Help with Kerberos SSO

I have a working XWiki WAR install in Jetty on CentOS 7 that can do LDAP authentication against my 2012 R2 AD environment. I would like to also enable SSO for a better end user experience.

The Kerberos SSO Authentication in the AdminGuide (https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Authentication/) mentions Tomcat, Apache, mod_jk, and mod_auth_kerb. I would really like to do this on Jetty instead; has anyone implemented this use case? Jetty seems to also support SPNEGO and has similar Kerberos options to Tomcat to pass credentials (https://wiki.eclipse.org/Jetty/Howto/Spnego). I have reasonable experience with SPNs and have Kerberos authentication working elsewhere in my environment, e.g. PostgreSQL on Linux talking to AD.

When I enable the Jetty SPNEGO options I can’t get SSO (any auth method) to work. I tried the AppServerTrustedKerberosAuthServiceImpl, XWikiAuthServiceImpl, and XWikiLDAPAuthServiceImpl.

The main reason I want to do this with Jetty is that CentOS doesn’t have packages for those Apache modules, so I’d have to compile them. I am open to trying that route if someone has a detailed guide, but I couldn’t find anything. All the SSO information also seems very old; has anyone used this recently?

My troubleshooting is complicated by the fact that I can’t make anything log in any kind of useful manner. I tried the Logging Application, but enabling DEBUG on any LDAP or auth plugins doesn’t give me any additional output anywhere. I would expect messages on the console when users log in. Putting -Dorg.eclipse.jetty.LEVEL=debug in the start.ini of Jetty produces tons of output on the console, so much that I can’t see anything useful.

If anyone has any helpful suggestions it would be most appreciated.

Thanks,

Scott
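The two checks a practitioner would run before touching the XWiki authenticator at all are (1) that the keytab Jetty loads actually contains the HTTP/<fqdn> SPN the browser will request a ticket for, and (2) that Jetty's logging is narrowed to the security package instead of the whole org.eclipse.jetty tree, which is what drowns the console in the post above. The script below is an added example and not code from the thread or from the XWiki or Jetty projects; the host name wiki.example.com, realm EXAMPLE.COM, keytab path and the embedded `klist -k` listing are constructed assumptions. The Jetty per-package LEVEL properties and the JDK `sun.security.krb5.debug` / `sun.security.jgss.debug` flags are real settings.

```shell
#!/bin/sh
# SPNEGO pre-flight for an XWiki-on-Jetty host. Added example, not from the thread.
# Assumptions: service host wiki.example.com, realm EXAMPLE.COM,
# keytab /etc/xwiki/http.keytab, Jetty 9 base directory with a resources/ dir.

# has_http_spn LISTING HOST REALM
# Returns 0 if LISTING (the text printed by `klist -k <keytab>`) contains the
# principal HTTP/HOST@REALM. Browsers ask the KDC for exactly this SPN, so a
# keytab that only holds host/HOST@REALM or a user principal cannot decrypt
# the ticket and SPNEGO silently falls back to the next auth method.
has_http_spn() {
    listing=$1; host=$2; realm=$3
    printf '%s\n' "$listing" | grep -q "[[:space:]]HTTP/${host}@${realm}\$"
}

# jetty_logging_properties
# Prints a jetty-logging.properties that keeps Jetty at WARN except for the
# security package, where the SPNEGO login handler lives. Dropping this file in
# ${jetty.base}/resources/ replaces -Dorg.eclipse.jetty.LEVEL=debug in start.ini.
jetty_logging_properties() {
    cat <<'EOF'
org.eclipse.jetty.LEVEL=WARN
org.eclipse.jetty.security.LEVEL=DEBUG
EOF
}

# krb5_debug_flags
# JVM flags that make the JDK Kerberos and GSS layers print why a ticket was
# accepted or rejected (wrong SPN, clock skew, encryption type mismatch, ...).
krb5_debug_flags() {
    printf '%s' '-Dsun.security.krb5.debug=true -Dsun.security.jgss.debug=true'
}

# Constructed sample of `klist -k /etc/xwiki/http.keytab` output so the script
# can be exercised offline. On a real host replace it with:
#   SAMPLE_KLIST=$(klist -k /etc/xwiki/http.keytab)
SAMPLE_KLIST='Keytab name: FILE:/etc/xwiki/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/wiki.example.com@EXAMPLE.COM'

main() {
    if has_http_spn "$SAMPLE_KLIST" wiki.example.com EXAMPLE.COM; then
        echo "ok: keytab holds HTTP/wiki.example.com@EXAMPLE.COM"
    else
        echo "missing SPN HTTP/wiki.example.com@EXAMPLE.COM in keytab" >&2
        exit 1
    fi
    echo "--- put this in \${jetty.base}/resources/jetty-logging.properties ---"
    jetty_logging_properties
    echo "--- add to JAVA_OPTIONS while debugging ---"
    echo "$(krb5_debug_flags)"
}

# Run with: sh preflight.sh run
if [ "${1:-}" = run ]; then main; fi
```

Once the SPN check passes and the narrowed logging is in place, `curl --negotiate -u : -v https://wiki.example.com/xwiki/` from a domain-joined client with a fresh `kinit` shows whether Jetty is actually sending `WWW-Authenticate: Negotiate` and whether the client's ticket is accepted, which separates a Jetty/keytab problem from an XWiki authenticator problem.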

Did you ever get anywhere with this?

Sorry to necro an old thread, but it might help someone.

Actually yes. When I upgraded to XWiki 11, I attempted to get SSO working again. I had to give up on Jetty/nginx and switch to Apache Tomcat/httpd. However, then everything did work.

I don’t really know why I didn’t go this route to begin with. I think it was because some documentation said mod_jk wasn’t available for RHEL/CentOS 7 and I didn’t want to start compiling from scratch; however, it wasn’t even needed.