[xwiki-devs] Problem connecting Xwiki with OpenLDAP
I have configured Xwiki (release 1.6-milestone-2.12601) to authenticate against my OpenLDAP (v2.3.35). I am continuously getting a "Wrong user name" message on my UI. On investigating my ldap logs, I found that Xwiki first authenticates successfully to OpenLDAP with the user's id & password. However, it then tries to do a lookup of the user (I assume for the details of the user), and at that time it does not seem to be passing the base DN in the request. In such scenarios OpenLDAP returns a "No such object" error. I tried to do a test using ldapsearch without passing the base, and I got the same error. Also, the error did not occur when I passed the base parameter to ldapsearch.

I am trying to trace through this problem in the source, but meanwhile would like some help in figuring out whether my configuration is wrong, or if someone has encountered a similar problem before.

Regards,
Milan...

---------------------------------------------------------------------------
Xwiki.cfg - LDAP Section
---------------------------------------------------------------------------

#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl

#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1

#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap-slave
xwiki.authentication.ldap.port=389

#-# base DN for searches
xwiki.authentication.ldap.base_DN=dc=<mycompany>,dc=<mycountry>

#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the username, {1} with the password
#xwiki.authentication.ldap.bind_DN=cn=cname#,department=USER,department=INFORMATIK,department=1230,o=MP
#xwiki.authentication.ldap.bind_DN=cn=Manager,department=USER,department=INFORMATIK,department=1230
xwiki.authentication.ldap.bind_DN=cn=Manager,dc=<mycompany>,dc=<mycountry>
xwiki.authentication.ldap.bind_pass=<dummy>

#-# Force to check password after LDAP connection
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap.validate_password=0

#-# only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#xwiki.authentication.ldap.user_group=ou=People,dc=<mycompany>,dc=<mycountry>

#-# [SINCE 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US

#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=uid

#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" is set to 1
xwiki.authentication.ldap.password_field=userPassword

#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
xwiki.authentication.ldap.group_classes=posixGroup

#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members. Separated by commas.
xwiki.authentication.ldap.group_memberfields=memberUid

#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
#-# ldap_dn=dn -- dn is set by class, caches dn in XWiki.user object for faster access
#xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=cn,email=mail,ldap_dn=dn

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
xwiki.authentication.ldap.update_user=1

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# mapps XWiki groups to LDAP groups, separator is "|"
# xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\
# XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
# xwiki.authentication.ldap.groupcache_expiration=21800

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first created
#-# - always: synchronize on every login
xwiki.authentication.ldap.mode_group_sync=always

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
xwiki.authentication.ldap.trylocal=1

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# 0: normal
#-# 1: SSL
xwiki.authentication.ldap.ssl=0

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=

#-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider

---------------------------------------------------------------------------
OpenLDAP Log output (invoked from xwiki)
---------------------------------------------------------------------------

=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=<mycompany>,dc=<mycountry>)=0
<<< dnPrettyNormal: <cn=Manager,dc=<mycompany>,dc=<mycountry>>, <cn=manager,dc=<mycompany>,dc=<mycountry>>
do_bind: version=3 dn="cn=Manager,dc=<mycompany>,dc=<mycountry>" method=128
==> bdb_bind: dn: cn=Manager,dc=<mycompany>,dc=<mycountry>
do_bind: v3 bind: "cn=Manager,dc=<mycompany>,dc=<mycountry>" to "cn=Manager,dc=<mycompany>,dc=<mycountry>"
send_ldap_result: conn=5 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=13 tag=97 err=0
ber_flush: 14 bytes to sd 19
connection_get(19)
connection_get(19): got connid=5
connection_read(19): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 14 contents:
ber_get_next
do_extended
ber_scanf fmt ({m) ber:
do_extended: unsupported operation "0.0.0.0"
send_ldap_result: conn=5 op=1 p=3
send_ldap_result: err=2 matched="" text="unsupported extended operation"
send_ldap_response: msgid=14 tag=120 err=2
ber_flush: 44 bytes to sd 19
connection_get(19)
connection_get(19): got connid=5
connection_read(19): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 40 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <>
<<< dnPrettyNormal: <>, <>
SRCH "" 2 0 1000 0 0
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
filter: (uid=mmehta)
ber_scanf fmt ({M}}) ber:
attrs:
send_ldap_result: conn=5 op=2 p=3
send_ldap_result: err=10 matched="" text=""
send_ldap_response: msgid=15 tag=101 err=32

---------------------------------------------------------------------------
OpenLDAP Log output (invoked by ldapsearch with base parameter specified)
---------------------------------------------------------------------------

<<< dnPrettyNormal: <cn=Manager,dc=<mycompany>,dc=<mycountry>>, <cn=manager,dc=<mycompany>,dc=<mycountry>>
do_bind: version=3 dn="cn=Manager,dc=<mycompany>,dc=<mycountry>" method=128
==> bdb_bind: dn: cn=Manager,dc=<mycompany>,dc=<mycountry>
do_bind: v3 bind: "cn=Manager,dc=<mycompany>,dc=<mycountry>" to "cn=Manager,dc=<mycompany>,dc=<mycountry>"
send_ldap_result: conn=10 op=0 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 21
connection_get(21)
connection_get(21): got connid=10
connection_read(21): checking for input on id=10
ber_get_next
ber_get_next: tag 0x30 len 58 contents:
ber_get_next
do_search
ber_scanf fmt ({miiiib) ber:
dnPrettyNormal: <dc=<mycompany>,dc=<mycountry>>
=> ldap_bv2dn(dc=<mycompany>,dc=<mycountry>,0)
<= ldap_bv2dn(dc=<mycompany>,dc=<mycountry>)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=<mycompany>,dc=<mycountry>)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(dc=<mycompany>,dc=<mycountry>)=0
<<< dnPrettyNormal: <dc=<mycompany>,dc=<mycountry>>, <dc=<mycompany>,dc=<mycountry>>
SRCH "dc=<mycompany>,dc=<mycountry>" 2 0 0 0 0
************** This is the place where the base is available **********************
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
end get_filter 0
filter: (uid=mmehta)
ber_scanf fmt ({M}}) ber:
attrs:
=> bdb_search
bdb_dn2entry("dc=<mycompany>,dc=<mycountry>")
entry_decode: "dc=<mycompany>,dc=<mycountry>"
<= entry_decode(dc=<mycompany>,dc=<mycountry>)
search_candidates: base="dc=<mycompany>,dc=<mycountry>" (0x00000001) scope=2
=> bdb_dn2idl("dc=<mycompany>,dc=<mycountry>")
=> bdb_filter_candidates
AND
=> bdb_list_candidates 0xa0
=> bdb_filter_candidates
OR
=> bdb_list_candidates 0xa1
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (objectClass)
=> key_read
bdb_idl_fetch_key: [b49d1940]
<= bdb_index_read: failed (-30990)
<= bdb_equality_candidates: id=0, first=0, last=0
<= bdb_filter_candidates: id=0 first=0 last=0
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (uid)
=> key_read
bdb_idl_fetch_key: [b5212845]
<= bdb_index_read 1 candidates
<= bdb_equality_candidates: id=1, first=37, last=37
<= bdb_filter_candidates: id=1 first=37 last=37
<= bdb_list_candidates: id=1 first=37 last=37
<= bdb_filter_candidates: id=1 first=37 last=37
<= bdb_list_candidates: id=1 first=37 last=37
<= bdb_filter_candidates: id=1 first=37 last=37
bdb_search_candidates: id=1 first=37 last=37
=> test_filter
EQUALITY
<= test_filter 6
=> send_search_entry: conn 10 dn="uid=mmehta,ou=People,dc=<mycompany>,dc=<mycountry>"
ber_flush: 769 bytes to sd 21
<= send_search_entry: conn 10 exit.
send_ldap_result: conn=10 op=1 p=3
send_ldap_result: err=0 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=0
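The two slapd excerpts above can be compared mechanically. The following Python script is an added example, not code from the thread or from XWiki: it pairs each SRCH request line with its filter, conn/op and the SearchResultDone code, and flags lookups that went out with an empty base DN and came back noSuchObject (err=32), which is the pattern in the XWiki-initiated log. The embedded log sample is constructed from the lines quoted above and keeps the thread's dc=<mycompany>,dc=<mycountry> placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the slapd debug output in the thread: conn=5 is the
# XWiki-initiated user lookup (empty base, err=32), conn=10 the ldapsearch run with -b.
SAMPLE_LOG = """\
send_ldap_result: conn=5 op=0 p=3
send_ldap_response: msgid=13 tag=97 err=0
SRCH "" 2 0 1000 0 0
filter: (uid=mmehta)
send_ldap_result: conn=5 op=2 p=3
send_ldap_result: err=10 matched="" text=""
send_ldap_response: msgid=15 tag=101 err=32
SRCH "dc=<mycompany>,dc=<mycountry>" 2 0 0 0 0
filter: (uid=mmehta)
send_ldap_result: conn=10 op=1 p=3
send_ldap_response: msgid=2 tag=101 err=0
"""

# slapd prints a search request as: SRCH "<base>" <scope> <deref> <sizelimit> <timelimit> <attrsonly>
SRCH_RE = re.compile(r'^SRCH "(?P<base>[^"]*)" (?P<scope>\d+) ')
FILTER_RE = re.compile(r"^filter: (?P<filter>.+)$")
RESULT_RE = re.compile(r"^send_ldap_result: conn=(?P<conn>\d+) op=(?P<op>\d+)")
RESPONSE_RE = re.compile(r"^send_ldap_response: msgid=\d+ tag=(?P<tag>\d+) err=(?P<err>\d+)")
SEARCH_RESULT_DONE_TAG = 101   # protocol op tag slapd logs for SearchResultDone
NO_SUCH_OBJECT = 32            # LDAP result code the empty-base search came back with

@dataclass
class SearchOp:
    base: str
    scope: int                 # 0=base, 1=one, 2=sub
    filter: str = ""
    conn: str = "?"
    op: str = "?"
    err: Optional[int] = None  # filled in from the SearchResultDone response

def parse_searches(log: str) -> List[SearchOp]:
    # Pair each SRCH line with its filter, conn/op and final SearchResultDone code.
    searches: List[SearchOp] = []
    current: Optional[SearchOp] = None
    for raw in log.splitlines():
        line = raw.strip()
        if m := SRCH_RE.match(line):
            current = SearchOp(base=m["base"], scope=int(m["scope"]))
            searches.append(current)
        elif current is None:
            continue               # bind/extended-op traffic before any search
        elif m := FILTER_RE.match(line):
            current.filter = m["filter"]
        elif m := RESULT_RE.match(line):
            current.conn, current.op = m["conn"], m["op"]
        elif (m := RESPONSE_RE.match(line)) and int(m["tag"]) == SEARCH_RESULT_DONE_TAG:
            current.err = int(m["err"])
            current = None         # this search is done; later lines belong to another op
    return searches

def diagnose(searches: List[SearchOp]) -> List[str]:
    # Flag searches that went out with an empty base DN and came back noSuchObject.
    return [
        f"conn={s.conn} op={s.op}: {s.filter} was searched with an EMPTY base DN and got "
        f"noSuchObject (err={NO_SUCH_OBJECT}); the client did not send its configured base_DN"
        for s in searches if s.base == "" and s.err == NO_SUCH_OBJECT
    ]
```

Run it over a full slapd debug log (loglevel with the "SRCH" and send_ldap_* lines, as in the excerpts above) to see which connections never send the base; a healthy client with base_DN set shows up only in the second shape.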
Hi,

This bug is fixed in 1.6.1. See http://jira.xwiki.org/jira/browse/XWIKI-2747

On Sat, Nov 1, 2008 at 1:04 PM, Milan Mehta <[email protected]> wrote:
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
--
Thomas Mortagne