Hello Thomas,

I guess you're right. I get a 'not allowed' error message, even when being authenticated on the domain. This means that Windows AD 2008 LDAP authentication is out for now?

Best regards,
Paul Rijnhout
ICT Manager

-----Original message-----
From: [email protected] [mailto:[email protected]] On behalf of Thomas Mortagne
Sent: Monday, 16 November 2009 14:40
To: XWiki Users
Subject: Re: [xwiki-users] LDAP Authentication fails with AD

On Mon, Nov 16, 2009 at 13:31, Paul Rijnhout <[email protected]> wrote:
> Hi Thomas,
>
> Thanks for your reply. I'm using 2.0.3, freshly installed, no other pages
> imported or loaded, just the default XWiki XAR, and this is the result.
>

I think the jldap automatic referral support supports only anonymous access to referrals. Does ldap://ForestDnsZones.mega.local/DC=ForestDnsZones,DC=mega,DC=local login/password ? That maybe would explain.

If that's the case, it would be great if you could create an issue on http://jira.xwiki.org about referral with authentication support.

What is weird is that the error message seems to indicate that automatic referral support is not enabled ("referral following is off"). I would need to test it more when I can find some time.

> Best regards,
>
> Paul Rijnhout
> ICT Manager
>
> -----Original message-----
> From: [email protected] [mailto:[email protected]] On behalf of Thomas Mortagne
> Sent: Saturday, 14 November 2009 18:24
> To: XWiki Users
> Subject: Re: [xwiki-users] LDAP Authentication fails with AD
>
> Hi,
>
> On Sat, Nov 14, 2009 at 10:19, Paul Rijnhout
> <[email protected]> wrote:
>> Hello,
>>
>> I seem to have an LDAP configuration problem which I cannot solve. I'm trying
>> to authenticate to an AD Windows 2008 domain. The domain is a standard one
>> forest, one domain named mega.local. I've configured xwiki.cfg according to the
>> instructions with:
>> #-------------------------------------------------------------------------------------
>> # LDAP
>> #-------------------------------------------------------------------------------------
>>
>> #-# new LDAP authentication service
>> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
>>
>> #-# Turn LDAP authentication on - otherwise only XWiki authentication
>> #-# 0: disable
>> #-# 1: enable
>> xwiki.authentication.ldap=1
>>
>> #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
>> xwiki.authentication.ldap.server=hf-dom02.mega.local
>> xwiki.authentication.ldap.port=389
>>
>> #-# LDAP login, empty = anonymous access, otherwise specify full dn
>> #-# {0} is replaced with the username, {1} with the password
>> xwiki.authentication.ldap.bind_DN=mega\\sa_ad
>> xwiki.authentication.ldap.bind_pass=.....
>>
>> #-# Force to check password after LDAP connection
>> #-# 0: disable
>> #-# 1: enable
>> xwiki.authentication.ldap.validate_password=0
>>
>> #-# only members of the following group will be verified in the LDAP
>> #-# otherwise only users that are found after searching starting from the base_DN
>> # xwiki.authentication.ldap.user_group=cn=Users
>>
>> #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
>> #-# only users not member of the following group can authenticate
>> # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
>>
>> #-# base DN for searches
>> xwiki.authentication.ldap.base_DN=dc=mega,dc=local
>>
>> #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
>> xwiki.authentication.ldap.UID_attr=saAMAccountName
>
> It's sAMAccountName, maybe you did a wrong copy paste in the mail
>
>>
>> But all searches failed with the following error. Anyone ideas left?
>>
>> 2009-11-13 13:53:47,157 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] INFO .AbstractXWikiMigrationManager - No storage migration required since current version is [15429]
>> 2009-11-13 13:53:48,735 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG LDAP.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
>> 2009-11-13 13:53:48,735 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG ldap.XWikiLDAPConfig - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, group]
>> 2009-11-13 13:53:48,735 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG ldap.XWikiLDAPConfig - ldap_group_memberfields: [member, uniquemember]
>> 2009-11-13 13:53:48,767 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG ldap.XWikiLDAPConnection - Connection to LDAP server [hf-dom02.mega.local:389]
>> 2009-11-13 13:53:48,782 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG ldap.XWikiLDAPConnection - Binding to LDAP server with credentials login=[mega\sa_ad]
>> 2009-11-13 13:53:48,813 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG ldap.XWikiLDAPUtils - Searching for the user in LDAP: user:p.rijnhout base:dc=mega,dc=local query:(saAMAccountName=p.rijnhout) uid:saAMAccountName
>> 2009-11-13 13:53:48,813 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG ldap.XWikiLDAPConnection - LDAP search: baseDN=[dc=mega,dc=local] query=[(saAMAccountName=p.rijnhout)] attr=[[sn, givenName, mail]] ldapScope=[2]
>> 2009-11-13 13:53:48,829 [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] [http://ict.mega.local/bin/loginsubmit/XWiki/XWikiLogin] DEBUG ldap.XWikiLDAPConnection - LDAP Search failed
>> LDAPReferralException: Search result reference received, and referral following is off (10) Referral
>
> Looks like the result is in another LDAP server (a referral), a
> partial support of LDAP referrals has been added in XWiki 2.0.3, if
> you are using an older version that's why it's not working for you.
>
>> LDAPReferralException: Referral: ldap://ForestDnsZones.mega.local/DC=ForestDnsZones,DC=mega,DC=local
>>   at com.novell.ldap.LDAPSearchResults.next(Unknown Source)
>>   at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.searchLD
>>
>> Best regards,
>>
>> Paul Rijnhout
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/users
>
> --
> Thomas Mortagne

--
Thomas Mortagne
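
Added example, not part of the original thread and not XWiki or JLDAP code: a small Python triage script run over a constructed, condensed copy of the log lines quoted above. It flags the two points raised in the thread, the search attribute that does not match a known name and the referral that was not followed, and checks whether the referral DN lies under the search base; `KNOWN_ATTRS` and all function names are assumptions made for this illustration.

```python
import difflib
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: condensed from the log lines quoted in the thread.
SAMPLE_LOG = """\
DEBUG ldap.XWikiLDAPConnection - LDAP search: baseDN=[dc=mega,dc=local] query=[(saAMAccountName=p.rijnhout)] attr=[[sn, givenName, mail]] ldapScope=[2]
DEBUG ldap.XWikiLDAPConnection - LDAP Search failed
LDAPReferralException: Search result reference received, and referral following is off (10) Referral
LDAPReferralException: Referral: ldap://ForestDnsZones.mega.local/DC=ForestDnsZones,DC=mega,DC=local
"""

# Assumption: attribute names commonly used to look up Active Directory users.
KNOWN_ATTRS = ["sAMAccountName", "userPrincipalName", "cn", "uid", "mail"]

SEARCH_RE = re.compile(
    r"baseDN=\[(?P<base>[^\]]*)\] query=\[\((?P<attr>[^=()]+)=[^\]]*\]")
REFERRAL_RE = re.compile(r"Referral:\s*(ldaps?://\S+)")


def norm_dn(dn):
    """Lower-case a DN and drop spaces around its components for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def diagnose(log):
    """Return (kind, subject, detail) findings for one failed LDAP search."""
    findings = []
    search = SEARCH_RE.search(log)
    base = norm_dn(search.group("base")) if search else ""
    if search:
        attr = search.group("attr")
        canon = {a.lower(): a for a in KNOWN_ATTRS}  # attribute names ignore case
        if attr.lower() not in canon:
            close = difflib.get_close_matches(attr.lower(), list(canon), n=1)
            findings.append(("unknown_attribute", attr,
                             canon[close[0]] if close else None))
    if "referral following is off" in log:
        findings.append(("referral_not_followed", None, None))
    for url in REFERRAL_RE.findall(log):
        parts = urlsplit(url)
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        dn = norm_dn(unquote(parts.path.lstrip("/")))
        # A referral DN under the search base means the subtree search
        # crossed into a subordinate naming context held elsewhere.
        under = bool(base) and (dn == base or dn.endswith("," + base))
        findings.append(("referral", f"{parts.hostname}:{port}",
                         "under_search_base" if under else "outside_search_base"))
    return findings
```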
