Two Questions about LDAP Authenticator

Hi,

I hope an LDAP Authenticator (free) programmer or expert can help me. Currently we authenticate our users via LDAP on port 389 (without encryption). This works wonderfully. Our XWiki version is 11.10.10.

Now we must reconfigure our LDAP Authenticator so that it encrypts the LDAP communication.

There are two ways this can be achieved:

1.) Use LDAP via port 389 with SASL and LDAP encryption, or (the better way):
2.) Use LDAPS via port 636

Now my questions:
Regarding point 1, I couldn't find anything on the info site https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/ about how to activate this. Is it maybe activated by default?

Regarding point 2 (use LDAPS via port 636), I tried to reconfigure xwiki.cfg with these parameters:
changed: xwiki.authentication.ldap.port=636 (from 389)
and added the line: xwiki.authentication.ldap.ssl=1

But unfortunately, with these parameters LDAPS didn't work (no login possible).

I reconfigured other applications, and they work fine.

Maybe a hint:
On this site (https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/) it is explained that I must additionally add a keystore file (truststore). But is that really necessary? Other Linux applications don't need that. And for my colleagues I want to implement this as simply as possible, so that nobody replaces the certificate on the domain controllers and forgets to change it on the XWiki server as well.

Thank you very much for your help.

With best regards

Knight01

hi @Knight01

LDAPs is the way to go.

I think you have to adapt the settings below in xwiki.cfg to your needs and add your LDAP certificate, which is bound to port 636 on the LDAP server, to the Java keystore like this: https://docs.oracle.com/cd/E19509-01/820-3399/ggfrj/index.html

#-# [Since 1.3M2]
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
# xwiki.authentication.ldap.ssl=0

#-# [Since 1.3M2]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=

#-# [Since 1.5M1]
#-# The java secure provider used in SSL connection
#-# The default is com.sun.net.ssl.internal.ssl.Provider
# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider

Remember to change your ldap connection from port 389 to 636 afterwards.

#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
#-# The default host is localhost
xwiki.authentication.ldap.server=localhost
#-# The default port is 389 (636 if xwiki.authentication.ldap.ssl is enabled)
xwiki.authentication.ldap.port=636

Hi jwielsch,

thank you for your quick response.

As written in my post, I don't understand why, and we will not use fixed certificates on the client side for something like that. Especially since in other applications like Snipe-IT etc. LDAPS works without keystore files and fixed domain controller certificates.

It would be great if that worked so easily in XWiki too. Does anyone have a clue whether this is possible, or how to do it with LDAP via port 389 with SASL and LDAP encryption?

With best regards

Knight01

I can't answer that. Sorry.

SASL is, IMHO, not the right way. Recently Microsoft set new requirements for connecting to Active Directory, and they are going the TLS/SSL way.

Hi guys,

I have been trying for 6 weeks to get this running --> BUT IT WON'T WORK.

I would be very thankful for any help:

If I set the following parameters in my xwiki.cfg (LDAP), everything works fine:

#LDAP
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap=1

If I change the configuration to this --> Active Directory LDAP doesn't work anymore:
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
xwiki.authentication.ldap.ssl.keystore=/data/xwiki/DC.keystore

@vmassol or @jwielsch --> Do you two or any other forum member have an idea?

Unfortunately I see no error in the Tomcat log, so I have no clue where to search.

My other applications work fine with LDAPS.

For any help --> THANK YOU VERY MUCH!!!

Hi @Knight01,

Since we don't use LDAPS I cannot help you, sorry. It seems that you've done everything right.

Are there no logs when setting LDAP logging to debug?


Hi jwielsch,

first, thanks for your answer.

I set it in the config file to "Trace".

But I didn't get more information than this in the Tomcat log file:

  • The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode
  • XWikiUser: null
  • Starting LDAP authentication
  • LDAP authentication failed: LDAP not activ
  • LDAP authentication failed for user [xwikiadtestuser]

Unfortunately, Microsoft will not allow unencrypted LDAP connections to the DCs anymore in 2021. So we must also migrate XWiki to LDAPS.

Can you insert the full message from the logs, please?

Hi jwielsch,

sure. Here they are:


2020-10-30 15:00:52,047 [XWiki initialization] INFO .HibernateDataMigrationManager - Storage schema updates and data migrations are enabled
2020-10-30 15:00:52,213 [XWiki initialization] INFO .HibernateDataMigrationManager - No data migration to apply for wiki [xwiki] currently in version [1138000]
2020-10-30 15:00:52,214 [XWiki initialization] INFO .HibernateDataMigrationManager - Checking Hibernate mapping and updating schema if needed for wiki [xwiki]
2020-10-30 15:01:03,290 [org.xwiki.search.solr.internal.job.IndexerJob@76164bc0([solr, indexer])] INFO o.x.s.s.i.j.IndexerJob - Starting job of type [solr.indexer] with identifier [[solr, indexer]]
2020-10-30 15:01:05,724 [org.xwiki.search.solr.internal.job.IndexerJob@76164bc0([solr, indexer])] INFO o.x.s.s.i.j.IndexerJob - 1721 documents added, 1721 deleted and 0 updated during the synchronization of the Solr index.
2020-10-30 15:01:05,725 [org.xwiki.search.solr.internal.job.IndexerJob@76164bc0([solr, indexer])] INFO o.x.s.s.i.j.IndexerJob - Finished job of type [solr.indexer] with identifier [[solr, indexer]]
2020-10-30 15:01:05,880 [http://companywiki:8082/xwiki/bin/view/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:05,899 [http://companywiki:8082/xwiki/bin/view/Main/] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:06,009 [http://companywiki:8082/xwiki/bin/login/XWiki/XWikiLogin?srid=JdNiA9gR&xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DJdNiA9gR] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:06,010 [http://companywiki:8082/xwiki/bin/login/XWiki/XWikiLogin?srid=JdNiA9gR&xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F%3Fsrid%3DJdNiA9gR] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:14,054 [http://companywiki:8082/xwiki/bin/skin/skins/flamingo/flamingo.min.js?cache-version=1597737344000&language=de] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:14,054 [http://companywiki:8082/xwiki/bin/skin/skins/flamingo/flamingo.min.js?cache-version=1597737344000&language=de] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:14,061 [http://companywiki:8082/xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1597737354000&defer=false&language=de] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:14,061 [http://companywiki:8082/xwiki/bin/skin/resources/js/xwiki/xwiki-min.js?cache-version=1597737354000&defer=false&language=de] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:14,088 [http://companywiki:8082/xwiki/bin/skin/resources/uicomponents/async/async.js?cache-version=1597737354000] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:14,088 [http://companywiki:8082/xwiki/bin/skin/resources/uicomponents/async/async.js?cache-version=1597737354000] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:14,099 [http://companywiki:8082/xwiki/bin/skin/resources/js/scriptaculous/effects.js?cache-version=1597737352000] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:14,099 [http://companywiki:8082/xwiki/bin/skin/resources/js/scriptaculous/effects.js?cache-version=1597737352000] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:14,279 [http://companywiki:8082/xwiki/bin/skin/resources/icons/xwiki/noavatar.png?cache-version=1597736868000] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:14,279 [http://companywiki:8082/xwiki/bin/skin/resources/icons/xwiki/noavatar.png?cache-version=1597736868000] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:22,220 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:22,221 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - remoteUserParser: null
2020-10-30 15:01:22,247 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
2020-10-30 15:01:22,247 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
2020-10-30 15:01:22,248 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed: LDAP not activ
2020-10-30 15:01:22,248 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2020-10-30 15:01:22,311 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [xwikiadtestuser]
2020-10-30 15:01:22,311 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] WARN nticationFailureLoggerListener - Authentication failure with login [xwikiadtestuser]
2020-10-30 15:01:22,346 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:29,846 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:29,846 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - remoteUserParser: null
2020-10-30 15:01:29,846 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
2020-10-30 15:01:29,846 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
2020-10-30 15:01:29,846 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed: LDAP not activ
2020-10-30 15:01:29,846 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2020-10-30 15:01:29,847 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [xwikiadtestuser]
2020-10-30 15:01:29,847 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] WARN nticationFailureLoggerListener - Authentication failure with login [xwikiadtestuser]
2020-10-30 15:01:29,847 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:37,067 [XWiki Solr index thread] WARN o.a.p.p.f.PDType1Font - Using fallback font LiberationSans for base font Symbol
2020-10-30 15:01:37,067 [XWiki Solr index thread] WARN o.a.p.p.f.PDType1Font - Using fallback font LiberationSans for base font ZapfDingbats
2020-10-30 15:01:37,569 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c74 (74) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:37,571 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c76 (76) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:37,572 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c77 (77) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:37,640 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c71 (71) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:38,434 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c74 (74) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:38,436 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c76 (76) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:38,436 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c77 (77) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:38,481 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for c71 (71) in font VUNAPB+Wingdings-Regular
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - The provided user is null. We don’t try to authenticate, it probably means the user is in non logged mode.
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - remoteUserParser: null
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, posixgroup, apple-group, groupofuniquenames, dynamicgroup, groupwisedistributionlist, group, dynamicgroupaux]
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG o.x.c.l.XWikiLDAPConfig - ldap_group_memberfields: [uniquemember, memberuid, member]
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed: LDAP not activ
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - LDAP authentication failed for user [xwikiadtestuser]
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] WARN nticationFailureLoggerListener - Authentication failure with login [xwikiadtestuser]
2020-10-30 15:01:58,215 [http://companywiki:8082/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG x.c.l.XWikiLDAPAuthServiceImpl - XWikiUser: null
2020-10-30 15:01:59,430 [XWiki Solr index thread] WARN o.a.p.p.f.PDTrueTypeFont - Using fallback font ‘LiberationSerif-Bold’ for ‘TimesNewRomanPS-BoldMT’
2020-10-30 15:01:59,431 [XWiki Solr index thread] WARN o.a.p.p.f.PDTrueTypeFont - Using fallback font ‘LiberationSerif’ for ‘TimesNewRomanPSMT’
2020-10-30 15:01:59,459 [XWiki Solr index thread] WARN o.a.p.p.f.PDTrueTypeFont - Using fallback font ‘LiberationSerif-BoldItalic’ for ‘TimesNewRomanPS-BoldItalicMT’
2020-10-30 15:01:59,551 [XWiki Solr index thread] WARN o.a.p.p.f.PDTrueTypeFont - Using fallback font ‘LiberationSerif-Bold’ for ‘TimesNewRomanPS-BoldMT’
2020-10-30 15:01:59,552 [XWiki Solr index thread] WARN o.a.p.p.f.PDTrueTypeFont - Using fallback font ‘LiberationSerif’ for ‘TimesNewRomanPSMT’
2020-10-30 15:01:59,588 [XWiki Solr index thread] WARN o.a.p.p.f.PDTrueTypeFont - Using fallback font ‘LiberationSerif-BoldItalic’ for ‘TimesNewRomanPS-BoldItalicMT’
2020-10-30 15:02:00,423 [XWiki Solr index thread] WARN o.a.f.t.CmapSubtable - Format 14 cmap table is not supported and will be ignored
2020-10-30 15:02:00,867 [XWiki Solr index thread] WARN o.a.f.t.CmapSubtable - Format 14 cmap table is not supported and will be ignored
2020-10-30 15:02:01,760 [XWiki Solr index thread] WARN o.a.p.p.f.PDSimpleFont - No Unicode mapping for barb1left (1) in font HLVIJR+Wingdings3

This means that you did not enable LDAP authentication. This is the xwiki.authentication.ldap property in https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HGenericLDAPconfiguration

Sorry, I attached the wrong log file…

Found the solution:

Remove the xwiki.authentication.ldap.ssl.keystore parameter from xwiki.cfg.

Now the debug logs show "all" problems.

I added my certificate authority certs to the Java cacerts keystore and now it works like a charm.

Still, thanks to everyone.
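The two failure modes in this thread (the `xwiki.authentication.ldap=1` switch missing, which the log reports as "LDAP not activ", and an `ssl.keystore` entry that silently replaces the JVM's default truststore) are both visible in xwiki.cfg before anyone tries to log in. The following is an added example, not code from the XWiki project or from anyone in this thread: a small Python linter that reads the `xwiki.authentication.ldap*` properties out of xwiki.cfg and flags those pitfalls, plus a helper that builds the `keytool -importcert` command for adding the CA certificate to the Java cacerts file (the approach the solution post ends up with). The property names are the real ones from xwiki.cfg as quoted above; the checks, the hostname `dc01.example.local`, the CA file path and the sample configs are this example's own assumptions.

```python
"""Lint the LDAP section of an XWiki xwiki.cfg for the pitfalls seen in this thread.

Added example (not part of the XWiki LDAP Authenticator). Property names are the
real xwiki.cfg keys; the checks and sample data below are assumptions of this example.
"""
import os

LDAP_PREFIX = "xwiki.authentication.ldap"


def parse_cfg(text):
    """Return the active (uncommented) xwiki.authentication.ldap* properties as a dict.

    '#-#' documentation lines and '# key=value' disabled entries are ignored, exactly
    as the properties loader ignores them, so a commented-out setting is not "set".
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith(LDAP_PREFIX):
            props[key] = value
    return props


def lint_ldap(props, path_exists=os.path.exists):
    """Return a list of (severity, message) findings for the parsed properties.

    path_exists is injectable so the check can be exercised without a real filesystem.
    """
    findings = []
    enabled = props.get(LDAP_PREFIX, "0")
    ssl = props.get(LDAP_PREFIX + ".ssl", "0")
    # same default rule as the xwiki.cfg comment: 389, or 636 when ssl is enabled
    port = props.get(LDAP_PREFIX + ".port", "636" if ssl == "1" else "389")
    keystore = props.get(LDAP_PREFIX + ".ssl.keystore", "")
    server = props.get(LDAP_PREFIX + ".server", "localhost")

    if enabled != "1":
        # this is the condition behind "LDAP authentication failed: LDAP not activ"
        findings.append(("error", f"{LDAP_PREFIX} is not 1; logins fall back to the XWiki DB"))
    if ssl == "1" and port == "389":
        findings.append(("error", "ssl=1 but port=389: TLS handshake against the plaintext port"))
    if ssl == "0" and port == "636":
        findings.append(("error", "ssl=0 but port=636: plaintext LDAP sent to the LDAPS port"))
    if ssl == "0":
        findings.append(("warning", "LDAP traffic, including bind passwords, is unencrypted"))
    if keystore:
        # assumption drawn from the thread: a keystore entry bypasses the JVM cacerts
        findings.append(("warning", "ssl.keystore is set: the JVM default truststore is bypassed"))
        if not path_exists(keystore):
            findings.append(("error", f"ssl.keystore file {keystore} does not exist"))
    if server == "localhost":
        findings.append(("warning", "server is localhost (the default); is that intended?"))
    return findings


def keytool_import_command(ca_cert_path, alias, cacerts_path, storepass="changeit"):
    """Build the argv for importing a CA certificate into the JVM truststore.

    'changeit' is the stock password of the cacerts file shipped with the JDK;
    the caller must point cacerts_path at the JDK actually running Tomcat/XWiki.
    """
    return ["keytool", "-importcert", "-trustcacerts", "-noprompt",
            "-alias", alias, "-file", ca_cert_path,
            "-keystore", cacerts_path, "-storepass", storepass]


# Constructed sample configs (not the poster's real file): the broken variant has the
# keystore entry and lacks the enable switch, the fixed variant mirrors the solution post.
SAMPLE_BROKEN = """\
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=dc01.example.local
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.port=636
xwiki.authentication.ldap.ssl.keystore=/data/xwiki/DC.keystore
# xwiki.authentication.ldap=1
"""

SAMPLE_FIXED = """\
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=dc01.example.local
xwiki.authentication.ldap.ssl=1
xwiki.authentication.ldap.port=636
"""


def lint_text(text, path_exists=os.path.exists):
    """Convenience wrapper: parse then lint a whole xwiki.cfg body."""
    return lint_ldap(parse_cfg(text), path_exists=path_exists)


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(f"== {name} ==")
        for severity, message in lint_text(cfg, path_exists=lambda p: False):
            print(f"  {severity}: {message}")
    print(" ".join(keytool_import_command("/etc/pki/corp-root-ca.pem", "corp-root-ca",
                                          "/usr/lib/jvm/java/lib/security/cacerts")))
```

Run it against your real file with `lint_text(open("/path/to/xwiki.cfg").read())`. Importing the issuing CA (rather than one domain controller's leaf certificate) into cacerts is what keeps the earlier worry about certificate rotation on the DCs from breaking XWiki: as long as the DCs keep getting certificates from the same CA, nothing on the XWiki server needs to change. Note that cacerts belongs to the JDK, so a JDK upgrade can replace it and the import has to be repeated.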

hi @Knight01

Great to hear that it is working now!