XWiki Platform / XWIKI-13377

LDAP authentication fails when syncing multi-values attributes

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 7.3-rc-1
    • Fix Version/s: 8.1-rc-1, 7.4.4
    • Component/s: {Unused} LDAP
    • Environment:
      Debian 8 amd64
      PostgreSQL
      Oracle JDK 1.8.0_b92
    • Tests:
      Integration
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      After upgrading from 7.1.4, the LDAP authentication for some users does not work.

      Enabling TRACE log level on LDAP-related components reveals the following error:

      2016-04-29 08:12:12,334 [http://192.168.56.52:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
      2016-04-29 08:12:12,359 [http://192.168.56.52:8080/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
      java.lang.ClassCastException: java.util.ArrayList cannot be cast to java.lang.String
              at com.xpn.xwiki.objects.BaseStringProperty.setValue(BaseStringProperty.java:45)
              at com.xpn.xwiki.objects.classes.PropertyClass.fromValue(PropertyClass.java:615)
              at com.xpn.xwiki.objects.classes.BaseClass.fromMap(BaseClass.java:413)
              at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.updateUserFromLDAP(XWikiLDAPUtils.java:1183)
              at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.syncUser(XWikiLDAPUtils.java:997)
              at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.syncUser(XWikiLDAPAuthServiceImpl.java:453)
              at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticateInContext(XWikiLDAPAuthServiceImpl.java:417)
              at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:182)
              at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:129)
              at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:272)
              at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:192)
              at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:174)
              at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:239)
              at com.xpn.xwiki.XWiki.checkAuth(XWiki.java:3623)
              at org.xwiki.security.authorization.internal.XWikiCachingRightService.authenticateUser(XWikiCachingRightService.java:241)
              at org.xwiki.security.authorization.internal.XWikiCachingRightService.checkAccess(XWikiCachingRightService.java:271)
              at com.xpn.xwiki.XWiki.checkAccess(XWiki.java:3641)
              at com.xpn.xwiki.XWiki.prepareDocuments(XWiki.java:4715)
              at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:346)
              at com.xpn.xwiki.web.XWikiAction.execute(XWikiAction.java:191)
              at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:425)
              at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:228)
              at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1913)
              at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:462)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:644)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at com.xpn.xwiki.web.ActionFilter.doFilter(ActionFilter.java:115)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.xwiki.wysiwyg.server.filter.ConversionFilter.doFilter(ConversionFilter.java:127)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:63)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:208)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:111)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:137)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
              at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
              at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1081)
              at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
              at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
              at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
              at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
              at java.lang.Thread.run(Thread.java:745)
      

      The LDAP settings (except server and bind info) are the following:

      xwiki.authentication.ldap=1
      xwiki.authentication.ldap.UID_attr=uid
      xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=cn,email=mail
      xwiki.authentication.ldap.update_user=1
      xwiki.authentication.ldap.trylocal=1
      

      When removing the synchronization for the mail LDAP attribute, connection is possible. This attribute has multiple values for the concerned accounts. When using an account with only one value, connection succeeds.
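
The failure mode reported above, as an added example that is not part of the original report and is not XWiki's code: a string-typed property that casts its input aborts the whole user sync when a mapped LDAP attribute arrives as a list. The class, the method names and the "keep the first value" policy are assumptions for illustration, not the project's actual fix; the sample entry is constructed.

```java
import java.util.*;

/** Simplified model of the failure; all names here are hypothetical, not XWiki's. */
public class MultiValueSyncDemo {

    /** Stand-in for a string-typed user property: it casts whatever it is given. */
    static String setStringProperty(Object value) {
        return (String) value; // throws ClassCastException when value is a List
    }

    /** Defensive form (assumed policy): collapse a multi-valued attribute to its first value. */
    static Object firstValue(Object value) {
        if (value instanceof List) {
            List<?> values = (List<?>) value;
            return values.isEmpty() ? null : values.get(0);
        }
        return value;
    }

    /** Applies a fields_mapping string (xwikiField=ldapAttr,...) to one LDAP entry. */
    static Map<String, String> sync(String mapping, Map<String, Object> entry, boolean normalize) {
        Map<String, String> user = new LinkedHashMap<>();
        for (String pair : mapping.split(",")) {
            String[] kv = pair.split("=", 2);
            Object value = entry.get(kv[1]);
            user.put(kv[0], setStringProperty(normalize ? firstValue(value) : value));
        }
        return user;
    }

    public static void main(String[] args) {
        // Constructed sample entry: "mail" carries two values, as in the report.
        Map<String, Object> entry = new HashMap<>();
        entry.put("sn", "Doe");
        entry.put("cn", "Jane Doe");
        entry.put("mail", new ArrayList<>(Arrays.asList("jane@example.org", "jdoe@example.org")));
        String mapping = "last_name=sn,first_name=cn,email=mail";

        try {
            sync(mapping, entry, false); // unguarded: one bad attribute fails the whole sync
        } catch (ClassCastException e) {
            System.out.println("sync aborted, login fails: " + e.getMessage());
        }
        System.out.println("normalized: " + sync(mapping, entry, true));
    }
}
```

Because the sync runs inside the login path, the unguarded cast turns a directory data-shape issue into an authentication outage for exactly the accounts that carry several values for a mapped attribute.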

            People

            • Assignee:
              tmortagne Thomas Mortagne
              Reporter:
              fcharton Florent Charton