On Thu, Jun 14, 2012 at 10:52 AM, Patrycja Suchomska
<szablowska.patrycja(a)gmail.com> wrote:
  Hello,
 I'm quite new to XWiki. I have a problem with making its log-in work
 with OpenLDAP. I'm running Ubuntu server 11.10, my Xwiki version is
 4.0, OpenLDAP (slapd) shows version 2.4.25-1.1ubuntu4.1. I've followed
 instructions from XWiki documentation here
 
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPAut…
 I have user named 'xwiki' in ldap. When I try to log in from my Xwiki,
 I get the 'Invalid credentials' message. catalina.out shows this
 error:
 2012-06-14 10:02:16,919
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE
 u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
 2012-06-14 10:02:16,919
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 c.x.x.p.l.XWikiLDAPConfig      - ldap_group_classes: [groupofnames,
 groupwisedistributionlist, dynamicgroup, dynamicgroupaux,
 groupofuniquenames, group]
 2012-06-14 10:02:16,919
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 c.x.x.p.l.XWikiLDAPConfig      - ldap_group_memberfields: [member,
 uniquemember]
 2012-06-14 10:02:16,919
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 c.x.x.p.l.XWikiLDAPConnection  - Connection to LDAP server
 [127.0.0.1:389]
 2012-06-14 10:02:16,925
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 c.x.x.p.l.XWikiLDAPConnection  - Binding to LDAP server with
 credentials login=[cn=xwiki]
 2012-06-14 10:02:16,930
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
 com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5:
 LDAP bind failed with LDAPException.
 Wrapped Exception: Invalid Credentials
        at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:172)
 ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:101)
 ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:305)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:182)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:129)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:273)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:193)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:175)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:242)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4070)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:172)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4083)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5245)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:179)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:116)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
 [struts-1.2.9.jar:1.2.9]
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
 [struts-1.2.9.jar:1.2.9]
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
 [struts-1.2.9.jar:1.2.9]
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
 [struts-1.2.9.jar:1.2.9]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
 [servlet-api-2.5.jar:na]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
 [servlet-api-2.5.jar:na]
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 [catalina-6.0.32.jar:6.0.32]
        at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:120)
 [xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 [catalina-6.0.32.jar:6.0.32]
        at
org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:144)
 [xwiki-platform-wysiwyg-server-4.0.jar:na]
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 [catalina-6.0.32.jar:6.0.32]
        at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66)
 [xwiki-platform-webdav-server-4.0.jar:na]
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 [catalina-6.0.32.jar:6.0.32]
        at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66)
 [xwiki-platform-webdav-server-4.0.jar:na]
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 [catalina-6.0.32.jar:6.0.32]
        at
org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
 [xwiki-platform-container-servlet-4.0.jar:na]
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 [catalina-6.0.32.jar:6.0.32]
        at
org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
 [xwiki-platform-container-servlet-4.0.jar:na]
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
 [catalina-6.0.32.jar:6.0.32]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 [catalina-6.0.32.jar:6.0.32]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 [catalina-6.0.32.jar:6.0.32]
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 [catalina-6.0.32.jar:6.0.32]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:300)
 [catalina-6.0.32.jar:6.0.32]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
 [tomcat-coyote-6.0.32.jar:6.0.32]
        at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
 [tomcat-coyote-6.0.32.jar:6.0.32]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
 [tomcat-coyote-6.0.32.jar:6.0.32]
        at java.lang.Thread.run(Thread.java:679) [na:1.6.0_23]
 Caused by: com.novell.ldap.LDAPException: Invalid Credentials
        at com.novell.ldap.LDAPResponse.getResultException(Unknown
 Source) ~[jldap-4.3.jar:na]
        at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
 ~[jldap-4.3.jar:na]
        at com.novell.ldap.LDAPConnection.chkResultCode(Unknown
 Source) ~[jldap-4.3.jar:na]
        at com.novell.ldap.LDAPConnection.bind(Unknown Source)
 ~[jldap-4.3.jar:na]
        at com.novell.ldap.LDAPConnection.bind(Unknown Source)
 ~[jldap-4.3.jar:na]
        at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:206)
 ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
        at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:168)
 ~[xwiki-platform-legacy-oldcore-4.0.jar:na]
        ... 47 common frames omitted
 2012-06-14 10:02:16,931
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki
 DB
 2012-06-14 10:02:16,938
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user
 [xwiki]
 2012-06-14 10:02:16,974
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] WARN
 o.x.v.i.DefaultVelocityEngine  - Deprecated usage of method
 [com.xpn.xwiki.api.XWiki.parseMessage] in /templates/login.vm@29,33
 Here is my xwiki.cfg with part regarding LDAP:
 #-------------------------------------------------------------------------------------
 # LDAP
 #-------------------------------------------------------------------------------------
 #-# LDAP authentication service
 xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
 #-# Turn LDAP authentication on - otherwise only XWiki authentication
 #-# - 0: disable
 #-# - 1: enable
 #-# The default is 1
 xwiki.authentication.ldap=1
 #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
 xwiki.authentication.ldap.server=127.0.0.1
 xwiki.authentication.ldap.port=389
 #-# LDAP login, empty = anonymous access, otherwise specify full dn
 #-# {0} is replaced with the user name, {1} with the password
#xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
 xwiki.authentication.ldap.bind_DN=cn={0},ou=People,dc=debuntu,dc=local 

This is not right according to what you found in your LDAP server, the
DN of xwiki user is "uid=xwiki,ou=People,dc=debuntu,dc=local" and not
"cn=xwiki,ou=People,dc=debuntu,dc=local".

  xwiki.authentication.ldap.bind_pass={1}
 #-# The Base DN used in LDAP searches
 xwiki.authentication.ldap.base_DN=ou=People,dc=debuntu,dc=local
 #-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in
 #-# xwiki.authentication.ldap.bind_DN)
 #-# {0} is replaced with the user uid field name and {1} with the user name
 #-# The default is ({0}={1})
 # xwiki.authentication.ldap.ldap_user_search_fmt=({0}={1})
 #-# Only members of the following group will be verified in the LDAP
 #-# otherwise only users that are found after searching starting from the base_DN
 # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
 #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
 #-# Only users not member of the following group can authenticate
 # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
 #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
 #-# The default is cn
 xwiki.authentication.ldap.UID_attr=cn 

Seems to me that it should be "uid" and not "cn" here according to
what you found in your LDAP server.

 #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
 #-# The potential LDAP groups classes. Separated by commas.
 #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
 #-# The potential LDAP groups classes. Separated by commas.
 # xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
 #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
 #-# The potential names of the LDAP groups fields containing the members. Separated by commas.
 # xwiki.authentication.ldap.group_memberfields=member,uniqueMember
 #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
xwiki.authentication.ldap.fields_mapping=name=uid,last_name=sn,first_name=givenName,fullname=cn,email=mail,ldap_dn=dn
 #last_name=sn,first_name=givenName,email=mail
 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki
 #-# account is created.
 #-# - 0: only when creating user
 #-# - 1: at each authentication
 #-# The default is 1
 xwiki.authentication.ldap.update_user=1
 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# Maps XWiki groups to LDAP groups, separator is "|". The following kind of groups are supported:
 #-# * LDAP static groups (users/subgroups are listed statically in the group object)
 #-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
 #-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter),
 #-#   | character in the filter need to be escaped with backslash (\).
 #-#
 #-# Here is an example:
 # xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
 #                                         XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
 #                                         XWiki.Organisation=(cn=testers)
 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# Time in s after which the list of members in a group is refreshed from LDAP
 #-# The default is 21600 (6 hours)
 # xwiki.authentication.ldap.groupcache_expiration=21600
 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# - create : synchronize group membership only when the user is first created
 #-# - always: synchronize on every login
 #-# The default is always
 # xwiki.authentication.ldap.mode_group_sync=always
 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
 #-# The default is 1
 xwiki.authentication.ldap.trylocal=1
 #-# The default is 1
 xwiki.authentication.ldap.trylocal=1
 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# SSL connection to LDAP server
 #-# - 0: normal
 #-# - 1: SSL
 #-# The default is 0
 # xwiki.authentication.ldap.ssl=0
 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# The keystore file to use in SSL connection
 # xwiki.authentication.ldap.ssl.keystore=
 #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
 #-# The java secure provider used in SSL connection
 #-# The default is com.sun.net.ssl.internal.ssl.Provider
 # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
 #-# Bypass standard LDAP bind validation by doing a direct password comparison.
 #-# If you don't know what you do, don't use that. It's covering very rare and bad use cases.
 #-# - 0: disable
 #-# - 1: enable
 #-# The default is 0
 xwiki.authentication.ldap.validate_password=0
 #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
 #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password"
 #-# is set to 1
 # xwiki.authentication.ldap.password_field=userPassword
 I'm familiar neither with LDAP, nor with OpenLDAP, so I've set the
 configuration on localhost port 389 as in this tutorial:
 
http://www.debuntu.org/ldap-server-and-linux-ldap-clients
 LDAP seems to recognize 'xwiki' user properly:
 ldapsearch -x -b uid=xwiki,ou=people,dc=debuntu,dc=local
 # extended LDIF
 #
 # LDAPv3
 # base <uid=xwiki,ou=People,dc=debuntu,dc=local> with scope subtree
 # filter: (objectclass=*)
 # requesting: ALL
 #
 # xwiki, People, debuntu.local
 dn: uid=xwiki,ou=People,dc=debuntu,dc=local
 uid: xwiki
 cn: xwiki
 objectClass: account
 objectClass: posixAccount
 objectClass: top
 loginShell: /bin/bash
 uidNumber: 1000
 gidNumber: 1000
 homeDirectory: /home/xwiki
 gecos: xwiki,,,
 # search result
 search: 2
 result: 0 Success
 # numResponses: 2
 # numEntries: 1
 When I create the 'xwiki' user in Xwiki registration interface, I can
 log in as 'xwiki', but in catalina.out I see that LDAP authentication
 failed and the XWiki seems to get credentials from its own database:
 [exception as before]
 2012-06-14 10:48:24,815
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki
 DB
 2012-06-14 10:48:24,816
 [
http://10.1.0.220:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
 u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication succeed with
 principal [XWiki.xwiki]
 I've searched the mailing list and found similar problem in
 
http://www.mail-archive.com/users@xwiki.org/msg04827.html but it's 4
 years old and it didn't help me. I've been trying to solve the problem
 with my colleagues, but neither of them could fix it.
 I've run out of ideas. Any help would be appreciated.
 Patricia
--
Thomas Mortagne
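
Added example, not part of the original thread and not XWiki code: a small offline check that expands the bind_DN template for a login name and compares it with the DN that ldapsearch reports, which is the mismatch pointed out in the reply above. The function names are hypothetical, the sample input is constructed from the values quoted in the thread, and the UID_attr comparison is a conservative heuristic that follows the reply's second suggestion.

```python
# Constructed sample input: the settings and the ldapsearch entry quoted in the thread.
XWIKI_CFG = """\
xwiki.authentication.ldap.bind_DN=cn={0},ou=People,dc=debuntu,dc=local
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=cn
"""
LDIF_ENTRY = """\
dn: uid=xwiki,ou=People,dc=debuntu,dc=local
uid: xwiki
cn: xwiki
objectClass: posixAccount
"""

def parse_cfg(text):
    """Return active (uncommented) key=value settings; split on the first '=' only."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_ldif(text):
    """Return {attribute: [values]} for one simple, unfolded, non-base64 LDIF entry."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and ": " in line:
            attr, value = line.split(": ", 1)
            entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def normalize_dn(dn):
    """Lower-case and strip each RDN; enough for DNs without escaped commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_bind_dn(cfg_text, ldif_text, login):
    """List mismatches between the XWiki bind_DN template and the directory entry."""
    cfg, entry = parse_cfg(cfg_text), parse_ldif(ldif_text)
    problems = []
    bind_dn = cfg["xwiki.authentication.ldap.bind_DN"].replace("{0}", login)
    actual_dn = entry["dn"][0]
    if normalize_dn(bind_dn) != normalize_dn(actual_dn):
        problems.append(f"bind_DN expands to '{bind_dn}' but the entry DN is '{actual_dn}'")
    # Heuristic: flag a UID_attr that differs from the attribute naming the entry.
    uid_attr = cfg.get("xwiki.authentication.ldap.UID_attr", "cn").lower()
    rdn_attr = actual_dn.split("=", 1)[0].strip().lower()
    if uid_attr != rdn_attr:
        problems.append(f"UID_attr is '{uid_attr}' but the entry is named by '{rdn_attr}'")
    return problems

if __name__ == "__main__":
    for problem in check_bind_dn(XWIKI_CFG, LDIF_ENTRY, "xwiki"):
        print("MISMATCH:", problem)
```

With trylocal=1, as in the posted configuration, a failed bind like this one is followed by a login against the XWiki database, so a successful login alone does not confirm that the LDAP settings are correct.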