  1. LDAP
  2. LDAP-98

Group cache "already exist" error when having form based login and SSO enabled at the same time


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.5
    • Fix Version/s: 9.5.1
    • Component/s: Authenticator
    • Labels:
      None
    • Environment:
      XWiki 9.11.7 (jetty/hsql) and 11.10.12 (Debian package)
    • Difficulty:
      Unknown

      Description

      Same setup as for LDAP-96: have both SSO and form based login active at the same time, and use different LDAP attributes as uids.

      In that case when e.g. first SSO is used and then someone logs in via form based login, the following error is shown in the log:

      2020-12-08 17:44:23,625 [http://localhost:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] ERROR o.x.c.l.XWikiLDAPUtils         - Unknown error with cache 
      org.xwiki.cache.CacheException: Cache with name [ldap.groups] already exist
              at org.xwiki.cache.infinispan.internal.InfinispanCacheFactory.newCache(InfinispanCacheFactory.java:152)
              at org.xwiki.cache.internal.DefaultCacheManager.createNewCache(DefaultCacheManager.java:112)
              at org.xwiki.cache.internal.DefaultCacheManager.createNewCache(DefaultCacheManager.java:85)
              at org.xwiki.contrib.ldap.internal.LDAPGroupsCache.getGroupCache(LDAPGroupsCache.java:103)
              at org.xwiki.contrib.ldap.XWikiLDAPUtils.getGroupMembers(XWikiLDAPUtils.java:826)
              at org.xwiki.contrib.ldap.XWikiLDAPUtils.isMemberOfGroup(XWikiLDAPUtils.java:866)
              at org.xwiki.contrib.ldap.XWikiLDAPUtils.isMemberOfGroups(XWikiLDAPUtils.java:892)
              at org.xwiki.contrib.ldap.XWikiLDAPUtils.syncGroupsMembership(XWikiLDAPUtils.java:1191)
              at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:781)
              at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.syncGroupsMembership(XWikiLDAPAuthServiceImpl.java:763)
              at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:709)
              at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:373)
              at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:307)
              at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:280)
              at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:194)
              at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:176)
              at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
              at org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl.checkAuth(XWikiLDAPAuthServiceImpl.java:167)
              at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:4295)
              at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241)
              at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271)
              at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:4313)
              at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:5503)
              at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:404)
              at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:218)
              at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
              at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
              at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
              at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
      [...]
      

      As a result the user logging in is removed from all XWiki groups which are mapped to LDAP groups.

      I think there are two issues here:

      • either the group cache should not be recreated when using a different uid for the same LDAP server; or it should be registered with a different name for Infinispan
      • if something goes wrong with the group sync, the user should keep their current groups, not get stripped of all of them
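
The two points above, sketched as an added example (not code from the XWiki LDAP authenticator or from its fix): the group cache is fetched or created once per name, with the uid attribute as part of the name, and a failed membership lookup leaves the user's existing group untouched instead of removing it. All class, method and cache names are hypothetical stand-ins, and the directory data is constructed.

```java
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example with stand-in types; none of these are XWiki or LDAP authenticator classes.
public class GroupSyncExample {
    // Stand-in for the cache backend: cache name -> (LDAP group -> member uids).
    static final Map<String, Map<String, Set<String>>> CACHES = new ConcurrentHashMap<>();

    // Get-or-create under a hypothetical name that includes the uid attribute, so a
    // second login path reuses its cache instead of registering the same name twice.
    static Map<String, Set<String>> groupCache(String server, String uidAttr) {
        String name = "ldap.groups." + server + "." + uidAttr;
        return CACHES.computeIfAbsent(name, n -> new ConcurrentHashMap<>());
    }

    // Hypothetical directory lookup; throws when membership cannot be determined.
    interface Directory { Set<String> members(String ldapGroup) throws Exception; }

    // Returns the user's XWiki groups after sync. mapping is XWiki group -> LDAP group.
    static Set<String> sync(String uid, Set<String> current, Map<String, String> mapping,
            Map<String, Set<String>> cache, Directory dir) {
        Set<String> result = new TreeSet<>(current);
        for (Map.Entry<String, String> e : mapping.entrySet()) {
            Set<String> members = cache.get(e.getValue());
            if (members == null) {
                try {
                    members = dir.members(e.getValue());
                    cache.put(e.getValue(), members);
                } catch (Exception ex) {
                    continue; // "unknown" is not "not a member": keep the current state
                }
            }
            if (members.contains(uid)) result.add(e.getKey());
            else result.remove(e.getKey());
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, String> mapping = Map.of("XWiki.Admins", "cn=admins", "XWiki.Staff", "cn=staff");
        // Constructed data: the admins lookup fails, the staff lookup succeeds without alice.
        Directory dir = g -> {
            if (g.equals("cn=admins")) throw new IllegalStateException("lookup failed");
            return Set.of("bob");
        };
        System.out.println(groupCache("ldap1", "uid") == groupCache("ldap1", "uid"));
        System.out.println(sync("alice", Set.of("XWiki.Admins", "XWiki.Staff"), mapping,
            groupCache("ldap1", "cn"), dir));
    }
}
```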

            People

            Assignee:
            camil7 Clemens Robbenhaar
            Reporter:
            camil7 Clemens Robbenhaar
            Votes:
            0
            Watchers:
            2
