AD requires* an authenticated bind.

*unless anonymous bind has been specifically enabled

Cheers

Sent on the move

On 30 Jan 2013, at 17:04, Jeremie BOUSQUET <[email protected]> wrote:

> Hi,
>
> Are you sure you need to authenticate for ldap bind, and if yes, of the
> user/pwd ?
> During my little experience, I've encountered ldap bind with anonymous
> access, or with specific admin account.
> (binding is not authentication)
>
> "provided user is null" seems a bit strange.
> But I'm no ldap expert...
> On 30 Jan 2013 17:47, "Pape, Barry" <[email protected]> wrote:
>
>> Greetings Xwiki Gurus,
>>
>> I've been trying to get our installation authenticating with LDAP and am
>> having no luck. We are running XWiki 4.3 in Tomcat 7.0.34 on Windows
>> Server 2008 R2 Standard. I have installed the LDAP Application Extension
>> and tried configuring it both through the web interface and xwiki.config
>> with no success. Every time I attempt to login I receive an Invalid
>> Credentials error (stack trace below,) and the LDAP section from
>> xwiki.config file is below that. I've tried a number of different values
>> for the server, bind DN, and the base DN, but nothing works. Any
>> suggestions are greatly appreciated? Is there any additional logging that
>> I can add for more information?
>>
>> Thanks,
>> Barry
>>
>> 2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
>> 2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
>> 2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
>> 2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, group]
>> 2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, uniquemember]
>> 2013-01-30 10:12:55,857 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [ldap.nov.com:389]
>> 2013-01-30 10:12:55,868 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[cn=papeb,dc=nov,dc=com]
>> 2013-01-30 10:12:55,928 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
>> com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
>> Wrapped Exception: Invalid Credentials
>>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:184) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
>>     at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:113) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
>>     at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:305) [xwiki-platform-legacy-oldcore-4.4.jar:na]
>>
>> #-------------------------------------------------------------------------------------
>> # LDAP
>> #-------------------------------------------------------------------------------------
>>
>> #-# LDAP authentication service
>> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
>>
>> #-# Turn LDAP authentication on - otherwise only XWiki authentication
>> #-# - 0: disable
>> #-# - 1: enable
>> #-# The default is 0
>> xwiki.authentication.ldap=1
>>
>> #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
>> xwiki.authentication.ldap.server=ldap.nov.com
>> xwiki.authentication.ldap.port=389
>>
>> #-# LDAP login, empty = anonymous access, otherwise specify full dn
>> #-# {0} is replaced with the user name, {1} with the password
>> xwiki.authentication.ldap.bind_DN= cn={0},dc=nov,dc=com
>> xwiki.authentication.ldap.bind_pass={1}
>>
>> #-# The Base DN used in LDAP searches
>> xwiki.authentication.ldap.base_DN=dc=nov,dc=com
>>
>> #-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in
>> #-# xwiki.authentication.ldap.bind_DN)
>> #-# {0} is replaced with the user uid field name and {1} with the user name
>> #-# The default is ({0}={1})
>> # xwiki.authentication.ldap.user_search_fmt=({0}={1})
>>
>> #-# Only members of the following group will be verified in the LDAP
>> #-# otherwise only users that are found after searching starting from the base_DN
>> # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
>>
>> #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
>> #-# Only users not member of the following group can autheticate
>> # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
>>
>> #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
>> #-# The default is cn
>> # xwiki.authentication.ldap.UID_attr=sAMAccountName
>>
>> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
>> #-# The potential LDAP groups classes. Separated by commas.
>> # xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
>>
>> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
>> #-# The potential names of the LDAP groups fields containings the members. Separated by commas.
>> # xwiki.authentication.ldap.group_memberfields=member,uniqueMember
>>
>> #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
>> #xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
>>
>> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
>> #-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki
>> #-# account is created.
>> #-# - 0: only when creating user
>> #-# - 1: at each authentication
>> #-# The default is 0
>> #xwiki.authentication.ldap.update_user=1
>>
>> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
>> #-# Maps XWiki groups to LDAP groups, separator is "|". The following kind of groups are supported:
>> #-# * LDAP static groups (users/subgroups are listed statically in the group object)
>> #-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
>> #-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter),
>> #-# | character in the filter need to be escaped with backslash (\).
>> #-#
>> #-# Here is an example:
>> # xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
>> # XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
>> # XWiki.Organisation=(cn=testers)
>>
>> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
>> #-# Time in s after which the list of members in a group is refreshed from LDAP
>> #-# The default is 21600 (6 hours)
>> # xwiki.authentication.ldap.groupcache_expiration=21600
>>
>> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
>> #-# - create : synchronize group membership only when the user is first created
>> #-# - always: synchronize on every login
>> #-# The default is always
>> # xwiki.authentication.ldap.mode_group_sync=always
>>
>> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
>> #-# If ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
>> #-# - 0: disable
>> #-# - 1: enable
>> #-# The default is 0
>> xwiki.authentication.ldap.trylocal=1
>>
>> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
>> #-# SSL connection to LDAP server
>> #-# - 0: normal
>> #-# - 1: SSL
>> #-# The default is 0
>> # xwiki.authentication.ldap.ssl=0
>>
>> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
>> #-# The keystore file to use in SSL connection
>> # xwiki.authentication.ldap.ssl.keystore=
>>
>> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
>> #-# The java secure provider used in SSL connection
>> #-# The default is com.sun.net.ssl.internal.ssl.Provider
>> # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
>>
>> #-# Bypass standard LDAP bind validation by doing a direct password comparison.
>> #-# If you don't know what you do, don't use that. It's covering very rare and bad use cases.
>> #-# - 0: disable
>> #-# - 1: enable
>> #-# The default is 0
>> # xwiki.authentication.ldap.validate_password=0
>>
>> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
>> #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password"
>> #-# is set to 1
>> # xwiki.authentication.ldap.password_field=userPassword
>>
>> #-# [Since 4.3M1, XWikiLDAPAuthServiceImpl]
>> #-# The maximum number of milliseconds the client waits for any operation under these constraints to complete.
>> #-# The default is 1000
>> # xwiki.authentication.ldap.timeout=1000
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/users
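
An added example, not part of the thread and not XWiki's own code: a Python check over the active keys of the quoted xwiki.cfg that classifies the bind mode as its bind_DN comment describes it, expands the {0} template into the DN seen in the log, and flags the ssl and trylocal settings. The function names and the RFC 4514 escaping step are assumptions of this example, and the sample text is constructed from the keys quoted above.

```python
import re

# Constructed sample: active (uncommented) LDAP keys taken from the quoted xwiki.cfg.
SAMPLE_CFG = """\
xwiki.authentication.ldap.bind_DN= cn={0},dc=nov,dc=com
xwiki.authentication.ldap.bind_pass={1}
# xwiki.authentication.ldap.ssl=0
xwiki.authentication.ldap.trylocal=1
"""
PREFIX = "xwiki.authentication.ldap."

def parse_ldap_settings(text):
    """Active LDAP keys with the prefix stripped; lines starting with '#' are comments."""
    settings = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().startswith(PREFIX):
                settings[key.strip()[len(PREFIX):]] = value.strip()
    return settings

def bind_mode(settings):
    """Per the bind_DN comment: empty = anonymous, {0} = bind as the user logging in."""
    bind_dn = settings.get("bind_DN", "")
    if not bind_dn:
        return "anonymous"
    return "per-user" if "{0}" in bind_dn else "static-account"

def escape_dn_value(value):
    """RFC 4514 escaping (this example's assumption) so a login cannot alter the DN."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value).replace("\x00", "\\00")
    if value[:1] in (" ", "#"):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def expand_bind_dn(settings, login):
    return settings["bind_DN"].replace("{0}", escape_dn_value(login))

def review(settings):
    findings = []
    if bind_mode(settings) == "anonymous":
        findings.append("bind_DN empty: anonymous bind")
    if settings.get("ssl", "0") != "1":
        findings.append("ssl is 0 (default): LDAP connection is not SSL")
    if settings.get("trylocal", "0") == "1":
        findings.append("trylocal=1: failed LDAP auth is retried against the XWiki DB")
    return findings
```

For the quoted configuration, `expand_bind_dn` yields the same `cn=papeb,dc=nov,dc=com` that the log shows being sent in the bind, and `review` reports the non-SSL connection and the local fallback.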
