Re: [xwiki-users] Antw: Re: support for LDAP over SSL
Gunter Leeb wrote:
> Hi Ricardo,
>
> Yes, 1-3. is correct. One of the features that I am proposing in
> JIRA-1079 is the (configurable) fallback authentication using the XWiki
> DB.

Fallback authentication works great. Here is a typical sequence registered in xwiki.log:

    12:02:24,625 [http-193.144.34.240-80-1] ERROR thentication.LDAPAuthenticater - Bind to LDAP server failed.
    12:02:24,625 [http-193.144.34.240-80-1] DEBUG thentication.LDAPAuthenticater - Trying authentication against XWiki DB
    12:02:24,651 [http-193.144.34.240-80-1] DEBUG thentication.LDAPAuthenticater - Finding user egarciarodeja
    12:02:24,652 [http-193.144.34.240-80-1] DEBUG thentication.LDAPAuthenticater - Found user egarciarodeja
    12:02:24,653 [http-193.144.34.240-80-1] DEBUG thentication.LDAPAuthenticater - XWiki DB login succeeded

> My library was developed based on code of the ldap authentication
> plug-in from XWiki pre-1.0. I have not followed any changes in XWiki's
> ldap plug-in since then.

I am afraid I am not devoting enough time to follow XWiki development, so I am a bit lost. Must I be able to find an LDAP authentication plug-in in XWiki Code Zone? I guess it is bundled in the XWiki distribution?

> I have added SSL binding to the LDAP Server later and added the code to
> the JIRA issue.

I am using the classes included in ldap.zip dated May the 29th, 2007. I think the errors I am getting are related to the value of the xwiki.authentication.ldap.ssl.keystore parameter. Does this make any sense to you?

    mire:/home/webmaster/bin # tail -200 xwiki.log | grep SSLException
    javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

I read in the XWIKI-1079 issue:

    # keystore for certificates / root certificates (default is .keystore in the xwiki-process-users homedirectory)
    xwiki.authentication.ldap.ssl.keystore=

Please, what is the xwiki-process-users homedirectory?

> The code checked in the JIRA issue is a suggestion for improvement of
> XWiki coming out of the community. It is a plug-in and therefore is
> fairly independent from the regular XWiki development and build process.
> By referencing xwiki.jar (and novell's ldap jar) you should be able to
> compile the sources that I provided.

JIRA issue XWIKI-1079 is related to XWIKI-865 by Philippe Marzouk. There is a xwiki-ldap-ssl.patch attached there, but no comments or any further information. I understand this proposal has not been considered and was never added to the main distribution. And that your classes are also kept out of the main distribution and are only available from the JIRA issue, am I right?

Please, Gunter, when does a suggestion from the community become part of the official distribution? Just trying to understand how things are done...

> I have also added the class files.
> You are correct: the last bug fixes I checked in are in the mentioned
> attachment.
>
> If you haven't done so before, before you go through compiling the
> plug-in, try out the classes. See if you can handle the configuration.
>
> Regards,
>
> Gunter

I will try to use your classes, then move ahead and try to compile the last version.

Cheers,

Ricardo

--
Ricardo Rodríguez
Your XEN ICT Team

___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
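
The `trustAnchors parameter must be non-empty` error quoted in the message above can be checked against a keystore file directly. The following is an added example, not part of the original thread or of the XWIKI-1079 code; the class name `TrustStoreCheck` is hypothetical, and resolving the default to `.keystore` under the JVM's `user.home` is an assumption based on the configuration comment quoted above.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

public class TrustStoreCheck {
    /** Counts trusted-certificate entries; only these are used as trust anchors. */
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the default location is ".keystore" in the home
        // directory of the account that runs the JVM (user.home).
        String path = args.length > 0 ? args[0]
                : System.getProperty("user.home") + File.separator + ".keystore";
        // A JKS store loads without a password (integrity is then not
        // verified); pass the store password as the second argument otherwise.
        char[] password = args.length > 1 ? args[1].toCharArray() : null;

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        File f = new File(path);
        if (f.isFile()) {
            try (InputStream in = new FileInputStream(f)) {
                ks.load(in, password);
            }
        } else {
            System.out.println("No keystore file at " + path);
            ks.load(null, null); // empty store, to show the resulting error
        }
        System.out.println(path + ": " + ks.size() + " entries, "
                + countTrustAnchors(ks) + " trusted certificate(s)");
        try {
            // Same validation step that fails during the SSL handshake.
            new PKIXParameters(ks);
            System.out.println("Trust anchors available; certificate validation can proceed.");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("Reproduced: " + e.getMessage());
        }
    }
}
```

Run it as the same account that runs the servlet container, so that `user.home` resolves to the directory the XWiki process would use.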
Re: [xwiki-users] Antw: Re: support for LDAP over SSL
Hi Ricardo,

Yes, 1-3. is correct. One of the features that I am proposing in JIRA-1079 is the (configurable) fallback authentication using the XWiki DB.

My library was developed based on code of the ldap authentication plug-in from XWiki pre-1.0. I have not followed any changes in XWiki's ldap plug-in since then.

I have added SSL binding to the LDAP Server later and added the code to the JIRA issue.

The code checked in the JIRA issue is a suggestion for improvement of XWiki coming out of the community. It is a plug-in and therefore is fairly independent from the regular XWiki development and build process. By referencing xwiki.jar (and novell's ldap jar) you should be able to compile the sources that I provided.

I have also added the class files. You are correct: the last bug fixes I checked in are in the mentioned attachment.

If you haven't done so before, before you go through compiling the plug-in, try out the classes. See if you can handle the configuration.

Regards,

Gunter

>>> Your XEN ICT Team - Ricardo Rodriguez <[EMAIL PROTECTED]> 04.10.2007 16:38 >>>

Gunter Leeb wrote:
> Hi Sheila and Ricardo
>
> The authentication classes JIRA-1079 can use SSL for the connection to
> the LDAP repository. This component has no way to switch XWiki to use
> SSL.
>
> It would be great if XWiki could be configured to use SSL just for the
> authentication.
>
> Regards,
>
> Gunter

Hi Gunter,

Thanks for jumping in here! Please, let me sum up what I am understanding while dealing with ldap authentication.

1. XE includes an ldap authentication class (ldap-UNKNOWN.jar) which we cannot use simultaneously with XWiki DB. If I activate ldap authentication (xwiki.authentication.ldap=1), XWiki DB won't be asked for the existence of a given user.

2. With JIRA-1079 classes it is possible to use ldap authentication and XWiki DB: if ldap fails to authenticate a user, XWiki will check its database before rejecting the login.

3. JIRA-1079 classes support SSL binding with ldap servers.

From here, please, *what is the JIRA-1079 class most updated release supporting SSL binding?* Is it http://jira.xwiki.org/jira/secure/attachment/11160/LDAPAuthenticater.java dated June 18th, 2007? Please, what do we need to compile it?

I've gone ahead and updated to 1.2M1. I am not able to bind to our eDirectory server. I've not used SSL before, so I don't remember how I could connect to an eDirectory server without confidentiality until now. But it worked. Please, do you know if this is possible and how? Thanks.

Sorry if I do not have skills enough to follow the JIRA-1079 issue. Mainly I don't understand how it relates to the "regular" XWiki development process.

Any help will be welcome!

All the best,

Ricardo

--
Ricardo Rodríguez
Your XEN ICT Team
Re: [xwiki-users] Antw: Re: support for LDAP over SSL
Gunter Leeb wrote:
> Hi Sheila and Ricardo
>
> The authentication classes JIRA-1079 can use SSL for the connection to
> the LDAP repository. This component has no way to switch XWiki to use
> SSL.
>
> It would be great if XWiki could be configured to use SSL just for the
> authentication.
>
> Regards,
>
> Gunter

Gunter,

In JIRA XWIKI-1079 you said the authentication library was tested against Novell eDirectory. Please, could you be so kind as to post a xwiki.cfg sample with the parameters you have used to do that?

Thanks! Best regards,

Ricardo

--
Ricardo Rodríguez
Your XEN ICT Team
Re: [xwiki-users] Antw: Re: support for LDAP over SSL
Gunter Leeb wrote:
> Hi Sheila and Ricardo
>
> The authentication classes JIRA-1079 can use SSL for the connection to
> the LDAP repository. This component has no way to switch XWiki to use
> SSL.
>
> It would be great if XWiki could be configured to use SSL just for the
> authentication.
>
> Regards,
>
> Gunter

Hi Gunter,

Thanks for jumping in here! Please, let me sum up what I am understanding while dealing with ldap authentication.

1. XE includes an ldap authentication class (ldap-UNKNOWN.jar) which we cannot use simultaneously with XWiki DB. If I activate ldap authentication (xwiki.authentication.ldap=1), XWiki DB won't be asked for the existence of a given user.

2. With JIRA-1079 classes it is possible to use ldap authentication and XWiki DB: if ldap fails to authenticate a user, XWiki will check its database before rejecting the login.

3. JIRA-1079 classes support SSL binding with ldap servers.

From here, please, *what is the JIRA-1079 class most updated release supporting SSL binding?* Is it http://jira.xwiki.org/jira/secure/attachment/11160/LDAPAuthenticater.java dated June 18th, 2007? Please, what do we need to compile it?

I've gone ahead and updated to 1.2M1. I am not able to bind to our eDirectory server. I've not used SSL before, so I don't remember how I could connect to an eDirectory server without confidentiality until now. But it worked. Please, do you know if this is possible and how? Thanks.

Sorry if I do not have skills enough to follow the JIRA-1079 issue. Mainly I don't understand how it relates to the "regular" XWiki development process.

Any help will be welcome!

All the best,

Ricardo

--
Ricardo Rodríguez
Your XEN ICT Team
[xwiki-users] Antw: Re: support for LDAP over SSL
Hi Sheila and Ricardo

The authentication classes JIRA-1079 can use SSL for the connection to the LDAP repository. This component has no way to switch XWiki to use SSL.

It would be great if XWiki could be configured to use SSL just for the authentication.

Regards,

Gunter

>>> Your XEN ICT Team - Ricardo Rodriguez <[EMAIL PROTECTED]> 04.10.2007 00:31 >>>

Sheila Hobeck wrote:
> I read up on JIRA about this issue. Since I configured the LDAP
> (which works great), I now need it to be over SSL. I am not sure if
> it is available in the current version or not (I downloaded the latest
> which is 1.1.1?) - and if not, how can I add in this patch? Did
> anybody do this successfully?
>
> Sheila

Hi, Sheila,

Have you tried any of the classes available at http://jira.xwiki.org/jira/browse/XWIKI-1079? XWiki.zip contains a well documented xwiki.cfg, but it seems that ssl support was only added in a newer release. Thus, I do not have a clear idea about what classes we could try.

I swear I've been working with this http://mire.environmentalchange.net/~webmaster/software/classesFromMire.zip connecting to an eDirectory server. But after an XWiki upgrade, I keep getting an expectable

    LDAPException: Confidentiality Required (13) Confidentiality Required

error.

Please, what LDAP server are you trying to connect with?

Thanks.

--
Ricardo Rodríguez
Your XEN ICT Team