Details
- Bug
- Resolution: Cannot Reproduce
- Major
- None
- 4.1.3
- Linux 2.6.32-5-vserver-686-bigmem
- Unknown
- N/A
- N/A
Description
XWiki 4.1.3 installed via .war to tomcat 7.0.27.
XWiki LDAP-authentication works, except the groups restriction via
property xwiki.authentication.ldap.user_group.
The LDAP works and is successfully used in other environments.
I have the following configuration in xwiki.cfg:
#########
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.bind_DN=uid=,ou=people,dc=ourcompany,dc=com
xwiki.authentication.ldap.bind_pass=
xwiki.authentication.ldap.base_DN=dc=ourcompany,dc=com
#xwiki.authentication.ldap.user_group=cn=developer,ou=group,dc=ourcompany,dc=com
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.group_memberfields=memberUid,member,uniqueMember
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
xwiki.authentication.ldap.trylocal=0
#########
The XWiki LDAP messages are:
TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG u.i.L.XWikiLDAPAuthServiceImpl - The provided user is null. We don't try to authenticate, it probably means the user is in non logged mode.
TRACE u.i.L.XWikiLDAPAuthServiceImpl - Starting LDAP authentication
DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_classes: [groupofnames, groupwisedistributionlist, dynamicgroup, dynamicgroupaux, groupofuniquenames, group]
DEBUG c.x.x.p.l.XWikiLDAPConfig - ldap_group_memberfields: [member, memberuid, uniquemember]
DEBUG c.x.x.p.l.XWikiLDAPConnection - Connection to LDAP server [192.168.12.34:389]
DEBUG c.x.x.p.l.XWikiLDAPConnection - Binding to LDAP server with credentials login [uid=theuser,ou=people,dc=ourcompany,dc=com]
DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Checking if the user belongs to the user group: cn=developer,ou=group,dc=ourcompany,dc=com
DEBUG c.x.x.p.l.XWikiLDAPUtils - Retrieving Members of the group [cn=developer,ou=group,dc=ourcompany,dc=com]
DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[cn=developer,ou=group,dc=ourcompany,dc=com] query=[null] attr=[[objectClass, member, memberuid, uniquemember, uid]] ldapScope=[2]
DEBUG c.x.x.p.l.XWikiLDAPUtils - Probably a organization unit or a search
DEBUG c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=developer,ou=group,dc=ourcompany,dc=com] is not a DN, lets try filter or id
DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=ourcompany,dc=com] query=[cn=developer,ou=group,dc=ourcompany,dc=com] attr=[[objectClass, member, memberuid, uniquemember, uid]] ldapScope=[2]
DEBUG c.x.x.p.l.XWikiLDAPUtils - Found group [cn=developer,ou=group,dc=ourcompany,dc=com] members [null]
DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user theuser does not belong to LDAP group cn=developer,ou=group,dc=ourcompany,dc=com.
Now I can see that the XWiki cannot resolve the members of a group, but
as the same LDAP is successfully used against other systems, I suspect
that there might be an issue with XWiki here.
E.g. the Apache authentication against the same LDAP-server (with group
identification) is:
<Location "/someurl">
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLdapAuthoritative on
    AuthLDAPURL ldap://192.168.12.34/dc=ourcompany,dc=com?uid
    Require ldap-group cn=developer,ou=group,dc=ourcompany,dc=com
    Require ldap-attribute gidNumber=10101
    AuthLDAPGroupAttribute memberUid
    AuthName "someurl"
</Location>
I notice that in the XWiki DEBUG, the memberUid is written in lowercase,
but I don't know if this has anything to do with this.
The XWiki LDAP authentication works in other ways, and this is not a
blocker, so I just thought I would let you know in case there is something to it.
RELATED?
http://jira.xwiki.org/browse/XWIKI-2294
http://jira.xwiki.org/browse/XWIKI-4030
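
An added example (not part of the original report and not XWiki's code) of a membership check against a group entry that may list members as bare uids in memberUid or as DNs in member/uniqueMember, with attribute names matched case-insensitively as LDAP attribute names are. An entry that exposes no member attribute returns None, the case the `members [null]` log line above reports, rather than False. The function names and sample entries are constructed, and the DN normalization is a simplification.

```python
# Added example: function names and the sample entries are constructed.
MEMBER_FIELDS = ("memberUid", "member", "uniqueMember")  # as in the report's xwiki.cfg


def normalize_dn(dn):
    """Simplified DN normalization: lower-case, trim spaces around RDNs.
    Assumes no escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def member_values(entry, member_fields=MEMBER_FIELDS):
    """Return {lower-cased attribute name: values} for the member attributes
    present in an LDAP entry. Attribute names are compared case-insensitively,
    so 'memberUid' and 'memberuid' select the same attribute."""
    wanted = {name.lower() for name in member_fields}
    return {a.lower(): list(v) for a, v in entry.items() if a.lower() in wanted}


def is_member(entry, uid, user_dn, member_fields=MEMBER_FIELDS):
    """True/False for a resolved group; None when the entry exposes no member
    attribute at all (group membership could not be resolved)."""
    found = member_values(entry, member_fields)
    if not found:
        return None
    target = normalize_dn(user_dn)
    for attr, values in found.items():
        for value in values:
            if attr == "memberuid":
                # posixGroup style: values are bare login names (RFC 2307
                # defines memberUid with case-exact matching).
                if value == uid:
                    return True
            elif normalize_dn(value) == target:
                # groupOfNames / groupOfUniqueNames style: values are DNs.
                return True
    return False


USER_DN = "uid=theuser,ou=people,dc=ourcompany,dc=com"
POSIX_GROUP = {"objectClass": ["posixGroup"], "memberuid": ["otheruser", "theuser"]}
DN_GROUP = {"objectClass": ["groupOfNames"],
            "member": ["UID=theuser, OU=people, DC=ourcompany, DC=com"]}
NO_MEMBERS = {"objectClass": ["posixGroup"], "cn": ["developer"]}

if __name__ == "__main__":
    for name, entry in (("posix", POSIX_GROUP), ("dn", DN_GROUP), ("empty", NO_MEMBERS)):
        print(name, is_member(entry, "theuser", USER_DN))
```

A caller should still deny access on None, but log it separately from False so that a group lookup failure is not reported as a non-membership.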