2 Feb
2009
2 Feb
'09
9:48 a.m.
Hi,
we just upgraded our XWiki from 1.3.2 to 1.7.1.
Right afterwards the firewall registers LDAP-Packages from the XWiki mashine
as an attack, saying:
"A malicious LDAP packet may indicate a potential attack. An attacker could
use a modified LDAP message to cause buffer overflows on defective systems
and execute arbitary code. (LDAP message contains malicious data which does
not comply with ASN.1)"
It seems that it has something to to with the changings made since 1.3.2. Is
that possible?
Greetings,
Steve
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2257004.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
2 Feb
2 Feb
11:02 a.m.
New subject: [xwiki-users] LDAP-Login changes in new version
Hi,
On Mon, Feb 2, 2009 at 9:48 AM, Stefan Woehrer <stefan_woehrer(a)yahoo.de> wrote:
Hi,
we just upgraded our XWiki from 1.3.2 to 1.7.1.
Right afterwards the firewall registers LDAP-Packages from the XWiki mashine
as an attack, saying:
"A malicious LDAP packet may indicate a potential attack. An attacker could
use a modified LDAP message to cause buffer overflows on defective systems
and execute arbitary code. (LDAP message contains malicious data which does
not comply with ASN.1)"
It seems that it has something to to with the changings made since 1.3.2. Is
that possible?
By default 1.7.1 use the new XWiki LDAP authenticator when 1.3.2 use
the old one. See
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPAut…
Now on the technical details it's using exactly the same Novell ldap
client implementation and the differences are more on the XWiki side
so I don't see why it would suddenly send wrong datas.
Greetings,
Steve
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2257004.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
5 Feb
5 Feb
10:24 a.m.
New subject: [xwiki-users] LDAP-Login changes in new version
thanks a lot. it seems that this was an additional problem with the
firewall(!?)
anyway, the firewall is now configured to let through the whole ldap traffic
from the xwiki machine. the problem hasn't changed: sometimes, users are
randomly logged out with the "wrong passowrd" error message. when they try
to log in, they get the very same error message for a couple of times. a few
minutes later, they can login again and everything works.
this happens spontaniously a couple of times per day.
does any1 experience the same problem?
the next issue is that suddenly no (error/warning) messages are generated
any more. i will try a tomcat restart in the afternoon, but since we did
that a lot of times before i don't think this will help.
i would very much apprechiate any kind of help! thank you in advance.
steve
tmortagne wrote:
Hi,
On Mon, Feb 2, 2009 at 9:48 AM, Stefan Woehrer <stefan_woehrer(a)yahoo.de>
wrote:
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2273948.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
Hi,
we just upgraded our XWiki from 1.3.2 to 1.7.1.
Right afterwards the firewall registers LDAP-Packages from the XWiki
mashine
as an attack, saying:
"A malicious LDAP packet may indicate a potential attack. An attacker
could
use a modified LDAP message to cause buffer overflows on defective
systems
and execute arbitary code. (LDAP message contains malicious data which
does
not comply with ASN.1)"
It seems that it has something to to with the changings made since 1.3.2.
Is
that possible?
By default 1.7.1 use the new XWiki LDAP authenticator when 1.3.2 use
the old one. See
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPAut…
Now on the technical details it's using exactly the same Novell ldap
client implementation and the differences are more on the XWiki side
so I don't see why it would suddenly send wrong datas.
Greetings,
Steve
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2257004.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
10:30 a.m.
New subject: [xwiki-users] LDAP-Login changes in new version
hi,
i just discovered some warning messages in the stdout_yyyymmdd.log - file in
the tomcat log directory, maby it helps: (does the skin have to be updated?)
[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in
XWiki.XWikiLogin@1,15
[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in
skins.ourskin@1,15
[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in
XWiki.XWikiLogin@1,15
[WARNING] Deprecated usage of getter [com.xpn.xwiki.api.Document.getWeb] in
Main.WebHome@1,15
[WARNING] Deprecated usage of method
[com.xpn.xwiki.api.Document.getRenderedContent] in
/templates/commentsinline.vm@28,40
"ourskin" is basically the toucan skin with a few changes.
cheers,
steve
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2273973.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
11:05 a.m.
New subject: [xwiki-users] LDAP-Login changes in new version
I think you get "wrong passowrd" just because LDAP failed to connect
for some reason so the authentication tried the XWiki authenticator
and obviously it fail since the password is registered on LDAP server
and not in XWiki database.
Could you enable LDAP debug log (see
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableL…)
and try to reproduce it ? We will see better what append when LDAP
fail to connect.
On Thu, Feb 5, 2009 at 10:24 AM, Stefan Woehrer <stefan_woehrer(a)yahoo.de> wrote:
thanks a lot. it seems that this was an additional problem with the
firewall(!?)
anyway, the firewall is now configured to let through the whole ldap traffic
from the xwiki machine. the problem hasn't changed: sometimes, users are
randomly logged out with the "wrong passowrd" error message. when they try
to log in, they get the very same error message for a couple of times. a few
minutes later, they can login again and everything works.
this happens spontaniously a couple of times per day.
does any1 experience the same problem?
the next issue is that suddenly no (error/warning) messages are generated
any more. i will try a tomcat restart in the afternoon, but since we did
that a lot of times before i don't think this will help.
i would very much apprechiate any kind of help! thank you in advance.
steve
tmortagne wrote:
--
Thomas Mortagne
Hi,
On Mon, Feb 2, 2009 at 9:48 AM, Stefan Woehrer <stefan_woehrer(a)yahoo.de>
wrote:
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2273948.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Hi,
we just upgraded our XWiki from 1.3.2 to 1.7.1.
Right afterwards the firewall registers LDAP-Packages from the XWiki
mashine
as an attack, saying:
"A malicious LDAP packet may indicate a potential attack. An attacker
could
use a modified LDAP message to cause buffer overflows on defective
systems
and execute arbitary code. (LDAP message contains malicious data which
does
not comply with ASN.1)"
It seems that it has something to to with the changings made since 1.3.2.
Is
that possible?
By default 1.7.1 use the new XWiki LDAP authenticator when 1.3.2 use
the old one. See
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPAut…
Now on the technical details it's using exactly the same Novell ldap
client implementation and the differences are more on the XWiki side
so I don't see why it would suddenly send wrong datas.
Greetings,
Steve
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2257004.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
12:03 p.m.
New subject: [xwiki-users] LDAP-Login changes in new version
ok .. as i enabled ldap debugging i get tons of messages ;-) very good.
here is a piece of xwiki.log when the login doesn't work (beginning with
"Connection to LDAP server"):
11:31:34,605 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG ldap.XWikiLDAPConnection - Connection to LDAP server
[company.comp.co:389]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG LDAP.XWikiLDAPAuthServiceImpl - The provided user is
null. We don't try to authenticate, it probably means the user is in non
logged mode.
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG ldap.XWikiLDAPConfig - ldap_group_classes:
[groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux,
groupofuniquenames, group]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG ldap.XWikiLDAPConfig - ldap_group_memberfields:
[member, uniquemember]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG ldap.XWikiLDAPConnection - Connection to LDAP
server [company.comp.co:389]
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind
failed with LDAPException.
Wrapped Exception: Connect Error
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:174)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
at
com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
Wrapped Exception:
java.net.ConnectException: Connection timed out: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.novell.ldap.Connection.connect(Unknown Source)
at com.novell.ldap.Connection.connect(Unknown Source)
at com.novell.ldap.LDAPConnection.connect(Unknown Source)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.connect(XWikiLDAPConnection.java:194)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:166)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
at
com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki
DB
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user
[woeste]
11:31:55,918 [http://xwiki/bin/view/Main/DocumentDoesNotExist] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - The provided user is null. We don't
try to authenticate, it probably means the user is in non logged mode.
------------------------------------------------------------------------
here is a piece of xwiki.log when the login works again (one minute later)
(also beginning with "Connection to LDAP server"):
11:32:21,496 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - Connection to LDAP
server [company.comp.co:389]
11:32:21,543 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - Binding to LDAP server
with credentials
login=[CN=xWiKi,OU=ServicesAccounts,DC=company,DC=comp,DC=co]
11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPUtils - Searching for the user
in LDAP: user:asakur base:DC=company,DC=comp,DC=co
query:(sAMAccountName=asakur) uid:sAMAccountName
11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - LDAP search:
baseDN=[DC=company,DC=comp,DC=co] query=[(sAMAccountName=asakur)]
attr=[[sAMAccountName, sn, givenName, fullName, mail, dn]] ldapScope=[2]
11:32:21,746 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"givenName"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |- [Stefan]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"sn"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |- [Woehrer]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"mail"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |-
[woeste(a)company.at]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"sAMAccountName"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |- [woeste]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - LDAP search found
attributes: [{name=dn value=CN=company
Kurt,OU=Poweruser,DC=company,DC=comp,DC=co}, {name=givenName value=woe},
{name=sn value=company}, {name=mail value=woeste(a)company.at},
{name=sAMAccountName value=woeste}]
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP attributes will be
used to update XWiki attributes.
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Creating new XWiki user
based on LDAP attribues located at CN=Woehrer
Stefan,OU=Poweruser,DC=company,DC=comp,DC=co
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Start synchronising LDAP
profile
....
even groupmapping works correctly
11:32:22,121 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConfig - Groupmapping found:
XWiki.XWikiAdminGroup [CN=xwiki_Admin,OU=xWiki
Groups,DC=company,DC=comp,DC=co]
...
------------------------------------------------------------------------
hope this helps
stefan
I think you get "wrong passowrd" just because LDAP failed to connect
for some reason so the authentication tried the XWiki authenticator
and obviously it fail since the password is registered on LDAP server
and not in XWiki database.
Could you enable LDAP debug log (see
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableL…)
and try to reproduce it ? We will see better what append when LDAP
fail to connect.
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2274317.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
6:44 p.m.
New subject: [xwiki-users] LDAP-Login changes in new version
On Thu, Feb 5, 2009 at 12:03, Stefan Woehrer <stefan_woehrer(a)yahoo.de> wrote:
ok .. as i enabled ldap debugging i get tons of messages ;-) very good.
here is a piece of xwiki.log when the login doesn't work (beginning with
"Connection to LDAP server"):
11:31:34,605 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG ldap.XWikiLDAPConnection - Connection to LDAP server
[company.comp.co:389]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG LDAP.XWikiLDAPAuthServiceImpl - The provided user is
null. We don't try to authenticate, it probably means the user is in non
logged mode.
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG ldap.XWikiLDAPConfig - ldap_group_classes:
[groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux,
groupofuniquenames, group]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG ldap.XWikiLDAPConfig - ldap_group_memberfields:
[member, uniquemember]
11:31:49,761 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-5] DEBUG ldap.XWikiLDAPConnection - Connection to LDAP
server [company.comp.co:389]
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.plugin.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind
failed with LDAPException.
Wrapped Exception: Connect Error
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:174)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
at
com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
Wrapped Exception:
java.net.ConnectException: Connection timed out: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at com.novell.ldap.Connection.connect(Unknown Source)
at com.novell.ldap.Connection.connect(Unknown Source)
at com.novell.ldap.LDAPConnection.connect(Unknown Source)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.connect(XWikiLDAPConnection.java:194)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:166)
at
com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:108)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:304)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:202)
at
com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:149)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:239)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:165)
at
com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:148)
at
com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:203)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3578)
at
com.xpn.xwiki.user.impl.xwiki.XWikiRightServiceImpl.checkAccess(XWikiRightServiceImpl.java:139)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3586)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4572)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:190)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:115)
at
org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.plugin.webdav.XWikiDavFilter.doFilter(XWikiDavFilter.java:68)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:135)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:287)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
com.xpn.xwiki.web.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Unknown Source)
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki
DB
11:31:55,621 [http://xwiki/bin/loginsubmit/XWiki/XWikiLogin] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user
[woeste]
11:31:55,918 [http://xwiki/bin/view/Main/DocumentDoesNotExist] [http-80-3]
DEBUG LDAP.XWikiLDAPAuthServiceImpl - The provided user is null. We don't
try to authenticate, it probably means the user is in non logged mode.
------------------------------------------------------------------------
here is a piece of xwiki.log when the login works again (one minute later)
(also beginning with "Connection to LDAP server"):
11:32:21,496 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - Connection to LDAP
server [company.comp.co:389]
11:32:21,543 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - Binding to LDAP server
with credentials
login=[CN=xWiKi,OU=ServicesAccounts,DC=company,DC=comp,DC=co]
11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPUtils - Searching for the user
in LDAP: user:asakur base:DC=company,DC=comp,DC=co
query:(sAMAccountName=asakur) uid:sAMAccountName
11:32:21,684 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - LDAP search:
baseDN=[DC=company,DC=comp,DC=co] query=[(sAMAccountName=asakur)]
attr=[[sAMAccountName, sn, givenName, fullName, mail, dn]] ldapScope=[2]
11:32:21,746 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"givenName"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |- [Stefan]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"sn"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |- [Woehrer]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"mail"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |-
[woeste(a)company.at]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - - values for attribute
"sAMAccountName"
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - |- [woeste]
11:32:21,762 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConnection - LDAP search found
attributes: [{name=dn value=CN=company
Kurt,OU=Poweruser,DC=company,DC=comp,DC=co}, {name=givenName value=woe},
{name=sn value=company}, {name=mail value=woeste(a)company.at},
{name=sAMAccountName value=woeste}]
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP attributes will be
used to update XWiki attributes.
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Creating new XWiki user
based on LDAP attribues located at CN=Woehrer
Stefan,OU=Poweruser,DC=company,DC=comp,DC=co
11:32:21,809 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Start synchronising LDAP
profile
....
even groupmapping works correctly
11:32:22,121 [http://xwiki.company/bin/loginsubmit/XWiki/XWikiLogin]
[http-80-4] DEBUG ldap.XWikiLDAPConfig - Groupmapping found:
XWiki.XWikiAdminGroup [CN=xwiki_Admin,OU=xWiki
Groups,DC=company,DC=comp,DC=co]
...
------------------------------------------------------------------------
hope this helps
"java.net.ConnectException: Connection timed out: connect", looks like
there is a connection issue here, it means XWiki had to wait too long
to get server answer.
stefan
I think you get "wrong passowrd" just because LDAP failed to connect
for some reason so the authentication tried the XWiki authenticator
and obviously it fail since the password is registered on LDAP server
and not in XWiki database.
Could you enable LDAP debug log (see
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableL…)
and try to reproduce it ? We will see better what append when LDAP
fail to connect.
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2274317.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
10 Feb
10 Feb
9:40 a.m.
New subject: [xwiki-users] LDAP-Login changes in new version
Hi,
after a network analysis it turned out that one of the active directory
servers in the pool was not responding and the load balancer didn't
recognice it. If anyone has got the same problem (random login problems), I
recommend to try out your connection with a LDAP-Browser (which helped us
already a lot with xwiki in the past) and with ping and maby do it in a loop
and log the results.
Thanks for your help.
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2301463.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
11:22 a.m.
New subject: [xwiki-users] LDAP-Login changes in new version
Your welcome, glad you found the issue :)
On Tue, Feb 10, 2009 at 09:40, Stefan Woehrer <stefan_woehrer(a)yahoo.de> wrote:
Hi,
after a network analysis it turned out that one of the active directory
servers in the pool was not responding and the load balancer didn't
recognice it. If anyone has got the same problem (random login problems), I
recommend to try out your connection with a LDAP-Browser (which helped us
already a lot with xwiki in the past) and with ping and maby do it in a loop
and log the results.
Thanks for your help.
--
View this message in context:
http://n2.nabble.com/LDAP-Login-changes-in-new-version-tp2257004p2301463.ht…
Sent from the XWiki- Users mailing list archive at Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
6095
days inactive
6103
days old
8 comments
2 participants
participants (2)
-
Stefan Woehrer -
Thomas Mortagne