Discussion:
[xwiki-users] kerberos SSO -> strip domainname from username
Mark Jas
2013-03-05 15:35:07 UTC
Hi all,

I have configured xwiki with LDAP authentication and kerberos SSO.

When I use a browser without automatic Kerberos SSO, I get a Kerberos login page. When I fill in username and password manually it works great.

But when I set the browser to use automatic logon, I get the xwiki login page! (at least in Firefox, IE says "cannot show page")

I get the same results when I manually login with "username at DOMAIN" and "password". So I think the domain part is used in the automatic logon. (and is the actual problem?)

I see there is Java code that strips the @DOMAIN part from the username. But I have no idea how or where to implement this. I hope someone can help me!

Mark

Thomas Mortagne
2013-03-07 09:42:50 UTC
Post by Mark Jas
Hi all,
I have configured xwiki with LDAP authentication and kerberos SSO.
When I use a browser without automatic Kerberos SSO, I get a Kerberos login page. When I fill in username and password manually it works great.
But when I set the browser to use automatic logon, I get the xwiki login page! (at least in Firefox, IE says "cannot show page")
I get the same results when I manually login with "username at DOMAIN" and "password". So I think the domain part is used in the automatic logon. (and is the actual problem?)

I never used it myself but from what I see in the code it's supposed
to do that all the time. Maybe there is a bug.

You can try to enable debug log[1] for class
com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
(that's the authenticator you are using, right ?) to see what's going
on. At least you should get what remote user XWiki is getting if any.

[1] http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Logging
--
Thomas Mortagne
Mark Jas
2013-03-08 12:53:04 UTC
Hi Thomas,

Thanks for your reply. I should have given you some more info.
I'm using the default authenticator, because if I use the com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl, my ldap stops working.

If I use com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl Kerberos works fine, but new users aren't created, and group sync isn't working etc etc...

Maybe my question should be: How do I get LDAP working with the Kerberos authenticator?

Mark
Thomas Mortagne
2013-03-08 13:51:32 UTC
Post by Mark Jas
Hi Thomas,
Thanks for your reply. I should have given you some more info.
I'm using the default authenticator, because if I use the com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl, my ldap stops working.
If I use com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl Kerberos works fine, but new users aren't created, and group sync isn't working etc etc...

com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
only knows about the remote user and just creates the user page; it's not
connecting to LDAP to update information or group membership like the
LDAP authenticator does. There is no such authenticator by default but
you can look at
https://github.com/xwiki-contrib/sandbox/tree/master/authenticators/xwiki-authentication-trusted-ldap.
--
Thomas Mortagne
Mark Jas
2013-03-08 14:41:25 UTC
Hi Thomas,

I think xwiki-authentication-trusted-ldap is exactly what I need. But I'm not that experienced with compiling Java. Can I download it somewhere as a .jar file? Or can you point me the way to extract this from git and compile it myself?

Thanks,
Mark
Mark Jas
2013-03-09 16:07:34 UTC
I managed to compile and activate the xwiki-authentication-trusted-ldap plugin. But still the same result: login works with login prompt, fails with SSO.

Debugging showed me that the xwiki doesn't accept the SSO because username doesn't match. I suppose my xwiki.authentication.trustedldap.remoteUserParser setting is incorrect.
Can anyone tell me what this setting should be when my kerberos sso user is "user at DOMAIN.COM" and my sAMAccountName in ldap is just "user"?
Mark Jas
2013-03-09 17:06:53 UTC
Mailed too soon. Solved it. The default works just fine.
xwiki.authentication.trustedldap.remoteUserParser=(.+)@(.+)
xwiki.authentication.trustedldap.remoteUserMapping.1=login
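How the remoteUserParser setting from the message above turns a Kerberos principal into the bare LDAP login, as an added example that is not part of the original thread or the plugin's own code. It assumes the whole REMOTE_USER value must match the pattern and that group 1 is what remoteUserMapping.1=login refers to; the class name, the `login` helper, the realm check and the sample principals are hypothetical.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RemoteUserParserDemo {
    // Value of xwiki.authentication.trustedldap.remoteUserParser from the thread.
    static final Pattern PARSER = Pattern.compile("(.+)@(.+)");

    // Assumption: the full REMOTE_USER must match and group 1 is the "login"
    // (remoteUserMapping.1=login). Group 2 is then the Kerberos realm.
    static Optional<String> login(String remoteUser, String expectedRealm) {
        if (remoteUser == null) {
            return Optional.empty();
        }
        Matcher m = PARSER.matcher(remoteUser);
        if (!m.matches()) {
            // A principal without a realm ("user") never matches the pattern.
            return Optional.empty();
        }
        String login = m.group(1);
        String realm = m.group(2);
        // (.+) is greedy: "a@b@DOMAIN.COM" gives login "a@b", which can
        // never equal a sAMAccountName, so reject it early.
        if (login.indexOf('@') >= 0) {
            return Optional.empty();
        }
        // Dropping the realm makes user@A and user@B the same LDAP login,
        // so accept only the realm the front end is expected to serve.
        if (!realm.equals(expectedRealm)) {
            return Optional.empty();
        }
        return Optional.of(login);
    }

    public static void main(String[] args) {
        // Constructed sample principals, not taken from real logs.
        String[] samples = {
            "user@DOMAIN.COM", "user", "user@OTHER.EXAMPLE", "a@b@DOMAIN.COM"
        };
        for (String s : samples) {
            System.out.println(s + " -> "
                + login(s, "DOMAIN.COM").orElse("(rejected)"));
        }
    }
}
```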
Thomas Mortagne
2013-03-10 13:25:17 UTC
Sorry for the delay. Glad you found it :)
--
Thomas Mortagne