XWiki Platform / XWIKI-2414

Support for LDAP groups where the member attributes do not contain the full dn


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.2, 1.4
    • Fix Version/s: 1.6 M1
    • Labels:
      None
    • keywords:
      ldap authentication group openldap posixGroup
    • Tests:
      Integration

      Description

      Another problem I ran into with posixGroup is that the members are listed only by their userid and not their full dn. For example, the ldif of my xwiki group:

      # xwiki, Group, example.com
      dn: cn=xwiki,ou=Group,dc=example,dc=com
      cn: xwiki
      description: Utilisateurs de XWiki
      gidNumber: 2005
      memberUid: mjeanson
      memberUid: jmdault
      memberUid: julien
      memberUid: luiggi
      objectClass: top
      objectClass: posixGroup

      Xwiki expects to have the full dn for each member attribute and so is not able to map group membership. Here is the debug output I get:

      For each member of the xwiki group:
      14:22:19,735 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] ERROR ldap.XWikiLDAPUtils - Could not find attribute uid for LDAP dn frobichaud
      14:22:19,735 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPConnection - LDAP Search failed

      LDAPException: Invalid DN Syntax (34) Invalid DN Syntax
      LDAPException: Server Message: invalid DN
      LDAPException: Matched DN:
      at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
      at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
      at com.novell.ldap.LDAPSearchResults.next(Unknown Source)
      at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.searchLDAP(XWikiLDAPConnection.java:274)
      at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.searchGroupsMembers(XWikiLDAPUtils.java:211)
      ...

      And finally:
      14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] ERROR ldap.XWikiLDAPUtils - Could not find attribute uid for LDAP dn mjeanson
      14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPUtils - Found user dn in user group:null
      14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPUtils - LDAP authentication failed: user not in LDAP user group
      14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
      14:22:19,739 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] WARN LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed.
      com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user mjeanson does not belong to LDAP group cn=xwiki,ou=Group,dc=example,dc=com.
      at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:216)
      at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:107)
      at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:195)
      at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:128)
      at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:113)
      at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:205)
      ...

      I wrote a patch that does an ldap request for each group member to find their full dn. It's clearly a hack; please understand that I am by no means a java programmer, nor a programmer at all, but I needed the ldap authentication to work.

      I think the proper solution, correct me if I'm wrong, would be to add a configuration option that allows matching ldap group membership by userid instead of the full dn.
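As an added illustration (neither the reporter's patch nor XWiki's code), the following Python sketch shows the membership resolution the report asks for: it accepts both full-DN member values (groupOfNames `member`) and bare-uid values (posixGroup `memberUid`), and resolves the latter by a user-subtree search instead of passing the uid to the server as a base DN, which is what produced the "Invalid DN Syntax (34)" error above. The directory is a constructed in-memory dictionary standing in for a real LDAP server, and the `ou=People` user base is an assumption.

```python
import re

# Constructed in-memory stand-in for the directory (DN -> attributes), replacing the
# LDAP searches a real implementation would issue. All entries are made up.
DIRECTORY = {
    "uid=mjeanson,ou=People,dc=example,dc=com": {"uid": ["mjeanson"]},
    "uid=julien,ou=People,dc=example,dc=com": {"uid": ["julien"]},
    "cn=xwiki,ou=Group,dc=example,dc=com": {  # posixGroup: bare uids, as in the ldif above
        "objectClass": ["top", "posixGroup"],
        "memberUid": ["mjeanson", "jmdault", "julien", "luiggi"],
    },
    "cn=admins,ou=Group,dc=example,dc=com": {  # groupOfNames: full DNs
        "objectClass": ["top", "groupOfNames"],
        "member": ["uid=julien,ou=People,dc=example,dc=com"],
    },
}
USER_BASE = "ou=People,dc=example,dc=com"  # assumed base of the user entries
# Simplified DN shape (attr=value pairs joined by commas); escaped commas are not handled.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")

def looks_like_dn(value):
    """True for 'cn=xwiki,ou=Group,dc=example,dc=com'; False for a bare uid such as
    'frobichaud', which must never reach the server as a search base (error 34 above)."""
    return bool(DN_RE.match(value))

def resolve_uid(uid, base=USER_BASE):
    """Stand-in for a subtree search under `base` with filter (uid=<uid>); a real
    implementation must escape `uid` per RFC 4515 before building that filter."""
    suffix = "," + base.lower()
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(suffix) and uid in attrs.get("uid", []):
            return dn
    return None  # no user entry for this uid (jmdault and luiggi in the sample)

def group_member_dns(group_dn):
    """Member DNs of a group that lists either 'member' (full DN) or 'memberUid' (bare uid).
    Bare uids are resolved to DNs; uids with no user entry are skipped, never guessed."""
    attrs = DIRECTORY.get(group_dn, {})
    dns = []
    for value in attrs.get("member", []) + attrs.get("memberUid", []):
        dn = value if looks_like_dn(value) else resolve_uid(value)
        if dn is not None:
            dns.append(dn)
    return dns

def is_member(user_dn, group_dn):
    """Membership test with case-insensitive DN comparison."""
    return user_dn.lower() in (dn.lower() for dn in group_member_dns(group_dn))
```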

            People

            Assignee: Thomas Mortagne (tmortagne)
            Reporter: Michael Jeanson (mjeanson)
            Votes: 0
            Watchers: 0
