Details
- Bug
- Resolution: Fixed
- Major
- 9.5
- None
- XWiki 9.11.7 (jetty/hsql) and 11.10.12 (Debian package)
- Unknown
Description
Same setup as for LDAP-96: have both SSO and form-based login active at the same time, and use different LDAP attributes as uids.
In that case, when e.g. SSO is used first and then someone logs in via form-based login, the following error is shown in the log:
2020-12-08 17:44:23,625 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] ERROR o.x.c.l.XWikiLDAPUtils - Unknown error with cache
org.xwiki.cache.CacheException: Cache with name [ldap.groups] already exist
at org.xwiki.cache.infinispan.internal.InfinispanCacheFactory.newCache(InfinispanCacheFactory.java:152)
at org.xwiki.cache.internal.DefaultCacheManager.createNewCache(DefaultCacheManager.java:112)
at org.xwiki.cache.internal.DefaultCacheManager.createNewCache(DefaultCacheManager.java:85)
at org.xwiki.contrib.ldap.internal.LDAPGroupsCache.getGroupCache(LDAPGroupsCache.java:103)
at org.xwiki.contrib.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:826)
at org.xwiki.contrib.ldap.XWikiLDAPUtils.isMemberOfGroup(XWikiLDAPUtils.java:866)
at org.xwiki.contrib.ldap.XWikiLDAPUtils.isMemberOfGroups(XWikiLDAPUtils.java:892)
at org.xwiki.contrib.ldap.XWikiLDAPUtils.syncGroupsMembership(XWikiLDAPUtils.java:1191)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:781)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:763)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:709)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:307)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:280)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:194)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:176)
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:167)
at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4295)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241)
at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271)
at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4313)
at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5503)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:404)
at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:218)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
[...]
As a result the user logging in is removed from all XWiki groups which are mapped to LDAP groups.
I think there are two issues here:
- either the group cache should not be recreated when using a different uid for the same LDAP server; or it should be registered with a different name for Infinispan
- if something goes wrong with the group sync, the user should keep their current groups, not get stripped of all of them
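
The second point above, sketched as an added Java example (not the LDAP authenticator's own code; `MemberSource`, `LookupFailed` and `sync` are hypothetical names, and the group mapping and directory data are constructed): a failed membership lookup is reported as an exception instead of an empty result, and the sync returns the user's current groups unchanged when any lookup fails.

```java
import java.util.*;

// Added illustration; every name here is hypothetical, not taken from the XWiki code base.
public class GroupSyncSketch {
    /** Thrown when directory membership cannot be determined (e.g. cache creation failed). */
    static class LookupFailed extends Exception {
        LookupFailed(String msg, Throwable cause) { super(msg, cause); }
    }

    /** Stand-in for the LDAP/cache lookup: returns the members or throws, never "empty on error". */
    interface MemberSource {
        Set<String> membersOf(String ldapGroup) throws LookupFailed;
    }

    /**
     * Computes the user's new wiki groups from the wiki-group -> LDAP-group mapping.
     * Changes are collected in a copy; if any lookup fails, the current groups are kept.
     */
    static Set<String> sync(String user, Set<String> current,
                            Map<String, String> wikiToLdap, MemberSource src) {
        Set<String> next = new TreeSet<>(current);
        try {
            for (Map.Entry<String, String> m : wikiToLdap.entrySet()) {
                if (src.membersOf(m.getValue()).contains(user)) {
                    next.add(m.getKey());
                } else {
                    next.remove(m.getKey()); // only after a definite "not a member" answer
                }
            }
        } catch (LookupFailed e) {
            System.err.println("group sync skipped for " + user + ": " + e.getMessage());
            return current; // a lookup error is not the same as "member of nothing"
        }
        return next;
    }

    public static void main(String[] args) {
        // Constructed sample data: one unmapped local group, two LDAP-mapped groups.
        Set<String> current = new TreeSet<>(List.of("XWiki.Editors", "XWiki.LocalOnly"));
        Map<String, String> mapping = Map.of("XWiki.Editors", "cn=editors,dc=example,dc=org",
                                             "XWiki.Admins", "cn=admins,dc=example,dc=org");
        Map<String, Set<String>> dir = Map.of("cn=editors,dc=example,dc=org", Set.of("bob"),
                                              "cn=admins,dc=example,dc=org", Set.of("alice"));
        MemberSource healthy = g -> dir.getOrDefault(g, Set.of());
        MemberSource broken = g -> {
            throw new LookupFailed("Cache with name [ldap.groups] already exist", null);
        };
        System.out.println("healthy lookup: " + sync("alice", current, mapping, healthy));
        System.out.println("failed lookup:  " + sync("alice", current, mapping, broken));
    }
}
```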