On Thu, Jun 14, 2012 at 10:52 AM, Patrycja Suchomska
<[email protected]> wrote:
> Hello,
>
> I'm quite new to XWiki. I have a problem with making its log-in work
> with OpenLDAP. I'm running Ubuntu server 11.10, my Xwiki version is
> 4.0, OpenLDAP (slapd) shows version 2.4.25-1.1ubuntu4.1. I've followed
> instructions from XWiki documentation here
> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPAuthentication
>
> I have user named 'xwiki' in ldap. When I try to log in from my Xwiki,
> I get the 'Invalid credentials' message. catalina.out shows this
> error:
>
>
> 2012-06-14 10:02:16,919
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE
> u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
> 2012-06-14 10:02:16,919
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames,
> groupwisedistributionlist, dynamicgroup, dynamicgroupaux,
> groupofuniquenames, group]
> 2012-06-14 10:02:16,919
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member,
> uniquemember]
> 2012-06-14 10:02:16,919
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server
> [127.0.0.1:389]
> 2012-06-14 10:02:16,925
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with
> credentials login=[cn=xwiki]
> 2012-06-14 10:02:16,930
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
> com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5:
> LDAP bind failed with LDAPException.
> Wrapped Exception: Invalid Credentials
> at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:172)
> ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:101)
> ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:305)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:182)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:129)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:273)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:193)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:175)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:242)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4070)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:172)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4083)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5245)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:179)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:116)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
> [struts-1.2.9.jar:1.2.9]
> at
> org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
> [struts-1.2.9.jar:1.2.9]
> at
> org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
> [struts-1.2.9.jar:1.2.9]
> at
> org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
> [struts-1.2.9.jar:1.2.9]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
> [servlet-api-2.5.jar:na]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
> [servlet-api-2.5.jar:na]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina-6.0.32.jar:6.0.32]
> at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:120)
> [xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:144)
> [xwiki-platform-wysiwyg-server-4.0.jar:na]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina-6.0.32.jar:6.0.32]
> at
> com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66)
> [xwiki-platform-webdav-server-4.0.jar:na]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina-6.0.32.jar:6.0.32]
> at
> com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66)
> [xwiki-platform-webdav-server-4.0.jar:na]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
> [xwiki-platform-container-servlet-4.0.jar:na]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
> [xwiki-platform-container-servlet-4.0.jar:na]
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:300)
> [catalina-6.0.32.jar:6.0.32]
> at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
> [tomcat-coyote-6.0.32.jar:6.0.32]
> at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
> [tomcat-coyote-6.0.32.jar:6.0.32]
> at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
> [tomcat-coyote-6.0.32.jar:6.0.32]
> at java.lang.Thread.run(Thread.java:679) [na:1.6.0_23]
> Caused by: com.novell.ldap.LDAPException: Invalid Credentials
> at com.novell.ldap.LDAPResponse.getResultException(Unknown
> Source) ~[jldap-4.3.jar:na]
> at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
> ~[jldap-4.3.jar:na]
> at com.novell.ldap.LDAPConnection.chkResultCode(Unknown
> Source) ~[jldap-4.3.jar:na]
> at com.novell.ldap.LDAPConnection.bind(Unknown Source)
> ~[jldap-4.3.jar:na]
> at com.novell.ldap.LDAPConnection.bind(Unknown Source)
> ~[jldap-4.3.jar:na]
> at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:206)
> ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
> at
> com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:168)
> ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
> ... 47 common frames omitted
> 2012-06-14 10:02:16,931
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki
> DB
> 2012-06-14 10:02:16,938
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user
> [xwiki]
> 2012-06-14 10:02:16,974
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] WARN
> o.x.v.i.DefaultVelocityEngine - Deprecated usage of method
> [com.xpn.xwiki.api.XWiki.parseMessage] in /templates/login.vm@29,33
>
>
>
> Here is my xwiki.cfg with part regarding LDAP:
>
>
>
> #-------------------------------------------------------------------------------------
> # LDAP
> #-------------------------------------------------------------------------------------
>
> #-# LDAP authentication service
> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
>
> #-# Turn LDAP authentication on - otherwise only XWiki authentication
> #-# - 0: disable
> #-# - 1: enable
> #-# The default is 1
> xwiki.authentication.ldap=1
>
> #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
> xwiki.authentication.ldap.server=127.0.0.1
> xwiki.authentication.ldap.port=389
>
> #-# LDAP login, empty = anonymous access, otherwise specify full dn
> #-# {0} is replaced with the user name, {1} with the password
> #xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
>
> xwiki.authentication.ldap.bind_DN=cn={0},ou=People,dc=debuntu,dc=local
This is not right according to what you found in your LDAP server: the
DN of the xwiki user is "uid=xwiki,ou=People,dc=debuntu,dc=local" and not
"cn=xwiki,ou=People,dc=debuntu,dc=local".
> xwiki.authentication.ldap.bind_pass={1}
>
> #-# The Base DN used in LDAP searches
> xwiki.authentication.ldap.base_DN=ou=People,dc=debuntu,dc=local
>
> #-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in
> #-# xwiki.authentication.ldap.bind_DN)
> #-# {0} is replaced with the user uid field name and {1} with the user name
> #-# The default is ({0}={1})
> # xwiki.authentication.ldap.ldap_user_search_fmt=({0}={1})
>
> #-# Only members of the following group will be verified in the LDAP
> #-# otherwise only users that are found after searching starting from the base_DN
> # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
>
> #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
> #-# Only users not member of the following group can autheticate
> # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
>
> #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
> #-# The default is cn
> xwiki.authentication.ldap.UID_attr=cn
Seems to me that it should be "uid" and not "cn" here according to
what you found in your LDAP server.
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential LDAP groups classes. Separated by commas.
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential LDAP groups classes. Separated by commas.
> # xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential names of the LDAP groups fields containings the members. Separated by commas.
> # xwiki.authentication.ldap.group_memberfields=member,uniqueMember
>
> #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
> xwiki.authentication.ldap.fields_mapping=name=uid,last_name=sn,first_name=givenName,fullname=cn,email=mail,ldap_dn=dn
> #last_name=sn,first_name=givenName,email=mail
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki
> #-# account is created.
> #-# - 0: only when creating user
> #-# - 1: at each authentication
> #-# The default is 1
> xwiki.authentication.ldap.update_user=1
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# Maps XWiki groups to LDAP groups, separator is "|". The following kind of groups are supported:
> #-# * LDAP static groups (users/subgroups are listed statically in the group object)
> #-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
> #-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter),
> #-# | character in the filter need to be escaped with backslash (\).
> #-#
> #-# Here is an example:
> # xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
> # XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
> # XWiki.Organisation=(cn=testers)
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# Time in s after which the list of members in a group is refreshed from LDAP
> #-# The default is 21600 (6 hours)
> # xwiki.authentication.ldap.groupcache_expiration=21600
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# - create : synchronize group membership only when the user is first created
> #-# - always: synchronize on every login
> #-# The default is always
> # xwiki.authentication.ldap.mode_group_sync=always
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
> #-# The default is 1
> xwiki.authentication.ldap.trylocal=1
> #-# The default is 1
> xwiki.authentication.ldap.trylocal=1
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# SSL connection to LDAP server
> #-# - 0: normal
> #-# - 1: SSL
> #-# The default is 0
> # xwiki.authentication.ldap.ssl=0
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# The keystore file to use in SSL connection
> # xwiki.authentication.ldap.ssl.keystore=
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The java secure provider used in SSL connection
> #-# The default is com.sun.net.ssl.internal.ssl.Provider
> # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
>
> #-# Bypass standard LDAP bind validation by doing a direct password comparison.
> #-# If you don't know what you do, don't use that. It's covering very rare and bad use cases.
> #-# - 0: disable
> #-# - 1: enable
> #-# The default is 0
> xwiki.authentication.ldap.validate_password=0
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password"
> #-# is set to 1
> # xwiki.authentication.ldap.password_field=userPassword
>
>
>
>
> I'm familiar neither with LDAP, nor with OpenLDAP, so I've set the
> configuration on localhost port 389 as in this tutorial:
> http://www.debuntu.org/ldap-server-and-linux-ldap-clients
>
> LDAP seems to recognize 'xwiki' user properly:
>
>
>
> ldapsearch -x -b uid=xwiki,ou=people,dc=debuntu,dc=local
> # extended LDIF
> #
> # LDAPv3
> # base <uid=xwiki,ou=People,dc=debuntu,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # xwiki, People, debuntu.local
> dn: uid=xwiki,ou=People,dc=debuntu,dc=local
> uid: xwiki
> cn: xwiki
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> loginShell: /bin/bash
> uidNumber: 1000
> gidNumber: 1000
> homeDirectory: /home/xwiki
> gecos: xwiki,,,
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> When I create the 'xwiki' user in Xwiki registration interface, I can
> log in as 'xwiki', but in catalina.out I see that LDAP authentication
> failed and the XWiki seems to get credentials from its own database:
> [exception as before]
> 2012-06-14 10:48:24,815
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki
> DB
> 2012-06-14 10:48:24,816
> [http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
> u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication succeed with
> principal [XWiki.xwiki]
>
>
>
> I've searched the mailing list and found similar problem in
> http://www.mail-archive.com/[email protected]/msg04827.html but it's 4
> years old and it didn't help me. I've been trying to solve the problem
> with my colleagues, but neither of them could fix it.
>
>
> I've run out of ideas. Any help would be appreciated.
>
> Patricia
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
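
The mismatch pointed out in the reply can be checked mechanically before touching the wiki. The following is an added example, not part of the original message or of XWiki: it expands the `bind_DN` template from `xwiki.cfg` for a login and compares it with the DN that `ldapsearch` returned. The function names and the embedded sample text (copied from the thread) are assumptions of this example.

```python
PREFIX = "xwiki.authentication.ldap."

# Constructed sample input, copied from the config and ldapsearch output in the thread.
CFG = """\
xwiki.authentication.ldap.bind_DN=cn={0},ou=People,dc=debuntu,dc=local
xwiki.authentication.ldap.bind_pass={1}
# xwiki.authentication.ldap.ssl=0
xwiki.authentication.ldap.UID_attr=cn
"""
LDIF = """\
# xwiki, People, debuntu.local
dn: uid=xwiki,ou=People,dc=debuntu,dc=local
uid: xwiki
cn: xwiki
objectClass: posixAccount
"""

def parse_cfg(text):
    """Active (uncommented) key=value pairs of an xwiki.cfg fragment."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def entry_dn(ldif):
    """DN of the first entry in plain ldapsearch output (no base64 'dn::', no folding)."""
    for line in ldif.splitlines():
        if line.lower().startswith("dn: "):
            return line[4:].strip()
    raise ValueError("no dn: line in LDIF")

def norm_dn(dn):
    """Case-insensitive DN comparison form; assumes no escaped commas in values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def check_bind_config(cfg_text, ldif, login):
    """Return a list of mismatches between xwiki.cfg and the directory entry."""
    cfg, real_dn, problems = parse_cfg(cfg_text), entry_dn(ldif), []
    bind_dn = cfg[PREFIX + "bind_DN"].replace("{0}", login)
    if norm_dn(bind_dn) != norm_dn(real_dn):
        problems.append(f"bind_DN expands to '{bind_dn}', entry DN is '{real_dn}'")
    # Heuristic taken from the reply: UID_attr should name the attribute the DN is built on.
    naming_attr = real_dn.split("=", 1)[0].strip().lower()
    uid_attr = cfg.get(PREFIX + "UID_attr", "cn")  # xwiki.cfg comment: "The default is cn"
    if uid_attr.lower() != naming_attr:
        problems.append(f"UID_attr is '{uid_attr}', entry is named by '{naming_attr}'")
    return problems

# The two changes suggested in the reply, applied to the sample config.
FIXED = CFG.replace("bind_DN=cn={0}", "bind_DN=uid={0}").replace("UID_attr=cn", "UID_attr=uid")

if __name__ == "__main__":
    for label, cfg in (("as posted", CFG), ("corrected", FIXED)):
        print(label, check_bind_config(cfg, LDIF, "xwiki") or "OK")
```

The DN comparison ignores case, so the `ou=people` spelling used on the `ldapsearch` command line and the `ou=People` in the returned entry are treated as the same DN.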