Details
- Improvement
- Resolution: Fixed
- Major
- 1.3.2, 1.4
- None
- ldap authentication group openldap posixGroup
- Integration
Description
Another problem I ran into with posixGroup is that the members are listed only by their userid and not their full dn. For example, the LDIF of my xwiki group:
1. xwiki, Group, example.com
dn: cn=xwiki,ou=Group,dc=example,dc=com
cn: xwiki
description: Utilisateurs de XWiki
gidNumber: 2005
memberUid: mjeanson
memberUid: jmdault
memberUid: julien
memberUid: luiggi
objectClass: top
objectClass: posixGroup
Xwiki expects to have the full dn for each member attribute and so is not able to map group membership. Here is the debug output I get:
For each member of the xwiki group:
14:22:19,735 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] ERROR ldap.XWikiLDAPUtils - Could not find attribute uid for LDAP dn frobichaud
14:22:19,735 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPConnection - LDAP Search failed
LDAPException: Invalid DN Syntax (34) Invalid DN Syntax
LDAPException: Server Message: invalid DN
LDAPException: Matched DN:
at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPSearchResults.next(Unknown Source)
at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.searchLDAP(XWikiLDAPConnection.java:274)
at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.searchGroupsMembers(XWikiLDAPUtils.java:211)
...
And finally:
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] ERROR ldap.XWikiLDAPUtils - Could not find attribute uid for LDAP dn mjeanson
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPUtils - Found user dn in user group:null
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPUtils - LDAP authentication failed: user not in LDAP user group
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
14:22:19,739 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] WARN LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed.
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user mjeanson does not belong to LDAP group cn=xwiki,ou=Group,dc=example,dc=com.
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:216)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:107)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:195)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:128)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:113)
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:205)
...
I wrote a patch that does an ldap request for each group member to find their full dn. It's clearly a hack; please understand that I am by no means a java programmer, nor a programmer at all, but I needed the ldap authentication to work.
I think the proper solution, correct me if I'm wrong, would be to add a configuration option that allows matching ldap group membership by the userid instead of the full dn.
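The two membership strategies discussed in this issue, as an added example that is neither XWiki's code nor the reporter's patch: `match_by_uid=True` is the proposed configuration option (compare the user's uid with `memberUid` directly), while `match_by_uid=False` keeps DN matching and first resolves each `memberUid` to a DN with a per-member search, as the patch does. The in-memory `USERS` directory, the sample entries and the RFC 4515 filter escaping of the `memberUid` value are assumptions added here, not something the issue describes.

```python
import re
from typing import Dict, Optional

# Constructed sample data modelled on the report: the posixGroup entry and a tiny
# in-memory "directory" standing in for the LDAP server (hypothetical, not XWiki code).
GROUP_ENTRY = {
    "dn": "cn=xwiki,ou=Group,dc=example,dc=com",
    "objectClass": ["top", "posixGroup"],
    "memberUid": ["mjeanson", "jmdault", "julien", "luiggi"],
}
USERS = {
    "uid=mjeanson,ou=People,dc=example,dc=com": {"uid": ["mjeanson"]},
    "uid=frobichaud,ou=People,dc=example,dc=com": {"uid": ["frobichaud"]},
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a memberUid read from the directory must not be able to
    change the meaning of the (uid=...) filter built from it."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def build_uid_filter(uid: str) -> str:
    """The search filter a real client would send to turn a memberUid into a DN."""
    return "(uid=%s)" % escape_filter_value(uid)

def normalize_dn(dn: str) -> str:
    """Whitespace- and case-insensitive comparison, enough for the simple DNs here."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def resolve_uid_to_dn(uid: str, directory: Dict[str, dict]) -> Optional[str]:
    """Stand-in for the per-member LDAP search the reporter's patch performs.
    A real client would send build_uid_filter(uid); here the lookup is in-memory."""
    for dn, entry in directory.items():
        if uid in entry.get("uid", []):
            return dn
    return None

def is_member(user_dn: str, user_uid: str, group: dict,
              directory: Dict[str, dict], match_by_uid: bool) -> bool:
    """match_by_uid=True: the proposed config option, compare uid against memberUid.
    match_by_uid=False: DN matching, with memberUid values resolved to DNs first."""
    if match_by_uid:
        return user_uid in group.get("memberUid", [])
    candidates = list(group.get("member", []))  # groupOfNames-style full DNs, if any
    for uid in group.get("memberUid", []):
        dn = resolve_uid_to_dn(uid, directory)
        if dn is not None:
            candidates.append(dn)
    target = normalize_dn(user_dn)
    return any(normalize_dn(c) == target for c in candidates)
```

Note that in DN mode a memberUid with no resolvable user entry (julien, luiggi in the sample) silently contributes nothing, which is the failure the log lines above show as "Could not find attribute uid for LDAP dn".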