[xwiki-users] LDAP Authentication Troubles
I have an OpenLDAP installation with the following simple configuration:
dc=snapteam,dc=org < root (top)
cn=admin < admin login for access to LDAP, no anonymous access (organizationalRole, simpleSecurityObject)
ou=groups < group of groups (organizationalUnit)
cn=group1 < posixGroups with multiple 'memberUid' attributes with full user DNs
cn=group2
cn=admins
ou=users < group of users (organizationalUnit)
uid=snapadmin < user (inetOrgPerson, posixAccount) - userPassword fields with plaintext password (I'd like to change to sha or somesuch)
uid=user1 < another user
Here are the settings in the xwiki.cfg:
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=127.0.0.1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn=admin,dc=snapteam,dc=org
xwiki.authentication.ldap.bind_pass=adminPassword
xwiki.authentication.ldap.ldap_user_search_fmt=(&({0}={1})(objectClass=posixAccount))
xwiki.authentication.ldap.user_group=ou=users,dc=snapteam,dc=org
xwiki.authentication.ldap.base_DN=dc=snapteam,dc=org
xwiki.authentication.ldap.group_classes=posixGroup
xwiki.authentication.ldap.group_memberfields=memberUid
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admins,ou=groups,dc=snapteam,dc=org|\
XWiki.SnapGroup=cn=snap,ou=groups,dc=snapteam,dc=org|\
XWiki.AARGroup=cn=aar,ou=groups,dc=snapteam,dc=org|\
XWiki.AACUSGroup=cn=aacus,ou=groups,dc=snapteam,dc=org
xwiki.authentication.ldap.groupcache_expiration=21800
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.trylocal=1
Here is the log trace I'm getting when trying to log in as one of the users:
2011-04-09 21:35:19,522 DEBUG xwiki.XWiki - Using custom AuthClass com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.
2011-04-09 21:50:42,946 TRACE LDAP.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2011-04-09 21:50:42,946 DEBUG LDAP.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
2011-04-09 21:50:42,948 TRACE LDAP.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2011-04-09 21:50:42,967 DEBUG LDAP.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: ou=users,dc=snapteam,dc=org
2011-04-09 21:50:42,969 DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:339)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:190)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:137)
2011-04-09 21:50:42,970 DEBUG LDAP.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2011-04-09 21:50:42,974 DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [snapadmin]
Any help would be appreciated. Thanks!
Joel Schuster
[email protected]
719-510-0181
On Sat, Apr 9, 2011 at 23:53, Joel Schuster <[email protected]> wrote:
I have an OpenLDAP installation with the following simple configuration:
dc=snapteam,dc=org < root (top)
cn=admin < admin login for access to LDAP, no anonymous access (organizationalRole, simpleSecurityObject)
ou=groups < group of groups (organizationalUnit)
cn=group1 < posixGroups with multiple 'memberUid' attributes with full user DNs
cn=group2
cn=admins
ou=users < group of users (organizationalUnit)
uid=snapadmin < user (inetOrgPerson, posixAccount) - userPassword fields with plaintext password (I'd like to change to sha or somesuch)
uid=user1 < another user
Here are the settings in the xwiki.cfg:
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=127.0.0.1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn=admin,dc=snapteam,dc=org
xwiki.authentication.ldap.bind_pass=adminPassword
xwiki.authentication.ldap.ldap_user_search_fmt=(&({0}={1})(objectClass=posixAccount))
xwiki.authentication.ldap.user_group=ou=users,dc=snapteam,dc=org
xwiki.authentication.ldap.base_DN=dc=snapteam,dc=org
xwiki.authentication.ldap.group_classes=posixGroup
xwiki.authentication.ldap.group_memberfields=memberUid
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admins,ou=groups,dc=snapteam,dc=org|\
XWiki.SnapGroup=cn=snap,ou=groups,dc=snapteam,dc=org|\
XWiki.AARGroup=cn=aar,ou=groups,dc=snapteam,dc=org|\
XWiki.AACUSGroup=cn=aacus,ou=groups,dc=snapteam,dc=org
xwiki.authentication.ldap.groupcache_expiration=21800
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.trylocal=1
Here is the log trace I'm getting when trying to log in as one of the users:
2011-04-09 21:35:19,522 DEBUG xwiki.XWiki - Using custom AuthClass com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.
2011-04-09 21:50:42,946 TRACE LDAP.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2011-04-09 21:50:42,946 DEBUG LDAP.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
2011-04-09 21:50:42,948 TRACE LDAP.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2011-04-09 21:50:42,967 DEBUG LDAP.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: ou=users,dc=snapteam,dc=org
2011-04-09 21:50:42,969 DEBUG LDAP.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:339)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:190)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:137)
2011-04-09 21:50:42,970 DEBUG LDAP.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2011-04-09 21:50:42,974 DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [snapadmin]
Any help would be appreciated. Thanks!
You should get more log than that. Are you sure you added both lines?
log4j.logger.com.xpn.xwiki.plugin.ldap=trace
log4j.logger.com.xpn.xwiki.user.impl.LDAP=trace
Looks like there is only the second one.
Joel Schuster
719-510-0181
_______________________________________________ users mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/users
-- Thomas Mortagne
Thomas,
Thanks for the response!
Ok, I turned on trace for both. Based on what I see now (I've copied the piece that seems important out of the log)
2011-04-10 21:09:56,257 DEBUG ldap.XWikiLDAPConnection - LDAP search: baseDN=[ou=users,dc=snapteam,dc=org] query=[null] attr=[[objectClass, cn, memberuid]] ldapScope=[0]
2011-04-10 21:09:56,258 DEBUG ldap.XWikiLDAPConnection - - values for attribute "objectClass"
2011-04-10 21:09:56,258 DEBUG ldap.XWikiLDAPConnection - |- [organizationalUnit]
2011-04-10 21:09:56,259 DEBUG ldap.XWikiLDAPConnection - LDAP search found attributes: [{name=dn value=ou=users,dc=snapteam,dc=org}, {name=objectClass value=organizationalUnit}]
2011-04-10 21:09:56,259 ERROR ldap.XWikiLDAPUtils - Could not find attribute cn for LDAP dn ou=users,dc=snapteam,dc=org
2011-04-10 21:09:56,259 DEBUG ldap.XWikiLDAPUtils - Found group [ou=users,dc=snapteam,dc=org] members :null
2011-04-10 21:09:56,259 TRACE xwiki.XWikiException - Error number 8001 in 8: LDAP user snapadmin does not belong to LDAP group ou=users,dc=snapteam,dc=org.
I've appended the ldif for the whole ldap tree below. That group doesn't have a cn attribute, why does the main user group need one? This group is for holding ALL users, not separating the users into groups.
I can't add a cn attribute as an organizationalUnit doesn't allow for a cn attribute, so I'd need to add a different object type. Am I simply setting this up the wrong way? This setup is working just fine already for bugzilla, openfire and postfix.
- Joel
Here are the settings in the xwiki.cfg:
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=127.0.0.1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn=admin,dc=snapteam,dc=org
xwiki.authentication.ldap.bind_pass=adminPassword
xwiki.authentication.ldap.ldap_user_search_fmt=(&({0}={1})(objectClass=posixAccount))
xwiki.authentication.ldap.user_group=ou=users,dc=snapteam,dc=org
xwiki.authentication.ldap.base_DN=dc=snapteam,dc=org
xwiki.authentication.ldap.group_classes=posixGroup
xwiki.authentication.ldap.group_memberfields=memberUid
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admins,ou=groups,dc=snapteam,dc=org|\
XWiki.SnapGroup=cn=snap,ou=groups,dc=snapteam,dc=org|\
XWiki.AARGroup=cn=aar,ou=groups,dc=snapteam,dc=org|\
XWiki.AACUSGroup=cn=aacus,ou=groups,dc=snapteam,dc=org
xwiki.authentication.ldap.groupcache_expiration=21800
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.trylocal=1
The LDIF:
version: 1

dn: dc=snapteam,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
dc: snapteam
o: snapteam
description: Snapteam LDAP

dn: cn=admin,dc=snapteam,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: cDFqbXM1Iw==
description: LDAP administrator

dn: ou=users,dc=snapteam,dc=org
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=snapteam,dc=org
objectClass: organizationalUnit
ou: groups

dn: cn=admins,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: admins
gidNumber: 0
description: Administrators within the snapteam.org domain
memberUid: uid=bobf,ou=users,dc=snapteam,dc=org
memberUid: uid=snapadmin,ou=users,dc=snapteam,dc=org

dn: cn=snap,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: snap
gidNumber: 10000
description: snapteam members
memberUid: uid=joels,ou=users,dc=snapteam,dc=org
memberUid: uid=snapadmin,ou=users,dc=snapteam,dc=org

dn: cn=aar,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: aar
gidNumber: 10001
description: aar group members

dn: cn=aacus,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: aacus
gidNumber: 10002
description: aacus group members

dn: uid=bobf,ou=users,dc=snapteam,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Bob Frank
gidNumber: 0
homeDirectory: /home/bobf
sn: Frank
uid: bobf
uidNumber: 1000
displayName: Bob Frank
gecos: Bob Frank
givenName: Bob
homePhone: 719-123-1234
initials: BF
l: Colorado Springs
loginShell: /bin/bash
mail: [email protected]
mobile: 719-123-1234
o: SNAP
postalAddress: 1234 Hearth Ct
postalCode: 80922
shadowExpire: -1
shadowFlag: 0
shadowLastChange: 10877
shadowMax: 999999
shadowMin: 8
shadowWarning: 7
st: CO
title: System Administrator
userPassword:: e1NIQX1JZmFqYzRNSUFQdWNmQ1lEMkF6MC9YTytLb3M9

dn: uid=snapadmin,ou=users,dc=snapteam,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Snap Admin
gidNumber: 0
homeDirectory: /home/snapadmin
sn: Admin
uid: snapadmin
uidNumber: 1001
displayName: Snap Admin
gecos: Snap Admin
givenName: Snap
homePhone: 719-123-1234
initials: SA
l: Colorado Springs
loginShell: /bin/bash
mail: [email protected]
mobile: 719-123-1234
o: SNAP
postalAddress: 1234 Hearth Ct
postalCode: 80922
shadowExpire: -1
shadowFlag: 0
shadowLastChange: 10877
shadowMax: 999999
shadowMin: 8
shadowWarning: 7
st: CO
title: System Administrator
userPassword:: cDFqbXM1Iw==
On Sun, Apr 10, 2011 at 23:32, Joel Schuster <[email protected]> wrote:
Thomas,
Thanks for the response!
Ok, I turned on trace for both. Based on what I see now (I've copied the piece that seems important out of the log)
2011-04-10 21:09:56,257 DEBUG ldap.XWikiLDAPConnection - LDAP search: baseDN=[ou=users,dc=snapteam,dc=org] query=[null] attr=[[objectClass, cn, memberuid]] ldapScope=[0]
2011-04-10 21:09:56,258 DEBUG ldap.XWikiLDAPConnection - - values for attribute "objectClass"
2011-04-10 21:09:56,258 DEBUG ldap.XWikiLDAPConnection - |- [organizationalUnit]
2011-04-10 21:09:56,259 DEBUG ldap.XWikiLDAPConnection - LDAP search found attributes: [{name=dn value=ou=users,dc=snapteam,dc=org}, {name=objectClass value=organizationalUnit}]
2011-04-10 21:09:56,259 ERROR ldap.XWikiLDAPUtils - Could not find attribute cn for LDAP dn ou=users,dc=snapteam,dc=org
2011-04-10 21:09:56,259 DEBUG ldap.XWikiLDAPUtils - Found group [ou=users,dc=snapteam,dc=org] members :null
2011-04-10 21:09:56,259 TRACE xwiki.XWikiException - Error number 8001 in 8: LDAP user snapadmin does not belong to LDAP group ou=users,dc=snapteam,dc=org.
I've appended the ldif for the whole ldap tree below. That group doesn't have a cn attribute, why does the main user group need one? This group is for holding ALL users, not separating the users into groups.
I can't add a cn attribute as an organizationalUnit doesn't allow for a cn attribute, so I'd need to add a different object type. Am I simply setting this up the wrong way? This setup is working just fine already for bugzilla, openfire and postfix.
XWiki only works with groups which explicitly list members (like cn=admins,ou=groups,dc=snapteam,dc=org). Anyway, if ou=users,dc=snapteam,dc=org contains all users then you should really not set up xwiki.authentication.ldap.user_group, since this property is here to accept only some users (the ones who are part of this group).
- Joel
Here are the settings in the xwiki.cfg:
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=127.0.0.1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn=admin,dc=snapteam,dc=org
xwiki.authentication.ldap.bind_pass=adminPassword
xwiki.authentication.ldap.ldap_user_search_fmt=(&({0}={1})(objectClass=posixAccount))
xwiki.authentication.ldap.user_group=ou=users,dc=snapteam,dc=org
xwiki.authentication.ldap.base_DN=dc=snapteam,dc=org
xwiki.authentication.ldap.group_classes=posixGroup
xwiki.authentication.ldap.group_memberfields=memberUid
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admins,ou=groups,dc=snapteam,dc=org|\
XWiki.SnapGroup=cn=snap,ou=groups,dc=snapteam,dc=org|\
XWiki.AARGroup=cn=aar,ou=groups,dc=snapteam,dc=org|\
XWiki.AACUSGroup=cn=aacus,ou=groups,dc=snapteam,dc=org
xwiki.authentication.ldap.groupcache_expiration=21800
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.trylocal=1
The LDIF:
version: 1

dn: dc=snapteam,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
dc: snapteam
o: snapteam
description: Snapteam LDAP

dn: cn=admin,dc=snapteam,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword:: cDFqbXM1Iw==
description: LDAP administrator

dn: ou=users,dc=snapteam,dc=org
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=snapteam,dc=org
objectClass: organizationalUnit
ou: groups

dn: cn=admins,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: admins
gidNumber: 0
description: Administrators within the snapteam.org domain
memberUid: uid=bobf,ou=users,dc=snapteam,dc=org
memberUid: uid=snapadmin,ou=users,dc=snapteam,dc=org

dn: cn=snap,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: snap
gidNumber: 10000
description: snapteam members
memberUid: uid=joels,ou=users,dc=snapteam,dc=org
memberUid: uid=snapadmin,ou=users,dc=snapteam,dc=org

dn: cn=aar,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: aar
gidNumber: 10001
description: aar group members

dn: cn=aacus,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: aacus
gidNumber: 10002
description: aacus group members

dn: uid=bobf,ou=users,dc=snapteam,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Bob Frank
gidNumber: 0
homeDirectory: /home/bobf
sn: Frank
uid: bobf
uidNumber: 1000
displayName: Bob Frank
gecos: Bob Frank
givenName: Bob
homePhone: 719-123-1234
initials: BF
l: Colorado Springs
loginShell: /bin/bash
mail: [email protected]
mobile: 719-123-1234
o: SNAP
postalAddress: 1234 Hearth Ct
postalCode: 80922
shadowExpire: -1
shadowFlag: 0
shadowLastChange: 10877
shadowMax: 999999
shadowMin: 8
shadowWarning: 7
st: CO
title: System Administrator
userPassword:: e1NIQX1JZmFqYzRNSUFQdWNmQ1lEMkF6MC9YTytLb3M9

dn: uid=snapadmin,ou=users,dc=snapteam,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Snap Admin
gidNumber: 0
homeDirectory: /home/snapadmin
sn: Admin
uid: snapadmin
uidNumber: 1001
displayName: Snap Admin
gecos: Snap Admin
givenName: Snap
homePhone: 719-123-1234
initials: SA
l: Colorado Springs
loginShell: /bin/bash
mail: [email protected]
mobile: 719-123-1234
o: SNAP
postalAddress: 1234 Hearth Ct
postalCode: 80922
shadowExpire: -1
shadowFlag: 0
shadowLastChange: 10877
shadowMax: 999999
shadowMin: 8
shadowWarning: 7
st: CO
title: System Administrator
userPassword:: cDFqbXM1Iw==
-- Thomas Mortagne
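As an added illustration (not XWiki's code, and not from either poster), the following replays the membership check that the trace in this thread shows, over a cut-down copy of Joel's LDIF: a group lookup against ou=users finds no configured group class and therefore no member attribute to read, so a user_group pointing at that organizationalUnit can never match, while the posixGroup entries named in group_mapping resolve normally. It assumes that a memberUid value is matched against either the user's full DN (as in this tree) or the bare uid (the usual posixGroup form); the helper names are mine.

```python
# Constructed from the LDIF in the thread, cut to what the membership check
# reads; cn=snap also gets a bare-uid member (the standard posixGroup form).
LDIF = """\
dn: ou=users,dc=snapteam,dc=org
objectClass: organizationalUnit
ou: users

dn: cn=admins,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: admins
memberUid: uid=snapadmin,ou=users,dc=snapteam,dc=org

dn: cn=snap,ou=groups,dc=snapteam,dc=org
objectClass: posixGroup
cn: snap
memberUid: joels
memberUid: uid=snapadmin,ou=users,dc=snapteam,dc=org
"""
# xwiki.cfg values from the thread (group_mapping cut to two entries).
GROUP_CLASSES = {"posixgroup"}
GROUP_MEMBERFIELDS = ("memberuid",)
GROUP_MAPPING = {
    "XWiki.XWikiAdminGroup": "cn=admins,ou=groups,dc=snapteam,dc=org",
    "XWiki.SnapGroup": "cn=snap,ou=groups,dc=snapteam,dc=org",
}

def parse_ldif(text):
    """Minimal LDIF reader: DN -> {lowercased attribute: [values]}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

ENTRIES = parse_ldif(LDIF)

def group_members(group_dn):
    """Member values, or None when no configured group class is present (ou=users)."""
    entry = ENTRIES.get(group_dn)
    if entry is None or not GROUP_CLASSES & {c.lower() for c in entry["objectclass"]}:
        return None
    return {m for f in GROUP_MEMBERFIELDS for m in entry.get(f, [])}

def is_member(user_dn, group_dn):
    """True when the member list holds the user's full DN or bare uid (assumed rule)."""
    members = group_members(group_dn) or set()
    uid = user_dn.split(",", 1)[0].split("=", 1)[1]
    return user_dn in members or uid in members

def xwiki_groups_for(user_dn):
    """group_mapping applied: the XWiki groups this user would be synced into."""
    return sorted(x for x, g in GROUP_MAPPING.items() if is_member(user_dn, g))
```

With user_group unset, only xwiki_groups_for decides group membership, which is the configuration Thomas recommends for a tree where ou=users holds everyone.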
participants (2)
- Joel Schuster
- Thomas Mortagne