LDAP Configuration Issue

Good day all. I am having an issue setting up my LDAP, I followed the step by step processes and have viewed the other threads regarding it, and by all that I have read it should be working (at least according to my limited knowledge). I enabled logging, kindly the output below, as well as the general setting I am using in the LDAP Auth app. Any help is greatly appreciated as always. I have changed the ip and loging details to XXXXXX for security reasons, otherwise they contain the standard details such as ip address and login name etc.

2017-09-13 09:09:16,147 [http://XXXXXXXXXXXX/xwiki/bin/loginsubmit/XWiki/XW ikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against X Wiki DB
2017-09-13 09:09:16,151 [http://XXXXXXXXXXXX/xwiki/bin/loginsubmit/XWiki/XW ikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [XXXXXXXXXXXX@XXXXXXXX.XXXX]
2017-09-13 09:09:16,151 [http://XXXXXXXXXXXX/xwiki/bin/loginsubmit/XWiki/XW ikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2017-09-13 09:09:16,258 [http://XXXXXXXXXXXX/xwiki/bin/jsx/TaskManager/Task ManagerSheet?language=en&docVersion=1.1] TRACE x.c.l.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
2017-09-13 09:09:16,258 [http://XXXXXXXXXXXX/xwiki/bin/jsx/TaskManager/Task ManagerSheet?language=en&docVersion=1.1] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the u ser is in non logged mode.
2017-09-13 09:09:16,258 [http://XXXXXXXXXXXX/xwiki/bin/jsx/TaskManager/Task ManagerSheet?language=en&docVersion=1.1] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2017-09-13 09:09:16,449 [http://XXXXXXXXXXXX/xwiki/bin/get/TourCode/TourJso n?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] TRACE x.c.l.XWikiLDAP AuthServiceImpl - Starting LDAP authentication
2017-09-13 09:09:16,450 [http://XXXXXXXXXXXX/xwiki/bin/get/TourCode/TourJso n?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] DEBUG x.c.l.XWikiLDAP AuthServiceImpl - The provided user is null. We don’t try to authenticate, it pr obably means the user is in non logged mode.
2017-09-13 09:09:16,450 [http://XXXXXXXXXXXX/xwiki/bin/get/TourCode/TourJso n?xpage=plain&outputSyntax=plain&tourDoc=XWiki.XWikiLogin] DEBUG x.c.l.XWikiLDAP AuthServiceImpl - XWikiUser: null

The log you pasted is missing the actual authentication, it’s starting after it.

That’s all I am getting when I run the “tail -f /var/log/tomcat7/catalina.out” command. Unless theres a way to get more details, that’s all its showing me.

Heres a more detailed look at the log, hope this helps.

org.xwiki.contrib.ldap.XWikiLDAPException: Error number 0 in 5: LDAP bind failed with LDAPExcept$
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:227)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:155)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAu$
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthService$
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl$
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.ja$
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.ja$
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.ja$
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.jav$
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.ja$
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3812)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(X$
at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiC$
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3830)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4894)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:364)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:210)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:$
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:112)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHead$
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(Save$
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetC$
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:134)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterCha$
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:$
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:221)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:436)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java$
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol$
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.novell.ldap.LDAPException: Invalid Credentials
at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPConnection.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPConnection.bind(Unknown Source)
at com.novell.ldap.LDAPConnection.bind(Unknown Source)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.bind(XWikiLDAPConnection.java:261)
at org.xwiki.contrib.ldap.XWikiLDAPConnection.open(XWikiLDAPConnection.java:223)

Yes better But still missing some stuff, you should have a log right before this error indicating what DN it’s trying to bind with.

So as far as I can see here your issues is that you entered wrong uid/password in the login form or the pattern you used to generate the DN in your configuration is wrong.

Managed to get the full catalnina output log for a given event, kindly see attached text file

If it will be helpful, I can upload images of the full config for the ldap application as well.

Catalina output.txt (11.8 KB)

So according to the log XWiki tried to authenticate on the LDAP server with the DN cn=firstname.lastname,dc=company,dc=co,dc=zm and the password you gave it in the login form and the server answered that this those credentials are wrong (so either the DN does not exist or the password is wrong).

So as I suggested in the previous message either the pattern you indicated in the configuration is wrong or you simply made a mistake when you entered the uid/password in the login form.

I guess the next step is to use some LDAP client an do some tests with it directly (try the DN you gave XWiki, the password, etc.). See http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HLDAPclients for some suggestions.

LdapConf.txt (11.0 KB)

Thanks for link. I have since tweaked my config file since then, and obtained the correct DN’s using the clients, but sadly still stumped. Even though I am able to use said clients with virtually the same parameters. Kindly look through my config text, maybe I am messing up there in the format I am using. I should mention I am using active directory ldap if that changes anything

Ps. I also tried changing the bind to this but still no avail:

xwiki.authentication.ldap.bind_DN=CN={0},OU=IT,OU=group,DC=domain,DC=co,DC=zm
xwiki.authentication.ldap.bind_pass={1}

with groupings following this format:
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAllGroup=CN=DL-MIS,OU=IT,OU=group,DC=domain,DC=co,DC=zm|
XWiki.LDAPusers=OU=IT,OU=group,DC=domain,DC=co,DC=zm

As always, your help is greatly appreciated.

So what log do you have now ? Still the exact same credentials error ?

You might want to take a look at http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/#HActiveDirectory.

I have this as my current setup, used it yesterday, unless I was using the bind wrongly:
xwiki.authentication.ldap.bind_DN=subdomain\{0}

Can anyone show me a more practical example of the above bind… eg if companies name is subdomain is “ocelot” and base DN is dc=ocelot, dc=co,dc=zm, would that mean the link would be : xwiki.authentication.ldap.bind_DN=ocelot{0}??

Oh and yes, I am still getting the credentials error in the log.

I also have another question, does the xwiki.cfg file overwrite the configurations done on the LDAP authentication application?

We use a functional user “wiki_bind” to perform the LDAP bind as our users are in different OUs. Even if that’s not the case in your environment, do you get the same error when trying to use a specific user for the bind?

Our config looks quite similar to yours, I just removed the SSL and SSO bits that are not needed, especially when debugging.

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=domaincontroller.company.com
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=CN=wiki_bind,OU=functional_users,OU=site_1,OU=company,DC=company,DC=com
xwiki.authentication.ldap.bind_pass=Password1234
xwiki.authentication.ldap.base_DN=OU=company,DC=company,DC=com
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=some_group_mappings

No it’s the opposite. The authenticator look at wiki level preference and then fallback on xwiki.cfg.

Good morning all, thanks to both your tips @tmortagne and @Johannes, I managed to link ldap. It was due the binding I was using not having the appropriate permissions. I used Johannes example and we created an account specifically for binding. Still have an issue with the permissions and grouping. Can I use the same binding for group mapping as well if I simply want to have them all fall under a general login?? Eg:

xwiki.authentication.ldap.group_mapping=XWiki.Somegroup= CN=CN=wiki_bind,OU=functional_users,OU=site_1,OU=company,DC=company,DC=company

Because users can login in well and good, but I cant seem to assign them to groups(and they have full admin rights). They exists in the xiwikiall group, but they don’t seem to be bound to whatever group class I state when placing the settings.

As always, your help is greatly appreciated.

The part

wiki.authentication.ldap.group_mapping

is for the acutal group mapping itself.

xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=(cn=WikiAdmins)|XWiki.SomeWikiGroup=(cn=SomeADGroup)

where WikiAdmins or SomeADGroup are the common names of your AD-Groups you want to map to the XWiki groups.

Ahhhhhh, corrected and they are being assigned to the correct groups. Now I am still stuck with the permissions issue. I have set the permissions for the set group to ONLY view and comment, and set the edit and delete sections to be set to none accessible. It works just fine when I use the wiki login, but when I login in with the ldap login, they still have all their permissions. Have you ever experienced this?