Re: [xwiki-users] New users and LDAP
On Thu, Nov 13, 2008 at 6:49 PM, mtenhoor [EMAIL PROTECTED] wrote:

> Ok, turns out the xwikircs table in mysql was marked as crashed. Once I repaired it, most of the problems went away.
>
> However, the login page still provides no feedback to the user as to why the login has failed when using only LDAP authentication, i.e. 'bad password'. The login page just refreshes as if nothing happened, but I can see from the log that it tried LDAP and either the user name or password was rejected.
>
> In xwiki.log I see the following when trying to log in with a user name that does not exist in LDAP:
>
> -xwiki.log-
> 11:45:12,156 [http://192.168.128.178:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
> java.lang.NullPointerException
>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:341)
>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:176)
>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:131)
>     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
>     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
>     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
>     at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:205)
>     at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3566)
>     at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
>     at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3574)
>     at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4480)
>     at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
>     at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
>     at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
>     at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
>     at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
>     at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:94)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>     at java.lang.Thread.run(Thread.java:619)
> ---
>
> My only other gripe is that the change password link still shows up on the users page even though it doesn't do anything. Is there a way to remove it?

It seems there is a problem with the LDAP search that makes authentication fail (it looks like the bug in 1.6 fixed in 1.6.1).

Could you enable debug log (see
Re: [xwiki-users] New users and LDAP
Ok, turns out the xwikircs table in mysql was marked as crashed. Once I repaired it, most of the problems went away.

However, the login page still provides no feedback to the user as to why the login has failed when using only LDAP authentication, i.e. 'bad password'. The login page just refreshes as if nothing happened, but I can see from the log that it tried LDAP and either the user name or password was rejected.

In xwiki.log I see the following when trying to log in with a user name that does not exist in LDAP:

-xwiki.log-
11:45:12,156 [http://192.168.128.178:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
java.lang.NullPointerException
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:341)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:176)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:131)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
    at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:205)
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3566)
    at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3574)
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4480)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:94)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:619)
---

My only other gripe is that the change password link still shows up on the users page even though it doesn't do anything. Is there a way to remove it?

--
View this message in context: http://n2.nabble.com/New-users-and-LDAP-tp1482130p1494840.html
Sent from the XWiki- Users mailing list archive at Nabble.com.
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
[xwiki-users] New users and LDAP
Hi,

I'm trying to implement xwiki for the first time in our environment. We have an OpenLDAP server that I would like to use for authentication. I have been able to get xwiki to authenticate via LDAP for users that already exist in the xwiki database, but there are a few things that still are not right.

1. I can not log in to xwiki unless the user already exists in the xwiki database. This would not be a problem (and in fact is probably preferred) except...
2. When xwiki is configured to use LDAP, I can not add a user to the database. I also can not change xwiki group membership or permissions for any user when xwiki is configured for LDAP. Everything related to users seems to be locked while xwiki is on LDAP.
3. Users can authenticate using their LDAP password or the password that is stored in the xwiki database. I know that has to do with the 'xwiki.authentication.ldap.trylocal=1' setting, but without it, the login form gives no feedback as to why the login failed. ex. Wrong user name etc.

Right now it seems to me that the only way for me to add a new user to xwiki would be to:

1. take xwiki off LDAP
2. add user to xwiki database
3. set permissions
4. put xwiki back on LDAP

There has to be an easier way to do this. Some of the threads I've been reading indicate that users are automatically created when authenticated via LDAP. This would be fine with me as long as the default group had no permissions, and I could later assign the user to the appropriate group.

I've included an excerpt from my xwiki.cfg file. Please let me know if I'm doing something wrong.

Thanks.

FYI my xwiki version number is 1.6.1.13621

--- Excerpt from xwiki.cfg:

#-
# LDAP
#-

#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl

#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1

#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=192.168.xxx.xxx
xwiki.authentication.ldap.port=389

#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the username, {1} with the password
xwiki.authentication.ldap.bind_DN=cn=manager,dc=[domain],dc=[TLD]
xwiki.authentication.ldap.bind_pass=xxx

#-# Force to check password after LDAP connection
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap.validate_password=0

#-# only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US

#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US

#-# base DN for searches
xwiki.authentication.ldap.base_DN=ou=Users,dc=percipenz,dc=com

#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=uid

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used when xwiki.authentication.ldap.validate_password i$
# xwiki.authentication.ldap.password_field=userPassword

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
# xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDi$

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members. Separated by commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember

#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
#-# ldap_dn=dn -- dn is set by class, caches dn in XWiki.user object for faster access
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=displayName,email=mail

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki accou$
xwiki.authentication.ldap.update_user=1

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# mapps XWiki groups to LDAP groups, separator is |
# xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\
# XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
# xwiki.authentication.ldap.groupcache_expiration=21800

#-#
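
An added example, not part of the original post and not XWiki code: a small audit of the LDAP keys in an xwiki.cfg excerpt like the one above, reporting the settings the thread touches on (plain LDAP port, fixed bind account, local password fallback, no group restriction). The function names and the sample values (host, DN, password placeholder) are assumptions made for illustration.

```python
# Added example: audits the LDAP keys of an xwiki.cfg excerpt (not XWiki code).
PREFIX = "xwiki.authentication.ldap"

# Constructed sample modelled on the excerpt above; host, DN and password are placeholders.
SAMPLE_CFG = """\
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=ldap.example.test
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn=manager,dc=example,dc=test
xwiki.authentication.ldap.bind_pass=PLACEHOLDER
xwiki.authentication.ldap.trylocal=1
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
"""


def parse_cfg(text):
    """Return active key/value pairs; '#' lines (including '#-#' help text) are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # DN values contain '=' themselves
        settings[key.strip()] = value.strip()
    return settings


def audit_ldap(settings):
    """Return (setting, finding) pairs for the LDAP options discussed in the thread."""
    def get(name):
        return settings.get(f"{PREFIX}.{name}", "")

    if settings.get(PREFIX) != "1":
        return [("ldap", "LDAP authentication is off; only XWiki authentication is used")]
    findings = []
    if get("port") == "389":
        findings.append(("port", "389 is the plain LDAP port; confirm the bind is not sent in cleartext"))
    if get("bind_DN") and "{0}" not in get("bind_DN"):
        findings.append(("bind_DN", "fixed bind account; its password sits in xwiki.cfg, so keep its directory rights minimal"))
    if get("trylocal") == "1":
        findings.append(("trylocal", "passwords stored in the XWiki database are accepted as well as LDAP ones"))
    if not get("user_group"):
        findings.append(("user_group", "unset; every user found under base_DN is verified"))
    return findings


if __name__ == "__main__":
    for setting, finding in audit_ldap(parse_cfg(SAMPLE_CFG)):
        print(f"{setting}: {finding}")
```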