LDAP Configuration Help

I’m trying to set up LDAP for my XWiki installation, but it isn’t working. It always returns “Error: Invalid credentials” when I try to log in. My xwiki.cfg looks like this:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.server=<server>
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=<domain>\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=cn
xwiki.authentication.ldap.base_DN=dc=<domain>,dc=<suffix>
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail,phone=telephoneNumber
xwiki.authentication.ldap.update_user=1

Note that <server>, <domain>, and <suffix> have the proper values in the actual file.

I have tried using a service account in “xwiki.authentication.ldap.bind_DN” and “xwiki.authentication.ldap.bind_pass”, and I’ve tried using “xwiki.authentication.ldap.UID_attr=sAMAccountName” instead of cn.

Note also that I have an existing XWiki 7.1.2 install, and am trying to install this new version (11.1) on a new server and migrate the data. These settings work fine in 7.1.2, but I’m using the LDAP extension in 7.1.2 and am trying to do this via the xwiki.cfg this time.

Any idea what I’m doing wrong?

7.1.2 settings should work the same (except that there is new stuff) with the LDAP authenticator extension, since it’s actually the same authenticator, which was renamed (so the only difference should be the authclass). Are those exactly the same?

If your LDAP server is Active Directory then your UID_attr looks wrong; it’s generally sAMAccountName.

When you are not sure what’s wrong with your setup, the best approach is generally to enable the debug log: see https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HEnableLDAPdebuglog. It gives you a detailed step-by-step account of what the authenticator tries to do and the answers it gets from the server.

The LDAP Authenticator Extension is now paid, so I’m trying to get by without using it. It was free in 7.1.2.

I tried using sAMAccountName, with no luck.

I also tried enabling debug log, and saw absolutely nothing in the log from LDAP. I saw other things in the log, but nothing from LDAP.

No, it’s not, as you can see on https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/. You are mixing it up with the Active Directory authenticator, which has never been free.

Again, the LDAP authenticator has just been extracted from XWiki Standard as an optional extension, but it’s still the same thing; you just need to install it.

Oh, then you mean the one that I already have, the documentation for which tells you to do exactly what I’m trying to do above.

Not to sound crass, but that’s exactly what I’m doing. I’m trying to configure that extension.

After changing to “all extensions” from “recommended” I found the “LDAP Application”, which is what I was using in 7.1.2. I’m going to play with that for a bit and see if I can get that to work.

It worked fine once I used the “Legacy LDAP Authenticator.” Again, the key was to not look only at recommended extensions, but to look at all extensions.

The only difference between “Legacy LDAP Authenticator” and “LDAP Authenticator” (which is tagged as recommended) is the value of the “xwiki.authentication.authclass” property, which stays the same as in 7.1.2. It’s just a bridge to the new one.