I have configured Xwiki (release 1.6-milestone-2.12601) to authenticate
against my OpenLDAP (v2.3.35). I am continuously getting a "Wrong user name"
message on my UI. On investigating my ldap logs, I found that Xwiki first
authenticates successfully to OpenLDAP with the users id & password.
However it then tries to do a lookup of the user (I assume for the details
of the user), and at that time, it does not seem to be passing the base DN
in the request. In such scenarios OpenLDAP returns a "No such object" error.
I tried to do a test using ldapsearch without passing the base, and I got
the same error. Also, the error did not occur when I passed the base
parameter to ldapsearch.
I am trying to trace through this problem in the source, but meanwhile,
would like some help in figuring out whether my configuration is wrong, or
if someone has encountered a similar problem before.
Regards,
Milan...
----------------------------------------------------------------------------
-------------------------------------------------------
Xwiki.cfg - LDAP Section
----------------------------------------------------------------------------
--------------------------------------------------------
#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthSer
viceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap-slave
xwiki.authentication.ldap.port=389
#-# base DN for searches
xwiki.authentication.ldap.base_DN=dc=<mycompany>,dc=<mycountry
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the username, {1} with the password
#xwiki.authentication.ldap.bind_DN=cn=cname#,department=USER,department=INFO
RMATIK,department=1230,o=MP
#xwiki.authentication.ldap.bind_DN=cn=Manager,department=USER,department=INF
ORMATIK,department=1230
xwiki.authentication.ldap.bind_DN=cn=Manager,dc=<mycompany>,dc=<mycountry
xwiki.authentication.ldap.bind_pass=<dummy
#-# Force to check password after LDAP connection
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap.validate_password=0
#-# only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the
base_DN
#
xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#xwiki.authentication.ldap.user_group=ou=People,dc=<mycompany>,dc=<mycountry
#-# [SINCE 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
#-# Specifies the LDAP attribute containing the identifier to be used as the
XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=uid
#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when
xwiki.authentication.ldap.validate_password" is set to 1
xwiki.authentication.ldap.password_field=userPassword
#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
xwiki.authentication.ldap.group_classes=posixGroup
#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members.
Separated by commas.
xwiki.authentication.ldap.group_memberfields=memberUid
#-# retrieve the following fields from LDAP and store them in the XWiki user
object (xwiki-attribute=ldap-attribute)
#-# ldap_dn=dn -- dn is set by class, caches dn in XWiki.user object for
faster access
#xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,
fullname=cn,email=mail,ldap_dn=dn
#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki otherwise
this happens only once when the XWiki account is created.
xwiki.authentication.ldap.update_user=1
#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# mapps XWiki groups to LDAP groups, separator is "|"
#
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,o
u=groups,o=MegaNova,c=US|\
#
XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from
LDAP (default=3600*6)
# xwiki.authentication.ldap.groupcache_expiration=21800
#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first
created
#-# - always: synchronize on every login
xwiki.authentication.ldap.mode_group_sync=always
#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# if ldap authentication fails for any reason, try XWiki DB authentication
with the same credentials
xwiki.authentication.ldap.trylocal=1
#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# 0: normal
#-# 1: SSL
xwiki.authentication.ldap.ssl=0
#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
#
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.P
rovider
----------------------------------------------------------------------------
-------------------------------------------------------
OpenLDAP Log output (invoked from xwiki)
----------------------------------------------------------------------------
--------------------------------------------------------
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=<mycompany>,dc=<mycountry>)=0
<<< dnPrettyNormal:
<cn=Manager,dc=<mycompany>,dc=<mycountry>>,
<cn=manager,dc=<mycompany>,dc=<mycountry>
do_bind: version=3
dn="cn=Manager,dc=<mycompany>,dc=<mycountry>" method=128
==> bdb_bind: dn: cn=Manager,dc=<mycompany>,dc=<mycountry
do_bind: v3 bind:
"cn=Manager,dc=<mycompany>,dc=<mycountry>" to
"cn=Manager,dc=<mycompany>,dc=<mycountry>"
send_ldap_result: conn=5 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=13 tag=97 err=0
ber_flush: 14 bytes to sd 19
connection_get(19)
connection_get(19): got connid=5
connection_read(19): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 14 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
do_extended: unsupported operation "0.0.0.0"
send_ldap_result: conn=5 op=1 p=3
send_ldap_result: err=2 matched="" text="unsupported extended
operation"
send_ldap_response: msgid=14 tag=120 err=2
ber_flush: 44 bytes to sd 19
connection_get(19)
connection_get(19): got connid=5
connection_read(19): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <
<<<
dnPrettyNormal: <>, <
SRCH "" 2 0
1000 0 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
filter: (uid=mmehta)
ber_scanf fmt ({M}}) ber:
attrs:
send_ldap_result: conn=5 op=2 p=3
send_ldap_result: err=10 matched="" text=""
send_ldap_response: msgid=15 tag=101 err=32
----------------------------------------------------------------------------
-------------------------------------------------------
OpenLDAP Log output (invoked by ldapsearch with base parameter specified)
----------------------------------------------------------------------------
--------------------------------------------------------
<<< dnPrettyNormal:
<cn=Manager,dc=<mycompany>,dc=<mycountry>>,
<cn=manager,dc=<mycompany>,dc=<mycountry>
do_bind: version=3
dn="cn=Manager,dc=<mycompany>,dc=<mycountry>" method=128
==> bdb_bind: dn: cn=Manager,dc=<mycompany>,dc=<mycountry
do_bind: v3 bind:
"cn=Manager,dc=<mycompany>,dc=<mycountry>" to
"cn=Manager,dc=<mycompany>,dc=<mycountry>"
send_ldap_result: conn=10 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 21
connection_get(21)
connection_get(21): got connid=10
connection_read(21): checking for input on id=10
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
>>> dnPrettyNormal: <dc=<mycompany>,dc=<mycountry>
=>
ldap_bv2dn(dc=<mycompany>,dc=<mycountry>,0)
<= ldap_bv2dn(dc=<mycompany>,dc=<mycountry>)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=<mycompany>,dc=<mycountry>)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=<mycompany>,dc=<mycountry>)=0
<<< dnPrettyNormal: <dc=<mycompany>,dc=<mycountry>>,
<dc=<mycompany>,dc=<mycountry>
SRCH "dc=<mycompany>,dc=<mycountry>" 2 0 0 0 0
************** This is the
place where the base is available **********************
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
filter: (uid=mmehta)
ber_scanf fmt ({M}}) ber:
attrs:
=> bdb_search
bdb_dn2entry("dc=<mycompany>,dc=<mycountry>")
entry_decode: "dc=<mycompany>,dc=<mycountry>"
<= entry_decode(dc=<mycompany>,dc=<mycountry>)
search_candidates: base="dc=<mycompany>,dc=<mycountry>" (0x00000001)
scope=2
=> bdb_dn2idl("dc=<mycompany>,dc=<mycountry>")
=> bdb_filter_candidates
AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [b5212845]
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=37, last=37
<= bdb_filter_candidates: id=1 first=37 last=37
<= bdb_list_candidates: id=1 first=37 last=37
<= bdb_filter_candidates: id=1 first=37 last=37
<= bdb_list_candidates: id=1 first=37 last=37
<= bdb_filter_candidates: id=1 first=37 last=37
bdb_search_candidates: id=1 first=37 last=37
=> test_filter
EQUALITY
<= test_filter 6
=> send_search_entry: conn 10
dn="uid=mmehta,ou=People,dc=<mycompany>,dc=<mycountry>"
ber_flush: 769 bytes to sd 21
<= send_search_entry: conn 10 exit.
send_ldap_result: conn=10 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0