Details
-
Bug
-
Resolution: Duplicate
-
Major
-
None
-
1.3
-
None
-
None
-
- Linux Redhat 5 64 bits for the web server, LDAP server, client(s)
- Open LDAP 2.3.27
- XWiki 1.3.8295 running on a Tomcat 6.0.14 with a PostgreSQL 8.2.5 database
-
LDAP group authentication
-
Description
After changing the XWiki.XWikiPreferences page (according to issue XWIKI-2201), the group mapping still doesn't work: the user is correctly authenticated and belongs to the XWiki.XWikiAll group, but not to the XWiki group mapped to the LDAP group he belongs to. I'm pretty sure the problem comes from XWiki (or my config file): I tried MediaWiki before, and the group mapping was fine.
I would have been happy to debug it myself, but I gave up after two days trying to build XWiki with Maven :-/
Here is some information. Any private info has been removed, but it should still be OK.
---------------------------------------------------------------
LDAP structure (ldif file)
---------------------------------------------------------------
dn: dc=sag,dc=test,dc=fr
objectClass: domain
dc: sag

dn: ou=utilisateurs,dc=sag,dc=test,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: utilisateurs

dn: cn=dev,ou=groupes,dc=sag,dc=test,dc=fr
objectClass: groupOfUniqueNames
objectClass: top
cn: dev
uniqueMember: uid=lorgana,ou=utilisateurs,dc=sag,dc=test,dc=fr
uniqueMember: uid=dmaul,ou=utilisateurs,dc=sag,dc=test,dc=fr
uniqueMember: uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr

dn: ou=groupes,dc=sag,dc=test,dc=fr
objectClass: organizationalUnit
objectClass: top
ou: groupes

dn: cn=operateurs,ou=groupes,dc=sag,dc=test,dc=fr
objectClass: groupOfUniqueNames
objectClass: top
cn: operateurs
uniqueMember: uid=lorgana,ou=utilisateurs,dc=sag,dc=test,dc=fr

dn: cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
objectClass: groupOfUniqueNames
objectClass: top
cn: experts
uniqueMember: uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr

dn: cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr
objectClass: groupOfUniqueNames
objectClass: top
cn: administrateurs
uniqueMember: uid=dmaul,ou=utilisateurs,dc=sag,dc=test,dc=fr

dn: uid=dmaul,ou=utilisateurs,dc=sag,dc=test,dc=fr
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Dark MAUL
sn: maul
uid: dmaul
userPassword:: XXXXX

dn: uid=lorgana,ou=utilisateurs,dc=sag,dc=test,dc=fr
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Leia ORGANA
sn: organa
uid: lorgana
userPassword:: XXXXX

dn: uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: Luke SKYWALKER
sn: skywalker
uid: lskywalk
userPassword:: XXXXX
---------------------------------------------------------------
Log entries: debug mode
This is generated while starting Tomcat, authenticating on the main page from scratch (no navigator session, no cookie) and stopping Tomcat right after the authentication.
Only the lines containing the [L|l][D|d][A|a][P|p] regexp have been kept, but I also saved the whole log file just in case.
The timestamps have been removed; the page and server info is kept only on the first line where the page appears.
---------------------------------------------------------------
http://localhost:8080/xwiki/bin/view/Main/WebHome [http-8080-1] DEBUG xwiki.XWiki - Using custom AuthClass com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.
http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Found user dn with the user object: uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Password is already supposed to be verified when bound to LDAP
DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP attributes will be used to update XWiki attributes.
DEBUG ldap.XWikiLDAPConfig - Ready to create user from LDAP with fields last_name=cn,first_name=givenName,fullname=sn,email=mail,ldap_dn=dn
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Updating existing user with LDAP attribues located at uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Ready to create user from LDAP with fields last_name=cn,first_name=givenName,fullname=sn,email=mail,ldap_dn=dn
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field ldap_dn (from LDAP attribute: dn) Value:uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field fullname (from LDAP attribute: sn) Value:skywalker
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field last_name (from LDAP attribute: cn) Value:Luke SKYWALKER
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.administrateurs cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.operateurs cn=operateurs,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.experts cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Updating group membership for the user: lskywalk
DEBUG LDAP.XWikiLDAPAuthServiceImpl - The user belongs to following XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAllGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - All defined XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.administrateurs
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.experts
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.operateurs
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAdminGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAllGroup
DEBUG ldap.XWikiLDAPUtils - Cache does not caontains group cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
com.xpn.xwiki.cache.api.XWikiCacheNeedsRefreshException
at com.xpn.xwiki.cache.impl.OSCacheCache.getFromCache(OSCacheCache.java:120)
at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:329)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:517)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:448)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:282)
DEBUG ldap.XWikiLDAPUtils - Retrieving Members of the group: cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPUtils - Cache does not caontains group cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr
com.xpn.xwiki.cache.api.XWikiCacheNeedsRefreshException
at com.xpn.xwiki.cache.impl.OSCacheCache.getFromCache(OSCacheCache.java:120)
at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:329)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:517)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:448)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:282)
DEBUG ldap.XWikiLDAPUtils - Retrieving Members of the group: cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPUtils - Cache does not caontains group cn=operateurs,ou=groupes,dc=sag,dc=test,dc=fr
com.xpn.xwiki.cache.api.XWikiCacheNeedsRefreshException
at com.xpn.xwiki.cache.impl.OSCacheCache.getFromCache(OSCacheCache.java:120)
at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:329)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:517)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:448)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:282)
DEBUG ldap.XWikiLDAPUtils - Retrieving Members of the group: cn=operateurs,ou=groupes,dc=sag,dc=test,dc=fr
http://localhost:8080/xwiki/bin/view/Main/WebHome [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Found user dn with the user object: uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Password is already supposed to be verified when bound to LDAP
DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP attributes will be used to update XWiki attributes.
DEBUG ldap.XWikiLDAPConfig - Ready to create user from LDAP with fields last_name=cn,first_name=givenName,fullname=sn,email=mail,ldap_dn=dn
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Updating existing user with LDAP attribues located at uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Ready to create user from LDAP with fields last_name=cn,first_name=givenName,fullname=sn,email=mail,ldap_dn=dn
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field ldap_dn (from LDAP attribute: dn) Value:uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field fullname (from LDAP attribute: sn) Value:skywalker
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field last_name (from LDAP attribute: cn) Value:Luke SKYWALKER
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.administrateurs cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.operateurs cn=operateurs,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.experts cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Updating group membership for the user: lskywalk
DEBUG LDAP.XWikiLDAPAuthServiceImpl - The user belongs to following XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAllGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - All defined XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.administrateurs
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.experts
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.operateurs
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAdminGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAllGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Found user dn with the user object: null
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Searching for the user in LDAP: user:lskywalk base:dc=sag,dc=test,dc=fr query:(uid=lskywalk) uid:uid
DEBUG ldap.XWikiLDAPConfig - Ready to create user from LDAP with fields last_name=cn,first_name=givenName,fullname=sn,email=mail,ldap_dn=dn
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Password is already supposed to be verified when bound to LDAP
DEBUG LDAP.XWikiLDAPAuthServiceImpl - LDAP attributes will be used to update XWiki attributes.
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Updating existing user with LDAP attribues located at uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Ready to create user from LDAP with fields last_name=cn,first_name=givenName,fullname=sn,email=mail,ldap_dn=dn
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field ldap_dn (from LDAP attribute: dn) Value:uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field fullname (from LDAP attribute: sn) Value:skywalker
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Setting XWiki field last_name (from LDAP attribute: cn) Value:Luke SKYWALKER
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.administrateurs cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.operateurs cn=operateurs,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG ldap.XWikiLDAPConfig - Groupmapping found: XWiki.experts cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
DEBUG LDAP.XWikiLDAPAuthServiceImpl - Updating group membership for the user: lskywalk
DEBUG LDAP.XWikiLDAPAuthServiceImpl - The user belongs to following XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAllGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - All defined XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.administrateurs
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.experts
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.operateurs
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAdminGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAllGroup
---------------------------------------------------------------
xwiki.cfg config file (again, only LDAP relevant lines)
---------------------------------------------------------------
#
#
# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
# new LDAP authentication service
#
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=empereur
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=uid={0},ou=utilisateurs,dc=sag,dc=test,dc=fr
xwiki.authentication.ldap.bind_pass=
# User group: commented, does not apply
xwiki.authentication.ldap.base_DN=dc=sag,dc=test,dc=fr
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.fields_mapping=last_name=cn,first_name=givenName,fullname=sn,email=mail,ldap_dn=dn
xwiki.authentication.ldap.update_user=1
xwiki.authentication.ldap.group_mapping=XWiki.administrateurs=cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr|\
XWiki.operateurs=cn=operateurs,ou=groupes,dc=sag,dc=test,dc=fr|\
XWiki.experts=cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
# Group cache expiration: commented
# xwiki.authentication.ldap.groupcache_expiration=21800
xwiki.authentication.ldap.mode_group_sync=always
xwiki.authentication.ldap.trylocal=0
# xwiki.authentication.ldap.ssl=0
# SSL keystore: commented
# xwiki.authentication.ldap.ssl.keystore=
xwiki.authentication.unauthorized_code=200
---------------------------------------------------------------
Here it is, if anyone has an idea I'll be pleased to hear about it.
Thanks a lot
Sébastien Fieux
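
An added example, not part of the original report and not XWiki's own code: a Python check that derives from the LDIF and the group_mapping value which XWiki groups a login should receive, and compares that with the membership the debug log reports. The function names and the trimmed sample data are assumptions made for this illustration; DN handling is simplified (no escaped commas, no LDIF line folding).

```python
import re

# Constructed excerpts of the report's LDIF, group_mapping value and debug log.
LDIF = """\
dn: cn=dev,ou=groupes,dc=sag,dc=test,dc=fr
uniqueMember: uid=lorgana,ou=utilisateurs,dc=sag,dc=test,dc=fr
uniqueMember: uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr

dn: cn=experts,ou=groupes,dc=sag,dc=test,dc=fr
uniqueMember: uid=lskywalk,ou=utilisateurs,dc=sag,dc=test,dc=fr

dn: cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr
uniqueMember: uid=dmaul,ou=utilisateurs,dc=sag,dc=test,dc=fr
"""
MAPPING = ("XWiki.administrateurs=cn=administrateurs,ou=groupes,dc=sag,dc=test,dc=fr|"
           "XWiki.experts=cn=experts,ou=groupes,dc=sag,dc=test,dc=fr")
LOG = """\
DEBUG LDAP.XWikiLDAPAuthServiceImpl - The user belongs to following XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.XWikiAllGroup
DEBUG LDAP.XWikiLDAPAuthServiceImpl - All defined XWiki groups:
DEBUG LDAP.XWikiLDAPAuthServiceImpl - XWiki.administrateurs
"""

def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas so plain comparison works."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def ldif_groups(ldif):
    """Map each entry DN to the set of its uniqueMember DNs."""
    groups = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = [line.split(": ", 1) for line in entry.splitlines()]
        dn = next(v for k, v in attrs if k == "dn")
        groups[norm_dn(dn)] = {norm_dn(v) for k, v in attrs if k == "uniqueMember"}
    return groups

def mapping(value):
    """Parse 'XWikiGroup=ldapDN|...'; only the first '=' separates the two sides."""
    return {x: norm_dn(d) for x, d in (i.split("=", 1) for i in value.split("|"))}

def expected(user_dn, groups, gmap):
    """XWiki groups the mapping should grant, judged from the directory alone."""
    return {x for x, d in gmap.items() if norm_dn(user_dn) in groups.get(d, set())}

def observed(log):
    """XWiki groups the log lists between the two marker lines of one login."""
    body = log.split("The user belongs to following XWiki groups:")[1]
    return set(re.findall(r"- (XWiki\.\S+)", body.split("All defined XWiki groups:")[0]))
```

The difference `expected(...) - observed(LOG)` is the set of mapped groups that the synchronisation failed to apply; an empty set means the directory and the wiki agree.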