[xwiki-users] Trouble with LDAP/ActiveDirectory authentication
I've set up XWiki 1.6 for my IT department, and configured the LDAP authentication (the new, default XWikiLDAPAuthServiceImpl) to point to our corporate Active Directory server. For all users in the "US-IS" ActiveDirectory group, it works fine; however, I have some users that are split off into "US-info_mgmt" that can't log in. I don't have the power to alter the Active Directory group membership or structure, so I'm stuck with it how it is.
#-# only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
xwiki.authentication.ldap.user_group=cn=US-IS,cn=Users,dc=XXXX,dc=YYYY
After looking through the XWikiLDAPAuthServiceImpl, it looks like this is a single value, not multiple. So, I can't simply list two groups.
My next thought was to comment this out because the XWikiLDAPAuthServiceImpl looks like it will ignore the group check if it's not set to a value. However, when I did this, no one could log in... sort of. Actually, I was able to log in, but then the custom logo in the skin didn't show up, and the comments area showed another login screen embedded within the page.
Any ideas on how I can configure this?
Regards, Brian.
-----------------------------------------
CONFIDENTIALITY STATEMENT: This e-mail transmission contains information that is intended to be confidential. It is intended only for the addressee named above. If you receive this e-mail in error, please do not read, copy, or disseminate it. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
Hi Brian,
user_group is really just a filter and does nothing else, so I don't have any idea how it can have influence on the skin.
What version of XWiki Core/Enterprise are you using?
Is the user's profile correctly created, and does it contain rights information?
Does this happen all the time for any user?
-- Thomas Mortagne
_______________________________________________
users mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/users
> user_group is really just a filter and does nothing else, so I don't have any idea how it can have influence on the skin.
I also didn't expect it to have the effect it did.
> Is the user's profile correctly created, and does it contain rights information?
I believe so. I can go to the user's page in XWiki and it shows up as I expect it.
> Does this happen all the time for any user?
Sadly, I can only test for myself at the moment as I don't have access to the other users' passwords.
- - - - - - - - - -
Now here's some more details:
After I commented out the "xwiki.authentication.ldap.user_group", I still couldn't log in (well, half way, as I said before). Then I looked deeper in the config and noticed that my search base DN was not what I expected. I changed it to include "cn=Users":
xwiki.authentication.ldap.base_DN=cn=Users,dc=XXXX,dc=YYYY
However, even then I couldn't log in. I'm not confident that is the right base_DN to use, but I'm unsure of what else to test.
I also discovered that I had it falling back to XWiki's DB, so the problematic could still log in if I created her account manually:
xwiki.authentication.ldap.trylocal=1
However, I'm not sure I like that solution.
Regards, Brian.
I think I know what the problem is: I just saw you used 1.6; did you try 1.6.1?
There is another thing user_group is used for: when listing the LDAP group to find the user, the LDAP authenticator gets the group's members' DNs. So the user DN is already found during this process and doesn't need to be searched. But there is a bug in 1.6 (fixed in 1.6.1) that makes the search of the DN by uid fail.
-- Thomas Mortagne
> I think I know what the problem is: I just saw you used 1.6; did you try 1.6.1?
I've not tried 1.6.1. We were on 1.1-m1 for a LONG time. I upgraded to 1.6 after a lot of red tape on my end. Seems like the next day, 1.6.1 came out :-(
> There is another thing user_group is used for: when listing the LDAP group to find the user, the LDAP authenticator gets the group's members' DNs. So the user DN is already found during this process and doesn't need to be searched. But there is a bug in 1.6 (fixed in 1.6.1) that makes the search of the DN by uid fail.
I'd like to find that reported bug so I can develop a better understanding.
My ultimate goal is to have the ability to specify multiple groups (not one) to filter for out of LDAP and have users in those automatically created and NOT fall back to internal XWiki DB authentication. The only reason I turned off the group filter was because it doesn't support multiple groups (I'm considering submitting a patch) hoping that I could just allow users in any LDAP group to participate.
Regards, Brian.
On Tue, Oct 28, 2008 at 9:24 AM, <[email protected]> wrote:
> I'd like to find that reported bug so I can develop a better understanding.
FYI bug is http://jira.xwiki.org/jira/browse/XWIKI-2747
> My ultimate goal is to have the ability to specify multiple groups (not one) to filter for out of LDAP and have users in those automatically created and NOT fall back to internal XWiki DB authentication. The only reason I turned off the group filter was because it doesn't support multiple groups (I'm considering submitting a patch) hoping that I could just allow users in any LDAP group to participate.
See http://jira.xwiki.org/jira/browse/XWIKI-2518
-- Thomas Mortagne
Thanks, Thomas. I'll have to find time to upgrade to 1.6.1 to see if that helps my intermediate plan. For my ultimate plan, I just voted for #2518.
Regards, Brian.
participants (2): BSayatovic@amig.com, Thomas Mortagne
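Added example (not part of the original thread and not XWiki code): a simplified Python model of the login decision discussed above, showing how a single user_group value, a hypothetical multi-group filter, the base_DN search scope and trylocal=1 interact. The directory entries, the `decide` function and its parameters are assumptions made for illustration.

```python
# Added illustration, not XWiki code: simplified model of the login decision
# discussed in this thread. All directory entries are constructed sample data.
US_IS = "cn=US-IS,cn=Users,dc=XXXX,dc=YYYY"
US_INFO_MGMT = "cn=US-info_mgmt,cn=Users,dc=XXXX,dc=YYYY"
USERS_BASE = "cn=Users,dc=XXXX,dc=YYYY"
DIRECTORY = {  # user DN -> login name
    "cn=Alice,cn=Users,dc=XXXX,dc=YYYY": "alice",
    "cn=Carol,cn=Users,dc=XXXX,dc=YYYY": "carol",
    "cn=Dave,ou=Contractors,dc=XXXX,dc=YYYY": "dave",
}
GROUP_MEMBERS = {  # group DN -> member DNs
    US_IS: {"cn=Alice,cn=Users,dc=XXXX,dc=YYYY"},
    US_INFO_MGMT: {"cn=Carol,cn=Users,dc=XXXX,dc=YYYY"},
}


def norm(dn):
    """Lower-case a DN and drop spaces around commas (escaped commas ignored)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_dn(login, base_dn):
    """Search by login name, restricted to the subtree under base_dn."""
    base = norm(base_dn)
    for dn, name in DIRECTORY.items():
        if name == login and (norm(dn) == base or norm(dn).endswith("," + base)):
            return dn
    return None


def decide(login, base_dn, groups=(), trylocal=False, local_accounts=()):
    """Return 'ldap', 'local' or 'denied' for a login whose password is correct."""
    dn = find_dn(login, base_dn)
    allowed = dn is not None
    if allowed and groups:
        # Hypothetical multi-group filter: membership in ANY listed group passes.
        members = set()
        for group in groups:
            members |= {norm(m) for m in GROUP_MEMBERS.get(group, ())}
        allowed = norm(dn) in members
    if allowed:
        return "ldap"
    # Fallback to the local database: the LDAP group filter is not applied here,
    # so any manually created local account gets in regardless of group.
    if trylocal and login in local_accounts:
        return "local"
    return "denied"
```

With a single group configured, a user in the other group is denied unless the local fallback is on and a local account exists for her, which is the trade-off raised in the thread.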