Changes for page LDAP Tools

Last modified by Thomas Mortagne on 2023/10/10 16:40

From version < 30.1 >
edited by Thomas Mortagne
on 2017/05/22 11:38
To version < 31.1 >
edited by Ecaterina Moraru (Valica)
on 2017/09/04 15:29
Change comment: There is no comment for this version

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -xwiki:XWiki.ThomasMortagne
1 +xwiki:XWiki.evalica
ExtensionCode.ExtensionClass[0]
Description
... ... @@ -10,27 +10,32 @@
10 10  
11 11  This is simply an UI that exposes the LDAP configuration properties.
12 12  
13 -You can refer to [[the LDAP Authentication tutorial>>platform:AdminGuide.Authentication||anchor=HLDAPAuthentication]] and [[the LDAP Authentication Use Cases>>platform:AdminGuide.LDAPAuthenticationUseCases]] for more information about LDAP configuration in XWiki.
13 +You can refer to [[the LDAP Authentication tutorial>>platform:AdminGuide.Authentication||anchor="HLDAPAuthentication"]] and [[the LDAP Authentication Use Cases>>platform:AdminGuide.LDAPAuthenticationUseCases]] for more information about LDAP configuration in XWiki.
14 14  
15 15  {{warning}}
16 16  The ##xwiki.authentication.authclass## property **must be set** in ##xwiki.cfg## to use the LDAP authenticator for the authentication to work as expected.
17 17  {{/warning}}
18 18  
19 -{{image reference=ldapAdmin.png/}}
19 +{{image reference="ldapAdmin.png"/}}
20 20  
21 21  |=Option |=##xwiki.cfg## analog |=Default |=Description meaning
22 22  |Ldap |xwiki.authentication.ldap|off|Turn LDAP authentication on - otherwise only XWiki authentication
23 -|Ldap server adress|xwiki.authentication.ldap.server| - |(%rowspan="2"%)LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
23 +|Ldap server adress|xwiki.authentication.ldap.server| - |(% rowspan="2" %)LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
24 24  |Ldap server port|xwiki.authentication.ldap.port| -
25 -|Ldap login matching|xwiki.authentication.ldap.bind_DN| - |(%rowspan="2"%)(((LDAP login, empty = anonymous access, otherwise specify full dn
25 +|Ldap login matching|xwiki.authentication.ldap.bind_DN| - |(% rowspan="2" %)(((
26 +LDAP login, empty = anonymous access, otherwise specify full dn
26 26  {0} is replaced with the user name, {1} with the password.
27 -It may be an explicit username and password to access your LDAP directory.)))
28 +It may be an explicit username and password to access your LDAP directory.
29 +)))
28 28  |Ldap password matching|xwiki.authentication.ldap.bind_pass| -
29 -|Validate Ldap user/password|xwiki.authentication.ldap.validate_password|off|(((Bypass standard LDAP bind validation by doing a direct password comparison.
31 +|Validate Ldap user/password|xwiki.authentication.ldap.validate_password|off|(((
32 +Bypass standard LDAP bind validation by doing a direct password comparison.
30 30  If you don't know what you do, don't use that. It's covering very rare and bad use cases.
31 31  )))
32 -|Ldap group filter|xwiki.authentication.ldap.user_group| - |(((only members of the following group will be verified in the LDAP
33 -otherwise only users that are found after searching starting from the base_DN)))
35 +|Ldap group filter|xwiki.authentication.ldap.user_group| - |(((
36 +only members of the following group will be verified in the LDAP
37 +otherwise only users that are found after searching starting from the base_DN
38 +)))
34 34  |Ldap group to exclude|xwiki.authentication.ldap.exclude_group| - |[Since 1.5RC1, XWikiLDAPAuthServiceImpl] only users not member of the following group can authenticate
35 35  |Ldap base DN|xwiki.authentication.ldap.base_DN| - |base DN for searches
36 36  |Ldap UID attribute name|xwiki.authentication.ldap.UID_attr|cn|Specifies the LDAP attribute containing the identifier to be used as the XWiki name
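
Review bot: In the `xwiki.authentication.ldap.validate_password` row, the edit reflows the `(((` group but leaves "If you don't know what you do, don't use that" as the only guidance for an option whose description says it bypasses standard LDAP bind validation. Since the row is being touched anyway, reword that sentence to say plainly that the option should stay at its default of off, and wrap it in {{warning}} as the page already does for `xwiki.authentication.authclass`. The rewritten `Ldap server adress` line also still carries the "adress" spelling, and the `bind_DN` description could say "full DN" consistently with the `base_DN` row.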
... ... @@ -37,7 +37,8 @@
37 37  |Try local login|xwiki.authentication.ldap.trylocal|off|[Since 1.3M2, XWikiLDAPAuthServiceImpl] if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
38 38  |Update user from LDAP|xwiki.authentication.ldap.update_user||[Since 1.3M2, XWikiLDAPAuthServiceImpl] on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
39 39  |Ldap user fiels mapping|xwiki.authentication.ldap.fields_mapping| - |retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
40 -|Ldap groups mapping|xwiki.authentication.ldap.group_mapping| - |((([Since 1.3M2, XWikiLDAPAuthServiceImpl]
45 +|Ldap groups mapping|xwiki.authentication.ldap.group_mapping| - |(((
46 +[Since 1.3M2, XWikiLDAPAuthServiceImpl]
41 41  maps XWiki groups to LDAP groups, separator is "|"
42 42  
43 43  {{code language="cfg"}}
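
Review bot: The `xwiki.authentication.ldap.update_user` row just above the changed line has an empty Default cell (`||`), while every other row in this table gives either a value or ` - `. As this edit is a cleanup pass over the table, fill in the default there (the neighbouring `trylocal` row uses `off`) or use ` - ` so the column renders consistently. The same context also has "Ldap user fiels mapping", which should read "fields".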
... ... @@ -45,13 +45,16 @@
45 45  XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
46 46  {{/code}}
47 47  
48 -{{warning}}When copy/pasting this configuration parameter from ##xwiki.cfg## please make sure to remove '\' line concatenation sign as well as forward and trailing whitespaces. It is acceptable to split different record into multiple lines, but again without extra whitespaces. The reason for removing whitespaces is that if they are present, it will try to create e.g. '+++XWiki.Organisation' group which would be incorrect and prevent proper group mapping and hence authentication.{{/warning}}
49 -
54 +{{warning}}
55 +When copy/pasting this configuration parameter from ##xwiki.cfg## please make sure to remove '\' line concatenation sign as well as forward and trailing whitespaces. It is acceptable to split different record into multiple lines, but again without extra whitespaces. The reason for removing whitespaces is that if they are present, it will try to create e.g. '+++XWiki.Organisation' group which would be incorrect and prevent proper group mapping and hence authentication.
56 +{{/warning}}
50 50  )))
51 51  |LDAP groups members cache|xwiki.authentication.ldap.groupcache_expiration|3600*6|[Since 1.3M2, XWikiLDAPAuthServiceImpl] time in seconds after which the list of members in a group is refreshed from LDAP
52 -|LDAP groups sync mode|xwiki.authentication.ldap.mode_group_sync|always|((([Since 1.3M2, XWikiLDAPAuthServiceImpl]
59 +|LDAP groups sync mode|xwiki.authentication.ldap.mode_group_sync|always|(((
60 +[Since 1.3M2, XWikiLDAPAuthServiceImpl]
53 53   create : synchronize group membership only when the user is first created
54 - always: synchronize on every login)))
62 + always: synchronize on every login
63 +)))
55 55  
56 56  == LDAP synchronization feature ==
57 57  
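
Review bot: The warning moved onto its own lines keeps its wording unchanged, and that wording is where readers will trip: "forward and trailing whitespaces" should be "leading and trailing whitespace", and the '+++XWiki.Organisation' example does not say that the plus signs stand for the stray whitespace. Suggest stating that explicitly, since the warning itself says a wrong group name prevents group mapping and hence authentication. In the context row for `groupcache_expiration`, the default is written as `3600*6`; it would help to say whether the field accepts that expression or needs the number of seconds written out.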
... ... @@ -60,15 +60,16 @@
60 60  {{/info}}
61 61  
62 62  {{warning}}
63 -* This feature is only available **starting with XWiki Enterprise 3.0**
72 +* This feature is only available **starting with XWiki 3.0**
64 64  * If your version of XWiki is compatible and the extension has been installed according to the installations instructions, you will see a section about the synchronization right under the general LDAP configuration section
65 65  {{/warning}}
66 66  
67 -{{image reference=ldapSync.png/}}
76 +{{image reference="ldapSync.png"/}}
68 68  
69 69  === Configuring the synchronization frequencies ===
70 70  
71 71  The LDAP synchronization relies on the [[Scheduler Application]]. It bring two scheduler jobs:
81 +
72 72  * One is responsible for **starting a synchronization cycle**. Its name in the scheduler job table is //Start LDAP synchronization cycle//. Its default cron configuration is **0 0 2 * * ?**, which means every night at 2 A.M.
73 73  * The other one is responsible for **executing batches of user account synchronization**. Its name in the scheduler job table is //Execute LDAP synchronization batch//. Its default configuration is **0 0/5 * * * ?**, meaning every five minutes.
74 74  
