[xwiki-users] kerberos SSO -> strip domainname from username
Hi all, I have configured xwiki with LDAP authentication and kerberos SSO. When I use a browser without automatic Kerberos SSO, I get a keberos login page. When I fill in username and password manually it works great. But when I set the browser to use automatic logon, I get the xwiki login page! (at least in FireFox, IE says “cannot show page”) I get the same results when I manually login with “username@DOMAIN” and “password”. So I think the domain part is used in the automatic logon. (and is the actual problem…) I see there is java code that strips the @DOMAIN part from the username. But I have no idea how or where to implement this. I hope some can help me! Mark ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] kerberos SSO -> strip domainname from username
Has anyone xwiki 4.5 with kerberos SSO working? -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Mark Jas Verzonden: dinsdag 5 maart 2013 16:35 Aan: users@xwiki.org Onderwerp: [xwiki-users] kerberos SSO -> strip domainname from username Hi all, I have configured xwiki with LDAP authentication and kerberos SSO. When I use a browser without automatic Kerberos SSO, I get a keberos login page. When I fill in username and password manually it works great. But when I set the browser to use automatic logon, I get the xwiki login page! (at least in FireFox, IE says "cannot show page") I get the same results when I manually login with "username@DOMAIN" and "password". So I think the domain part is used in the automatic logon. (and is the actual problem...) I see there is java code that strips the @DOMAIN part from the username. But I have no idea how or where to implement this. I hope some can help me! Mark ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] kerberos SSO -> strip domainname from username
Hi Thomas, Thanks for your reply. I should have given you some more info. I'm using the default authenticator, because if I use the com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl, my ldap stops working. If I use com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl Kerberos works fine, but new users aren't created, and group sync isn't working etc etc... Maybe my question should be: How do I get LDAP working with the Kerberos authenticator? Mark On Tue, Mar 5, 2013 at 4:35 PM, Mark Jas wrote: > Hi all, > > > I have configured xwiki with LDAP authentication and kerberos SSO. > > When I use a browser without automatic Kerberos SSO, I get a keberos login > page. When I fill in username and password manually it works great. > > But when I set the browser to use automatic logon, I get the xwiki > login page! (at least in FireFox, IE says “cannot show page”) > > I get the same results when I manually login with “username@DOMAIN” > and “password”. So I think the domain part is used in the automatic > logon. (and is the actual problem…) > > > I see there is java code that strips the @DOMAIN part from the username. But > I have no idea how or where to implement this. I hope some can help me! I never used it myself but from what I see in the code it's supposed to do that all the time. Maybe there is a bug. You can try to enable debug log[1] for class com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl (that's the authenticator you are using, right ?) to see what's going on. At least ou should get what remote user XWiki is getting if any. [1] http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging > > > Mark > > > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] kerberos SSO -> strip domainname from username
Hi Thomas, I think xwiki-authentication-trusted-ldap is exactly what I need. But I'm not that experienced to compiling java. Can I download it somewhere as a .jar file? Or can you point me the way to extract this from git and compile it myself? Thanks, Mark On Fri, Mar 8, 2013 at 1:53 PM, Mark Jas wrote: > Hi Thomas, > > Thanks for your reply. I should have given you some more info. > I'm using the default authenticator, because if I use the > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl, my > ldap stops working. > > If I use > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl > Kerberos works fine, but new users aren't created, and group sync isn't > working etc etc... com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl only know about remote user and just create the user page, it's not connecting to LDAP to update informations or group membership like the LDAP authenticator do. There is no such authenticator by default but you can look at https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-trusted-ldap. > > Maybe my question should be: How do I get LDAP working with the Kerberos > authenticator? > > Mark > > > On Tue, Mar 5, 2013 at 4:35 PM, Mark Jas wrote: >> Hi all, >> >> >> I have configured xwiki with LDAP authentication and kerberos SSO. >> >> When I use a browser without automatic Kerberos SSO, I get a keberos login >> page. When I fill in username and password manually it works great. >> >> But when I set the browser to use automatic logon, I get the xwiki >> login page! (at least in FireFox, IE says “cannot show page”) >> >> I get the same results when I manually login with “username@DOMAIN” >> and “password”. So I think the domain part is used in the automatic >> logon. (and is the actual problem…) >> >> >> I see there is java code that strips the @DOMAIN part from the username. But >> I have no idea how or where to implement this. I hope some can help me! > > I never used it myself but from what I see in the code it's supposed to do > that all the time. Maybe there is a bug. > > You can try to enable debug log[1] for class > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl > (that's the authenticator you are using, right ?) to see what's going on. At > least ou should get what remote user XWiki is getting if any. > > [1] http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging > >> >> >> Mark >> >> >> ___ >> users mailing list >> users@xwiki.org >> http://lists.xwiki.org/mailman/listinfo/users > > > > -- > Thomas Mortagne > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users > > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] kerberos SSO -> strip domainname from username
I managed to compile and activate the xwiki-authentication-trusted-ldap plugin. But still the same result: login works with login prompt, fails with SSO. Debugging showed me that the xwiki doesn't accept the SSO because username doesn't match. I suppose my xwiki.authentication.trustedldap.remoteUserParser settings is incorrect. Can anyone tell me what this settings should be when my kerberos sso user is "u...@domain.com" and my sAMAccountName in ldap is just "user"? On Fri, Mar 8, 2013 at 1:53 PM, Mark Jas wrote: > Hi Thomas, > > Thanks for your reply. I should have given you some more info. > I'm using the default authenticator, because if I use the > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl, my > ldap stops working. > > If I use > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl > Kerberos works fine, but new users aren't created, and group sync isn't > working etc etc... com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl only know about remote user and just create the user page, it's not connecting to LDAP to update informations or group membership like the LDAP authenticator do. There is no such authenticator by default but you can look at https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-trusted-ldap. > > Maybe my question should be: How do I get LDAP working with the Kerberos > authenticator? > > Mark > > > On Tue, Mar 5, 2013 at 4:35 PM, Mark Jas wrote: >> Hi all, >> >> >> I have configured xwiki with LDAP authentication and kerberos SSO. >> >> When I use a browser without automatic Kerberos SSO, I get a keberos login >> page. When I fill in username and password manually it works great. >> >> But when I set the browser to use automatic logon, I get the xwiki >> login page! (at least in FireFox, IE says “cannot show page”) >> >> I get the same results when I manually login with “username@DOMAIN” >> and “password”. So I think the domain part is used in the automatic >> logon. (and is the actual problem…) >> >> >> I see there is java code that strips the @DOMAIN part from the username. But >> I have no idea how or where to implement this. I hope some can help me! > > I never used it myself but from what I see in the code it's supposed to do > that all the time. Maybe there is a bug. > > You can try to enable debug log[1] for class > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl > (that's the authenticator you are using, right ?) to see what's going on. At > least ou should get what remote user XWiki is getting if any. > > [1] http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging > >> >> >> Mark >> >> >> ___ >> users mailing list >> users@xwiki.org >> http://lists.xwiki.org/mailman/listinfo/users > > > > -- > Thomas Mortagne > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users > > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] kerberos SSO -> strip domainname from username
Mailed to soon. Solved it. The default works just fine. xwiki.authentication.trustedldap.remoteUserParser=(.+)@(.+) xwiki.authentication.trustedldap.remoteUserMapping.1=login -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Mark Verzonden: zaterdag 9 maart 2013 17:08 Aan: XWiki Users Onderwerp: Re: [xwiki-users] kerberos SSO -> strip domainname from username I managed to compile and activate the xwiki-authentication-trusted-ldap plugin. But still the same result: login works with login prompt, fails with SSO. Debugging showed me that the xwiki doesn't accept the SSO because username doesn't match. I suppose my xwiki.authentication.trustedldap.remoteUserParser settings is incorrect. Can anyone tell me what this settings should be when my kerberos sso user is "u...@domain.com" and my sAMAccountName in ldap is just "user"? On Fri, Mar 8, 2013 at 1:53 PM, Mark Jas wrote: > Hi Thomas, > > Thanks for your reply. I should have given you some more info. > I'm using the default authenticator, because if I use the > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl, my > ldap stops working. > > If I use > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl > Kerberos works fine, but new users aren't created, and group sync isn't > working etc etc... com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl only know about remote user and just create the user page, it's not connecting to LDAP to update informations or group membership like the LDAP authenticator do. There is no such authenticator by default but you can look at https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-trusted-ldap. > > Maybe my question should be: How do I get LDAP working with the Kerberos > authenticator? > > Mark > > > On Tue, Mar 5, 2013 at 4:35 PM, Mark Jas wrote: >> Hi all, >> >> >> I have configured xwiki with LDAP authentication and kerberos SSO. >> >> When I use a browser without automatic Kerberos SSO, I get a keberos login >> page. When I fill in username and password manually it works great. >> >> But when I set the browser to use automatic logon, I get the xwiki >> login page! (at least in FireFox, IE says “cannot show page”) >> >> I get the same results when I manually login with “username@DOMAIN” >> and “password”. So I think the domain part is used in the automatic >> logon. (and is the actual problem…) >> >> >> I see there is java code that strips the @DOMAIN part from the username. But >> I have no idea how or where to implement this. I hope some can help me! > > I never used it myself but from what I see in the code it's supposed to do > that all the time. Maybe there is a bug. > > You can try to enable debug log[1] for class > com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl > (that's the authenticator you are using, right ?) to see what's going on. At > least ou should get what remote user XWiki is getting if any. > > [1] http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging > >> >> >> Mark >> >> >> ___ >> users mailing list >> users@xwiki.org >> http://lists.xwiki.org/mailman/listinfo/users > > > > -- > Thomas Mortagne > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users > > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
[xwiki-users] TRANSPORT_ERROR with SSO in tree view
Hello, I get a popup with the error “Server returned TRANSPORT_ERROR with no error message.” If I select the tree view in the document index. I’m using xwiki 4.5 with kerberos SSO. If I disable kerberos in apache and use the normal login, everything works just fine. Is this a bug? Mark ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
Hi Marius, I used firebug like you said. Here my findings: - Scheme is ok. (all http) - hostname is ok (all "xwiki") - the console shows me a lot of request with a "401 authorization required" (not only on the tree page, but also on other pages) - all the REST request on the tree page have "401 authorization required" responses. - No authentication errors in apache logs - http://xwiki/xwiki/rest/ with SSO gives me an "Internal Server Error" (no error in apache logs) - http://xwiki/xwiki/rest/ without SSO gives me some XML - All REST requests I see in the console are the same: http://xwiki/xwiki/rest/wikis/xwiki/spaces?r=221031 Hope you can help. Thanks. Mark -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Marius Dumitru Florea Verzonden: donderdag 14 maart 2013 8:22 Aan: XWiki Users Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view On Wed, Mar 13, 2013 at 9:06 PM, Mark Jas wrote: > Hello, > > > I get a popup with the error “Server returned TRANSPORT_ERROR with no error > message.” If I select the tree view in the document index. > > I’m using xwiki 4.5 with kerberos SSO. If I disable kerberos in apache and > use the normal login, everything works just fine. > > Is this a bug? Could be. TRANSPORT_ERROR normally happens when a request made by the tree fails (usually because the URL is bad). The tree uses the REST system to fetch its data, so all requests made by the tree are /rest/ requests. It would be of great help if you could tell us what requests are failing (their URL is important). In order to check this you can use Firefox with its Firebug extension. This extension has a Console tab where you can see all the (AJAX) requests made by the editor and its tree, if the console was opened before the page was loaded, otherwise you need to reload the page. The failed requests are displayed in red so they are easy to notice. You can click on each request to get more information, but more importantly you can right click to get the full URL with parameters. Post here the bad URLs and also the URL for the edit mode. The things to check are: * are the REST URLs using the same scheme (HTTP/HTTPS) as the edit mode URL? * do they have the same domain? * is the REST system working when Kerberos SSO is enabled? Thanks, Marius > > > Mark > > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
Forgot to mention -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Mark Jas Verzonden: donderdag 14 maart 2013 12:34 Aan: XWiki Users Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view Hi Marius, I used firebug like you said. Here my findings: - Scheme is ok. (all http) - hostname is ok (all "xwiki") - the console shows me a lot of request with a "401 authorization required" (not only on the tree page, but also on other pages) - all the REST request on the tree page have "401 authorization required" responses. - No authentication errors in apache logs - http://xwiki/xwiki/rest/ with SSO gives me an "Internal Server Error" (no error in apache logs) - http://xwiki/xwiki/rest/ without SSO gives me some XML - All REST requests I see in the console are the same: http://xwiki/xwiki/rest/wikis/xwiki/spaces?r=221031 Hope you can help. Thanks. Mark -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Marius Dumitru Florea Verzonden: donderdag 14 maart 2013 8:22 Aan: XWiki Users Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view On Wed, Mar 13, 2013 at 9:06 PM, Mark Jas wrote: > Hello, > > > I get a popup with the error “Server returned TRANSPORT_ERROR with no error > message.” If I select the tree view in the document index. > > I’m using xwiki 4.5 with kerberos SSO. If I disable kerberos in apache and > use the normal login, everything works just fine. > > Is this a bug? Could be. TRANSPORT_ERROR normally happens when a request made by the tree fails (usually because the URL is bad). The tree uses the REST system to fetch its data, so all requests made by the tree are /rest/ requests. It would be of great help if you could tell us what requests are failing (their URL is important). In order to check this you can use Firefox with its Firebug extension. This extension has a Console tab where you can see all the (AJAX) requests made by the editor and its tree, if the console was opened before the page was loaded, otherwise you need to reload the page. The failed requests are displayed in red so they are easy to notice. You can click on each request to get more information, but more importantly you can right click to get the full URL with parameters. Post here the bad URLs and also the URL for the edit mode. The things to check are: * are the REST URLs using the same scheme (HTTP/HTTPS) as the edit mode URL? * do they have the same domain? * is the REST system working when Kerberos SSO is enabled? Thanks, Marius > > > Mark > > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
Forgot to mention: Catalina.out shows me this: 2013-03-14 12:35:58,430 [http://xwiki/xwiki/bin/get/Main/WebHome?xpage=xpart&vm=commentsinline.vm] WARN a.t.TrustedLDAPAuthServiceImpl - Failed to resolve remote user. It usually mean that no SSO information has been provided to XWiki. -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Mark Jas Verzonden: donderdag 14 maart 2013 12:34 Aan: XWiki Users Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view Hi Marius, I used firebug like you said. Here my findings: - Scheme is ok. (all http) - hostname is ok (all "xwiki") - the console shows me a lot of request with a "401 authorization required" (not only on the tree page, but also on other pages) - all the REST request on the tree page have "401 authorization required" responses. - No authentication errors in apache logs - http://xwiki/xwiki/rest/ with SSO gives me an "Internal Server Error" (no error in apache logs) - http://xwiki/xwiki/rest/ without SSO gives me some XML - All REST requests I see in the console are the same: http://xwiki/xwiki/rest/wikis/xwiki/spaces?r=221031 Hope you can help. Thanks. Mark -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Marius Dumitru Florea Verzonden: donderdag 14 maart 2013 8:22 Aan: XWiki Users Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view On Wed, Mar 13, 2013 at 9:06 PM, Mark Jas wrote: > Hello, > > > I get a popup with the error “Server returned TRANSPORT_ERROR with no error > message.” If I select the tree view in the document index. > > I’m using xwiki 4.5 with kerberos SSO. If I disable kerberos in apache and > use the normal login, everything works just fine. > > Is this a bug? Could be. TRANSPORT_ERROR normally happens when a request made by the tree fails (usually because the URL is bad). The tree uses the REST system to fetch its data, so all requests made by the tree are /rest/ requests. It would be of great help if you could tell us what requests are failing (their URL is important). In order to check this you can use Firefox with its Firebug extension. This extension has a Console tab where you can see all the (AJAX) requests made by the editor and its tree, if the console was opened before the page was loaded, otherwise you need to reload the page. The failed requests are displayed in red so they are easy to notice. You can click on each request to get more information, but more importantly you can right click to get the full URL with parameters. Post here the bad URLs and also the URL for the edit mode. The things to check are: * are the REST URLs using the same scheme (HTTP/HTTPS) as the edit mode URL? * do they have the same domain? * is the REST system working when Kerberos SSO is enabled? Thanks, Marius > > > Mark > > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
Hi Marius, There are a lot of AJAX requests, some work, some don't. All requests have cookie headers. But it looks like the failed requests have no authorization header, and the other requests do have one. On the main page I see some failed requests (without authorization header) and right after, the same request again with authorization header that succeeds! Looks like some kind of retry. With the REST request, I do not see this duplicate requests. Mark -Oorspronkelijk bericht- Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Marius Dumitru Florea Verzonden: donderdag 14 maart 2013 12:52 Aan: XWiki Users Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view Ok, so the problem is: * either the AJAX requests don't have the necessary authentication information * or the REST system doesn't understand or doesn't handle properly the authentication information from the request. All AJAX requests should have all the cookies that the main request (for the edit mode) has. So if the authentication information is stored in cookies then it is send with the AJAX requests. The first thing to check is if the AJAX requests (logged in the Firebug console) have the authentication information. I don't know how the Kerberos SSO works nor if it integrates well with REST. We need the help of a REST guru here :) Thanks, Marius On Thu, Mar 14, 2013 at 1:37 PM, Mark Jas wrote: > Forgot to mention: > Catalina.out shows me this: > > 2013-03-14 12:35:58,430 > [http://xwiki/xwiki/bin/get/Main/WebHome?xpage=xpart&vm=commentsinline.vm] > WARN a.t.TrustedLDAPAuthServiceImpl - Failed to resolve remote user. It > usually mean that no SSO information has been provided to XWiki. > > -Oorspronkelijk bericht- > Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens > Mark Jas > Verzonden: donderdag 14 maart 2013 12:34 > Aan: XWiki Users > Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view > > Hi Marius, > > I used firebug like you said. Here my findings: > - Scheme is ok. (all http) > - hostname is ok (all "xwiki") > - the console shows me a lot of request with a "401 authorization > required" (not only on the tree page, but also on other pages) > - all the REST request on the tree page have "401 authorization > required" responses. > - No authentication errors in apache logs > - http://xwiki/xwiki/rest/ with SSO gives me an "Internal Server Error" > (no error in apache logs) > - http://xwiki/xwiki/rest/ without SSO gives me some XML > - All REST requests I see in the console are the same: > http://xwiki/xwiki/rest/wikis/xwiki/spaces?r=221031 > > Hope you can help. > Thanks. > Mark > > -Oorspronkelijk bericht- > Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens > Marius Dumitru Florea > Verzonden: donderdag 14 maart 2013 8:22 > Aan: XWiki Users > Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view > > On Wed, Mar 13, 2013 at 9:06 PM, Mark Jas wrote: >> Hello, >> >> >> I get a popup with the error “Server returned TRANSPORT_ERROR with no error >> message.” If I select the tree view in the document index. >> >> I’m using xwiki 4.5 with kerberos SSO. If I disable kerberos in apache and >> use the normal login, everything works just fine. >> >> Is this a bug? > > Could be. TRANSPORT_ERROR normally happens when a request made by the tree > fails (usually because the URL is bad). The tree uses the REST system to > fetch its data, so all requests made by the tree are /rest/ requests. It > would be of great help if you could tell us what requests are failing (their > URL is important). In order to check this you can use Firefox with its > Firebug extension. This extension has a Console tab where you can see all the > (AJAX) requests made by the editor and its tree, if the console was opened > before the page was loaded, otherwise you need to reload the page. The failed > requests are displayed in red so they are easy to notice. You can click on > each request to get more information, but more importantly you can right > click to get the full URL with parameters. Post here the bad URLs and also > the URL for the edit mode. > > The things to check are: > * are the REST URLs using the same scheme (HTTP/HTTPS) as the edit mode URL? > * do they have the same domain? > * is the REST system working when Kerberos SSO is enabled? > > Thanks, > Marius > >> >> >> Mark >> >> ___ >> users mailing list >> users@xwiki.org >> http://lists.xwiki.org
Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
I solved the SSO error in catalina.out. This was the result of an apache
misconfiguration. ("Limit GET POST" instead of "limit GET")
I'm now back to the trouble with the Tree view.
It still looks that authorization headers are missing in some requests. Does
anybody know if this is a correct assumption? And if it is, how can I solve
this?
-Oorspronkelijk bericht-
Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Mark Jas
Verzonden: donderdag 14 maart 2013 13:43
Aan: XWiki Users
Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
Hi Marius,
There are a lot of AJAX requests, some work, some don't.
All requests have cookie headers.
But it looks like the failed requests have no authorization header, and the
other requests do have one.
On the main page I see some failed requests (without authorization header) and
right after, the same request again with authorization header that succeeds!
Looks like some kind of retry. With the REST request, I do not see this
duplicate requests.
Mark
-Oorspronkelijk bericht-
Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens Marius
Dumitru Florea
Verzonden: donderdag 14 maart 2013 12:52
Aan: XWiki Users
Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
Ok, so the problem is:
* either the AJAX requests don't have the necessary authentication information
* or the REST system doesn't understand or doesn't handle properly the
authentication information from the request.
All AJAX requests should have all the cookies that the main request (for the
edit mode) has. So if the authentication information is stored in cookies then
it is send with the AJAX requests. The first thing to check is if the AJAX
requests (logged in the Firebug console) have the authentication information.
I don't know how the Kerberos SSO works nor if it integrates well with REST. We
need the help of a REST guru here :)
Thanks,
Marius
On Thu, Mar 14, 2013 at 1:37 PM, Mark Jas wrote:
> Forgot to mention:
> Catalina.out shows me this:
>
> 2013-03-14 12:35:58,430
> [http://xwiki/xwiki/bin/get/Main/WebHome?xpage=xpart&vm=commentsinline.vm]
> WARN a.t.TrustedLDAPAuthServiceImpl - Failed to resolve remote user. It
> usually mean that no SSO information has been provided to XWiki.
>
> -Oorspronkelijk bericht-----
> Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens
> Mark Jas
> Verzonden: donderdag 14 maart 2013 12:34
> Aan: XWiki Users
> Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
>
> Hi Marius,
>
> I used firebug like you said. Here my findings:
> - Scheme is ok. (all http)
> - hostname is ok (all "xwiki")
> - the console shows me a lot of request with a "401 authorization
> required" (not only on the tree page, but also on other pages)
> - all the REST request on the tree page have "401 authorization
> required" responses.
> - No authentication errors in apache logs
> - http://xwiki/xwiki/rest/ with SSO gives me an "Internal Server Error"
> (no error in apache logs)
> - http://xwiki/xwiki/rest/ without SSO gives me some XML
> - All REST requests I see in the console are the same:
> http://xwiki/xwiki/rest/wikis/xwiki/spaces?r=221031
>
> Hope you can help.
> Thanks.
> Mark
>
> -Oorspronkelijk bericht-
> Van: users-boun...@xwiki.org [mailto:users-boun...@xwiki.org] Namens
> Marius Dumitru Florea
> Verzonden: donderdag 14 maart 2013 8:22
> Aan: XWiki Users
> Onderwerp: Re: [xwiki-users] TRANSPORT_ERROR with SSO in tree view
>
> On Wed, Mar 13, 2013 at 9:06 PM, Mark Jas wrote:
>> Hello,
>>
>>
>> I get a popup with the error “Server returned TRANSPORT_ERROR with no error
>> message.” If I select the tree view in the document index.
>>
>> I’m using xwiki 4.5 with kerberos SSO. If I disable kerberos in apache and
>> use the normal login, everything works just fine.
>>
>> Is this a bug?
>
> Could be. TRANSPORT_ERROR normally happens when a request made by the tree
> fails (usually because the URL is bad). The tree uses the REST system to
> fetch its data, so all requests made by the tree are /rest/ requests. It
> would be of great help if you could tell us what requests are failing (their
> URL is important). In order to check this you can use Firefox with its
> Firebug extension. This extension has a Console tab where you can see all the
> (AJAX) requests made by the editor and its tree, if the console was opened
> before the page was loaded, otherwise you need to reload the page. The failed
> requests are displayed in red so they are easy to notice. You can click on
> each request to g
[xwiki-users] AD group mapping problem
Hello, I’m using Xwiki enterprise 4.1 with LDAP authentication to an Active Directory server. Authentication works fine, but my group mappings don’t work. I think the problem is that I’m using sAMAccountName as UID_attr, but the memberfields of my groups contain the full ldap-dn of the user. So this way, they do not match and users are not seen as members in the group. Is my assumption correct? And is there a solution for this problem? (I have an other site with an OpenLDAP server which has normal uid’s in the group memberfields. This one works fine!) Regards, Mark ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] AD group mapping problem
The LDAP debugging log revealed that my group dn was incorrect. :-S Thanks for your help! ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
