Thanks!
On Tue, Apr 21, 2009 at 3:24 PM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
On Tue, Apr 21, 2009 at 14:55, ratso rizo <ratso.rizo(a)gmail.com> wrote:
Hi Thomas,
Thank you for your response!
For security reasons, the proxy account is not allowed to compare the
userPassword attribute.
Furthermore, our LDAP userPassword attributes are encrypted with SSHA and
XWiki will compare the password using the cleartext password, which will never
work.
XWiki should definitely either re-bind with the proxy account to check group
mapping or bind first with the XWiki user and then bind with the proxy user.
Another solution might be to check the membership (memberOf attribute) of the
LDAP user instead of searching for all members of the LDAP groups.
Is there any bug/improvement already logged for that issue? We have a lot of
LDAP groups to manage and group mapping is really needed.
As I said, I created the issue
http://jira.xwiki.org/jira/browse/XWIKI-3642
I also fixed it (it should now re-bind the admin xwiki.cfg user) so it
will be part of 1.8.2.
BTW, when no members are found, a NullPointerException is thrown, preventing
the user from logging in (only in 1.8). That seems indeed to be a bug (see
exception stacktrace below).
2009-04-19 11:20:59,007 [http://...wiki/bin/loginsubmit/XWiki/XWikiLogin] [AJPRequestHandler-HTTPThreadGroup-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
java.lang.NullPointerException
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.isMemberOfGroup(XWikiLDAPUtils.java:443)
        at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.isMemberOfGroups(XWikiLDAPUtils.java:465)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:585)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:537)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:427)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
        at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:244)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:170)
        at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:153)
        at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:199)
        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3603)
        at com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3611)
        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4621)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
        at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
        at com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:145)
        at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:15)
        at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:111)
        at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
        at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
        at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
        at com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:295)
        at com.evermind.server.http.EvermindFilterChain.doFilter(EvermindFilterChain.java:17)
        at com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
        at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:621)
        at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:370)
        at com.evermind.server.http.HttpRequestHandler.doProcessRequest(HttpRequestHandler.java:871)
        at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:453)
        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:302)
        at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:190)
        at oracle.oc4j.network.ServerSocketReadHandler$SafeRunnable.run(ServerSocketReadHandler.java:260)
        at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:303)
        at java.lang.Thread.run(Thread.java:595)
On Mon, Apr 20, 2009 at 2:20 PM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
> Hi Laurent,
>
> This is a bug I think, by default bind is used to validate user
> credentials (AFAIK that's the only way which is working for all LDAP
> servers) and should rebind to the proxy after that.
>
> But you can force the LDAP authenticator to use simple user/pass data
> comparison instead of bind using the options
>
> xwiki.authentication.ldap.validate_password=1
> xwiki.authentication.ldap.password_field=<password field name>
>
> where <password field name> is the name of the field containing the
> password.
>
> On Mon, Apr 20, 2009 at 12:27, ratso rizo <ratso.rizo(a)gmail.com> wrote:
> > Hi,
> >
> > We are facing an issue integrating XWiki against our enterprise LDAP
> > directories.
> >
> > The fact is that we can't implement the LDAP group-mapping feature
> > (xwiki.authentication.ldap.group_mapping) because XWiki tries to
> > retrieve group members using the XWiki logged/authenticated user,
> > who has no access right on the LDAP group entries.
> >
> > That's why we configured XWiki to use a "proxy" LDAP account
> > (ldap_dn/ldap_pass) which has the required access privileges to
> > query the whole LDAP.
> >
> > But unfortunately, XWiki binds first using this proxy account and
> > then binds again using the logged user's credentials before
> > actually searching for the mapped groups' members.
> >
> > Please find below the LDAP requests made by XWiki that I caught using
> > a network sniffer tool:
> >
> > 1. XWiki binds against the LDAP server using the "proxy" account
> >    (bind_dn/bind_pass)
> > 2. XWiki gets all members of the "ldap.user_group" XWiki parameter (it
> >    works since it is still connected with the proxy account)
> > 3. XWiki binds using the credentials provided by the user
> > 4. XWiki searches for the user information (ldap.fields_mapping)
> > 5. XWiki gets the "ldap.group_mapping" members --> returns no entry
> >
> > Unfortunately we are not in charge of the LDAP servers' administration
> > and we are not able to change their configuration and grant read
> > access on the group entries to all the users.
> >
> > Is there any parameter to force XWiki to perform LDAP queries (except
> > to authenticate the user) using the proxy account (credentials defined
> > in ldap_dn/ldap_pass)?
> >
> > XWiki should bind first using the user's credentials to authenticate
> > the user and then perform all other required LDAP requests using the
> > proxy account.
> >
> > We are currently evaluating the last stable release, 1.8 (but this
> > applies to previous releases as well), and the group mapping feature
> > is highly needed.
> > Any help will be greatly welcome.
> > Thank you in advance.
> > Regards,
> > Laurent
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
--
Thomas Mortagne
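The bind sequence the thread converges on (bind as the proxy, locate the user entry, bind as the user to verify the credentials, re-bind as the proxy before reading group members, and cope with a mapped group that has no members at all), written out as an added Python example. This is not XWiki's code and not code from the thread: it models the LDAP server with a small in-memory stand-in so it runs offline, and the DNs, passwords, the `group_readers` ACL and the `MAPPING` dictionary are constructed sample data. The `{SSHA}` helpers implement the userPassword scheme Laurent mentions, which shows why a cleartext string compared byte-for-byte against the stored value can never match; whether a real server's LDAP compare operation hashes the asserted value server-side varies by product, so check that against the directory you actually have before relying on `validate_password=1`. `rebind=False` reproduces the failure the sniffer trace showed: the group read is attempted while still bound as the user, who may not read group entries.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample identities and mapping (not from the thread).
PROXY_DN = "cn=xwiki-proxy,ou=services,dc=example,dc=com"
PROXY_PW = "proxy-secret"
USER_DN = "uid=alice,ou=people,dc=example,dc=com"
MAPPING = {  # wiki group -> LDAP group DN, the shape of xwiki.authentication.ldap.group_mapping
    "XWikiAdminGroup": "cn=wiki-admins,ou=groups,dc=example,dc=com",
    "XWikiAllGroup": "cn=wiki-everyone,ou=groups,dc=example,dc=com",
}


def ssha_hash(password, salt=None):
    """{SSHA} as stored in userPassword: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Re-hash with the stored salt; a byte-for-byte compare of cleartext never matches."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, the salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


class FakeDirectory:
    """In-memory LDAP stand-in: one connection, one bound identity, and an ACL
    that lets only `group_readers` read group entries (the situation in the thread)."""

    def __init__(self, entries, group_readers):
        self.entries, self.group_readers, self.bound_as = entries, set(group_readers), None

    def bind(self, dn, password):
        entry = self.entries.get(dn, {})
        self.bound_as = dn if ssha_verify(password, entry.get("userPassword", "")) else None
        return self.bound_as is not None

    def find_user(self, uid):
        return next((dn for dn, a in self.entries.items() if a.get("uid") == uid), None)

    def members(self, group_dn):
        if self.bound_as not in self.group_readers:
            raise PermissionError("%s may not read %s" % (self.bound_as, group_dn))
        return list(self.entries.get(group_dn, {}).get("member", []))  # [] when no members


def authenticate(d, proxy_dn, proxy_pw, uid, password, mapping, rebind=True):
    """Return the wiki groups mapped for uid, or None when the login fails.
    rebind=False skips step 4 and reproduces the failure described in the thread."""
    if not d.bind(proxy_dn, proxy_pw):                     # 1. bind as proxy
        raise RuntimeError("proxy bind failed")
    user_dn = d.find_user(uid)                              # 2. locate the user entry
    if user_dn is None or not d.bind(user_dn, password):    # 3. bind as user: credential check
        return None
    if rebind and not d.bind(proxy_dn, proxy_pw):           # 4. re-bind as proxy for group reads
        raise RuntimeError("proxy re-bind failed")
    groups = set()
    for wiki_group, ldap_group in mapping.items():          # 5. membership under proxy rights
        if user_dn in d.members(ldap_group):
            groups.add(wiki_group)
    return groups


def build_directory():
    """Constructed sample directory: the proxy, one user, one populated and one empty group."""
    entries = {
        PROXY_DN: {"userPassword": ssha_hash(PROXY_PW)},
        USER_DN: {"uid": "alice", "userPassword": ssha_hash("hunter2")},
        MAPPING["XWikiAdminGroup"]: {"member": [USER_DN]},
        MAPPING["XWikiAllGroup"]: {},  # exists but carries no member attribute
    }
    return FakeDirectory(entries, group_readers=[PROXY_DN])


def group_read_denied_without_rebind(d):
    """True when skipping the re-bind makes the group lookup fail, as the sniffer trace showed."""
    try:
        authenticate(d, PROXY_DN, PROXY_PW, "alice", "hunter2", MAPPING, rebind=False)
        return False
    except PermissionError:
        return True
```

`authenticate(build_directory(), PROXY_DN, PROXY_PW, "alice", "hunter2", MAPPING)` returns `{"XWikiAdminGroup"}`: the empty group contributes nothing instead of crashing, a wrong password returns `None` after the user bind fails, and the same call with `rebind=False` raises `PermissionError` at the first group read.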