Try to uncomment

xwiki.authentication.ldap.validate_password=0

You should not have 5, as this is used to force login/pass validation when you don't connect to LDAP with the provided user/pass (bind_DN and bind_pass set to an existing LDAP user/pass).

Another thing: in your example you seem to test with a user name containing a ".". The LDAP authenticator does not support it yet, see http://jira.xwiki.org/jira/browse/XWIKI-2264

2008/5/8 Mihails Agafonovs <[email protected]>:
Here's a piece from xwiki.log:

-----------------------------------------------
java.lang.NullPointerException
    at com.xpn.xwiki.plugin.lucene.IndexUpdater.run(IndexUpdater.java:209)
    at java.lang.Thread.run(Thread.java:619)
2008-05-07 14:11:31,078 [index updating thread] [Thread-20] ERROR lucene.IndexUpdater - Writer not open and closeWriter called
2008-05-07 14:15:49,735 [http://192.168.220.128/xwiki/bin/view/Main] [TP-Processor3] INFO .AbstractXWikiMigrationManager - No storage migration required since current version is [7351]
2008-05-07 14:17:37,228 [http://192.168.220.128/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [TP-Processor3] ERROR LDAP.LDAPAuthServiceImpl - LDAP Bind failed with Exception Invalid Credentials
2008-05-07 14:20:29,787 [http://192.168.220.128/xwiki/bin/view/Main] [TP-Processor3] INFO .AbstractXWikiMigrationManager - No storage migration required since current version is [7351]
2008-05-07 14:25:32,020 [index updating thread] [Thread-20] ERROR lucene.IndexUpdater - IOException when opening Lucene Index for writing at /var/lib/tomcat5/webapps/xwiki/WEB-INF/work/lucene
-------------------------------------------------------------------------------------
And from Wireshark it's the same I pasted in a previous mail. I can add the function sequence watched via Wireshark:

1) bindRequest() with domainname.surname
2) bindresponse() - success
3) searchRequest() with dc=domain, dc=com, sAMAccountName=name.surname
4) searchResEntry() - returns my full correct dn
5) compareRequest() with my full dn and userPassword=mypass
6) LDAP error about no such attribute userPassword
7) unbindRequest()
Quoting Thomas Mortagne:

Could you paste the whole error log?

2008/5/8 Mihails Agafonovs:
Again, the same error from LDAP:
LDAPMessage compareResponse(7) noSuchAttribute (00002080: AtrErr:
DSID-03080139, #1: 0: 00002080: DSID-03080139, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 23 (userPassword) )
Quoting Thomas Mortagne:

2008/5/7 Mihails Agafonovs <[email protected]>:
> Hi!
>
> I've been trying to set up an LDAP connection on XWiki 1.3.2. Using
> Wireshark, I've discovered that LDAP performs unbindRequest() after
> the following error:
>
> LDAPMessage compareResponse(3) noSuchAttribute (00002080: AtrErr:
> DSID-03080139, #1:
> 0: 00002080: DSID-03080139, problem 1001 (NO_ATTRIBUTE_OR_VAL), data
> 0, Att 23 (userPassword)
> )
>
> Here is the configuration:
>
> ----------------------------------------------
> xwiki.authentication.ldap=1
> xwiki.authentication.ldap.server=my.domain.com
> xwiki.authentication.ldap.port=389
> xwiki.authentication.ldap.bind_DN={0}
> xwiki.authentication.ldap.bind_pass={1}
> # xwiki.authentication.ldap.validate_password=0
> xwiki.authentication.ldap.user_group=ou=Riga,ou=LAT,dc=domain,dc=com
> xwiki.authentication.ldap.base_DN=dc=domain,dc=com
> xwiki.authentication.ldap.UID_attr=cn
> xwiki.authentication.ldap.fields_mapping=name=cn,last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn
> # xwiki.authentication.ldap.update_user=1
> xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=ou=Riga,ou=LAT,dc=GDNEurope,dc=com|
>     XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
> # xwiki.authentication.ldap.groupcache_expiration=21800
> # xwiki.authentication.ldap.mode_group_sync=always
> xwiki.authentication.ldap.trylocal=1

I don't know AD very well but, according to http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication, shouldn't it be:

xwiki.authentication.ldap.bind_DN=subdomain{0}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn

?

> ------------------------------------------------------
>
> Any ideas?
>
> P.S. If I use in the login form [email protected] or
> domainname.surname as a username, I can log in, but without any
> rights.
>
> Regards, Mihails
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users

-- Thomas Mortagne
-- Thomas Mortagne
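
Added example, not part of the thread and not XWiki code: a small Python check that reads an LDAP section of xwiki.cfg as posted above and reports the three points raised in the replies (password compare after a user bind, `UID_attr=cn`, a "." in the login name). The function names, finding ids and the sample text are assumptions made for this illustration; the sample is constructed from the keys quoted in the thread.

```python
P = "xwiki.authentication.ldap."

# Constructed sample: the relevant active/commented keys as posted in the thread.
SAMPLE_CFG = """\
> xwiki.authentication.ldap=1
> xwiki.authentication.ldap.bind_DN={0}
> xwiki.authentication.ldap.bind_pass={1}
> # xwiki.authentication.ldap.validate_password=0
> xwiki.authentication.ldap.UID_attr=cn
"""

def parse_cfg(text):
    """Return only active key=value pairs; '>' quoting and '#' comments are dropped."""
    active = {}
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        active[key.strip()] = value.strip()
    return active

def lint_ldap(cfg, login=None):
    """Return finding ids (hypothetical names) for the problems raised in the thread."""
    findings = []
    # {0}/{1} mean XWiki binds with the credentials typed into the login form.
    user_bind = "{0}" in cfg.get(P + "bind_DN", "") and "{1}" in cfg.get(P + "bind_pass", "")
    # Without an active validate_password=0 the trace shows a compareRequest on
    # userPassword after the bind, answered by the directory with noSuchAttribute.
    if user_bind and cfg.get(P + "validate_password") != "0":
        findings.append("compare-after-user-bind")
    # The reply in the thread suggests sAMAccountName instead of cn for AD.
    if cfg.get(P + "UID_attr", "").lower() == "cn":
        findings.append("uid-attr-cn")
    # XWIKI-2264: logins containing "." are not supported by the authenticator yet.
    if login and "." in login:
        findings.append("dot-in-login")
    return findings

if __name__ == "__main__":
    for finding in lint_ldap(parse_cfg(SAMPLE_CFG), login="name.surname"):
        print(finding)
```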