On Fri, Apr 7, 2017 at 12:33 PM, Thomas Froehlich
<Thomas.Froehlich(a)technoteam.de> wrote:
Hi @all
I have some trouble connecting a new blank XWIKI installation to an MS AD DS server.
This is my XWIKI installation:
XWIKI Enterprise 9.2
LDAP relevant extensions:
- LDAP Application 9.2.4
- LDAP Class Libraries for Java (JLDAP) 4.3
- LDAP API 9.2.4
- LDAP Authenticator 9.2.4
The only LDAP related settings in xwiki.cfg are:
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap.trylocal=1
These are the most important AD DS connection settings done in the XWIKI "LDAP
Application" UI interface:
Ldap login matching: CN={0},OU=Benutzer,OU=TTBV,DC=ttbv,DC=local
Ldap password matching: {1}
Restrict to group: CN=xwiki,OU=Gruppen,OU=TTBV,DC=ttbv,DC=local
Ldap base DN: DC=ttbv,DC=local
Ldap UID attribute name: CN
Unfortunately, the bind to the AD DS server doesn't work. In the XWIKI log file with
LDAP logging set to "debug" I get the following exception:
TRACE o.x.c.ldap.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG o.x.c.ldap.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
TRACE o.x.c.ldap.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG o.x.contrib.ldap.XWikiLDAPConfig - remoteUserParser: null
DEBUG o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
DEBUG o.x.contrib.ldap.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
DEBUG o.x.c.ldap.XWikiLDAPConnection - Connection to LDAP server [xxx.xx.xxx.x:xxx]
DEBUG o.x.c.ldap.XWikiLDAPConnection - Binding to LDAP server with credentials login=[CN=Thomas Froehlich,OU=Benutzer,OU=TTBV,DC=ttbv,DC=local]
DEBUG o.x.c.ldap.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPException.
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:155)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:518)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:334)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:268)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174)
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:163)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3788)
The same exception occurs if I use the following subdomain setting (found on the
Internet):
Ldap login matching: ttbv\\{0}
I tested the connection settings from above using another LDAP client like
"SOFTERRA LDAP Browser 4.5" and the settings worked fine: Using this LDAP
browser with login credentials "CN=Thomas
Froehlich,OU=Benutzer,OU=TTBV,DC=ttbv,DC=local" (plus pwd) I was able to connect to
the AD DS server and I was able to browse to the group
"CN=xwiki,OU=Gruppen,OU=TTBV,DC=ttbv,DC=local" (so there are no restrictions for
this user to browse the directory from base DN down to any group).
If the DN we see in the debug log ("Binding to LDAP server with
credentials...") is right then all I can think of are:
* a wrong password (make sure you don't have some white space before
or after for example)
* wrong server host/port which leads to an LDAP server but not the expected one
I have no more ideas what else to do or what else to test. Any kind of help is welcome.
With kind regards
Thomas
--
Thomas Mortagne
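
The XWiki log above reports only "LDAP bind failed" and not the result code the server returned. As an added example (not part of this thread and not XWiki code; all function names are illustrative), this standalone Python script sends the same kind of simple bind and decodes the server's BindResponse, including the sub-code Active Directory puts after "data" in its diagnostic message, which separates a credential failure from an account-state problem such as an expired, disabled or locked account.

```python
import re
import socket
import ssl

# Win32 error codes (hex) that Active Directory puts after "data" in the
# diagnostic message of a rejected bind (LDAP resultCode 49).
AD_DATA = {0x525: "user not found", 0x52e: "unknown user name or bad password",
           0x530: "logon not allowed at this time", 0x532: "password expired",
           0x533: "account disabled", 0x701: "account expired",
           0x773: "password must be changed", 0x775: "account locked out"}

def tlv(tag, value):
    """Encode one BER tag-length-value element (definite length)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + value

def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, offset of the next element)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def bind_request(dn, password, msg_id=1):
    """LDAPv3 BindRequest with simple authentication (RFC 4511, section 4.2)."""
    op = tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, op))

def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage, AD hint or None)."""
    msg = read_tlv(data, 0)[1]
    tag, op, _ = read_tlv(msg, read_tlv(msg, 0)[2])   # skip messageID
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = read_tlv(op, 0)
    _, diag, _ = read_tlv(op, read_tlv(op, pos)[2])   # skip matchedDN
    text = diag.decode(errors="replace").rstrip("\x00")
    m = re.search(r"data ([0-9a-fA-F]+)", text)
    return int.from_bytes(code, "big"), text, AD_DATA.get(int(m.group(1), 16)) if m else None

def simple_bind(host, port, dn, password, use_tls=True):
    """Send one bind to host:port. With use_tls=False the password crosses the wire in clear."""
    with socket.create_connection((host, port), timeout=10) as sock:
        conn = ssl.create_default_context().wrap_socket(sock, server_hostname=host) if use_tls else sock
        conn.sendall(bind_request(dn, password))
        data = b""
        while len(data) < 6 or read_tlv(data, 0)[2] > len(data):
            chunk = conn.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection before replying")
            data += chunk
        return parse_bind_response(data)
```

Call simple_bind() with the host and port from the XWiki configuration and the DN shown in the "Binding to LDAP server with credentials" log line; a resultCode of 0 means the server accepted the bind.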