Hi all,

I think I have got some news about the LDAP support in Xwiki. It does not support the LDAP Referral (at least by default, perhaps there is a flag somewhere to set?)
When you are looking for a specific key in LDAP, sometimes you get information from the LDAP you are currently searching that the information you are looking for is in another LDAP repository, and thus the first LDAP gives you the next LDAP URL to search. In the current Xwiki LDAP this ends with the LDAP Referral exception as indicated below: Automatic referral following not enabled.

I have done another test looking directly into the right LDAP repository containing my information and I have gone a step further. Now I failed on an attribute that Xwiki seems to need: "userPassword" that I don't have in my user form.

I am on my way to defining a dedicated AuthServiceImpl as I only need to check if the bind is ok to allow a user to enter into xwiki.

Fabien

On Tue, May 20, 2008 at 9:33 AM, Fabien <[EMAIL PROTECTED]> wrote:

> My login does not contain a "." and I already get bind, I got another
> problem after the bind during the search.
>
> I got the following error, but I am unable to google what it means.
>
> Does anyone know what this error means? And how to correct it?
>
> "LDAP Search failed LDAPReferralException: *Automatic referral following
> not enabled* (10) Referral LDAPReferralException: Server Message:
> 0000202B: RefErr: DSID-0310063C, data 0, 1 access points"
>
> Fabien
>
> On Fri, May 16, 2008 at 3:23 PM, Mihails Agafonovs <[EMAIL PROTECTED]> wrote:
>
>> If your sAMAccountName is like name.surname, it won't work. XWiki has
>> some problems with "." (or is this solved?) sign when logging in.
>> Quoting Fabien :
>> Hi,
>> I don't know if this will help, but here is below my xwiki.cfg
>> configuration file that enables me to bind.
>> I still do not reach the field mapping step though, I get a
>> "LDAPReferralException: Automatic referral following not enabled (10)
>> Referral LDAPReferralException: Server Message: 0000202B: RefErr:
>> DSID-0310063C, data 0, 1 access points Iref 1: 'ad.toto.com'"
>> ------8
>> > yep, that was the first attempt.
>> > no matter what variation i try i get
>> > bind errors or invalid credentials (depending on what user i try to
>> > login). xwiki shows an 'internal error' on the login dialog.
>> >
>> > its very weird. the mediawiki configuration is almost exactly the same
>> > (using that domain\user syntax rather than ldap)
>> >
>> > hard to tell what i'm doing wrong :)
>> >
>> > i'll do another attempt on a different server next week to make sure its
>> > nothing too stupid.
>> >
>> > thanks!
>> >
>> > regards
>> >
>> > werner
>> >
>> > Thomas Mortagne wrote:
>> > > Hi,
>> > >
>> > > Did you try the suggested AD configuration at
>> > > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory
>> > > ?
>> > >
>> > > On Mon, May 12, 2008 at 12:38 PM, Mihails Agafonovs wrote:
>> > >> Try LDAP Browser to find the correct configuration.
>> > >>
>> > >> I've succeeded in connecting to AD, using the CN attribute, so in
>> > >> config it would be:
>> > >>
>> > >> bind_DN={0} /// here the user will type his cn
>> > >> UID_attr=cn
>> > >> Quoting werner mueller :
>> > >> hello
>> > >>
>> > >> well i am a little stuck. i cant make it work although i copied the
>> > >> settings from a working example (well another tool but the same
>> > >> servers). i can only get to 'invalid credentials'
>> > >> does the server need to be in the same domain as the active directory to
>> > >> use the bind_DN=subdomain{0} bind schema? the server is a linux
>> > >> machine and is not added to the windows domain.
>> > >> is there a unit test or little tool or something one could use for
>> > >> testing? its a little weird its not working.
>> > >> thanks for any ideas :)
>> > >> regards
>> > >> werner
>> > >> Thomas Mortagne wrote:
>> > >> > You can enable "debug" logging, see
>> > >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging
>> > >> >
>> > >> > On Wed, Apr 30, 2008 at 1:54 PM, werner mueller wrote:
>> > >> >> Hello
>> > >> >>
>> > >> >> thanks for the quick reply.
>> > >> >>
>> > >> >> well the config should work then :/
>> > >> >> i compared it with the bugzilla / subversion config which uses the same
>> > >> >> ldap / active directory auth. the only difference is that they
>> > >> >> distinguish the bind user with the user to be authenticated. but in my
>> > >> >> case even the bind user cannot login.
>> > >> >>
>> > >> >> 2008-04-30 13:44:34,891 [http://dev.edoras.ch:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-Processor24] WARN LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed.
>> > >> >> com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
>> > >> >> Wrapped Exception: Invalid Credentials
>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:178)
>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:109)
>> > >> >>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:194)
>> > >> >>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:107)
>> > >> >> .........
>> > >> >>
>> > >> >> Wrapped Exception:
>> > >> >>
>> > >> >> LDAPException: Invalid Credentials (49) Invalid Credentials
>> > >> >> LDAPException: Server Message: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
>> > >> >> LDAPException: Matched DN:
>> > >> >>     at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
>> > >> >>     at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
>> > >> >>     at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
>> > >> >>     at com.novell.ldap.LDAPConnection.bind(Unknown Source)
>> > >> >>     at com.novell.ldap.LDAPConnection.bind(Unknown Source)
>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:170)
>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:109)
>> > >> >>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:194)
>> > >> >>
>> > >> >> is there some debug feature i can turn on to get some more information?
>> > >> >> or some small test-class to verify the settings? it seems it uses the
>> > >> >> login name from the login form but then authentication fails.
>> > >> >>
>> > >> >> thanks a lot :)
>> > >> >> regards
>> > >> >>
>> > >> >> werner
>> > >> >>
>> > >> >> Thomas Mortagne wrote:
>> > >> >> > On Wed, Apr 30, 2008 at 11:55 AM, werner mueller wrote:
>> > >> >> >> Hello
>> > >> >> >>
>> > >> >> >> thanks for the reply.
>> > >> >> >> back to stupid questions:
>> > >> >> >>
>> > >> >> >> > #-# LDAP login, empty = anonymous access, otherwise specify full dn
>> > >> >> >> > #-# {0} is replaced with the username, {1} with the password
>> > >> >> >> > #xwiki.authentication.ldap.bind_DN=cn={0},department=USER,o=MP
>> > >> >> >> > #xwiki.authentication.ldap.bind_pass={1}
>> > >> >> >>
>> > >> >> >> {0} is the username from the login form in xwiki?
>> > >> >> >> {1} is the password from the login form in xwiki?
>> > >> >> >
>> > >> >> > Yes, you really write "{0}" and "{1}" in the configuration and it will
>> > >> >> > be replaced at runtime by user/pass provided by user in the login
>> > >> >> > form.
>> > >> >> >
>> > >> >> >> or are these documentation placeholders to be filled in the config file
>> > >> >> >> directly?
>> > >> >> >>
>> > >> >> >> thanks :)
>> > >> >> >>
>> > >> >> >> regards
>> > >> >> >>
>> > >> >> >> werner
>> > >> >> >>
>> > >> >> >> Thomas Mortagne wrote:
>> > >> >> >> > On Tue, Apr 29, 2008 at 1:30 PM, werner mueller wrote:
>> > >> >> >> >> Hello
>> > >> >> >> >>
>> > >> >> >> >> thanks for the hints.
>> > >> >> >> >>
>> > >> >> >> >> i tried some other configurations but with no luck. it seems not every
>> > >> >> >> >> user is allowed to query the ldap structure. i have to use a special
>> > >> >> >> >> user/password to bind xwiki to the active directory. that user can login
>> > >> >> >> >> but thats not a solution. allow everyone to query the ad is not an
>> > >> >> >> >> option for us.
>> > >> >> >> >>
>> > >> >> >> >> has anyone a working active directory config he or she could share?
>> > >> >> >> >>
>> > >> >> >> >> is it possible to trick xwiki to use a different user to bind to the AD
>> > >> >> >> >> and then use username/password from login to process the login?
>> > >> >> >> >> i've been doing similar things for bugzilla/ldap using LDAPbinddn =
>> > >> >> >> >> cn=,cn=Users,dc=domain,dc=com:
>> > >> >> >> >
>> > >> >> >> > Yes and it's the default way to work for LDAP authenticator. You can
>> > >> >> >> > see in default xwiki.cfg :
>> > >> >> >> >
>> > >> >> >> > #-# LDAP login, empty = anonymous access, otherwise specify full dn
>> > >> >> >> > #-# {0} is replaced with the username, {1} with the password
>> > >> >> >> > #xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
>> > >> >> >> > #xwiki.authentication.ldap.bind_pass={1}
>> > >> >> >> >
>> > >> >> >> > So in your case it would be :
>> > >> >> >> >
>> > >> >> >> > xwiki.authentication.ldap.bind_DN=cn={0},cn=Users,dc=domain,dc=com
>> > >> >> >> > xwiki.authentication.ldap.bind_pass={1}
>> > >> >> >> >
>> > >> >> >> >> btw: yes i am sure its version 1.3.2.9174. its the one copy pasted from
>> > >> >> >> >> xwiki. unless its not correct there but that would be weird.
>> > >> >> >> >>
>> > >> >> >> >> any hints or examples would be cool :)
>> > >> >> >> >> thanks a lot
>> > >> >> >> >>
>> > >> >> >> >> regards
>> > >> >> >> >>
>> > >> >> >> >> werner
>> > >> >> >> >>
>> > >> >> >> >> Thomas Mortagne wrote:
>> > >> >> >> >> > Also I think
>> > >> >> >> >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory
>> > >> >> >> >> > is based in old LDAP authenticator (see
>> > >> >> >> >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/AuthenticationLdapOld
>> > >> >> >> >> > ).
>> > >> >> >> >> >
>> > >> >> >> >> > On Thu, Apr 17, 2008 at 7:35 PM, Thomas Mortagne wrote:
>> > >> >> >> >> >> Hi,
>> > >> >> >> >> >>
>> > >> >> >> >> >> On Thu, Apr 17, 2008 at 7:02 PM, werner mueller wrote:
>> > >> >> >> >> >> > hello
>> > >> >> >> >> >> >
>> > >> >> >> >> >> > i am currently trying to setup xwiki on tomcat 5.5/mysql. until now its
>> > >> >> >> >> >> > doing quite well :)
>> > >> >> >> >> >> >
>> > >> >> >> >> >> > my next step is to get ldap authentication against an active directory
>> > >> >> >> >> >> > working. i followed
>> > >> >> >> >> >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory
>> > >> >> >> >> >> > and some postings on the mailing list but i cant get it to work.
>> > >> >> >> >> >> >
>> > >> >> >> >> >> > i either end up with:
>> > >> >> >> >> >> > com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP
>> > >> >> >> >> >> > bind failed with LDAPException.
>> > >> >> >> >> >> > Wrapped Exception: Invalid Credentials
>> > >> >> >> >> >> >
>> > >> >> >> >> >> > or worse (with in my eyes the proper config):
>> > >> >> >> >> >> > WARN LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed.
>> > >> >> >> >> >> > java.lang.NullPointerException
>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:256)
>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:107)
>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:194)
>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:127)
>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:112)
>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:214)
>> > >> >> >> >> >> >     at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3307)
>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:136)
>> > >> >> >> >> >> >     at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3315)
>> > >> >> >> >> >> >     at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4259)
>> > >> >> >> >> >> >     at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:173)
>> > >> >> >> >> >> > ...
>> > >> >> >> >> >>
>> > >> >> >> >> >> Could you copy/paste your configuration.
>> > >> >> >> >> >>
>> > >> >> >> >> >> > i've done ldap auth on several other tools (apache/subversion,
>> > >> >> >> >> >> > bugzilla).
>> > >> >> >> >> >> > there i used two accounts: one allowed to bind to the active
>> > >> >> >> >> >> > directory and do searches and the useraccount itself.
>> > >> >> >> >> >> >
>> > >> >> >> >> >> > in the xwiki config i can only see the user logging in is used to bind
>> > >> >> >> >> >> > to the ldap server?
>> > >> >> >> >> >>
>> > >> >> >> >> >> You can define a user able to bind to the active directory using
>> > >> >> >> >> >> "bind_DN" and "bind_pass" properties and it will search for provided
>> > >> >> >> >> >> login in ldap based on "UID_attr" property
>> > >> >> >> >> >>
>> > >> >> >> >> >> > is the documentation current for xwiki 1.3.2.9174? or can someone give
>> > >> >> >> >> >> > me a hint to make this work?
>> > >> >> >> >> >>
>> > >> >> >> >> >> Are you sure you use xwiki-core 1.3.2 version, I can't find in the
>> > >> >> >> >> >> code what could make NullPointerException at
>> > >> >> >> >> >> XWikiLDAPAuthServiceImpl.java:256
>> > >> >> >> >> >>
>> > >> >> >> >> >> > thanks a lot
>> > >> >> >> >> >> > regards
>> > >> >> >> >> >> >
>> > >> >> >> >> >> > werner
>> > >> >> >> >> >> >
>> > >> >> >> >> >> > _______________________________________________
>> > >> >> >> >> >> > users mailing list
>> > >> >> >> >> >> > [email protected]
>> > >> >> >> >> >> > http://lists.xwiki.org/mailman/listinfo/users
>> > >> >> >> >> >>
>> > >> >> >> >> >> --
>> > >> >> >> >> >> Thomas Mortagne
>> > >> Best regards, Mihails
>> Best regards, Mihails
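
An added triage example, not part of the original thread or of XWiki's code: it decodes the two server messages quoted above, mapping the Active Directory sub-code after "data" on a failed bind (525 means the expanded bind_DN matched no account, so the DN pattern is at fault rather than the password) and listing referral targets that are not on an allowlist. The names `triage`, `referral_host` and `trusted_hosts` are assumptions of this example, and the third sample message is constructed.

```python
import re

# Active Directory sub-codes that follow "data" in a failed bind (result 49).
AD_BIND_SUBCODES = {
    "525": "user not found: the expanded bind_DN matches no account",
    "52e": "invalid credentials: the account exists, the password is wrong",
    "532": "password expired",
    "533": "account disabled",
    "773": "user must reset password",
    "775": "account locked out",
}
RESULT_RE = re.compile(r"\((\d+)\)")  # LDAP result code, e.g. "(49)"
SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
REFERRAL_RE = re.compile(r"ref \d+: '([^']+)'")  # referral targets

# The first two messages are quoted from the thread; the third is constructed.
BIND_525 = ("LDAPException: Invalid Credentials (49) Invalid Credentials "
            "LDAPException: Server Message: 80090308: LdapErr: DSID-0C090334, "
            "comment: AcceptSecurityContext error, data 525, vece")
REFERRAL = ("LDAPReferralException: Automatic referral following not enabled (10) "
            "Referral LDAPReferralException: Server Message: 0000202B: RefErr: "
            "DSID-0310063C, data 0, 1 access points Iref 1: 'ad.toto.com'")
BIND_52E = ("LDAPException: Invalid Credentials (49) Invalid Credentials "
            "comment: AcceptSecurityContext error, data 52e, v0000")


def referral_host(target):
    """Lower-cased host of a referral target (bare host or LDAP URL)."""
    return re.sub(r"^\w+://", "", target).split("/")[0].split(":")[0].lower()


def triage(message, trusted_hosts=()):
    """Classify one LDAP error; trusted_hosts is an assumed referral allowlist."""
    match = RESULT_RE.search(message)
    code = int(match.group(1)) if match else None
    finding = {"result_code": code, "diagnosis": "unrecognised",
               "referrals": [], "untrusted_referrals": []}
    if code == 49:  # invalidCredentials
        sub = SUBCODE_RE.search(message)
        key = sub.group(1).lower() if sub else ""
        finding["diagnosis"] = AD_BIND_SUBCODES.get(key, "bind rejected, unknown sub-code")
    elif code == 10:  # referral
        trusted = {h.lower() for h in trusted_hosts}
        hosts = [referral_host(t) for t in REFERRAL_RE.findall(message)]
        finding["diagnosis"] = "referral returned and not followed by the client"
        finding["referrals"] = hosts
        finding["untrusted_referrals"] = [h for h in hosts if h not in trusted]
    return finding


if __name__ == "__main__":
    for msg in (BIND_525, REFERRAL, BIND_52E):
        print(triage(msg, trusted_hosts=["ad.toto.com"]))
```

A referral tells the client to connect to a different server, so an empty `untrusted_referrals` list is the condition to check before turning referral following on.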
