XWiki Platform / XWIKI-4379

LDAP (Active Directory Windows 2003) authentication problem with users in more than one organisational unit

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.7.1
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
      xwiki 1.7.1, MS/SQL, Windows 2003
    • keywords:
      LDAP
    • Difficulty:
      Unknown

      Description

      We're having problems here with authenticating users against a Windows 2003 Active Directory.
      Our users are located in different OUs (organisational units) in the Active Directory.
      So I followed the instructions in
      http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication
      unfortunately without success.

      My search user has all rights and is working perfectly with OTRS (www.otrs.org).

      Here in XWiki, only users in one organisational unit are found?!
      For all other users I'm getting the error message: user not found

      #-------------------------------------------------------------------------------------
      # LDAP
      #-------------------------------------------------------------------------------------
      #-# new LDAP authentication service
      xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
      #-# Turn LDAP authentication on - otherwise only XWiki authentication
      #-# 0: disable
      #-# 1: enable
      xwiki.authentication.ldap=1
      #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
      #-# Can be set to a fixed IP if necessary
      xwiki.authentication.ldap.server=aohdc03.asamer.holding.ah
      #xwiki.authentication.ldap.server=asamer.holding.ah
      xwiki.authentication.ldap.port=389
      xwiki.authentication.ldap.check_level=2
      #-# LDAP login, empty = anonymous access, otherwise specify full dn
      #-# {0} is replaced with the username, {1} with the password
      #xwiki.authentication.ldap.bind_DN=CN=xWiKi,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah
      #xwiki.authentication.ldap.bind_pass=xwiki4ldap1
      xwiki.authentication.ldap.bind_DN=CN=otrs,OU=ServicesAccounts,DC=asamer,DC=holding,DC=ah
      xwiki.authentication.ldap.bind_pass=xxxyyy
      #-# Force to check password after LDAP connection
      #-# 0: disable
      #-# 1: enable
      xwiki.authentication.ldap.validate_password=0
      #-# only members of the following group will be verified in the LDAP
      #-# otherwise only users that are found after searching starting from the base_DN
      # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
      #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
      #-# only users not member of the following group can authenticate
      # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
      #-# base DN for searches
      # xwiki.authentication.ldap.base_DN=DC=asamer,DC=holding,DC=ah
      xwiki.authentication.ldap.base_DN=DC=holding,DC=ah
      #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
      xwiki.authentication.ldap.UID_attr=sAMAccountName
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# Specifies the LDAP attribute containing the password to be used when "xwiki.authentication.ldap.validate_password" is set to 1
      # xwiki.authentication.ldap.password_field=userPassword
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# The potential LDAP groups classes. Separated by commas.
      # xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# The potential names of the LDAP groups fields containing the members. Separated by commas.
      # xwiki.authentication.ldap.group_memberfields=member,uniqueMember
      #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
      # xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn
      xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=fullName,email=mail
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
      xwiki.authentication.ldap.update_user=1
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# maps XWiki groups to LDAP groups, separator is "|"
      xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=xwiki_Admin,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.ViewAllGroup=CN=xwiki_ViewAll,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.ACGroup=CN=xwiki_AC,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.CEGroup=CN=xwiki_CE,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.FNGroup=CN=xwiki_FN,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.HRGroup=CN=xwiki_HR,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.IMGroup=CN=xwiki_IM,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.INGroup=CN=xwiki_IN,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.ITGroup=CN=xwiki_IT,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.ITsecureGroup=CN=xwiki_ITsecure,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.JSGroup=CN=xwiki_JS,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.LDGroup=CN=xwiki_LD,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.PDGroup=CN=xwiki_PD,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.PDsecureGroup=CN=xwiki_PDsecure,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.PRGroup=CN=xwiki_PR,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.PTGroup=CN=xwiki_PT,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah|\
      XWiki.QAGroup=CN=xwiki_QA,OU=xWiki Groups,DC=asamer,DC=holding,DC=ah
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
      xwiki.authentication.ldap.groupcache_expiration=21800
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# - create : synchronize group membership only when the user is first created
      #-# - always: synchronize on every login
      xwiki.authentication.ldap.mode_group_sync=always
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
      xwiki.authentication.ldap.trylocal=1
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# SSL connection to LDAP server
      #-# 0: normal
      #-# 1: SSL
      # xwiki.authentication.ldap.ssl=0
      #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
      #-# The keystore file to use in SSL connection
      # xwiki.authentication.ldap.ssl.keystore=
      #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
      #-# The java secure provider used in SSL connection
      # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
      

              People

              Assignee:
              tmortagne Thomas Mortagne
              Reporter:
              fuewol Wolfgang Furtbauer
              Votes:
              0
              Watchers:
              0
