Re: [xwiki-users] New users and LDAP

2008-11-13 Thread mtenhoor

Ok, turns out the xwikircs table in mysql was marked as crashed.  Once I
repaired it, most of the problems went away.  However, the login page still
provides no feedback to the user as to why the login has failed when using
only LDAP authentication, i.e. 'bad password'.  The login page just refreshes
as if nothing happened, but I can see from the log that it tried LDAP and
either the user name or password was rejected.  In xwiki.log I see the
following when trying to log in with a user name that does not exist in
LDAP:



-xwiki.log-

11:45:12,156 [http://192.168.128.178:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl   - Local LDAP authentication failed.
java.lang.NullPointerException
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:341)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:176)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:131)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
    at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:205)
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3566)
    at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3574)
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4480)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:94)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)

---

My only other gripe is that the change password link still shows up on the
users page even though it doesn't do anything.  Is there a way to remove it?



[xwiki-users] New users and LDAP

2008-11-10 Thread mtenhoor

Hi, I'm trying to implement xwiki for the first time in our environment.  We
have an OpenLDAP server that I would like to use for authentication.  I have
been able to get xwiki to authenticate via LDAP for users that already exist
in the xwiki database, but there are a few things that still are not right.  

1.  I cannot log in to xwiki unless the user already exists in the xwiki
database.  This would not be a problem (and in fact is probably preferred)
except...

2.  When xwiki is configured to use LDAP, I can not add a user to the
database.  I also can not change xwiki group membership or permissions for
any user when xwiki is configured for LDAP.  Everything related to users
seems to be locked while xwiki is on LDAP.

3.  Users can authenticate using their LDAP password or the password that is
stored in the xwiki database.  I know that has to do with the
'xwiki.authentication.ldap.trylocal=1' setting, but without it, the
login form gives no feedback as to why the login failed, e.g. wrong user
name etc.

Right now it seems to me that the only way for me to add a new user to xwiki
would be to:

1. take xwiki off LDAP
2. add user to xwiki database
3. set permissions
4. put xwiki back on LDAP

There has to be an easier way to do this.  Some of the threads I've been
reading indicate that users are automatically created when authenticated via
LDAP.  This would be fine with me as long as the default group had no
permissions, and I could later assign the user to the appropriate group.

I've included an excerpt from my xwiki.cfg file.  Please let me know if I'm
doing something wrong.  

Thanks.

FYI my xwiki version number is 1.6.1.13621

---

Excerpt from xwiki.cfg:


#-
# LDAP
#-

#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl

#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1

#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=192.168.xxx.xxx
xwiki.authentication.ldap.port=389

#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the username, {1} with the password
xwiki.authentication.ldap.bind_DN=cn=manager,dc=[domain],dc=[TLD]
xwiki.authentication.ldap.bind_pass=xxx

#-# Force to check password after LDAP connection
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap.validate_password=0

#-# only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US

#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US

#-# base DN for searches
xwiki.authentication.ldap.base_DN=ou=Users,dc=percipenz,dc=com

#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=uid

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used when xwiki.authentication.ldap.validate_password i$
# xwiki.authentication.ldap.password_field=userPassword

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
# xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDi$

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members. Separated by commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember

#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
#-# ldap_dn=dn  -- dn is set by class, caches dn in XWiki.user object for faster access
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=displayName,email=mail

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki accou$
xwiki.authentication.ldap.update_user=1

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# mapps XWiki groups to LDAP groups, separator is |
# xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\
# XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
# xwiki.authentication.ldap.groupcache_expiration=21800

#-#
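
The two credential paths described in point 3 and the LDAP settings in the excerpt can be reviewed mechanically. The Python sketch below is an added example, not part of the original post or of XWiki: the server address and bind DN domain in the sample are constructed placeholders, and the checks in `audit` are a hypothetical review list built from what the message and the config comments state.

```python
import re

# Constructed sample: active settings modelled on the excerpt above, plus the
# trylocal line quoted in the message. Address and domain are placeholders.
SAMPLE_CFG = """\
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=192.0.2.10
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn=manager,dc=example,dc=org
xwiki.authentication.ldap.bind_pass=xxx
xwiki.authentication.ldap.trylocal=1
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
xwiki.authentication.ldap.validate_password=0
"""

PREFIX = "xwiki.authentication.ldap"

def parse_cfg(text):
    """Parse properties-style text: '#' comments, key=value, backslash continuation."""
    settings, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue                      # blank line or commented-out setting
        if line.endswith("\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit(settings):
    """Return review findings for the LDAP login settings (assumed checks)."""
    get = lambda k, d="": settings.get(f"{PREFIX}.{k}" if k else PREFIX, d)
    findings = []
    if get("") != "1":
        return ["LDAP disabled: only local XWiki passwords are checked"]
    if get("trylocal") == "1":
        findings.append("trylocal=1: a local XWiki password also logs the user in")
    if get("port") == "389":
        findings.append("port 389: plain LDAP port, binds are cleartext unless TLS is set up")
    if re.match(r"cn=(manager|admin|root)\b", get("bind_DN"), re.I):
        findings.append("bind_DN looks like a directory administrator account")
    if not get("user_group"):
        findings.append("user_group unset: every entry under base_DN may log in")
    return findings
```

Calling `audit(parse_cfg(SAMPLE_CFG))` returns four findings for the sample; commented-out settings such as `user_group` are treated as unset, matching how the file is read.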