On Sat, Aug 6, 2011 at 12:46 AM, Chris Meyer <chris.meyer(a)gmail.com> wrote:
Hi All,
Using Oracle's OID (LDAP) I am trying to get my installation of xWiki to
authenticate using the LDAP.... with logging fully turned up, here are the
messages I am currently getting:
-----------------------------
2011-08-05 15:32:00,761 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,761 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[uid=204428,cn=users,dc=company,dc=com]
2011-08-05 15:32:00,940 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,940 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
Wrapped Exception: Invalid Credentials
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:175) ~[xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:104) ~[xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:313) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:190) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:137) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:284) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:204) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:187) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:244) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4089) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:170) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4102) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5260) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:189) [xwiki-platform-oldcore-3.1.jar!/:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115) [xwiki-platform-oldcore-3.1.jar!/:na]
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431) [struts-1.2.9.jar!/:1.2.9]
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) [struts-1.2.9.jar!/:1.2.9]
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196) [struts-1.2.9.jar!/:1.2.9]
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432) [struts-1.2.9.jar!/:1.2.9]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637) [servlet-api.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:129) [xwiki-platform-oldcore-3.1.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:152) [xwiki-platform-wysiwyg-server-3.1.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68) [xwiki-platform-webdav-server-3.1.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:218) [xwiki-platform-container-servlet-3.1.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112) [xwiki-platform-container-servlet-3.1.jar!/:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) [jboss-web-service.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190) [jboss-web-service.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92) [jboss-web-service.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126) [jboss-web-service.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70) [jboss-web-service.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [jboss-web-service.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) [jbossweb.jar!/:5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)]
    at java.lang.Thread.run(Thread.java:619) [na:1.6.0_16]
2011-08-05 15:32:00,942 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,942 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.s.XWikiCacheStore - Cache: begin for doc xwiki:XWiki.XWikiPreferences in cache
2011-08-05 15:32:00,942 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,942 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.s.XWikiCacheStore - Cache: Trying to get doc xwiki:XWiki.XWikiPreferences from cache
2011-08-05 15:32:00,942 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,942 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.s.XWikiCacheStore - Cache: got doc xwiki:XWiki.XWikiPreferences from cache
2011-08-05 15:32:00,943 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,943 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.s.XWikiCacheStore - Cache: end for doc xwiki:XWiki.XWikiPreferences in cache
2011-08-05 15:32:00,943 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,943 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [204428]
2011-08-05 15:32:00,943 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,943 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] INFO .x.x.u.i.x.MyFormAuthenticator - User 204428 login has failed
2011-08-05 15:32:00,943 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,943 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.x.u.i.x.XWikiAuthServiceImpl - XWikiAuthServiceImpl.checkAuth(XWikiContext) took 391 milliseconds to run.
2011-08-05 15:32:00,944 INFO [STDOUT] (http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin) 2011-08-05 15:32:00,944 [http://hostname:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG .x.u.i.x.XWikiRightServiceImpl - Access has been granted for (XWiki.XWikiGuest,XWiki.XWikiLogin,loginsubmit): login/logout pages
-----------------------------------------
Also, here is my xwiki.cfg LDAP section.
#-------------------------------------------------------------------------------------
# LDAP
#-------------------------------------------------------------------------------------
#-# LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# - 0: disable
#-# - 1: enable
#-# The default is 1
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap.companyname.com
xwiki.authentication.ldap.port=389
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the user name, {1} with the password
xwiki.authentication.ldap.bind_DN=cn={0},cn=users,dc=company,dc=com
xwiki.authentication.ldap.bind_pass={1}
#-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in xwiki.authentication.ldap.bind_DN)
#-# {0} is replaced with the user uid field name and {1} with the user name
#-# The default is ({0}={1})
# xwiki.authentication.ldap.ldap_user_search_fmt=({0}={1})
#-# Only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# Only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
#-# The Base DN used in LDAP searches
xwiki.authentication.ldap.base_DN=cn=users,dc=usairways,dc=com
#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
#-# The default is cn
# xwiki.authentication.ldap.UID_attr=cn
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
# xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members. Separated by commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember
#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
#-# - 0: only when creating user
#-# - 1: at each authentication
#-# The default is 1
xwiki.authentication.ldap.update_user=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Mapps XWiki groups to LDAP groups, separator is "|"
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=portal_administrators,cn=portal.071022.163744.037656000,cn=groups,dc=usairways,dc=com\
XWiki.XWikiAllGroup=cn=USPerson,cn=Common,cn=Groups,dc=usairways,dc=com
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Time in s after which the list of members in a group is refreshed from LDAP
#-# The default is 2800
xwiki.authentication.ldap.groupcache_expiration=2800
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first created
#-# - always: synchronize on every login
#-# The default is always
xwiki.authentication.ldap.mode_group_sync=always
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
#-# The default is 1
xwiki.authentication.ldap.trylocal=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
# xwiki.authentication.ldap.ssl=0
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
#-# The default is com.sun.net.ssl.internal.ssl.Provider
# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
#-# Bypass standard LDAP bind validation by doing a direct password comparison.
#-# If you don't know what you do, don't use that. It's covering very rare and bad use cases.
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
# xwiki.authentication.ldap.validate_password=0
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" is set to 1
# xwiki.authentication.ldap.password_field=userPassword
---------------------------
So, one thing my LDAP admin noticed was that in the log it looks like it is
trying to bind using:
Binding to LDAP server with credentials login=[uid=204428,cn=users,dc=company,dc=com]
Whereas in my xwiki.cfg file, I am using:
xwiki.authentication.ldap.bind_DN=cn={0},cn=users,dc=company,dc=com
Any reason you can think of that would cause this discrepancy?????
Not really.
Make sure you don't have another xwiki.authentication.ldap.bind_DN
somewhere in xwiki.cfg file and that... well you are really using that
xwiki.cfg.
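
Added example (not part of the original thread and not XWiki code): one way to run the duplicate-key check suggested above and see which bind DN the file would actually produce for a login. It assumes xwiki.cfg is read with java.util.Properties rules, where the last definition of a key wins; SAMPLE_CFG, its second bind_DN line and all function names are constructed for illustration.

```python
import re

# Constructed sample, not the poster's file: a trimmed xwiki.cfg in which
# bind_DN is defined twice (the second definition is hypothetical).
SAMPLE_CFG = """\
#-# LDAP login, empty = anonymous access, otherwise specify full dn
xwiki.authentication.ldap.bind_DN=cn={0},cn=users,dc=company,dc=com
xwiki.authentication.ldap.bind_pass={1}
# xwiki.authentication.ldap.UID_attr=cn
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admins,dc=company,dc=com|\\
    XWiki.XWikiAllGroup=cn=all,dc=company,dc=com
xwiki.authentication.ldap.bind_DN = uid={0},cn=users,dc=company,dc=com
"""

# Key ends at the first unescaped '=', ':' or whitespace (Properties rule).
KEY_VALUE = re.compile(r"((?:\\.|[^\s=:\\])+)[ \t\f]*[=:]?[ \t\f]*(.*)")

def logical_lines(text):
    """Yield (first_line_number, line), skipping comments and joining
    lines that end in an odd number of backslashes."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.lstrip()
        if start is None:
            if not line or line[0] in "#!":
                continue
            start = n
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:
        yield start, buf

def definitions(text):
    """Map each key to its (line_number, value) definitions in file order."""
    defs = {}
    for n, line in logical_lines(text):
        m = KEY_VALUE.match(line)
        if m:
            defs.setdefault(m.group(1), []).append((n, m.group(2)))
    return defs

def effective_bind_dn(text, login, key="xwiki.authentication.ldap.bind_DN"):
    """Return (all definitions of key, DN the last one yields for login)."""
    found = definitions(text).get(key, [])
    if not found:
        return [], None
    # Simplification: plain substitution of {0}, as the cfg comment describes.
    return found, found[-1][1].replace("{0}", login)
```

Calling effective_bind_dn(open(path).read(), "204428") on the xwiki.cfg the running webapp actually loads lists every line that defines bind_DN; more than one entry, or a DN that differs from the one in the log, points at a second definition or a different file.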