return result;
    }

    private String getParam(String name, XWikiContext context) {
        String param = "";
        try {
         param = context.getWiki().getXWikiPreference(name,context);
        } catch (Exception e) {}
        if (param == null || "".equals(param))
        {
            try{
             param = context.getWiki().Param("xwiki.authentication." + StringUtils.replace(name, "ldap_","ldap."));
            } catch (Exception e) {}
        }
        if (param == null)
            param = "";
        return param;
    }

    protected int GetCheckLevel(XWikiContext context)
    {
        String checkLevel = getParam("ldap_check_level",  context);
        int val = 2;
        if ("1".equals(checkLevel))
            val = 1;
        else if ("0".equals(checkLevel))
            val = 0;
        return val;
    }

    private int getLDAPPort(XWikiContext context) {
        try {
         return context.getWiki().getXWikiPreferenceAsInt("ldap_port", context);
        } catch (Exception e) {
         return (int)context.getWiki().ParamAsLong("xwiki.authentication.ldap.port", LDAPConnection.DEFAULT_PORT);
        }
    }

    protected boolean checkDNPassword(String DN, String username, String password, XWikiContext context) throws XWikiException {
        LDAPConnection lc = new LDAPConnection();
        boolean result = false;
        boolean notinLDAP = false;
        try {

            int ldapPort = getLDAPPort(context);
            int ldapVersion = LDAPConnection.LDAP_V3;
            String ldapHost = getParam("ldap_server", context);
            String bindDN = getParam("ldap_bind_DN",context);
            String bindPassword = getParam("ldap_bind_pass",context);
            String baseDN = getParam("ldap_base_DN",context);

            lc.connect( ldapHost, ldapPort );

            // authenticate to the server
            result = Bind(DN, password, lc, ldapVersion);

            if (log.isDebugEnabled()) {
                if (result)
                 log.debug("(debug) Password check for user " + DN + " successfull");
                else
                 log.debug("(debug) Password check for user " + DN + " failed");
            }
        }
        catch( LDAPException e ) {
            if ( e.getResultCode() == LDAPException.NO_SUCH_OBJECT ) {
                notinLDAP = true;
            } else if ( e.getResultCode() ==
                                        LDAPException.NO_SUCH_ATTRIBUTE ) {
                notinLDAP = true;
            }
        }
        catch (Throwable e) {
            e.printStackTrace();
        }
        finally
        {
            try {
                lc.disconnect();
            } catch (LDAPException e) {
                e.printStackTrace();
            }
        }
        if (notinLDAP)
        {
            // Use XWiki password if user not in LDAP
            result = checkPassword(username, password, context);
        }
        return result;
    }


    private boolean Bind(String bindDN, String bindPassword, LDAPConnection lc, int ldapVersion) throws UnsupportedEncodingException {
        boolean bound = false;
        if (log.isDebugEnabled())
             log.debug("LDAP Bind starting");            

        if (bindDN != null && bindDN.length() > 0 && bindPassword != null)
        {
            try
            {
                lc.bind( ldapVersion, bindDN, bindPassword.getBytes("UTF8") );
                bound = true;

                if (log.isDebugEnabled())
                     log.debug("LDAP Bind successfull");
            }
            catch(LDAPException e) {
                if (log.isErrorEnabled())
                     log.error("LDAP Bind failed with Exception " + e.getMessage());
            };
        } else {
            if (log.isDebugEnabled())
                 log.debug("LDAP Bind does not have binding info");
        }
        return bound;
    }
}



LDAPAuthServiceImpl.class (18K) Download Attachment
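
The search in checkUserPassword above concatenates the configured attribute name and the login name straight into the filter string. The following is an added example, not part of the original post or of XWiki's code, of escaping those values per RFC 4515 (filter) and RFC 4514 (DN template) before they reach lc.search or lc.bind; the class name, method names and sample inputs are hypothetical.

```java
/** Added example (hypothetical class, not XWiki code): escape user input before
 *  it is placed into an LDAP search filter or a bind DN template. */
public class LdapEscape {

    /** RFC 4515: escape NUL, '(', ')', '*' and '\' as \XX in a filter assertion value. */
    public static String filterValue(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** RFC 4514: escape a string used as an attribute value inside a DN. */
    public static String dnValue(String s) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean first = (i == 0);
            boolean last = (i == s.length() - 1);
            if (c == '\0') {
                out.append("\\00");
            } else if ("\"+,;<>\\".indexOf(c) >= 0
                    || (first && (c == '#' || c == ' '))
                    || (last && c == ' ')) {
                out.append('\\').append(c);
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /** Same shape as the filter built in checkUserPassword, with both parts checked. */
    public static String userFilter(String uidAttr, String username) {
        // getParam in the posted class returns "" for a key it cannot find, which
        // would yield a filter such as "(=peter)"; reject that instead of sending it.
        if (uidAttr == null || !uidAttr.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("bad LDAP attribute name: '" + uidAttr + "'");
        }
        return "(" + uidAttr + "=" + filterValue(username) + ")";
    }

    public static void main(String[] args) {
        // Constructed inputs.
        System.out.println(userFilter("mail", "peter@example.org"));
        System.out.println(userFilter("uid", "p*ter (test)"));
        System.out.println("uid=" + dnValue("Murray, Peter") + ",ou=People,dc=example,dc=org");
        try {
            userFilter("", "peter");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In the posted class the call sites would be the filter argument of lc.search and the username passed to MessageFormat.format for the bind DN.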

Re: LDAP authentication not working

Peter Murray

On 8/15/05 6:52 AM, Ludovic Dubost wrote:
> I've added some more debug code to the LDAP auth class.. Can you send
> me a full log file to check it out.. If this does not give more info
> I suggest debugging..

Sorry for the delay, and thanks again for looking at this.  I put the
new class in place, and this is the entirety of the log file through the
point of "MyFormAuthenticator:processLogin:142 - User xxxxx login has
failed"

###,142  WARN RequestUtils:createActionForm:177 - No FormBeanConfig
found under 'login'
###,146 DEBUG  XWikiHibernateStore:beginTransaction:361 - Trying to get
session from pool
###,148 DEBUG  XWikiHibernateStore:beginTransaction:367 - Taken session
from pool
org.hibernate.impl.SessionImpl(PersistentContext[entitiesByKey={}]
ActionQueue[insertions=[] updates=[] deletions=[] collectionCreations=[]
collectionRemovals=[] collectionUpdates=[]])
###,152  INFO  DBCPConnectionProvider:logStatistics:271 - active: 1
(max: 50)   idle: 4(max: 5)
###,155 DEBUG  XWikiHibernateStore:beginTransaction:376 - Trying to open
transaction
###,158 DEBUG  XWikiHibernateStore:beginTransaction:378 - Opened
transaction org.hibernate.transaction.JDBCTransaction@d1cea7
###,166 DEBUG  XWikiHibernateStore:endTransaction:407 - Releasing
hibernate transaction org.hibernate.transaction.JDBCTransaction@d1cea7
###,169 DEBUG  XWikiHibernateStore:closeSession:424 - Releasing
hibernate session
org.hibernate.impl.SessionImpl(PersistentContext[entitiesByKey={}]
ActionQueue[insertions=[] updates=[] deletions=[] collectionCreations=[]
collectionRemovals=[] collectionUpdates=[]])
###,174  INFO  DBCPConnectionProvider:logStatistics:271 - active: 0
(max: 50)   idle: 5(max: 5)
###,177 DEBUG  XWikiHibernateStore:beginTransaction:361 - Trying to get
session from pool
###,180 DEBUG  XWikiHibernateStore:beginTransaction:367 - Taken session
from pool
org.hibernate.impl.SessionImpl(PersistentContext[entitiesByKey={}]
ActionQueue[insertions=[] updates=[] deletions=[] collectionCreations=[]
collectionRemovals=[] collectionUpdates=[]])
###,202  INFO  DBCPConnectionProvider:logStatistics:271 - active: 1
(max: 50)   idle: 4(max: 5)
###,205 DEBUG  XWikiHibernateStore:beginTransaction:376 - Trying to open
transaction
###,208 DEBUG  XWikiHibernateStore:beginTransaction:378 - Opened
transaction org.hibernate.transaction.JDBCTransaction@a2d31
###,224 DEBUG  XWikiHibernateStore:endTransaction:407 - Releasing
hibernate transaction org.hibernate.transaction.JDBCTransaction@a2d31
###,227 DEBUG  XWikiHibernateStore:closeSession:424 - Releasing
hibernate session
org.hibernate.impl.SessionImpl(PersistentContext[entitiesByKey={}]
ActionQueue[insertions=[] updates=[] deletions=[] collectionCreations=[]
collectionRemovals=[] collectionUpdates=[]])
###,230  INFO  DBCPConnectionProvider:logStatistics:271 - active: 0
(max: 50)   idle: 5(max: 5)
###,233 DEBUG  LDAPAuthServiceImpl:checkUserPassword:218 - LDAP Password
check for user peter
###,243 DEBUG  LDAPAuthServiceImpl:checkUserPassword:241 - LDAP Connect
successfull to host ldap.ohiolink.edu and port 389
###,245 DEBUG  LDAPAuthServiceImpl:Bind:456 - LDAP Bind starting
###,249 DEBUG  LDAPAuthServiceImpl:Bind:466 - LDAP Bind successfull
###,251 DEBUG  LDAPAuthServiceImpl:checkUserPassword:247 - LDAP Bind
returned
###,253 DEBUG  LDAPAuthServiceImpl:checkUserPassword:343 - LDAP check in
finally block
###,328 DEBUG  XWikiHibernateStore:beginTransaction:361 - Trying to get
session from pool
###,330 DEBUG  XWikiHibernateStore:beginTransaction:367 - Taken session
from pool
org.hibernate.impl.SessionImpl(PersistentContext[entitiesByKey={}]
ActionQueue[insertions=[] updates=[] deletions=[] collectionCreations=[]
collectionRemovals=[] collectionUpdates=[]])
###,333  INFO  DBCPConnectionProvider:logStatistics:271 - active: 1
(max: 50)   idle: 4(max: 5)
###,336 DEBUG  XWikiHibernateStore:beginTransaction:376 - Trying to open
transaction
###,338 DEBUG  XWikiHibernateStore:beginTransaction:378 - Opened
transaction org.hibernate.transaction.JDBCTransaction@9faacf
###,348 DEBUG  XWikiHibernateStore:endTransaction:407 - Releasing
hibernate transaction org.hibernate.transaction.JDBCTransaction@9faacf
###,351 DEBUG  XWikiHibernateStore:closeSession:424 - Releasing
hibernate session
org.hibernate.impl.SessionImpl(PersistentContext[entitiesByKey={}]
ActionQueue[insertions=[] updates=[] deletions=[] collectionCreations=[]
collectionRemovals=[] collectionUpdates=[]])
###,355  INFO  DBCPConnectionProvider:logStatistics:271 - active: 0
(max: 50)   idle: 5(max: 5)
###,357  INFO  MyFormAuthenticator:processLogin:142 - User peter login
has failed
###,360  WARN  RequestUtils:createActionForm:177 - No FormBeanConfig
found under 'loginerror'
###,363 DEBUG  XWikiRightServiceImpl:logAllow:47 - Access has been
granted for (XWiki.XWikiGuest,XWiki.XWikiLogin,loginerror): login/logout
pages
###,400 DEBUG  XWikiRightServiceImpl:checkRight:233 - Checking right:
XWiki.XWikiGuest,XWiki.XWikiPreferences,admin,true,true,true
###,403 DEBUG  XWikiRightServiceImpl:checkRight:251 - Found a right for true
###,421 DEBUG  XWikiRightServiceImpl:checkRight:284 - Searching for
matching rights at group level
###,425 DEBUG  XWikiRightServiceImpl:checkRight:348 - Searching for
matching rights for 0 groups: []
###,428 DEBUG  XWikiRightServiceImpl:checkRight:371 - Finished searching
for rights for XWiki.XWikiGuest: true


Peter
- --
Peter Murray                       http://www.pandc.org/peter/work/
Assistant Director, Multimedia Systems  tel:+1-614-728-3600;ext=338
OhioLINK: the Ohio Library and Information Network   Columbus, Ohio

Re: LDAP authentication not working

Peter Murray

Oh, cr*p.  My xwiki.cfg file had "xwiki.authentication.ldap.UID_addr"
instead of "xwiki.authentication.ldap.UID_attr" (the difference between
addr and attr).  I've gotten it to work now.  For what it's worth, I'd
leave the debug code in -- it was helpful in figuring out what was going
on with the LDAP server.

Now, back to an original goal -- I'd like the login ID to be the e-mail
address, but early in LDAPAuthServiceImpl.authenticate there is a bit
which removes everything except what follows the final period in the
string.  Why?  Is there any harm in commenting out this part of the code?


Peter

On 8/21/05 3:17 PM, Peter Murray wrote:
> On 8/15/05 6:52 AM, Ludovic Dubost wrote:
>> I've added some more debug code to the LDAP auth class.. Can you send
>> me a full log file to check it out.. If this does not give more info
>> I suggest debugging..
>
> Sorry for the delay, and thanks again for looking at this.  I put the
> new class in place, and this is the entirety of the log file through the
> point of "MyFormAuthenticator:processLogin:142 - User xxxxx login has
> failed"

- --
Peter Murray                       http://www.pandc.org/peter/work/
Assistant Director, Multimedia Systems  tel:+1-614-728-3600;ext=338
OhioLINK: the Ohio Library and Information Network   Columbus, Ohio
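
The misspelled key in the message above went unnoticed because getParam in the posted class returns an empty string for any key it cannot find. The following is an added example, not part of the thread or of XWiki's code, of a startup lint that compares the LDAP keys in xwiki.cfg against the ones that class reads. It assumes the settings come only from xwiki.cfg (not from XWikiPreferences) and that the file is parsed with java.util.Properties; the class name and the sample configuration are constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.TreeSet;

/** Added example (hypothetical class, not XWiki code): lint the LDAP keys of an xwiki.cfg. */
public class LdapConfigLint {
    static final String PREFIX = "xwiki.authentication.ldap.";
    // Key suffixes read by the LDAPAuthServiceImpl posted in this thread.
    static final List<String> KNOWN = Arrays.asList("server", "port", "bind_DN",
            "bind_pass", "base_DN", "UID_attr", "fields_mapping", "check_level");
    // Keys for which the posted class has no usable default (getParam returns "").
    static final List<String> REQUIRED = Arrays.asList("server", "bind_DN", "UID_attr");

    /** Levenshtein distance, used to suggest the key that was probably meant. */
    static int distance(String a, String b) {
        int[] prev = new int[b.length() + 1];
        for (int j = 0; j <= b.length(); j++) prev[j] = j;
        for (int i = 1; i <= a.length(); i++) {
            int[] cur = new int[b.length() + 1];
            cur[0] = i;
            for (int j = 1; j <= b.length(); j++) {
                int subst = prev[j - 1] + (a.charAt(i - 1) == b.charAt(j - 1) ? 0 : 1);
                cur[j] = Math.min(subst, Math.min(prev[j], cur[j - 1]) + 1);
            }
            prev = cur;
        }
        return prev[b.length()];
    }

    static String closest(String suffix) {
        String best = KNOWN.get(0);
        for (String k : KNOWN) {
            if (distance(suffix, k) < distance(suffix, best)) best = k;
        }
        return best;
    }

    public static List<String> lint(Properties cfg) {
        List<String> findings = new ArrayList<String>();
        Set<String> seen = new HashSet<String>();
        for (String key : new TreeSet<String>(cfg.stringPropertyNames())) {
            if (!key.startsWith(PREFIX)) continue;
            String suffix = key.substring(PREFIX.length());
            if (KNOWN.contains(suffix)) {
                seen.add(suffix);
            } else {
                findings.add("unknown key " + key + ", closest known key is "
                        + PREFIX + closest(suffix));
            }
            // java.util.Properties has no trailing comments: "mail  # note" is all value.
            if (cfg.getProperty(key).matches(".*\\s#.*")) {
                findings.add(key + ": text after '#' is part of the value");
            }
        }
        for (String suffix : REQUIRED) {
            if (!seen.contains(suffix)) findings.add("missing key " + PREFIX + suffix);
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample modelled on the configuration quoted in this thread.
        String sample = "xwiki.authentication.ldap=1\n"
                + "xwiki.authentication.ldap.server=ldap.example.org\n"
                + "xwiki.authentication.ldap.port=389\n"
                + "xwiki.authentication.ldap.base_DN=ou=People,dc=example,dc=org\n"
                + "xwiki.authentication.ldap.UID_addr=mail  # Login is e-mail address\n"
                + "xwiki.authentication.ldap.check_level=0\n";
        Properties cfg = new Properties();
        cfg.load(new StringReader(sample));
        for (String finding : lint(cfg)) System.out.println(finding);
    }
}
```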