How to fix common LDAP issues in XWiki

19 Aug 2021, 5 min read

Written by Oana Elena Florea, Customer Support Manager

LDAP is an open computer network authentication protocol supported by many different directory services and access management solutions. As an enterprise platform, XWiki is commonly used with an LDAP server to reuse information like users and groups, improve security and easily manage replication. Our seasoned support team would like to share with our community how to fix the most common LDAP issues in XWiki.

How to connect XWiki with LDAP?

To connect XWiki to an LDAP server, you can choose any of the following options:

What are the most common configuration issues?

1. LDAP Invalid Credentials

For this type of connection issue, our support team has noticed the following common symptoms:

  • The user cannot connect.
  • For the Active Directory Pro application, there is an error message when clicking to check the connection.
  • The server logs display an error message mentioning “Invalid Credentials”, e.g.:

    Caused by: LDAPException: Invalid Credentials (49) Invalid Credentials
    LDAPException: Server Message: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839

To investigate the issue, our support team recommends:

  • Test with a different user to confirm that the problem is caused by an invalid password.
  • Check the password for the LDAP bind DN used to set up the LDAP server.

2. LDAP Certificates

Certificate issues can look similar to connection issues: the user cannot connect, and the error message “Invalid credentials” may appear on the XWiki login UI. However, in this case, there is a specific error in the application server logs:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path

Our support team recommends checking with the infrastructure team or your service provider to update the certificate.
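Because both failures can surface as “Invalid credentials” on the login UI, the server log is the place to tell them apart. The following triage script is an added example, not XWiki code: the function name `triage` is hypothetical, the sample input is the two log excerpts quoted above, and the sub-code table lists commonly documented Active Directory values that, apart from 52e, do not come from this page.

```python
import re

# Commonly documented AD sub-codes from the "data XXX" field of an error 49 message.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "logon failure: invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
BIND_FAILURE = re.compile(r"Invalid Credentials \(49\)")
AD_DATA = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")
TLS_FAILURE = re.compile(r"SSLHandshakeException|PKIX path building failed")


def triage(log_text):
    """Return sorted (category, detail) findings for a server log excerpt."""
    findings, saw_error_49 = set(), False
    for line in log_text.splitlines():
        if TLS_FAILURE.search(line):
            # The bind never happened: the JVM rejected the server certificate.
            findings.add(("certificate", "JVM could not build a trusted certificate path"))
        if BIND_FAILURE.search(line):
            saw_error_49 = True
        for code in AD_DATA.findall(line):
            code = code.lower()
            findings.add(("bind", AD_SUBCODES.get(code, "unknown AD sub-code " + code)))
    # Non-AD directories return error 49 with no sub-code; still report the bind failure.
    if saw_error_49 and not any(category == "bind" for category, _ in findings):
        findings.add(("bind", "LDAP error 49 without an AD sub-code"))
    return sorted(findings)


# Constructed sample input: the two log excerpts quoted on this page.
SAMPLE_BIND = """Caused by: LDAPException: Invalid Credentials (49) Invalid Credentials
LDAPException: Server Message: 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839"""
SAMPLE_TLS = ("Caused by: javax.net.ssl.SSLHandshakeException: "
              "sun.security.validator.ValidatorException: PKIX path building failed: "
              "sun.security.provider.certpath.SunCertPathBuilderException: "
              "unable to find valid certification path")

if __name__ == "__main__":
    for name, text in (("bind", SAMPLE_BIND), ("tls", SAMPLE_TLS)):
        print(name, triage(text))
```

A "certificate" finding means the password was never checked, so resetting it will not help; a "bind" finding with a sub-code such as 775 or 532 points to the account state rather than a mistyped password.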

3. Group mapping

To synchronize LDAP groups to XWiki groups, you need to add the group mapping in xwiki.cfg or use the visual editor for the Active Directory Pro application.

When the group is not created in the wiki upon login, our support team recommends the following fix:

  • Check the exact group DN from the Active Directory/LDAP server and add it to the mapping section.

Tips and Tricks

Before you start any investigation for LDAP, our support team recommends enabling more logs:

  • Open the “Global Administration: Logging” section on your wiki.
  • Search for “ldap”.
  • Set the log level to DEBUG.
  • Redo the login and check the server logs again.

If you have further questions concerning LDAP and XWiki, do not hesitate to get in touch with us. Write to us directly at the support address support@xwiki.com or, if you are a client, contact the support team through our Customer Portal with your dedicated account.

Looking to connect to Azure? Take a look at the new Microsoft Azure Active Directory Single Sign-On Pro application.
