Details
- Bug
- Resolution: Invalid
- Major
- None
- 9.4.1
- None
- XWiki 11.10.2 docker version
  MySQL 5.7 docker version
  Docker version: 19.03.5 (CE)
- Unknown
Description
It is found that the LDAP authentication only works after XWiki is restarted; the same account cannot log in again after it has logged out. I have captured both the debug log messages and the network capture for the investigation.
The log files for both the success and failure cases have been uploaded (some credentials have been censored).
I have also attached the LDAP config below:
xwiki.cfg
LDAP authentication service
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.update_user=1
wiki.authentication.ldap.server=192.168.211.111
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=office,dc=company,dc=com
xwiki.authentication.ldap.bind_DN={0}@office.company.com
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,email=mail
xwiki.authentication.ldap.ssl=0
Unfortunately, the network capture cannot be disclosed due to security policy. I can only draw both the success and fail network flows as below:
Success LDAP login:
#1 Xwiki -> LDAP server : LDAP bindRequest(1) "username@office.company.com" simple
#2 LDAP server -> Xwiki : LDAP bindResponse(1) success
#3 Xwiki -> LDAP server : LDAP searchRequest(2) "dc=office,dc=company,dc=com" wholeSubtree
#4 LDAP server -> Xwiki : LDAP searchResEntry(2) "CN=user name,OU=organization unit name,OU=department,DC=office,DC=company,DC=com" [1 result]
#5 Xwiki -> LDAP server : LDAP bindRequest(3) "CN=user name,OU=organization unit name,OU=department,DC=office,DC=company,DC=com" simple
#6 LDAP server -> Xwiki : LDAP bindResponse(3) success
#7 Xwiki -> LDAP server : LDAP bindRequest(4) "username@office.company.com" simple
#8 LDAP server -> Xwiki : LDAP bindResponse(4) success
#9 Xwiki -> LDAP server : LDAP unbindRequest(5)
#10 LDAP server -> Xwiki : TCP reset
Fail LDAP login:
#1 Xwiki -> LDAP server : LDAP bindRequest(1) "username@office.company.com" simple
#2 LDAP server -> Xwiki : LDAP bindResponse(1) success
#3 Xwiki -> LDAP server : LDAP searchRequest(2) "dc=office,dc=company,dc=com" wholeSubtree
#4 LDAP server -> Xwiki : LDAP searchResEntry(2) "CN=user name,OU=organization unit name,OU=department,DC=office,DC=company,DC=com" [1 result]
#5 Xwiki -> LDAP server : LDAP abandonRequest(2)
#6 LDAP server -> Xwiki : TCP reset
Looking at the failed LDAP login, there is an "LDAP abandonRequest" sent to the LDAP server, which does not appear in the successful login packets.
Any finding about this case will be appreciated, thank you.
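A small sanity check for the xwiki.cfg LDAP settings pasted in the report, added here as an illustration (it is not part of the report or of the XWiki LDAP authenticator). It parses the key=value lines, flags any `authentication.ldap` key that does not carry the `xwiki.` prefix (the `server` line above lacks its leading `x`, so the wiki never reads it under that name), reports required LDAP settings that are therefore missing, and notes when the configured bind sends credentials over plain LDAP. The sample config is a constructed copy of the one above; the list of required keys is an assumption based on the settings the report itself uses.

```python
# Constructed copy of the LDAP settings from the report, one key per line.
# The 'server' key is reproduced as it appears there, without its leading 'x'.
SAMPLE_CFG = """\
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.update_user=1
wiki.authentication.ldap.server=192.168.211.111
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=office,dc=company,dc=com
xwiki.authentication.ldap.bind_DN={0}@office.company.com
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,email=mail
xwiki.authentication.ldap.ssl=0
"""

PREFIX = "xwiki.authentication.ldap"
# Assumed minimum set of settings needed for the bind / search / bind sequence
# shown in the report's successful login flow.
REQUIRED = ("server", "port", "base_DN", "bind_DN", "bind_pass", "UID_attr")


def parse_cfg(text):
    """Parse key=value lines; only the first '=' separates key from value,
    so values such as base_DN=dc=office,dc=company,dc=com survive intact."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_ldap_cfg(settings):
    """Return a list of findings about the LDAP settings (empty means none)."""
    findings = []
    ldap = {}
    for key, value in settings.items():
        if ".authentication.ldap" in key and not key.startswith("xwiki."):
            # A misspelled prefix means the property is never read under the
            # name the authenticator looks up, so its value is effectively absent.
            findings.append("key '%s' lacks the 'xwiki.' prefix and is not read" % key)
        elif key.startswith(PREFIX + "."):
            ldap[key[len(PREFIX) + 1:]] = value
    for name in REQUIRED:
        if name not in ldap:
            findings.append("required setting '%s.%s' is missing" % (PREFIX, name))
    if ldap.get("ssl") == "0" and ldap.get("port") == "389":
        findings.append("user credentials are bound over plain LDAP (ssl=0, port 389)")
    return findings
```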