Hi Thomas,
Thank you for your response!
For security reasons, the proxy account is not allowed to compare the
userPassword attribute.
Furthermore, our ldap userPassword attributes are encrypted with SSHA and
xwiki will compare the password using the cleartext password, which will never work.
Xwiki should definitely either re-bind with the proxy account to check group
mapping, or bind first with the xwiki user and then bind with the proxy user.
Another solution might be to check the membership (memberOf attribute) of the
ldap user instead of searching for all members of the ldap groups.
Is there any bug/improvement already logged for that issue? We have a lot of
ldap groups to manage and group mapping is really needed.
BTW when no members are found, a NullPointerException is thrown, preventing
the user from logging in (only in 1.8). That seems indeed to be a bug (see
the exception stacktrace below).
2009-04-19 11:20:59,007 [http://...wiki/bin/loginsubmit/XWiki/XWikiLogin] [AJPRequestHandler-HTTPThreadGroup-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
java.lang.NullPointerException
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.isMemberOfGroup(XWikiLDAPUtils.java:443)
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.isMemberOfGroups(XWikiLDAPUtils.java:465)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:585)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:537)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:427)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:244)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:170)
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:153)
    at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:199)
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3603)
    at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3611)
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4621)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
    at com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:145)
    at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
    at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:111)
    at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
    at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
    at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
    at com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:295)
    at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
    at com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
    at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
    at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
    at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
    at java.lang.Thread.run(Thread.java:595)
On Mon, Apr 20, 2009 at 2:20 PM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
 Hi Laurent,
 This is a bug I think; by default bind is used to validate user
 credentials (AFAIK that's the only way which is working for all LDAP
 servers) and it should rebind to the proxy after that.
 But you can force the LDAP authenticator to use simple user/pass data
 comparison instead of bind using the options
 xwiki.authentication.ldap.validate_password=1
 xwiki.authentication.ldap.password_field=<password field name>
 where <password field name> is the name of the field containing the
 password.
 On Mon, Apr 20, 2009 at 12:27, ratso rizo <ratso.rizo(a)gmail.com> wrote:
 Hi,
 We are facing an issue integrating XWiki against our enterprise LDAP
 directories.
 The fact is that we can't implement the LDAP group-mapping feature
 (xwiki.authentication.ldap.group_mapping) because xwiki tries to retrieve
 group members using the xwiki logged/authenticated user, who has no access
 rights on the LDAP group entries.
 That's why we configured xwiki to use a "proxy" ldap account
 (ldap_dn/ldap_pass) which has the required access privileges to query the
 whole ldap.
 But unfortunately, Xwiki binds first using this proxy account and then
 binds again using the logged user credentials before actually searching
 for the mapped group members.
 Please find below the ldap requests made by xwiki that I caught using a
 network sniffer tool:
 1. xwiki binds against the ldap server using the "proxy" account
    (bind_dn/bind_pass)
 2. xwiki gets all members of the "ldap.user_group" xwiki parameter (it
    works since it is still connected with the proxy account)
 3. xwiki binds using the credentials provided by the user
 4. xwiki searches for the user information (ldap.fields_mapping)
 5. xwiki gets the "ldap.group_mapping" members --> returns no entry
 Unfortunately we are not in charge of the ldap servers' administration and
 we are not able to change their configuration and grant read access on the
 group entries to all the users.
 Is there any parameter to force xwiki to perform ldap queries (except to
 authenticate the user) using the proxy account (credentials defined in
 ldap_dn/ldap_pass)?
 XWiki should bind first using the user's credentials to authenticate the
 user and then perform all other required ldap requests using the proxy
 account.
 We are currently evaluating the last stable release 1.8 (but it applies to
 previous releases as well) and the group mapping feature is highly needed.
 Any help will be greatly welcome.
 Thank you in advance.
 Regards,
 Laurent
 _______________________________________________
 users mailing list
 users(a)xwiki.org
 http://lists.xwiki.org/mailman/listinfo/users
 --
 Thomas Mortagne
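As an added illustration (not code from this thread or from XWiki), the following Python model replays the two bind orders discussed above: the observed sequence (proxy bind, user bind, group search) and the proposed fix (user bind to authenticate, then rebind as the proxy for group lookups). The directory contents, DNs, passwords and the ACL rule that only the proxy can read group entries are all constructed for the example; no real LDAP library is involved.

```python
PROXY_DN = "cn=xwiki-proxy,ou=svc,dc=example,dc=org"  # constructed stand-in for ldap_dn
USER_DN = "uid=laurent,ou=people,dc=example,dc=org"   # constructed test user
GROUP_DN = "cn=wiki-admins,ou=groups,dc=example,dc=org"
EMPTY_GROUP_DN = "cn=wiki-empty,ou=groups,dc=example,dc=org"

# Constructed toy directory (dn -> attributes); passwords exist only to model the bind step.
DIRECTORY = {
    PROXY_DN: {"userPassword": "proxy-secret"},
    USER_DN: {"userPassword": "user-secret", "uid": "laurent"},
    GROUP_DN: {"member": [USER_DN]},
    EMPTY_GROUP_DN: {"member": []},
}

class LdapConn:
    """Minimal model of one LDAP connection: its identity is whatever bound last."""

    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise PermissionError("invalid credentials")
        self.bound_as = dn  # a rebind replaces the previous identity on this connection

    def group_members(self, group_dn):
        """Read 'member'; the constructed ACL lets only the proxy account see group entries."""
        if self.bound_as != PROXY_DN:
            return None  # models step 5 of the captured trace: the search returns no entry
        return DIRECTORY[group_dn].get("member", [])

def is_member_of_group(conn, user_dn, group_dn):
    """Treat 'no entry' and 'no members' as empty; an unguarded None is the reported NPE."""
    members = conn.group_members(group_dn)
    return user_dn in (members or [])

def login_observed_order(user_dn, password, group_dn):
    """Sequence seen in the sniffer: proxy bind, user bind, then the group search."""
    conn = LdapConn()
    conn.bind(PROXY_DN, "proxy-secret")
    conn.bind(user_dn, password)  # the connection now acts as the user...
    return is_member_of_group(conn, user_dn, group_dn)  # ...so group members are invisible

def login_rebind_order(user_dn, password, group_dn):
    """Sequence proposed in the thread: authenticate as the user, then rebind as proxy."""
    conn = LdapConn()
    conn.bind(user_dn, password)  # bind proves the password without reading userPassword
    conn.bind(PROXY_DN, "proxy-secret")  # rebind so the group searches are authorised
    return is_member_of_group(conn, user_dn, group_dn)
```

With the observed order the user is never found in the group even though the directory lists them; with the rebind order the mapping resolves, and an empty group yields a plain negative instead of a crash.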