On Tue, Jul 7, 2009 at 01:43, Regan Gill <rgill(a)acceptsoftware.com> wrote:
  Hi All,
 This problem has been driving me crazy for several days. I have XWiki
 running in Tomcat and it works fine, but I am trying to get LDAP
 authentication implemented and am unable to get past this current issue.
 I have looked at all the past issues mentioned on this group and
 searched the internet, but none of the cases seem to be related to mine.
 I am able to use LDAP with Apache httpd from my machine against our AD
 Server, but unable to get XWiki (in Tomcat) to do the same. I have tried
 different versions of XWiki 1.9.2 and 2.0, followed the instructions
 http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory,
 and am able to bind and find the user
 uid, but then it fails on the password authentication.
 This is the problem -- XWiki appears to find the user in the directory
 then fails on the userPassword attribute:
 2009-07-06 16:00:34,812 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPUtils             - Searching for the user in LDAP: user:rgill base:dc=AcceptSoftware,dc=local query:(sAMAccountName=rgill) uid:sAMAccountName
 2009-07-06 16:00:34,812 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        - LDAP search: baseDN=[dc=AcceptSoftware,dc=local] query=[(sAMAccountName=rgill)] attr=[[sAMAccountName, sn, givenName, displayName, mail, dn]] ldapScope=[2]
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "displayName"
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [Regan Gill]
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "givenName"
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [Regan]
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "sn"
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [Gill]
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "mail"
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [rgill(a)acceptsoftware.com]
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -   - values for attribute "sAMAccountName"
 2009-07-06 16:00:34,859 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        -     |- [rgill]
 2009-07-06 16:00:34,875 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        - LDAP search found attributes: [{name=dn value=CN=Regan Gill,OU=Users,OU=Fremont,OU=ASC,DC=AcceptSoftware,DC=local}, {name=displayName value=Regan Gill}, {name=givenName value=Regan}, {name=sn value=Gill}, {name=mail value=rgill(a)acceptsoftware.com}, {name=sAMAccountName value=rgill}]
 2009-07-06 16:00:34,875 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-8080-1] DEBUG ldap.XWikiLDAPConnection        - Unable to verify password because userPassword attribute not found.
 LDAPException: No Such Attribute (16) No Such Attribute
 LDAPException: Server Message: 00002080: AtrErr: DSID-03080139, #1:
                0: 00002080: DSID-03080139, problem 1001 (NO_ATTRIBUTE_OR_VAL), data 0, Att 23 (userPassword)
 LDAPException: Matched DN:
                at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
                at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
                at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
                at com.novell.ldap.LDAPConnection.compare(Unknown Source)
                at com.novell.ldap.LDAPConnection.compare(Unknown Source)
                at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.checkPassword(XWikiLDAPConnection.java:251)
                at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:398)
 The error message in red is exactly what the AD server sends back when
 the request is made, so I know it's coming from the AD server itself.
 However, when I am using Apache, it authenticates using the same
 information:
 [Mon Jul 06 16:05:56 2009] [debug] mod_authnz_ldap.c(474): [client 127.0.0.1] [4444] auth_ldap authenticate: accepting rgill, referer:
 In addition, we have another application that is also able to bind and
 authenticate with the same settings and AD Server. Since the user is
 being found in AD in both cases, I would expect the authentication to work
 as well in XWiki as in Apache's LDAP module. I am not an LDAP or Active
 Directory expert, but unless someone can help, I may need to become
 one to get this to work...
 
Did you enable xwiki.authentication.ldap.validate_password? This is
the only thing I know which explicitly needs the name of the password
field.
This option is for very particular cases where you want to use as
password something which is not considered as a standard bind password
by the LDAP server (it's an old option, here only because we used to have
some very specific use case once a very long time ago). In 99.9% of cases you
don't need that: the LDAP authenticator always validates user credentials
using a standard bind (even if you use an "admin" user to access the
LDAP server).
 Thanks,
 Regan
 ________________________________________________________
 Regan Gill | Process Architect | Accept Software Corporation
 office: +1.510.403.4023 | mobile: +1.510.798.3082 | fax: +1.510.979.0220
 42840 Christy Street, Suite 201, Fremont, CA  94538  USA
 
www.acceptsoftware.com <http://www.acceptsoftware.com/>
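
An added example, not part of the original thread and not XWiki's own code: a small Python check over an xwiki.cfg that flags the setting the reply asks about, which switches password verification from a bind to the LDAP compare seen failing in the log. The sample file is constructed; the keys other than xwiki.authentication.ldap.validate_password do not appear on the page, and the defaults used when a key is absent are assumptions.

```python
# Added example: lint an xwiki.cfg for compare-based LDAP password checking.
PREFIX = "xwiki.authentication.ldap"

# Constructed sample; base DN and UID attribute mirror the log in the post.
SAMPLE_CFG = """\
# LDAP section of a hypothetical xwiki.cfg
xwiki.authentication.ldap=1
xwiki.authentication.ldap.base_DN=dc=AcceptSoftware,dc=local
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.validate_password=1
"""


def parse_cfg(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first '=' only: DN values contain '=' themselves.
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_ldap_password_mode(text):
    """Return findings about how the LDAP authenticator verifies passwords."""
    props = parse_cfg(text)
    findings = []
    if props.get(PREFIX) != "1":
        return findings  # LDAP authentication not enabled, nothing to flag
    # Assumption: an absent validate_password means the standard bind is used.
    if props.get(PREFIX + ".validate_password", "0") == "1":
        # Assumption: the compared attribute defaults to userPassword,
        # which is the attribute named in the error in the post.
        field = props.get(PREFIX + ".password_field", "userPassword")
        findings.append(
            f"validate_password=1: password is verified with an LDAP compare "
            f"on '{field}' instead of a bind as the user")
        if props.get(PREFIX + ".UID_attr", "").lower() == "samaccountname":
            findings.append(
                f"UID_attr=sAMAccountName points at Active Directory, where the "
                f"log shows the compare on '{field}' failing with "
                f"No Such Attribute (16); set validate_password=0")
    return findings


if __name__ == "__main__":
    for finding in check_ldap_password_mode(SAMPLE_CFG):
        print("WARN:", finding)
```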