Hi,
our freshly configured XWiki (7.4, running on openSUSE 13.1 with Tomcat
8.0.30) works fine through LDAP but fails as soon as we switch to ldaps.
The current relevant settings for LDAP authentication in xwiki.cfg are:
---------------
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=OUR_LDAP_SERVER
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.ssl=0
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.validate_password=0
xwiki.authentication.ldap.password_field=userPassword
---------------
As soon as we change the settings to use SSL secured LDAP...
---------------
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
---------------
...authentication fails and we get the error message in catalina.out
(debugging enabled according to
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableL…)
that you can find at the end of this mail. Connecting with the standard
LDAP tools (ldapsearch) via SSL works fine.
However, we haven't configured a keystore, as we are not in possession
of the server's certificate. ldapsearch only connects correctly with
TLS_REQCERT=never. Could that be the problem with XWiki, too? If yes,
is there a way to configure XWiki to ignore the certificate completely?
Cheers
Frank
catalina.out messages related to one failed LDAP authentication
===============================================================
[...]
2016-02-09 10:37:52,261 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2016-02-09 10:37:52,262 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
2016-02-09 10:37:52,265 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2016-02-09 10:37:52,333 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, posixgroup, apple-group, group]
2016-02-09 10:37:52,336 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, memberuid, uniquemember]
2016-02-09 10:37:52,355 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connecting to LDAP using SSL
2016-02-09 10:37:52,533 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [ad.dkfz-heidelberg.de:389]
2016-02-09 10:37:52,567 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with credentials login=[XXXX]
2016-02-09 10:37:52,777 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:196) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:122) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:306) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:182) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:129) [xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3565) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241) [xwiki-platform-security-bridge-7.4.jar:na]
    at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271) [xwiki-platform-security-bridge-7.4.jar:na]
    at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3583) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4657) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:339) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:184) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913) [struts-core-1.3.10.jar:1.3.10]
    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462) [struts-core-1.3.10.jar:1.3.10]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:648) [servlet-api.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:115) [xwiki-platform-legacy-oldcore-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127) [xwiki-platform-wysiwyg-server-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:66) [xwiki-platform-webdav-server-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111) [xwiki-platform-container-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:137) [xwiki-platform-resource-servlet-7.4.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239) [catalina.jar:8.0.30]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106) [catalina.jar:8.0.30]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141) [catalina.jar:8.0.30]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79) [catalina.jar:8.0.30]
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616) [catalina.jar:8.0.30]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88) [catalina.jar:8.0.30]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521) [catalina.jar:8.0.30]
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096) [tomcat-coyote.jar:8.0.30]
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674) [tomcat-coyote.jar:8.0.30]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500) [tomcat-coyote.jar:8.0.30]
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456) [tomcat-coyote.jar:8.0.30]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_95]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_95]
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.0.30]
    at java.lang.Thread.run(Thread.java:745) [na:1.7.0_95]
Caused by: com.novell.ldap.LDAPException: Connect Error
    at com.novell.ldap.Connection.writeMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Connection.writeMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Message.sendMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.MessageAgent.sendMessage(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.sendRequestToServer(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.LDAPConnection.bind(Unknown Source) ~[jldap-4.3.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:230) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:192) ~[xwiki-platform-ldap-authenticator-7.4.jar:na]
    ... 63 common frames omitted
Caused by: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
    at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520) ~[na:1.7.0_95]
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:70) ~[na:1.7.0_95]
    ... 73 common frames omitted
Caused by: javax.net.ssl.SSLException: java.net.SocketException: Connection reset
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1874) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1838) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1783) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:113) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:69) ~[na:1.7.0_95]
    at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source) ~[jldap-4.3.jar:na]
    at com.novell.ldap.Connection$ReaderThread.run(Unknown Source) ~[jldap-4.3.jar:na]
    ... 1 common frames omitted
Caused by: java.net.SocketException: Connection reset
    at java.net.SocketInputStream.read(SocketInputStream.java:196) ~[na:1.7.0_95]
    at java.net.SocketInputStream.read(SocketInputStream.java:122) ~[na:1.7.0_95]
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442) ~[na:1.7.0_95]
    at sun.security.ssl.InputRecord.read(InputRecord.java:480) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344) ~[na:1.7.0_95]
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:901) ~[na:1.7.0_95]
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102) ~[na:1.7.0_95]
    ... 4 common frames omitted
2016-02-09 10:37:52,786 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2016-02-09 10:37:52,870 [https://XXXX:8443/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [XXXX]
[...]
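An added checker (my own code, not XWiki's or the poster's) that parses the xwiki.authentication.ldap.* keys, flags an ssl/port mismatch and compares the configured port with the one in the "Connection to LDAP server [...]" debug line; worth running here because that line above reports port 389 while the changed settings say 636. fetch_server_cert_pem uses the stdlib ssl module to retrieve the server certificate for import into the JVM truststore with keytool, the alternative to ignoring it; all function names and the embedded config/log samples are assumptions constructed from the mail.

```python
# Added example (not XWiki code): cross-check the xwiki.cfg LDAP keys against
# the XWikiLDAPConnection debug line. Function names are my own.
import re
import ssl

# Constructed from the mail: settings after the switch to SSL, and the debug line.
CFG_LDAPS = """
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=OUR_LDAP_SERVER
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl=1
"""
LOG_LINE = ("c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server "
            "[ad.dkfz-heidelberg.de:389]")

def parse_ldap_cfg(text):
    """Map each xwiki.authentication.ldap.<key>=<value> line to {key: value}."""
    prefix = "xwiki.authentication.ldap."
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix) and "=" in line:
            key, _, value = line[len(prefix):].partition("=")
            cfg[key] = value.strip()
    return cfg

def check_ssl_port(cfg):
    """Return the ssl/port combinations that cannot give a working connection."""
    ssl_on = cfg.get("ssl", "0") == "1"
    port = int(cfg.get("port", "389"))
    problems = []
    if ssl_on and port == 389:
        problems.append("ssl=1 but port=389: TLS handshake sent to the plaintext port")
    if not ssl_on and port == 636:
        problems.append("ssl=0 but port=636: plaintext LDAP sent to the LDAPS port")
    return problems

def connected_endpoint(log_line):
    """Pull (host, port) out of the 'Connection to LDAP server [host:port]' line."""
    m = re.search(r"Connection to LDAP server \[([^\]:]+):(\d+)\]", log_line)
    return (m.group(1), int(m.group(2))) if m else None

def log_matches_cfg(cfg, log_line):
    """True when the port XWiki actually connected to is the configured one."""
    endpoint = connected_endpoint(log_line)
    return endpoint is not None and endpoint[1] == int(cfg.get("port", "389"))

def fetch_server_cert_pem(host, port=636):
    """Fetch the server cert (PEM) to import with keytool instead of disabling validation; needs network."""
    return ssl.get_server_certificate((host, port))
```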