XWiki Platform / XWIKI-8068

XWiki 4.1.3, about LDAP-authentication groups restriction (xwiki.authentication.ldap.user_group)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 4.1.3
    • Fix Version/s: None
    • Environment:
      Linux 2.6.32-5-vserver-686-bigmem
    • Difficulty:
      Unknown
    • Documentation:
      N/A
    • Documentation in Release Notes:
      N/A

      Description

      XWiki 4.1.3 installed via .war to tomcat 7.0.27.

      XWiki LDAP-authentication works, except the groups restriction via
      property xwiki.authentication.ldap.user_group.

      The LDAP works and is successfully used in other environments.

      I have the following configuration in xwiki.cfg:

      #########
      xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
      xwiki.authentication.ldap=1
      xwiki.authentication.ldap.bind_DN=uid={0},ou=people,dc=ourcompany,dc=com
      xwiki.authentication.ldap.bind_pass={1}
      xwiki.authentication.ldap.base_DN=dc=ourcompany,dc=com
      #xwiki.authentication.ldap.user_group=cn=developer,ou=group,dc=ourcompany,dc=com
      xwiki.authentication.ldap.UID_attr=uid
      xwiki.authentication.ldap.group_memberfields=memberUid,member,uniqueMember
      xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
      xwiki.authentication.ldap.trylocal=0
      #########

      The XWiki LDAP messages are:

      TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
      DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
      TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
      DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, group]
      DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, memberuid, uniquemember]
      DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [192.168.12.34:389]
      DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with credentials login [uid=theuser,ou=people,dc=ourcompany,dc=com]
      DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: cn=developer,ou=group,dc=ourcompany,dc=com
      DEBUG c.x.x.p.l.XWikiLDAPUtils - Retrieving Members of the group [cn=developer,ou=group,dc=ourcompany,dc=com]
      DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[cn=developer,ou=group,dc=ourcompany,dc=com] query=[null] attr=[[objectClass, member, memberuid, uniquemember, uid]] ldapScope=[2]
      DEBUG c.x.x.p.l.XWikiLDAPUtils - Probably a organization unit or a search
      DEBUG c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=developer,ou=group,dc=ourcompany,dc=com] is not a DN, lets try filter or id
      DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=ourcompany,dc=com] query=[cn=developer,ou=group,dc=ourcompany,dc=com] attr=[[objectClass, member, memberuid, uniquemember, uid]] ldapScope=[2]
      DEBUG c.x.x.p.l.XWikiLDAPUtils - Found group [cn=developer,ou=group,dc=ourcompany,dc=com] members [null]
      DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
      com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user theuser does not belong to LDAP group cn=developer,ou=group,dc=ourcompany,dc=com.

      Now I can see that the XWiki cannot resolve the members of a group, but
      as the same LDAP is successfully used against other systems, I suspect
      that there might be an issue with XWiki here.

      E.g. the Apache authentication against the same LDAP-server (with group
      identification) is:

      <Location "/someurl">
      AuthType Basic
      AuthBasicProvider ldap
      AuthzLdapAuthoritative on
      AuthLDAPURL ldap://192.168.12.34/dc=ourcompany,dc=com?uid
      Require ldap-group cn=developer,ou=group,dc=ourcompany,dc=com
      Require ldap-attribute gidNumber=10101
      AuthLDAPGroupAttribute memberUid

      AuthName "someurl"
      </Location>

      I notice that in the XWiki DEBUG, the memberUid is written in lowercase,
      but I don't know if this has anything to do with this.

      The XWiki LDAP authentication works in other ways, and this is not a
      blocker so just thought to let you know if there is something to it.

      RELATED?
      http://jira.xwiki.org/browse/XWIKI-2294
      http://jira.xwiki.org/browse/XWIKI-4030
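Added example, not code from the report or from XWiki: a small Python model of the membership check the DEBUG lines describe, using the ldap_group_classes list and the group_memberfields from the report. It assumes that an entry whose objectClass matches none of the listed classes is not treated as a group (the constructed explanation for "members [null]"), that attribute names compare case-insensitively, and that memberUid holds bare uids while member/uniqueMember hold DNs; the posixGroup entry is constructed to mirror the memberUid/gidNumber shape the Apache config targets.

```python
# Constructed model of XWiki's LDAP group membership check (not XWiki's code).
from typing import Dict, List, Optional

# Group object classes as printed in the ldap_group_classes DEBUG line above.
GROUP_CLASSES = {"groupofnames", "groupwisedistributionlist", "dynamicgroup",
                 "dynamicgroupaux", "groupofuniquenames", "group"}
# group_memberfields from xwiki.cfg, lowercased: LDAP attribute names are
# case-insensitive, so the lowercase "memberuid" in the log is harmless.
MEMBER_FIELDS = ("memberuid", "member", "uniquemember")


def resolve_members(entry: Dict[str, List[str]],
                    group_classes=GROUP_CLASSES) -> Optional[List[str]]:
    """Return the member values of a group entry, or None when none of its
    objectClass values is a recognised group class (assumption: this is the
    situation behind the 'members [null]' line in the report)."""
    attrs = {k.lower(): v for k, v in entry.items()}
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if not classes & group_classes:
        return None
    members: List[str] = []
    for field in MEMBER_FIELDS:
        members.extend(attrs.get(field, []))
    return members


def is_member(entry: Dict[str, List[str]], uid: str, user_dn: str,
              group_classes=GROUP_CLASSES) -> bool:
    """memberUid holds bare uids while member/uniqueMember hold DNs, so both
    forms are accepted. An unreadable group has no members: fail closed."""
    members = resolve_members(entry, group_classes)
    if members is None:
        return False
    wanted = {uid.lower(), user_dn.lower()}
    return any(m.lower() in wanted for m in members)


USER_DN = "uid=theuser,ou=people,dc=ourcompany,dc=com"
# Constructed posixGroup entry: the shape the Apache memberUid/gidNumber rules target.
POSIX_GROUP = {"objectClass": ["top", "posixGroup"], "cn": ["developer"],
               "gidNumber": ["10101"], "memberUid": ["theuser", "other"]}
# Constructed groupOfNames entry, which the default class list does recognise.
GROUP_OF_NAMES = {"objectClass": ["top", "groupOfNames"], "cn": ["developer"],
                  "member": [USER_DN]}
# resolve_members(POSIX_GROUP) -> None; adding "posixgroup" to the classes makes
# is_member(POSIX_GROUP, "theuser", USER_DN, GROUP_CLASSES | {"posixgroup"}) True.
```

Whether XWiki's real lookup behaves exactly this way is the assumption under test here; the point is that a group the resolver cannot read yields an empty member list and the restriction denies access rather than granting it.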

            People

            • Assignee: Thomas Mortagne (tmortagne)
            • Reporter: Ari Takku (ari)