30 Jan
2013
30 Jan
'13
5:47 p.m.
Greetings Xwiki Gurus,
I've been trying to get our installation authenticating with LDAP and am having no
luck. We are running XWiki 4.3 in Tomcat 7.0.34 on Windows Server 2008 R2 Standard. I
have installed the LDAP Application Extension and tried configuring it both through the
web interface and xwiki.config with no success. Every time I attempt to login I receive
an Invalid Credentials error (stack trace below,) and the LDAP section from xwiki.config
file is below that. I've tried a number of different values for the server, bind DN,
and the base DN, but nothing works. Any suggestions are greatly appreciated? Is there
any additional logging that I can add for more information?
Thanks,
Barry
2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentica
tion
2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is nul
l. We don't try to authenticate, it probably means the user is in non logged mod
e.
2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentica
tion
2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [gro
upofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniq
uenames, group]
2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields:
[member, uniquemember]
2013-01-30 10:12:55,857 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP serve
r [ldap.nov.com:389]
2013-01-30 10:12:55,868 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server w
ith credentials login=[cn=papeb,dc=nov,dc=com]
2013-01-30 10:12:55,928 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authenticatio
n failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind fai
led with LDAPException.
Wrapped Exception: Invalid Credentials
at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:184) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:113) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticat
eInContext(XWikiLDAPAuthServiceImpl.java:305) [xwiki-platform-legacy-oldcore-4.4
.jar:na]
#-------------------------------------------------------------------------------------
# LDAP
#-------------------------------------------------------------------------------------
#-# LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap.nov.com
xwiki.authentication.ldap.port=389
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the user name, {1} with the password
xwiki.authentication.ldap.bind_DN= cn={0},dc=nov,dc=com
xwiki.authentication.ldap.bind_pass={1}
#-# The Base DN used in LDAP searches
xwiki.authentication.ldap.base_DN=dc=nov,dc=com
#-# LDAP query to search the user in the LDAP database (in case a static admin user is
provided in
#-# xwiki.authentication.ldap.bind_DN)
#-# {0} is replaced with the user uid field name and {1} with the user name
#-# The default is ({0}={1})
# xwiki.authentication.ldap.user_search_fmt=({0}={1})
#-# Only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# Only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
#-# The default is cn
# xwiki.authentication.ldap.UID_attr=sAMAccountName
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
#
xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members. Separated by
commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember
#-# retrieve the following fields from LDAP and store them in the XWiki user object
(xwiki-attribute=ldap-attribute)
#xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens
only once when the XWiki
#-# account is created.
#-# - 0: only when creating user
#-# - 1: at each authentication
#-# The default is 0
#xwiki.authentication.ldap.update_user=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Maps XWiki groups to LDAP groups, separator is "|". The following kind of
groups are supported:
#-# * LDAP static groups (users/subgroups are listed statically in the group object)
#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the
provided organization unit)
#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the
provided filter),
#-# | character in the filter need to be escaped with backslash (\).
#-#
#-# Here is an example:
#
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
# XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
# XWiki.Organisation=(cn=testers)
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Time in s after which the list of members in a group is refreshed from LDAP
#-# The default is 21600 (6 hours)
# xwiki.authentication.ldap.groupcache_expiration=21600
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first created
#-# - always: synchronize on every login
#-# The default is always
# xwiki.authentication.ldap.mode_group_sync=always
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# If ldap authentication fails for any reason, try XWiki DB authentication with the same
credentials
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap.trylocal=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
# xwiki.authentication.ldap.ssl=0
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
#-# The default is com.sun.net.ssl.internal.ssl.Provider
# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
#-# Bypass standard LDAP bind validation by doing a direct password comparison.
#-# If you don't know what you do, don't use that. It's covering very rare and
bad use cases.
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
# xwiki.authentication.ldap.validate_password=0
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when
xwiki.authentication.ldap.validate_password"
#-# is set to 1
# xwiki.authentication.ldap.password_field=userPassword
#-# [Since 4.3M1, XWikiLDAPAuthServiceImpl]
#-# The maximum number of milliseconds the client waits for any operation under these
constraints to complete.
#-# The default is 1000
# xwiki.authentication.ldap.timeout=1000
30 Jan
30 Jan
5:55 p.m.
All I can say is that XWiki is able to access server ldap.nov.com with
port 389 and then try to authenticate with user DN
"cn=papeb,dc=nov,dc=com" and whatever password you typed on the login
page but fail.
The possible causes I can think of:
* there is no user with DN "cn=papeb,dc=nov,dc=com" on LDAP server
"ldap.nov.com". You can check with one of the clients listed on
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication.
* you type the wrong password
On Wed, Jan 30, 2013 at 5:47 PM, Pape, Barry <Barry.Pape(a)nov.com> wrote:
Greetings Xwiki Gurus,
I've been trying to get our installation authenticating with LDAP and am having no
luck. We are running XWiki 4.3 in Tomcat 7.0.34 on Windows Server 2008 R2 Standard. I
have installed the LDAP Application Extension and tried configuring it both through the
web interface and xwiki.config with no success. Every time I attempt to login I receive
an Invalid Credentials error (stack trace below,) and the LDAP section from xwiki.config
file is below that. I've tried a number of different values for the server, bind DN,
and the base DN, but nothing works. Any suggestions are greatly appreciated? Is there
any additional logging that I can add for more information?
Thanks,
Barry
2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentica
tion
2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is nul
l. We don't try to authenticate, it probably means the user is in non logged mod
e.
2013-01-30 10:12:55,825 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentica
tion
2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [gro
upofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniq
uenames, group]
2013-01-30 10:12:55,840 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields:
[member, uniquemember]
2013-01-30 10:12:55,857 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP serve
r [ldap.nov.com:389]
2013-01-30 10:12:55,868 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server w
ith credentials login=[cn=papeb,dc=nov,dc=com]
2013-01-30 10:12:55,928 [http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authenticatio
n failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind fai
led with LDAPException.
Wrapped Exception: Invalid Credentials
at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:184) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:113) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticat
eInContext(XWikiLDAPAuthServiceImpl.java:305) [xwiki-platform-legacy-oldcore-4.4
.jar:na]
#-------------------------------------------------------------------------------------
# LDAP
#-------------------------------------------------------------------------------------
#-# LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap.nov.com
xwiki.authentication.ldap.port=389
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the user name, {1} with the password
xwiki.authentication.ldap.bind_DN= cn={0},dc=nov,dc=com
xwiki.authentication.ldap.bind_pass={1}
#-# The Base DN used in LDAP searches
xwiki.authentication.ldap.base_DN=dc=nov,dc=com
#-# LDAP query to search the user in the LDAP database (in case a static admin user is
provided in
#-# xwiki.authentication.ldap.bind_DN)
#-# {0} is replaced with the user uid field name and {1} with the user name
#-# The default is ({0}={1})
# xwiki.authentication.ldap.user_search_fmt=({0}={1})
#-# Only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# Only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
#-# The default is cn
# xwiki.authentication.ldap.UID_attr=sAMAccountName
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
#
xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members. Separated by
commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember
#-# retrieve the following fields from LDAP and store them in the XWiki user object
(xwiki-attribute=ldap-attribute)
#xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens
only once when the XWiki
#-# account is created.
#-# - 0: only when creating user
#-# - 1: at each authentication
#-# The default is 0
#xwiki.authentication.ldap.update_user=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Maps XWiki groups to LDAP groups, separator is "|". The following kind of
groups are supported:
#-# * LDAP static groups (users/subgroups are listed statically in the group object)
#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the
provided organization unit)
#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the
provided filter),
#-# | character in the filter need to be escaped with backslash (\).
#-#
#-# Here is an example:
#
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
# XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
# XWiki.Organisation=(cn=testers)
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Time in s after which the list of members in a group is refreshed from LDAP
#-# The default is 21600 (6 hours)
# xwiki.authentication.ldap.groupcache_expiration=21600
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first created
#-# - always: synchronize on every login
#-# The default is always
# xwiki.authentication.ldap.mode_group_sync=always
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# If ldap authentication fails for any reason, try XWiki DB authentication with the
same credentials
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap.trylocal=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
# xwiki.authentication.ldap.ssl=0
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
#-# The default is com.sun.net.ssl.internal.ssl.Provider
# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
#-# Bypass standard LDAP bind validation by doing a direct password comparison.
#-# If you don't know what you do, don't use that. It's covering very rare
and bad use cases.
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
# xwiki.authentication.ldap.validate_password=0
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when
xwiki.authentication.ldap.validate_password"
#-# is set to 1
# xwiki.authentication.ldap.password_field=userPassword
#-# [Since 4.3M1, XWikiLDAPAuthServiceImpl]
#-# The maximum number of milliseconds the client waits for any operation under these
constraints to complete.
#-# The default is 1000
# xwiki.authentication.ldap.timeout=1000
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
6:04 p.m.
Hi,
Are you sure you need to authenticate for ldap bind, and if yes, of the
user/pwd ?
During my little experience, I've encountered ldap bind with anonymous
access, or with specific admin account.
(binding is not authentication)
"provided user is null" seems a bit strange.
But I'm no ldap expert...
Le 30 janv. 2013 17:47, "Pape, Barry" <Barry.Pape(a)nov.com> a écrit :
Greetings Xwiki Gurus,
I've been trying to get our installation authenticating with LDAP and am
having no luck. We are running XWiki 4.3 in Tomcat 7.0.34 on Windows
Server 2008 R2 Standard. I have installed the LDAP Application Extension
and tried configuring it both through the web interface and xwiki.config
with no success. Every time I attempt to login I receive an Invalid
Credentials error (stack trace below,) and the LDAP section from
xwiki.config file is below that. I've tried a number of different values
for the server, bind DN, and the base DN, but nothing works. Any
suggestions are greatly appreciated? Is there any additional logging that
I can add for more information?
Thanks,
Barry
2013-01-30 10:12:55,825 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP
authentica
tion
2013-01-30 10:12:55,825 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user
is nul
l. We don't try to authenticate, it probably means the user is in non
logged mod
e.
2013-01-30 10:12:55,825 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP
authentica
tion
2013-01-30 10:12:55,840 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig -
ldap_group_classes: [gro
upofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux,
groupofuniq
uenames, group]
2013-01-30 10:12:55,840 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig -
ldap_group_memberfields:
[member, uniquemember]
2013-01-30 10:12:55,857 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to
LDAP serve
r [ldap.nov.com:389]
2013-01-30 10:12:55,868 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP
server w
ith credentials login=[cn=papeb,dc=nov,dc=com]
2013-01-30 10:12:55,928 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP
authenticatio
n failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP
bind fai
led with LDAPException.
Wrapped Exception: Invalid Credentials
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:184) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:113) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticat
eInContext(XWikiLDAPAuthServiceImpl.java:305)
[xwiki-platform-legacy-oldcore-4.4
.jar:na]
#-------------------------------------------------------------------------------------
# LDAP
#-------------------------------------------------------------------------------------
#-# LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap.nov.com
xwiki.authentication.ldap.port=389
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the user name, {1} with the password
xwiki.authentication.ldap.bind_DN= cn={0},dc=nov,dc=com
xwiki.authentication.ldap.bind_pass={1}
#-# The Base DN used in LDAP searches
xwiki.authentication.ldap.base_DN=dc=nov,dc=com
#-# LDAP query to search the user in the LDAP database (in case a static
admin user is provided in
#-# xwiki.authentication.ldap.bind_DN)
#-# {0} is replaced with the user uid field name and {1} with the user name
#-# The default is ({0}={1})
# xwiki.authentication.ldap.user_search_fmt=({0}={1})
#-# Only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the
base_DN
#
xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# Only users not member of the following group can autheticate
#
xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
#-# Specifies the LDAP attribute containing the identifier to be used as
the XWiki name
#-# The default is cn
# xwiki.authentication.ldap.UID_attr=sAMAccountName
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
#
xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members.
Separated by commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember
#-# retrieve the following fields from LDAP and store them in the XWiki
user object (xwiki-attribute=ldap-attribute)
#xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# On every login update the mapped attributes from LDAP to XWiki
otherwise this happens only once when the XWiki
#-# account is created.
#-# - 0: only when creating user
#-# - 1: at each authentication
#-# The default is 0
#xwiki.authentication.ldap.update_user=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Maps XWiki groups to LDAP groups, separator is "|". The following kind
of groups are supported:
#-# * LDAP static groups (users/subgroups are listed statically in the
group object)
#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub
object of the provided organization unit)
#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search
with the provided filter),
#-# | character in the filter need to be escaped with backslash (\).
#-#
#-# Here is an example:
#
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
#
XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
# XWiki.Organisation=(cn=testers)
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Time in s after which the list of members in a group is refreshed from
LDAP
#-# The default is 21600 (6 hours)
# xwiki.authentication.ldap.groupcache_expiration=21600
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first
created
#-# - always: synchronize on every login
#-# The default is always
# xwiki.authentication.ldap.mode_group_sync=always
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# If ldap authentication fails for any reason, try XWiki DB
authentication with the same credentials
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap.trylocal=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
# xwiki.authentication.ldap.ssl=0
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
#-# The default is com.sun.net.ssl.internal.ssl.Provider
#
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
#-# Bypass standard LDAP bind validation by doing a direct password
comparison.
#-# If you don't know what you do, don't use that. It's covering very rare
and bad use cases.
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
# xwiki.authentication.ldap.validate_password=0
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when
xwiki.authentication.ldap.validate_password"
#-# is set to 1
# xwiki.authentication.ldap.password_field=userPassword
#-# [Since 4.3M1, XWikiLDAPAuthServiceImpl]
#-# The maximum number of milliseconds the client waits for any operation
under these constraints to complete.
#-# The default is 1000
# xwiki.authentication.ldap.timeout=1000
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
6:45 p.m.
AD requires* an authenticated bind.
*unless anonymous bind has been specifically enabled
Cheers
Sent on the move
On 30 Jan 2013, at 17:04, Jeremie BOUSQUET <jeremie.bousquet(a)gmail.com> wrote:
Hi,
Are you sure you need to authenticate for ldap bind, and if yes, of the
user/pwd ?
During my little experience, I've encountered ldap bind with anonymous
access, or with specific admin account.
(binding is not authentication)
"provided user is null" seems a bit strange.
But I'm no ldap expert...
Le 30 janv. 2013 17:47, "Pape, Barry" <Barry.Pape(a)nov.com> a écrit :
Greetings Xwiki Gurus,
I've been trying to get our installation authenticating with LDAP and am
having no luck. We are running XWiki 4.3 in Tomcat 7.0.34 on Windows
Server 2008 R2 Standard. I have installed the LDAP Application Extension
and tried configuring it both through the web interface and xwiki.config
with no success. Every time I attempt to login I receive an Invalid
Credentials error (stack trace below,) and the LDAP section from
xwiki.config file is below that. I've tried a number of different values
for the server, bind DN, and the base DN, but nothing works. Any
suggestions are greatly appreciated? Is there any additional logging that
I can add for more information?
Thanks,
Barry
2013-01-30 10:12:55,825 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP
authentica
tion
2013-01-30 10:12:55,825 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user
is nul
l. We don't try to authenticate, it probably means the user is in non
logged mod
e.
2013-01-30 10:12:55,825 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP
authentica
tion
2013-01-30 10:12:55,840 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig -
ldap_group_classes: [gro
upofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux,
groupofuniq
uenames, group]
2013-01-30 10:12:55,840 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConfig -
ldap_group_memberfields:
[member, uniquemember]
2013-01-30 10:12:55,857 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to
LDAP serve
r [ldap.nov.com:389]
2013-01-30 10:12:55,868 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP
server w
ith credentials login=[cn=papeb,dc=nov,dc=com]
2013-01-30 10:12:55,928 [
http://usa-111b4s1.nov.com:8080/xwiki/bin/loginsubmit/X
Wiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP
authenticatio
n failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP
bind fai
led with LDAPException.
Wrapped Exception: Invalid Credentials
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:184) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnectio
n.java:113) ~[xwiki-platform-legacy-oldcore-4.4.jar:na]
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticat
eInContext(XWikiLDAPAuthServiceImpl.java:305)
[xwiki-platform-legacy-oldcore-4.4
.jar:na]
#-------------------------------------------------------------------------------------
# LDAP
#-------------------------------------------------------------------------------------
#-# LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap.nov.com
xwiki.authentication.ldap.port=389
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the user name, {1} with the password
xwiki.authentication.ldap.bind_DN= cn={0},dc=nov,dc=com
xwiki.authentication.ldap.bind_pass={1}
#-# The Base DN used in LDAP searches
xwiki.authentication.ldap.base_DN=dc=nov,dc=com
#-# LDAP query to search the user in the LDAP database (in case a static
admin user is provided in
#-# xwiki.authentication.ldap.bind_DN)
#-# {0} is replaced with the user uid field name and {1} with the user name
#-# The default is ({0}={1})
# xwiki.authentication.ldap.user_search_fmt=({0}={1})
#-# Only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the
base_DN
#
xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# Only users not member of the following group can autheticate
#
xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
#-# Specifies the LDAP attribute containing the identifier to be used as
the XWiki name
#-# The default is cn
# xwiki.authentication.ldap.UID_attr=sAMAccountName
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
#
xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members.
Separated by commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember
#-# retrieve the following fields from LDAP and store them in the XWiki
user object (xwiki-attribute=ldap-attribute)
#xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# On every login update the mapped attributes from LDAP to XWiki
otherwise this happens only once when the XWiki
#-# account is created.
#-# - 0: only when creating user
#-# - 1: at each authentication
#-# The default is 0
#xwiki.authentication.ldap.update_user=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Maps XWiki groups to LDAP groups, separator is "|". The following kind
of groups are supported:
#-# * LDAP static groups (users/subgroups are listed statically in the
group object)
#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub
object of the provided organization unit)
#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search
with the provided filter),
#-# | character in the filter need to be escaped with backslash (\).
#-#
#-# Here is an example:
#
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
#
XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
# XWiki.Organisation=(cn=testers)
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# Time in s after which the list of members in a group is refreshed from
LDAP
#-# The default is 21600 (6 hours)
# xwiki.authentication.ldap.groupcache_expiration=21600
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first
created
#-# - always: synchronize on every login
#-# The default is always
# xwiki.authentication.ldap.mode_group_sync=always
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# If ldap authentication fails for any reason, try XWiki DB
authentication with the same credentials
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
xwiki.authentication.ldap.trylocal=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
# xwiki.authentication.ldap.ssl=0
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
#-# The default is com.sun.net.ssl.internal.ssl.Provider
#
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
#-# Bypass standard LDAP bind validation by doing a direct password
comparison.
#-# If you don't know what you do, don't use that. It's covering very rare
and bad use cases.
#-# - 0: disable
#-# - 1: enable
#-# The default is 0
# xwiki.authentication.ldap.validate_password=0
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when
xwiki.authentication.ldap.validate_password"
#-# is set to 1
# xwiki.authentication.ldap.password_field=userPassword
#-# [Since 4.3M1, XWikiLDAPAuthServiceImpl]
#-# The maximum number of milliseconds the client waits for any operation
under these constraints to complete.
#-# The default is 1000
# xwiki.authentication.ldap.timeout=1000
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
4247
days inactive
4247
days old
3 comments
4 participants
participants (4)
-
Jeremie BOUSQUET -
Pape, Barry -
shouldbeq931 -
Thomas Mortagne