Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-4004

LDAP Users are not granted privileges of the XWiki they are in, even when the LDAP group is correctly mapped to an XWiki group.

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 1.8.3, 1.9
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      Mac OS X Server 10.5.6
    • keywords:
      ldap,access,rights,privileges
    • Difficulty:
      Unknown
    • Similar issues:

      Description

      I have set up XWiki to use LDAP for the user source, and can successfully login with my LDAP users.

      However, it seems that LDAP users are not given the access that is given to the groups they are members of. The LDAP groups seem to map correctly to the XWiki groups, and the users are shown as members of those groups, but they cannot do anything unless they are a mapped to an XWiki default group (such as XWiki.XWikiAdmin or XWiki.XWikiAllGroup

      The LDAP part of my configuration is here:

      #-# new LDAP authentication service
      xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
      
      #-# Turn LDAP authentication on - otherwise only XWiki authentication
      #-# 0: disable
      #-# 1: enable
      xwiki.authentication.ldap=1
      
      #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
      xwiki.authentication.ldap.server=127.0.0.1
      xwiki.authentication.ldap.port=389
      
      #-# LDAP login, empty = anonymous access, otherwise specify full dn
      #-# {0} is replaced with the username, {1} with the password
      xwiki.authentication.ldap.bind_DN=uid={0},cn=users,dc=subdomain,dc=domain,dc=tld
      xwiki.authentication.ldap.bind_pass={1}
      
      #-# Force to check password after LDAP connection
      #-# 0: disable
      #-# 1: enable
      xwiki.authentication.ldap.validate_password=0
      
      #-# only members of the following group will be verified in the LDAP
      #-# otherwise only users that are found after searching starting from the base_DN
      # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
      
      #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
      #-# only users not member of the following group can autheticate
      # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
      
      #-# base DN for searches
      xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=tld
      
      #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
      xwiki.authentication.ldap.UID_attr=uid
      
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" is set to 1
      # xwiki.authentication.ldap.password_field=userPassword
      
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# The potential LDAP groups classes. Separated by commas.
      xwiki.authentication.ldap.group_classes=apple-group
      
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# The potential names of the LDAP groups fields containings the members. Separated by commas.
      xwiki.authentication.ldap.group_memberfields=memberUid
      
      #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
      xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName
      
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
      xwiki.authentication.ldap.update_user=1
      
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# mapps XWiki groups to LDAP groups, separator is "|"
      xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admin,cn=groups,dc=subdomain,dc=domain,dc=tld|\
                                              XWiki.group_2=cn=group2,cn=groups,dc=subdomain,dc=domain,dc=tld|\
                                              XWiki.group1=cn=group1,cn=groups,dc=subdomain,dc=domain,dc=tld
      
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
      xwiki.authentication.ldap.groupcache_expiration=60
      
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# - create : synchronize group membership only when the user is first created
      #-# - always: synchronize on every login
      xwiki.authentication.ldap.mode_group_sync=always
      
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
      xwiki.authentication.ldap.trylocal=1
      
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# SSL connection to LDAP server
      #-# 0: normal
      #-# 1: SSL
      # xwiki.authentication.ldap.ssl=0
      
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# The keystore file to use in SSL connection
      # xwiki.authentication.ldap.ssl.keystore=
      
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# The java secure provider used in SSL connection
      # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
      
      

      My LDAP directory looks like this:

      dc=tld
      |
      dc=domain
      |
      dc=subdomain
      |\
      | \
      |  \
      |   \
      |    \
      |     \
      |       \
      |        \
      |         \
      |          \
      |           \
      |            \
      |             \
      |              \
      |               \
      |                \
      |                 \
      |                  \
      cn=users    cn=groups
      uid=user1   cn=group1
      uid=user2   cn=group2
      
      

      A typical user entry has the following attributes:

      # dignan, users, subdomain.domain.tld
      dn: uid=dignan,cn=users,dc=subdomain,dc=domain,dc=tld
      objectClass:
      uidNumber:
      apple-generateduid:
      apple-mcxflags:
      loginShell:
      userPassword:
      uid:
      cn:
      authAuthority:
      gidNumber:
      givenName:
      sn:
      apple-user-homeurl:
      homeDirectory:
      mail:
      

      A typical group entry has the following attributes:

      # group2, groups, subdomain.domain.tld
      dn: cn=group2,cn=groups,dc=subdomain,dc=domain,dc=tld
      objectClass:
      gidNumber:
      apple-generateduid:
      apple-ownerguid:
      apple-group-services:
      apple-serviceslocator:
      apple-group-realname:
      cn:
      description:
      apple-group-memberguid:
      memberUid:
      

        Attachments

          Activity

            People

            Assignee:
            tmortagne Thomas Mortagne
            Reporter:
            dignan Patrick Dignan
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Date of First Response: