On Tue, May 20, 2008 at 4:54 PM, Fabien <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I think I have got some news about the LDAP support in Xwiki.
> It does not support the LDAP Referral (at least by default, perhaps there is
> a flag somewhere to set?)
>
> When you are looking for a specific key in LDAP, sometimes you get
> information from your current searched LDAP that the information you are
> looking for is in another LDAP repository, and thus the first LDAP gives you
> the next LDAP URL to search.
>
> In the current Xwiki LDAP this ends with the LDAP Referral exception as
> indicated below: Automatic referral following not enabled.

Could you create a jira issue for that at http://jira.xwiki.org/jira/browse/XWIKI ?

> I have done another test looking directly into the right LDAP repository
> containing my information and I have gone a step further. Now I failed on an
> attribute that Xwiki seems to need: "userPassword" that I don't have in my
> user form.

If you use the "new" LDAP authenticator (com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl since 1.3M2, see http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication), "userPassword" is only used when you set xwiki.authentication.ldap.validate_password to 1. Otherwise it tries a simple bind to validate the found LDAP user in case xwiki.authentication.ldap.bind_DN and xwiki.authentication.ldap.bind_pass are not configured to directly use provided user/pass to connect to LDAP server. Anyway "userPassword" field name should be configurable if this field does not exist, at least for you.

> I am on my way of defining a dedicated AuthServiceImpl as I only need to
> check if the bind is ok to allow a user to enter into xwiki.
>
> Fabien
>
> On Tue, May 20, 2008 at 9:33 AM, Fabien <[EMAIL PROTECTED]> wrote:
>
>> My login does not contain a "." and I already get bind, I got another
>> problem after the bind during the search.
>>
>> I got the following error, but I am unable to google what it means.
>>
>> Does anyone know what this error means? And how to correct it?
>>
>> "LDAP Search failed LDAPReferralException: *Automatic referral following
>> not enabled* (10) Referral LDAPReferralException: Server Message:
>> 0000202B: RefErr: DSID-0310063C, data 0, 1 access points"
>>
>> Fabien
>>
>> On Fri, May 16, 2008 at 3:23 PM, Mihails Agafonovs <[EMAIL PROTECTED]> wrote:
>>
>>> If your sAMAccountName is like name.surname, it won't work. XWiki has
>>> some problems with "." (or is this solved?) sign when logging in.
>>> Quoting Fabien:
>>> Hi,
>>> I don't know if this will help, but here is below my xwiki.cfg configuration
>>> file that enables me to bind.
>>> I still do not reach the field mapping step though, I get a
>>> "LDAPReferralException: Automatic referral following not enabled (10)
>>> Referral LDAPReferralException: Server Message: 0000202B: RefErr:
>>> DSID-0310063C, data 0, 1 access points Iref 1: 'ad.toto.com'"
>>> ------8
>>> > yep, that was the first attempt. no matter what variation i try i get
>>> > bind errors or invalid credentials (depending on what user i try to
>>> > login). xwiki shows an 'internal error' on the login dialog.
>>> >
>>> > its very weird. the mediawiki configuration is almost exactly the same
>>> > (using that domain\user syntax rather than ldap)
>>> >
>>> > hard to tell what i'm doing wrong :)
>>> >
>>> > i'll do another attempt on a different server next week to make sure its
>>> > nothing too stupid.
>>> >
>>> > thanks!
>>> >
>>> > regards
>>> >
>>> > werner
>>> >
>>> > Thomas Mortagne wrote:
>>> > > Hi,
>>> > >
>>> > > Did you try the suggested AD configuration at
>>> > > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory
>>> > > ?
>>> > >
>>> > > On Mon, May 12, 2008 at 12:38 PM, Mihails Agafonovs wrote:
>>> > >> Try LDAP Browser to find the correct configuration.
>>> > >>
>>> > >> I've succeeded in connecting to AD, using the CN attribute, so in
>>> > >> config it would be:
>>> > >>
>>> > >> bind_DN={0} /// here the user will type his cn
>>> > >> UID_attr=cn
>>> > >> Quoting werner mueller:
>>> > >> hello
>>> > >>
>>> > >> well i am a little stuck. i cant make it work although i copied the
>>> > >> settings from a working example (well another tool but the same
>>> > >> servers).
>>> > >> i can only get to 'invalid credentials'
>>> > >> does the server need to be in the same domain as the active directory to
>>> > >> use the bind_DN=subdomain{0} bind schema? the server is a linux
>>> > >> machine and is not added to the windows domain.
>>> > >> is there a unit test or little tool or something one could use for
>>> > >> testing? its a little weird its not working.
>>> > >> thanks for any ideas :)
>>> > >> regards
>>> > >> werner
>>> > >> Thomas Mortagne wrote:
>>> > >> > You can enable "debug" logging, see
>>> > >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging
>>> > >> >
>>> > >> > On Wed, Apr 30, 2008 at 1:54 PM, werner mueller wrote:
>>> > >> >> Hello
>>> > >> >>
>>> > >> >> thanks for the quick reply.
>>> > >> >>
>>> > >> >> well the config should work then :/
>>> > >> >> i compared it with the bugzilla / subversion config which uses the same
>>> > >> >> ldap / active directory auth. the only difference is that they
>>> > >> >> distinguish the bind user with the user to be authenticated. but in my
>>> > >> >> case even the bind user cannot login.
>>> > >> >>
>>> > >> >> 2008-04-30 13:44:34,891 [http://dev.edoras.ch:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-Processor24] WARN LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed.
>>> > >> >>
>>> > >> >> com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
>>> > >> >> Wrapped Exception: Invalid Credentials
>>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:178)
>>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:109)
>>> > >> >>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:194)
>>> > >> >>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:107)
>>> > >> >> .........
>>> > >> >>
>>> > >> >> Wrapped Exception:
>>> > >> >>
>>> > >> >> LDAPException: Invalid Credentials (49) Invalid Credentials
>>> > >> >> LDAPException: Server Message: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
>>> > >> >> LDAPException: Matched DN:
>>> > >> >>     at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
>>> > >> >>     at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
>>> > >> >>     at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
>>> > >> >>     at com.novell.ldap.LDAPConnection.bind(Unknown Source)
>>> > >> >>     at com.novell.ldap.LDAPConnection.bind(Unknown Source)
>>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:170)
>>> > >> >>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:109)
>>> > >> >>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:194)
>>> > >> >>
>>> > >> >> is there some debug feature i can turn on to get some more information?
>>> > >> >> or some small test-class to verify the settings? it seems it uses the
>>> > >> >> login name from the login form but then authentication fails.
>>> > >> >>
>>> > >> >> thanks a lot :)
>>> > >> >> regards
>>> > >> >>
>>> > >> >> werner
>>> > >> >>
>>> > >> >> Thomas Mortagne wrote:
>>> > >> >> > On Wed, Apr 30, 2008 at 11:55 AM, werner mueller wrote:
>>> > >> >> >> Hello
>>> > >> >> >>
>>> > >> >> >> thanks for the reply.
>>> > >> >> >> back to stupid questions:
>>> > >> >> >>
>>> > >> >> >> > #-# LDAP login, empty = anonymous access, otherwise specify full dn
>>> > >> >> >> > #-# {0} is replaced with the username, {1} with the password
>>> > >> >> >> > #xwiki.authentication.ldap.bind_DN=cn={0},department=USER,o=MP
>>> > >> >> >> > #xwiki.authentication.ldap.bind_pass={1}
>>> > >> >> >>
>>> > >> >> >> {0} is the username from the login form in xwiki?
>>> > >> >> >> {1} is the password from the login form in xwiki?
>>> > >> >> >
>>> > >> >> > Yes, you really write "{0}" and "{1}" in the configuration and it will
>>> > >> >> > be replaced at runtime by user/pass provided by user in the login
>>> > >> >> > form.
>>> > >> >> >
>>> > >> >> >> or are these documentation placeholders to be filled in the config file
>>> > >> >> >> directly?
>>> > >> >> >>
>>> > >> >> >> thanks :)
>>> > >> >> >>
>>> > >> >> >> regards
>>> > >> >> >>
>>> > >> >> >> werner
>>> > >> >> >>
>>> > >> >> >> Thomas Mortagne wrote:
>>> > >> >> >> > On Tue, Apr 29, 2008 at 1:30 PM, werner mueller wrote:
>>> > >> >> >> >> Hello
>>> > >> >> >> >>
>>> > >> >> >> >> thanks for the hints.
>>> > >> >> >> >>
>>> > >> >> >> >> i tried some other configurations but with no luck.
>>> > >> >> >> >> it seems not every user is allowed to query the ldap structure. i have to
>>> > >> >> >> >> use a special user/password to bind xwiki to the active directory.
>>> > >> >> >> >> that user can login but thats not a solution. allow everyone to query the ad
>>> > >> >> >> >> is not an option for us.
>>> > >> >> >> >>
>>> > >> >> >> >> has anyone a working active directory config he or she could share?
>>> > >> >> >> >>
>>> > >> >> >> >> is it possible to trick xwiki to use a different user to bind to the AD
>>> > >> >> >> >> and then use username/password from login to process the login?
>>> > >> >> >> >> i've been doing similar things for bugzilla/ldap using LDAPbinddn =
>>> > >> >> >> >> cn=,cn=Users,dc=domain,dc=com:
>>> > >> >> >> >
>>> > >> >> >> > Yes and it's the default way to work for LDAP authenticator. You can
>>> > >> >> >> > see in default xwiki.cfg :
>>> > >> >> >> >
>>> > >> >> >> > #-# LDAP login, empty = anonymous access, otherwise specify full dn
>>> > >> >> >> > #-# {0} is replaced with the username, {1} with the password
>>> > >> >> >> > #xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
>>> > >> >> >> > #xwiki.authentication.ldap.bind_pass={1}
>>> > >> >> >> >
>>> > >> >> >> > So in your case it would be :
>>> > >> >> >> >
>>> > >> >> >> > xwiki.authentication.ldap.bind_DN=cn={0},cn=Users,dc=domain,dc=com
>>> > >> >> >> > xwiki.authentication.ldap.bind_pass={1}
>>> > >> >> >> >
>>> > >> >> >> >> btw: yes i am sure its version 1.3.2.9174. its the one copy pasted from
>>> > >> >> >> >> xwiki. unless its not correct there but that would be weird.
>>> > >> >> >> >> any hints or examples would be cool :)
>>> > >> >> >> >> thanks a lot
>>> > >> >> >> >>
>>> > >> >> >> >> regards
>>> > >> >> >> >>
>>> > >> >> >> >> werner
>>> > >> >> >> >>
>>> > >> >> >> >> Thomas Mortagne wrote:
>>> > >> >> >> >> > Also I think
>>> > >> >> >> >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory
>>> > >> >> >> >> > is based in old LDAP authenticator (see
>>> > >> >> >> >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/AuthenticationLdapOld ).
>>> > >> >> >> >> >
>>> > >> >> >> >> > On Thu, Apr 17, 2008 at 7:35 PM, Thomas Mortagne wrote:
>>> > >> >> >> >> >> Hi,
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> On Thu, Apr 17, 2008 at 7:02 PM, werner mueller wrote:
>>> > >> >> >> >> >> > hello
>>> > >> >> >> >> >> >
>>> > >> >> >> >> >> > i am currently trying to setup xwiki on tomcat 5.5/mysql. until now its
>>> > >> >> >> >> >> > doing quite well :)
>>> > >> >> >> >> >> >
>>> > >> >> >> >> >> > my next step is to get ldap authentication against an active directory
>>> > >> >> >> >> >> > working. i followed
>>> > >> >> >> >> >> > http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory
>>> > >> >> >> >> >> > and some postings on the mailing list but i cant get it to work.
>>> > >> >> >> >> >> >
>>> > >> >> >> >> >> > i either end up with:
>>> > >> >> >> >> >> > com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
>>> > >> >> >> >> >> > Wrapped Exception: Invalid Credentials
>>> > >> >> >> >> >> >
>>> > >> >> >> >> >> > or worse (with in my eyes the proper config):
>>> > >> >> >> >> >> > WARN LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed.
>>> > >> >> >> >> >> > java.lang.NullPointerException
>>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:256)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:107)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:194)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:127)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:112)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:214)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3307)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:136)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3315)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4259)
>>> > >> >> >> >> >> >     at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:173)
>>> > >> >> >> >> >> >     ...
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> Could you copy/paste your configuration.
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> > i've done ldap auth on several other tools (apache/subversion,
>>> > >> >> >> >> >> > bugzilla). there i used two accounts: one allowed to bind to the active
>>> > >> >> >> >> >> > directory and do searches and the useraccount itself.
>>> > >> >> >> >> >> >
>>> > >> >> >> >> >> > in the xwiki config i can only see the user logging in is used to bind
>>> > >> >> >> >> >> > to the ldap server?
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> You can define a user able to bind to the active directory using
>>> > >> >> >> >> >> "bind_DN" and "bind_pass" properties and it will search for provided
>>> > >> >> >> >> >> login in ldap based on "UID_attr" property
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> > is the documentation current for xwiki 1.3.2.9174? or can someone give
>>> > >> >> >> >> >> > me a hint to make this work?
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> Are you sure you use xwiki-core 1.3.2 version, I can't find in the
>>> > >> >> >> >> >> code what could make NullPointerException at
>>> > >> >> >> >> >> XWikiLDAPAuthServiceImpl.java:256
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> > thanks a lot
>>> > >> >> >> >> >> > regards
>>> > >> >> >> >> >> >
>>> > >> >> >> >> >> > werner
>>> > >> >> >> >> >> >
>>> > >> >> >> >> >> > _______________________________________________
>>> > >> >> >> >> >> > users mailing list
>>> > >> >> >> >> >> > [email protected]
>>> > >> >> >> >> >> > http://lists.xwiki.org/mailman/listinfo/users
>>> > >> >> >> >> >>
>>> > >> >> >> >> >> --
>>> > >> >> >> >> >> Thomas Mortagne
>>> > >> Best regards, Mihails
>>> Best regards, Mihails

--
Thomas Mortagne
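
Added example, not part of the thread and not XWiki code: a small Python triage helper that pulls the LDAP result code and the Active Directory "data" sub-code out of the error messages quoted above. The sub-code table is standard Active Directory bind behaviour; the function name and the wrong-password sample line are made up for this illustration.

```python
import re

# Sub-codes Active Directory appends to a failed bind as
# "AcceptSecurityContext error, data <hex>" (hex Win32 logon error).
AD_BIND_SUBCODES = {
    "525": "user not found: no account matches the bind DN / login name",
    "52e": "account found but the password is wrong",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_RESULT_CODE = re.compile(r"\((\d+)\)")
_AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

# The first two messages are copied from the thread; the third is constructed.
SAMPLE_BIND = ("LDAPException: Invalid Credentials (49) Invalid Credentials "
               "LDAPException: Server Message: 80090308: LdapErr: DSID-0C090334, "
               "comment: AcceptSecurityContext error, data 525, vece")
SAMPLE_REFERRAL = ("LDAPReferralException: Automatic referral following not "
                   "enabled (10) Referral LDAPReferralException: Server Message: "
                   "0000202B: RefErr: DSID-0310063C, data 0, 1 access points")
SAMPLE_WRONG_PASSWORD = ("LDAPException: Invalid Credentials (49) "
                         "AcceptSecurityContext error, data 52e, vece")


def triage(message):
    """Return (ldap_result_code, ad_subcode, advice) for one error message."""
    m = _RESULT_CODE.search(message)
    code = int(m.group(1)) if m else None
    m = _AD_DATA.search(message)
    sub = m.group(1).lower() if m else None

    if code == 10 or "RefErr" in message:
        advice = ("referral: the entry is held by another directory server; "
                  "query the server or base DN that actually holds it")
    elif sub in AD_BIND_SUBCODES:
        advice = AD_BIND_SUBCODES[sub]
    elif code == 49:
        advice = "invalid credentials, no AD sub-code present in the message"
    else:
        advice = "unrecognised message"
    return code, sub, advice


if __name__ == "__main__":
    for line in (SAMPLE_BIND, SAMPLE_REFERRAL, SAMPLE_WRONG_PASSWORD):
        print(triage(line))
```

For the bind failure quoted in the thread the sub-code is 525, meaning the directory found no account for the DN built from bind_DN, so the thing to check is the bind_DN template rather than the password.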
