Hi,

This bug is fixed in 1.6.1. See http://jira.xwiki.org/jira/browse/XWIKI-2747

On Sat, Nov 1, 2008 at 1:04 PM, Milan Mehta
<[EMAIL PROTECTED]> wrote:
> I have configured Xwiki (release 1.6-milestone-2.12601) to authenticate
> against my OpenLDAP (v2.3.35). I am continuously getting a "Wrong user name"
> message on my UI. On investigating my ldap logs, I found that Xwiki first
> authenticates successfully to OpenLDAP with the user's id & password.
>
> However it then tries to do a lookup of the user (I assume for the details
> of the user), and at that time, it does not seem to be passing the base DN
> in the request. In such scenarios OpenLDAP returns a "No such object" error.
> I tried to do a test using ldapsearch without passing the base, and I got
> the same error. Also, the error did not occur when I passed the base
> parameter to ldapsearch.
>
> I am trying to trace through this problem in the source, but meanwhile,
> would like some help in figuring out whether my configuration is wrong, or
> if someone has encountered a similar problem before.
>
> Regards,
> Milan...
> ----------------------------------------------------------------------------
> Xwiki.cfg - LDAP Section
> ----------------------------------------------------------------------------
> #-# new LDAP authentication service
> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
>
> #-# Turn LDAP authentication on - otherwise only XWiki authentication
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap=1
>
> #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
> xwiki.authentication.ldap.server=ldap-slave
> xwiki.authentication.ldap.port=389
>
> #-# base DN for searches
> xwiki.authentication.ldap.base_DN=dc=<mycompany>,dc=<mycountry>
>
> #-# LDAP login, empty = anonymous access, otherwise specify full dn
> #-# {0} is replaced with the username, {1} with the password
> #xwiki.authentication.ldap.bind_DN=cn=cname#,department=USER,department=INFORMATIK,department=1230,o=MP
> #xwiki.authentication.ldap.bind_DN=cn=Manager,department=USER,department=INFORMATIK,department=1230
> xwiki.authentication.ldap.bind_DN=cn=Manager,dc=<mycompany>,dc=<mycountry>
> xwiki.authentication.ldap.bind_pass=<dummy>
>
> #-# Force to check password after LDAP connection
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap.validate_password=0
>
> #-# only members of the following group will be verified in the LDAP
> #-# otherwise only users that are found after searching starting from the base_DN
> #
> xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
> #xwiki.authentication.ldap.user_group=ou=People,dc=<mycompany>,dc=<mycountry>
>
> #-# [SINCE 1.5RC1, XWikiLDAPAuthServiceImpl]
> #-# only users not member of the following group can autheticate
> # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
>
> #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
> xwiki.authentication.ldap.UID_attr=uid
>
> #-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" is set to 1
> xwiki.authentication.ldap.password_field=userPassword
>
> #-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential LDAP groups classes. Separated by commas.
> xwiki.authentication.ldap.group_classes=posixGroup
>
> #-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential names of the LDAP groups fields containings the members. Separated by commas.
> xwiki.authentication.ldap.group_memberfields=memberUid
>
> #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
> #-# ldap_dn=dn  -- dn is set by class, caches dn in XWiki.user object for faster access
> #xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=cn,email=mail,ldap_dn=dn
>
> #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
> xwiki.authentication.ldap.update_user=1
>
> #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# mapps XWiki groups to LDAP groups, separator is "|"
> #
> xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\
> #
> XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
>
> #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
> # xwiki.authentication.ldap.groupcache_expiration=21800
>
> #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# - create : synchronize group membership only when the user is first created
> #-# - always: synchronize on every login
> xwiki.authentication.ldap.mode_group_sync=always
>
> #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
> xwiki.authentication.ldap.trylocal=1
>
> #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# SSL connection to LDAP server
> #-# 0: normal
> #-# 1: SSL
> xwiki.authentication.ldap.ssl=0
>
> #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# The keystore file to use in SSL connection
> # xwiki.authentication.ldap.ssl.keystore=
>
> #-# [SINCE 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The java secure provider used in SSL connection
> #
> xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
>
> ----------------------------------------------------------------------------
> -------------------------------------------------------
> OpenLDAP Log output (invoked from xwiki)
> ----------------------------------------------------------------------------
> --------------------------------------------------------
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=manager,dc=<mycompany>,dc=<mycountry>)=0
> <<< dnPrettyNormal: <cn=Manager,dc=<mycompany>,dc=<mycountry>>, <cn=manager,dc=<mycompany>,dc=<mycountry>>
> do_bind: version=3 dn="cn=Manager,dc=<mycompany>,dc=<mycountry>" method=128
> ==> bdb_bind: dn: cn=Manager,dc=<mycompany>,dc=<mycountry>
> do_bind: v3 bind: "cn=Manager,dc=<mycompany>,dc=<mycountry>" to "cn=Manager,dc=<mycompany>,dc=<mycountry>"
> send_ldap_result: conn=5 op=0 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=13 tag=97 err=0
> ber_flush: 14 bytes to sd 19
> connection_get(19)
> connection_get(19): got connid=5
> connection_read(19): checking for input on id=5
> ber_get_next
> ber_get_next: tag 0x30 len 14 contents:
> ber_get_next
> do_extended
> ber_scanf fmt ({m) ber:
> do_extended: unsupported operation "0.0.0.0"
> send_ldap_result: conn=5 op=1 p=3
> send_ldap_result: err=2 matched="" text="unsupported extended operation"
> send_ldap_response: msgid=14 tag=120 err=2
> ber_flush: 44 bytes to sd 19
> connection_get(19)
> connection_get(19): got connid=5
> connection_read(19): checking for input on id=5
> ber_get_next
> ber_get_next: tag 0x30 len 40 contents:
> ber_get_next
> do_search
> ber_scanf fmt ({miiiib) ber:
> >>> dnPrettyNormal: <>
> <<< dnPrettyNormal: <>, <>
> SRCH "" 2 0    1000 0 0
> begin get_filter
> EQUALITY
> ber_scanf fmt ({mm}) ber:
> end get_filter 0
>    filter: (uid=mmehta)
> ber_scanf fmt ({M}}) ber:
>    attrs:
> send_ldap_result: conn=5 op=2 p=3
> send_ldap_result: err=10 matched="" text=""
> send_ldap_response: msgid=15 tag=101 err=32
>
> ----------------------------------------------------------------------------
> OpenLDAP Log output (invoked by ldapsearch with base parameter specified)
> ----------------------------------------------------------------------------
> <<< dnPrettyNormal: <cn=Manager,dc=<mycompany>,dc=<mycountry>>, <cn=manager,dc=<mycompany>,dc=<mycountry>>
> do_bind: version=3 dn="cn=Manager,dc=<mycompany>,dc=<mycountry>" method=128
> ==> bdb_bind: dn: cn=Manager,dc=<mycompany>,dc=<mycountry>
> do_bind: v3 bind: "cn=Manager,dc=<mycompany>,dc=<mycountry>" to "cn=Manager,dc=<mycompany>,dc=<mycountry>"
> send_ldap_result: conn=10 op=0 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=1 tag=97 err=0
> ber_flush: 14 bytes to sd 21
> connection_get(21)
> connection_get(21): got connid=10
> connection_read(21): checking for input on id=10
> ber_get_next
> ber_get_next: tag 0x30 len 58 contents:
> ber_get_next
> do_search
> ber_scanf fmt ({miiiib) ber:
> >>> dnPrettyNormal: <dc=<mycompany>,dc=<mycountry>>
> => ldap_bv2dn(dc=<mycompany>,dc=<mycountry>,0)
> <= ldap_bv2dn(dc=<mycompany>,dc=<mycountry>)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(dc=<mycompany>,dc=<mycountry>)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(dc=<mycompany>,dc=<mycountry>)=0
> <<< dnPrettyNormal: <dc=<mycompany>,dc=<mycountry>>, <dc=<mycompany>,dc=<mycountry>>
> SRCH "dc=<mycompany>,dc=<mycountry>" 2 0    0 0 0 ************** This is the place where the base is available **********************
> begin get_filter
> EQUALITY
> ber_scanf fmt ({mm}) ber:
> end get_filter 0
>    filter: (uid=mmehta)
> ber_scanf fmt ({M}}) ber:
>    attrs:
> => bdb_search
> bdb_dn2entry("dc=<mycompany>,dc=<mycountry>")
> entry_decode: "dc=<mycompany>,dc=<mycountry>"
> <= entry_decode(dc=<mycompany>,dc=<mycountry>)
> search_candidates: base="dc=<mycompany>,dc=<mycountry>" (0x00000001) scope=2
> => bdb_dn2idl("dc=<mycompany>,dc=<mycountry>")
> => bdb_filter_candidates
>        AND
> => bdb_list_candidates 0xa0
> => bdb_filter_candidates
>        OR
> => bdb_list_candidates 0xa1
> => bdb_filter_candidates
>        EQUALITY
> => bdb_equality_candidates (objectClass)
> => key_read
> bdb_idl_fetch_key: [b49d1940]
> <= bdb_index_read: failed (-30990)
> <= bdb_equality_candidates: id=0, first=0, last=0
> <= bdb_filter_candidates: id=0 first=0 last=0
> => bdb_filter_candidates
>        EQUALITY
> => bdb_equality_candidates (uid)
> => key_read
> bdb_idl_fetch_key: [b5212845]
> <= bdb_index_read 1 candidates
> <= bdb_equality_candidates: id=1, first=37, last=37
> <= bdb_filter_candidates: id=1 first=37 last=37
> <= bdb_list_candidates: id=1 first=37 last=37
> <= bdb_filter_candidates: id=1 first=37 last=37
> <= bdb_list_candidates: id=1 first=37 last=37
> <= bdb_filter_candidates: id=1 first=37 last=37
> bdb_search_candidates: id=1 first=37 last=37
> => test_filter
>    EQUALITY
> <= test_filter 6
> => send_search_entry: conn 10 dn="uid=mmehta,ou=People,dc=<mycompany>,dc=<mycountry>"
> ber_flush: 769 bytes to sd 21
> <= send_search_entry: conn 10 exit.
> send_ldap_result: conn=10 op=1 p=3
> send_ldap_result: err=0 matched="" text=""
> send_ldap_response: msgid=2 tag=101 err=0
>
> _______________________________________________
> devs mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/devs
>



-- 
Thomas Mortagne
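
Added example, not part of the original thread and not XWiki or OpenLDAP code: a small Python parser for slapd debug output like the logs quoted above. It pairs each SRCH line with its filter and final result code and flags searches sent with an empty base DN that ended in "No such object". The function names are hypothetical, and the sample log is constructed from the quoted excerpts with dc=example,dc=org as a placeholder DN.

```python
import re

# Line formats as they appear in the slapd debug output quoted in this thread.
SRCH_RE = re.compile(r'^SRCH "(?P<base>[^"]*)" (?P<scope>\d+) (?P<deref>\d+)')
FILTER_RE = re.compile(r'^\s*filter: (?P<filter>\(.*\))\s*$')
RESP_RE = re.compile(r'^send_ldap_response: msgid=\d+ tag=(?P<tag>\d+) err=(?P<err>\d+)')

SEARCH_DONE_TAG = 101  # 0x65, SearchResultDone
NO_SUCH_OBJECT = 32    # LDAP result code noSuchObject
SCOPES = {0: "base", 1: "one", 2: "sub"}

# Constructed sample modelled on the quoted logs; the DN is a placeholder.
SAMPLE_LOG = '''\
do_bind: version=3 dn="cn=Manager,dc=example,dc=org" method=128
send_ldap_response: msgid=13 tag=97 err=0
do_search
SRCH "" 2 0    1000 0 0
   filter: (uid=mmehta)
send_ldap_response: msgid=15 tag=101 err=32
do_search
SRCH "dc=example,dc=org" 2 0    0 0 0
   filter: (uid=mmehta)
send_ldap_response: msgid=2 tag=101 err=0
'''

def parse_searches(log_text):
    """Pair each SRCH line with its filter and the SearchResultDone code."""
    searches, current = [], None
    for raw in log_text.splitlines():
        # Tolerate logs pasted from a mail reply ("> " quote prefix).
        line = raw[2:] if raw.startswith("> ") else raw
        m = SRCH_RE.match(line)
        if m:
            scope = SCOPES.get(int(m["scope"]), m["scope"])
            current = {"base": m["base"], "scope": scope, "filter": None, "err": None}
            searches.append(current)
        elif current is not None:
            f, r = FILTER_RE.match(line), RESP_RE.match(line)
            if f and current["filter"] is None:
                current["filter"] = f["filter"]
            elif r and int(r["tag"]) == SEARCH_DONE_TAG:
                current["err"], current = int(r["err"]), None
    return searches

def empty_base_failures(searches):
    """Searches sent without a base DN that the server rejected with err=32."""
    return [s for s in searches if s["base"] == "" and s["err"] == NO_SUCH_OBJECT]

if __name__ == "__main__":
    for s in empty_base_failures(parse_searches(SAMPLE_LOG)):
        print("empty base DN:", s)
```
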