On Tue, Jul 7, 2009 at 01:43, Regan Gill<[email protected]> wrote:
> Hi All,
>
>
>
> This problem has been driving me crazy for several days. I have XWiki
> running in Tomcat and it works fine, but I am trying to get LDAP
> authentication implemented and am unable to get past this current issue.
> I have looked at all the past issues mentioned on this group and
> searched the internet, but none of the cases seem to be related to mine.
> I am able to use LDAP with Apache httpd from my machine against our AD
> Server, but unable to get XWiki (in Tomcat) to do the same. I have tried
> different versions of XWiki 1.9.2 and 2.0, followed the instructions
> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory,
> and am able to bind and find the user uid, but then it fails on the
> password authentication.
>
>
>
> This is the problem -- XWiki appears to find the user in the directory
> then fails on the userPassword attribute:
>
>
>
> 2009-07-06 16:00:34,812 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPUtils             - Searching for the user in LDAP: user:rgill base:dc=AcceptSoftware,dc=local query:(sAMAccountName=rgill) uid:sAMAccountName
> 2009-07-06 16:00:34,812 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        - LDAP search: baseDN=[dc=AcceptSoftware,dc=local] query=[(sAMAccountName=rgill)] attr=[[sAMAccountName, sn, givenName, displayName, mail, dn]] ldapScope=[2]
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "displayName"
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [Regan Gill]
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "givenName"
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [Regan]
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "sn"
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [Gill]
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "mail"
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [[email protected]]
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "sAMAccountName"
> 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [rgill]
> 2009-07-06 16:00:34,875 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        - LDAP search found attributes: [{name=dn value=CN=Regan Gill,OU=Users,OU=Fremont,OU=ASC,DC=AcceptSoftware,DC=local}, {name=displayName value=Regan Gill}, {name=givenName value=Regan}, {name=sn value=Gill}, {name=mail [email protected]}, {name=sAMAccountName value=rgill}]
> 2009-07-06 16:00:34,875 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        - Unable to verify password because userPassword attribute not found.
> LDAPException: No Such Attribute (16) No Such Attribute
> LDAPException: Server Message: 00002080: AtrErr: DSID-03080139, #1:
>                0: 00002080: DSID-03080139, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 23 (userPassword)
>
> LDAPException: Matched DN:
>                at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
>                at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
>                at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
>                at com.novell.ldap.LDAPConnection.compare(Unknown Source)
>                at com.novell.ldap.LDAPConnection.compare(Unknown Source)
>                at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.checkPassword(XWikiLDAPConnection.java:251)
>                at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:398)
>
>
>
> The error message in red is exactly what the AD server sends back when
> the request is made, so I know it's coming from the AD server itself.
>
>
>
> However, when I use Apache, it authenticates using the same
> information:
>
>
>
> [Mon Jul 06 16:05:56 2009] [debug] mod_authnz_ldap.c(474): [client
> 127.0.0.1] [4444] auth_ldap authenticate: accepting rgill, referer:
>
>
>
> In addition, we have another application that is also able to bind and
> authenticate with the same settings and AD Server. Since the user is
> being found in AD in both cases, I would expect the authentication to
> work as well in XWiki as in Apache's LDAP module. I am not an LDAP or
> Active Directory expert, but unless someone can help, I may need to
> become one to get this to work...
>

Did you enable xwiki.authentication.ldap.validate_password? This is
the only thing I know which explicitly needs the name of the password
field.

This option is for very particular cases where you want to use as a
password something which is not considered the standard bind password
by the LDAP server (it's an old option, here only because we used to
have a very specific use case once, a very long time ago). In 99.9% of
cases you don't need that; the LDAP authenticator always validates user
credentials using a standard bind (even if you use an "admin" user to
access the LDAP server).

>
>
> Thanks,
>
> Regan
>
> ________________________________________________________
>
> Regan Gill | Process Architect | Accept Software Corporation
> office: +1.510.403.4023 | mobile: +1.510.798.3082 | fax: +1.510.979.0220
> 42840 Christy Street, Suite 201, Fremont, CA  94538  USA
> www.acceptsoftware.com <http://www.acceptsoftware.com/>
>
>
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
>



-- 
Thomas Mortagne
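
The setting discussed in the reply above, as an added configuration sketch (not part of the original thread and not the poster's actual xwiki.cfg): it places the compare-based password check that matches the stack trace beside the default bind-based check. The host name, bind DN and bind password are placeholders; `base_DN` and `UID_attr` are taken from the quoted log, and the remaining keys are the standard xwiki.cfg LDAP keys.

```properties
# Added illustration. Values in <...> and the host name are placeholders.
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=ad.example.invalid
xwiki.authentication.ldap.port=389

# From the quoted debug log: search base and the attribute used as login name.
xwiki.authentication.ldap.base_DN=dc=AcceptSoftware,dc=local
xwiki.authentication.ldap.UID_attr=sAMAccountName

# Account XWiki uses to search for the user entry (the "admin" user in the reply).
xwiki.authentication.ldap.bind_DN=<SERVICE_ACCOUNT_DN>
xwiki.authentication.ldap.bind_pass=<SERVICE_ACCOUNT_PASSWORD>

# Setting that matches the failure in the log: after the search, XWiki issues an
# LDAP compare against the password attribute (LDAPConnection.compare in the
# stack trace) and the AD server answers NO_ATTRIBUTE_OR_VAL for userPassword.
#xwiki.authentication.ldap.validate_password=1
#xwiki.authentication.ldap.password_field=userPassword

# Default behaviour described in the reply: no compare, the user's credentials
# are validated by a standard bind, so the directory never has to expose a
# password attribute to the wiki's service account.
xwiki.authentication.ldap.validate_password=0
```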