
XWKI and AD DS authentication trouble

Thomas Froehlich
Hi @all

I have some trouble connecting a new blank XWIKI installation to a MS AD DS Server.

This is my XWIKI installation:

XWIKI Enterprise 9.2
LDAP relevant Extensions:
- LDAP Application 9.2.4
- LDAP Class Libraries for Java (JLDAP) 4.3
- LDAP API 9.2.4
- LDAP Authenticator 9.2.4

The only LDAP related settings in xwiki.cfg are:
    xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
    xwiki.authentication.ldap.trylocal=1

These are the most important AD DS connection settings done in the XWIKI "LDAP Application" UI interface:
   Ldap login matching: CN={0},OU=Benutzer,OU=TTBV,DC=ttbv,DC=local
   Ldap password matching: {1}
   Restrict to group: CN=xwiki,OU=Gruppen,OU=TTBV,DC=ttbv,DC=local
   Ldap base DN: DC=ttbv,DC=local
   Ldap UID attribute name: CN


Unfortunately, the bind to the AD DS server doesn't work. In the XWIKI log file with LDAP logging set to "debug" I get the following exception:

TRACE o.x.c.ldap.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG o.x.c.ldap.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
TRACE o.x.c.ldap.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG o.x.contrib.ldap.XWikiLDAPConfig - remoteUserParser: null
DEBUG o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
DEBUG o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
DEBUG o.x.c.ldap.XWikiLDAPConnection - Connection to LDAP server [xxx.xx.xxx.x:xxx]
DEBUG o.x.c.ldap.XWikiLDAPConnection - Binding to LDAP server with credentials login=[CN=Thomas Froehlich,OU=Benutzer,OU=TTBV,DC=ttbv,DC=local]
DEBUG o.x.c.ldap.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
        at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
        at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:155)
        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:518)
        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:334)
        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:268)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174)
        at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
        at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:163)
        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3788)

The same exception occurs if I use the following subdomain setting (found on the Internet):
Ldap login matching: ttbv\\{0}

I tested the connection settings from above using another LDAP client like "SOFTERRA LDAP Browser 4.5" and the settings worked fine: Using this LDAP browser with login credentials "CN=Thomas Froehlich,OU=Benutzer,OU=TTBV,DC=ttbv,DC=local" (plus pwd) I was able to connect to the AD DS server and I was able to browse to the group "CN=xwiki,OU=Gruppen,OU=TTBV,DC=ttbv,DC=local" (so there are no restrictions for this user to browse the directory from base DN down to any group).

I have no more ideas what else to do or what else to test.  Any kind of help is welcome.

With kind regards
Thomas

Re: XWKI and AD DS authentication trouble

Thomas Mortagne
Administrator
On Fri, Apr 7, 2017 at 12:33 PM, Thomas Froehlich
<[hidden email]> wrote:

> Hi @all
>
> I have some trouble connecting a new blank XWIKI installation to a MS AD DS Server.
>
> This is my XWIKI installation:
>
> XWIKI Enterprise 9.2
> LDAP relevant Extensions:
> - LDAP Application 9.2.4
> - LDAP Class Libraries for Java (JLDAP) 4.3
> - LDAP API 9.2.4
> - LDAP Authenticator 9.2.4
>
> The only LDAP related settings in xwiki.cfg are:
>     xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
>     xwiki.authentication.ldap.trylocal=1
>
> These are the most important AD DS connection settings done in the XWIKI "LDAP Application" UI interface:
>    Ldap login matching: CN={0},OU=Benutzer,OU=TTBV,DC=ttbv,DC=local
>    Ldap password matching: {1}
>    Restrict to group: CN=xwiki,OU=Gruppen,OU=TTBV,DC=ttbv,DC=local
>    Ldap base DN: DC=ttbv,DC=local
>    Ldap UID attribute name: CN
>
>
> Unfortunately, the bind to the AD DS server doesn't work. In the XWIKI log file with LDAP logging set to "debug" I get the following exception:
>
> TRACE o.x.c.ldap.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
> DEBUG o.x.c.ldap.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
> TRACE o.x.c.ldap.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
> DEBUG o.x.contrib.ldap.XWikiLDAPConfig - remoteUserParser: null
> DEBUG o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
> DEBUG o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
> DEBUG o.x.c.ldap.XWikiLDAPConnection - Connection to LDAP server [xxx.xx.xxx.x:xxx]
> DEBUG o.x.c.ldap.XWikiLDAPConnection - Binding to LDAP server with credentials login=[CN=Thomas Froehlich,OU=Benutzer,OU=TTBV,DC=ttbv,DC=local]
> DEBUG o.x.c.ldap.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
> org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
>         at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
>         at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:155)
>         at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:518)
>         at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:334)
>         at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:268)
>         at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272)
>         at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192)
>         at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174)
>         at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
>         at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:163)
>         at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3788)
>
> The same exception occurs if I use the following subdomain setting (found on the Internet):
> Ldap login matching: ttbv\\{0}
>
> I tested the connection settings from above using another LDAP client like "SOFTERRA LDAP Browser 4.5" and the settings worked fine: Using this LDAP browser with login credentials "CN=Thomas Froehlich,OU=Benutzer,OU=TTBV,DC=ttbv,DC=local" (plus pwd) I was able to connect to the AD DS server and I was able to browse to the group "CN=xwiki,OU=Gruppen,OU=TTBV,DC=ttbv,DC=local" (so there are no restrictions for this user to browse the directory from base DN down to any group).

If the DN we see in the debug log ("Binding to LDAP server with
credentials...") is right then all I can think of are:
* a wrong password (make sure you don't have some white space before
or after for example)
* wrong server host/port which leads to an LDAP server but not the expected one

>
> I have no more ideas what else to do or what else to test.  Any kind of help is welcome.
>
> With kind regards
> Thomas



--
Thomas Mortagne
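
Added example (not part of the original posts, and not XWiki code): a small Python helper that runs the local checks suggested in the reply above against the "Ldap login matching" template from the thread, and decodes the sub-code Active Directory places in the diagnostic text of a failed bind. The function names, the sample password and the sample server message are constructed for illustration; it assumes you have obtained the server's diagnostic text, which the log excerpt in this thread does not show.

```python
import re

# Sub-codes Active Directory reports after "data" in the diagnostic text of a
# failed simple bind (LDAP result code 49, invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or DN not accepted)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")

# Characters that must be escaped inside a DN attribute value (RFC 4514).
DN_SPECIALS = set(',+"\\<>;=')

# Template taken from the thread; the other sample values are constructed.
TEMPLATE = "CN={0},OU=Benutzer,OU=TTBV,DC=ttbv,DC=local"
SAMPLE_SERVER_MESSAGE = (
    "80090308: LdapErr: DSID-00000000, comment: "
    "AcceptSecurityContext error, data 52e, v0000"
)


def expand_bind_dn(template, login):
    """Substitute the typed login for {0}, giving the DN that will be bound."""
    return template.replace("{0}", login)


def check_credentials(template, login, password):
    """Return local findings that can explain a failed bind before any
    network traffic is involved."""
    findings = []
    if "{0}" not in template:
        findings.append("template has no {0} placeholder")
    if login != login.strip():
        findings.append("login has leading or trailing whitespace")
    if not password:
        findings.append(
            "empty password (unauthenticated bind, not a credential check)")
    elif password != password.strip():
        findings.append("password has leading or trailing whitespace")
    if DN_SPECIALS & set(login) or login.startswith("#"):
        findings.append(
            "login contains DN special characters that need escaping")
    return findings


def decode_ad_bind_error(server_message):
    """Return (subcode, meaning) from an AD bind diagnostic text,
    or (None, None) when the text carries no 'data <hex>' field."""
    match = _DATA_RE.search(server_message or "")
    if not match:
        return None, None
    code = match.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def diagnose(template, login, password, server_message=""):
    """Combine the local checks with the decoded server diagnostic."""
    code, meaning = decode_ad_bind_error(server_message)
    return {
        "bind_dn": expand_bind_dn(template, login),
        "local_findings": check_credentials(template, login, password),
        "ad_subcode": code,
        "ad_meaning": meaning,
    }


if __name__ == "__main__":
    # Constructed input: the password carries a trailing space.
    report = diagnose(TEMPLATE, "Thomas Froehlich", "example-pass ",
                      SAMPLE_SERVER_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Compare the printed bind_dn with the DN in the "Binding to LDAP server with credentials login=[...]" debug line; sub-code 525 points at the DN, while 52e points at the password.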

Re: XWKI and AD DS authentication trouble

Thomas Froehlich
Hi Thomas Mortagne,

ty for your response.

>* a wrong password (make sure you don't have some white space before or after for example)
>* wrong server host/port which leads to an LDAP server but not the expected one


I checked all settings again: there are no white spaces. And the server IP and port are the right ones. Till now I found no solution for this AD DS bind problem.

What about the following log file DEBUG messages:

> o.x.contrib.ldap.XWikiLDAPConfig -  ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup,
> groupwisedistributionlist, group, dynamicgroupaux]
> o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]

I never configured group attributes / fields or such things. These messages are normal and not an indication of some missing configuration?

Kind regards
Thomas



Re: XWKI and AD DS authentication trouble

Thomas Mortagne
Administrator
On Mon, Apr 10, 2017 at 3:10 PM, Thomas Froehlich
<[hidden email]> wrote:
> Hi Thomas Mortagne,
>
> ty for your response.
>
>>* a wrong password (make sure you don't have some white space before or after for example)
>>* wrong server host/port which leads to an LDAP server but not the expected one
>
>
> I checked all settings again: there are no white spaces. And the server IP and port are the right ones. Till now I found no solution for this AD DS bind problem.

I was not talking about the setting, {0} means "use the password the
user put in the login form".

Also make sure you did not set some LDAP properties with LDAP
Application at some point and forgot to reset them (yes even if you
uninstalled the application).

>
> What about the following log file DEBUG messages:
>
>> o.x.contrib.ldap.XWikiLDAPConfig -  ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup,
>>       groupwisedistributionlist, group, dynamicgroupaux]
>> o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
>
> I never configured group attributes / fields or such things. These messages are normal and not an indication of some missing configuration?

Those are the default.

Anyway it does not matter since the authenticator can not even bind to
the LDAP server.

>
> Kind regards
> Thomas



--
Thomas Mortagne

Re: XWKI and AD DS authentication trouble

Thomas Froehlich
> Also make sure you did not set some LDAP properties with LDAP Application at
> some point and forgot to reset them (yes even if you uninstalled the application).

How else to reset them except to change the settings in the XWIKI Administration at "Global Administration: LDAP"?



Re: XWKI and AD DS authentication trouble

Thomas Mortagne
Administrator
No other way. If all is empty in the LDAP form that should be OK (at
least on this side).

On Mon, Apr 10, 2017 at 5:43 PM, Thomas Froehlich
<[hidden email]> wrote:

>> Also make sure you did not set some LDAP properties with LDAP Application at
>> some point and forgot to reset them (yes even if you uninstalled the application).
>
> How else to reset them except to change the settings in the XWIKI Administration at "Global Administration: LDAP"?



--
Thomas Mortagne