LDAP / LDAP-87

LDAP auth only works the first time after XWiki startup

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Invalid
    • Affects Version/s: 9.4.1
    • Fix Version/s: None
    • Component/s: Authenticator
    • Labels:
      None
    • Environment:
      XWiki 11.10.2 docker version
      MySQL 5.7 docker version
      Docker version: 19.03.5 (CE)
    • Difficulty:
      Unknown
      Description

      It is found that the LDAP authentication only works after XWiki is restarted; the same account cannot log in again after it has logged out. I have captured both the debug log messages and the network capture for the investigation.

      The log files for both the success and failure cases have been uploaded (some credentials have been censored).

      I have also attached the LDAP config below:

      xwiki.cfg

      #-# LDAP authentication service
      xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
      xwiki.authentication.ldap=1
      xwiki.authentication.ldap.trylocal=1
      xwiki.authentication.ldap.update_user=1
      xwiki.authentication.ldap.server=192.168.211.111
      xwiki.authentication.ldap.port=389
      xwiki.authentication.ldap.base_DN=dc=office,dc=company,dc=com
      xwiki.authentication.ldap.bind_DN={0}@office.company.com
      xwiki.authentication.ldap.bind_pass={1}
      xwiki.authentication.ldap.UID_attr=sAMAccountName
      xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,email=mail
      xwiki.authentication.ldap.ssl=0

      Unfortunately, the network capture cannot be disclosed due to security policy. I can only sketch both the success and failure network flows, as below:

      Success LDAP login:

      #1 XWiki -> LDAP server : LDAP bindRequest(1) "username@office.company.com" simple
      #2 LDAP server -> XWiki : LDAP bindResponse(1) success
      #3 XWiki -> LDAP server : LDAP searchRequest(2) "dc=office,dc=company,dc=com" wholeSubtree
      #4 LDAP server -> XWiki : LDAP searchResEntry(2) "CN=user name,OU=organization unit name,OU=department,DC=office,DC=company,DC=com" [1 result]
      #5 XWiki -> LDAP server : LDAP bindRequest(3) "CN=user name,OU=organization unit name,OU=department,DC=office,DC=company,DC=com" simple
      #6 LDAP server -> XWiki : LDAP bindResponse(3) success
      #7 XWiki -> LDAP server : LDAP bindRequest(4) "username@office.company.com" simple
      #8 LDAP server -> XWiki : LDAP bindResponse(4) success
      #9 XWiki -> LDAP server : LDAP unbindRequest(5)
      #10 LDAP server -> XWiki : TCP reset

      Fail LDAP login:

      #1 XWiki -> LDAP server : LDAP bindRequest(1) "username@office.company.com" simple
      #2 LDAP server -> XWiki : LDAP bindResponse(1) success
      #3 XWiki -> LDAP server : LDAP searchRequest(2) "dc=office,dc=company,dc=com" wholeSubtree
      #4 LDAP server -> XWiki : LDAP searchResEntry(2) "CN=user name,OU=organization unit name,OU=department,DC=office,DC=company,DC=com" [1 result]
      #5 XWiki -> LDAP server : LDAP abandonRequest(2)
      #6 LDAP server -> XWiki : TCP reset


       

       

      In the failed LDAP login there is an "LDAP abandonRequest" sent to the LDAP server, which does not appear in the successful login packets.

      Any findings about this case will be appreciated, thank you.
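
The exchange sketched in the report, reproduced as an added example that is not part of the issue and not XWiki's or the LDAP authenticator's own code: a stdlib-only Python LDAPv3 client that encodes the bindRequest, searchRequest, abandonRequest and unbindRequest messages with the BER tags a packet capture shows, decodes the replies, and replays steps #1 to #9 of the successful flow (bind as the UPN that bind_DN={0}@office.company.com produces, using the user's own password as bind_pass={1}; search base_DN for UID_attr=sAMAccountName; bind as the resolved DN; bind as the UPN again; unbind). Host, port, DNs and the account name are placeholders taken from the report, and `replay_login` is a hypothetical helper name. With ssl=0 on port 389, exactly as in the configuration above, the password crosses the wire in clear text, so run this only in a lab or add LDAPS/STARTTLS (not implemented here).

```python
# Minimal LDAPv3 client (stdlib only) replaying the bind/search/bind sequence sketched in this
# report. Added example, not XWiki code; host, DNs and account names are placeholders.
import socket

def ber_len(n):  # BER definite length: short form < 128, else 0x80|count followed by the octets
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content): return bytes([tag]) + ber_len(len(content)) + content
def int_content(n): return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
def integer(n): return tlv(0x02, int_content(n))
def enum(n): return tlv(0x0A, int_content(n))
def octets(s): return tlv(0x04, s.encode() if isinstance(s, str) else s)

def ldap_message(msg_id, protocol_op):
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
    return tlv(0x30, integer(msg_id) + protocol_op)

def bind_request(msg_id, name, password):
    # BindRequest ::= [APPLICATION 0] SEQUENCE { version 3, name, authentication simple [0] OCTET STRING }
    return ldap_message(msg_id, tlv(0x60, integer(3) + octets(name) + tlv(0x80, password.encode())))

def search_request(msg_id, base_dn, attr, value, attrs=("1.1",)):
    # SearchRequest ::= [APPLICATION 3]: wholeSubtree(2), neverDerefAliases(0), no size/time limit,
    # typesOnly FALSE, filter equalityMatch [3] (attr=value); "1.1" asks for no attributes, DN only.
    flt = tlv(0xA3, octets(attr) + octets(value))
    selection = tlv(0x30, b"".join(octets(a) for a in attrs))
    body = octets(base_dn) + enum(2) + enum(0) + integer(0) + integer(0) + tlv(0x01, b"\x00") + flt + selection
    return ldap_message(msg_id, tlv(0x63, body))

def abandon_request(msg_id, abandoned_id):
    # AbandonRequest ::= [APPLICATION 16] MessageID, IMPLICIT: raw integer content, no inner 0x02 tag
    return ldap_message(msg_id, tlv(0x50, int_content(abandoned_id)))

def unbind_request(msg_id): return ldap_message(msg_id, b"\x42\x00")  # [APPLICATION 2] NULL

OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x42: "unbindRequest", 0x63: "searchRequest",
       0x64: "searchResEntry", 0x65: "searchResDone", 0x73: "searchResRef", 0x50: "abandonRequest"}

def read_tlv(buf, pos=0):  # -> (tag, content, position after this element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_message(buf):  # -> (messageID, operation name, operation content) for one LDAPMessage
    tag, seq, _ = read_tlv(buf)
    _, mid, pos = read_tlv(seq)
    op_tag, op, _ = read_tlv(seq, pos)
    return int.from_bytes(mid, "big", signed=True), OPS.get(op_tag, "0x%02x" % op_tag), op

def result_code(op): return int.from_bytes(read_tlv(op)[1], "big")  # LDAPResult.resultCode (0 ok, 49 bad creds)
def entry_dn(op): return read_tlv(op)[1].decode()  # SearchResultEntry.objectName

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def recv_message(sock):  # read tag + length, then exactly that many content octets
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def replay_login(host, port, upn, password, base_dn, uid_attr, uid_value, timeout=5.0):
    # Steps #1-#9 of the successful capture: bind as UPN, search by uid attribute, bind as the
    # resolved DN, bind as UPN again, unbind. Returns (resolved DN, [(messageID, op), ...]).
    trace, dns = [], []
    with socket.create_connection((host, port), timeout=timeout) as s:
        def bind(mid, name):
            s.sendall(bind_request(mid, name, password))
            rid, op, body = parse_message(recv_message(s))
            trace.append((rid, op))
            if op != "bindResponse" or result_code(body) != 0:
                raise PermissionError("bind(%d) as %r: %s resultCode %d" % (mid, name, op, result_code(body)))
        bind(1, upn)
        s.sendall(search_request(2, base_dn, uid_attr, uid_value))
        while True:
            rid, op, body = parse_message(recv_message(s))
            trace.append((rid, op))
            if op == "searchResEntry":
                dns.append(entry_dn(body))
            elif op == "searchResDone":
                break  # searchResRef (AD referrals) are skipped
        if len(dns) != 1:
            raise LookupError("expected one entry for %s=%s, got %d" % (uid_attr, uid_value, len(dns)))
        bind(3, dns[0])
        bind(4, upn)
        s.sendall(unbind_request(5))
    return dns[0], trace
```

Calling `replay_login("192.168.211.111", 389, "username@office.company.com", password, "dc=office,dc=company,dc=com", "sAMAccountName", "username")` twice in a row, with the same credentials the wiki uses, shows whether the directory itself answers the second login differently: a bind that fails stops with the server's resultCode (49 is invalidCredentials), a search that returns zero or several entries stops before the DN bind, and the returned trace can be laid next to the captured message sequence step by step. The encoders also make the numbered packets above readable in a hex dump: every LDAPMessage starts with 0x30, a bindRequest operation with 0x60, a searchRequest with 0x63 and an abandonRequest with 0x50.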

       

            People

            • Assignee: Thomas Mortagne (tmortagne)
            • Reporter: skccc (skcc)
            • Votes: 0
            • Watchers: 2