Changes for page Lemon LDAP and OpenPAAS Configuration
Last modified by Ludovic Dubost on 2020/10/01 11:16
Change comment:
There is no comment for this version
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Title
... ... @@ -1,1 +1,1 @@ 1 - ConfigurationLemon LDAPetOpenPAAS1 +Lemon LDAP and OpenPAAS Configuration - Content
... ... @@ -1,16 +1,18 @@ 1 1 2 - Cedocument présenteunguide deconfiguration del'authentificateurXWiki OpenIDC avec LemonLDAP aussiutiliséparOpenPAAS (Linagora).3 - Cetteconfiguration aététestée avecune installationdockerdelemonLDAP.2 +This document presents a configuration guide for the XWiki OpenIDC authenticator with LemonLDAP also used by OpenPAAS (Linagora). 3 +This configuration has been tested with a docker installation of lemonLDAP. 4 4 5 - == ConfigurationXWiki==5 +{{toc start=2 /}} 6 6 7 - Toutd'abord l'authentifcateurOpenIDCdoit êtreactivé dansxwiki.cfg:7 +== XWiki Configuration == 8 8 9 +First the OpenIDC Authenticator must be enabled in xwiki.cfg: 10 + 9 9 {{code}} 10 10 xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl 11 11 {{/code}} 12 12 13 - Etconfigurédansxwiki.properties.Voiclesconfigurationsqui doiventêtre modifiées:15 +And configured in xwiki.properties. Here are the properties to configure: 14 14 15 15 {{code}} 16 16 oidc.endpoint.authorization=<url de lemon ldap>/oauth2/authorize ... ... 
@@ -27,40 +27,45 @@ 27 27 oidc.secret=<a remplir> 28 28 {{/code}} 29 29 30 - Par exemple <urldelemon ldap>peutêtre http://auth.example.com (pourla demoLemonLDAP)32 +For example <url of lemon ldap> can be http://auth.example.com (for LemonLDAP demo) 31 31 32 -== Configuration Lemon LDAP==34 +== Lemon LDAP Configuration == 33 33 34 - Il fautse connecteraumanagerLemonLDAP(par exemple http://manager.example.com).36 +You have to connect to the LemonLDAP manager (for example http://manager.example.com). 35 35 36 - LemoduleOpenIDCdoitêtre activé danslasectionParamètresGénéraux/ModulesFournisseurs / OpenID Connect38 +The OpenIDC module must be activated in the section General Settings / Supplier Modules / OpenID Connect 37 37 38 - image:lemonldap-activationopenidc.png40 +Image: lemonldap-activationopenidc.png 39 39 40 - UneapplicationXWiki doitêtre ajoutéeansla sectionParamètresGénéraux/ Portail / Menu / CatégoriesetApplication.41 - L'URL de XWikidoitêtre indiquée.42 +An XWiki application must be added in the General Settings / Portal / Menu / Categories and Application section. 43 +The XWiki URL must be specified. 42 42 43 - image:lemonldap-ajouterapp.png45 +Image: lemonldap-ajouterapp.png 44 44 45 - Une configurationclientdoit être ajoutéeans"ClientsOpenID Connect".Le nomstlibre.47 +A client configuration must be added in "OpenID Connect Clients". The name can be anything. 46 46 47 - image:lemonldap-ajouterclientopenidc.png49 +Image: lemonldap-ajouterclientopenidc.png 48 48 49 - Lesparamètresclientidetsecretdoiventêtreajoutésdanslasection Options / Authentification.Ceux-cidoitêtreles mêmesquedanslaconfiguration xwiki.properties51 +The clientid and secret parameters must be added in the Options / Authentication section. 
These must be the same as in the xwiki.properties configuration 50 50 51 - image:lemonldap-authentification.png53 +Image: lemonldap-authentification.png 52 52 53 - Uneaddressederedirection authoriséedoit êtreindiqué danslasection Options /Adressesde redirectionautoriséespourla connexionetOptions /Adressesde redirectionautoriséespourla déconnexion.Celle-cidoit correspondreà l'URLduXWikiet lapartie URIdoitêtre /xwiki/oidc/authenticator/callback.55 +An authorized redirection address must be specified in the Options / Redirection Addresses Allowed for Connection and Options / Redirected Adresses for Disconnection options. This must match the URL of the XWiki and the URI part must be / xwiki / oidc / authenticator / callback. 54 54 55 - image:lemonldap-redirectionauthorisee.png57 +Image: lemonldap-redirectionauthorisee.png 56 56 57 - Afin depermettrela synchronisationdechamps venantdeLemonLDAPdansleprofilXWikidesnouveauxattributscommençantpar xwiki_user_suividunomduchampXWiki (first_name, last_name, company, address)doiventêtre ajoutésdansla sectionAttributs exportés.Il doivent pointervers des nomde champsLemonLDAP eux-même synchronisés versla sourced'authentification(souvent OpenLDAP).Enmodedemo, lemonLDAPn'a pasbeaucoupde champsdisponible,nousavonsdoncsynchroniséle "cn".59 +In order to allow the synchronization of fields from LemonLDAP into the XWiki profile, new attributes starting with xwiki_user_ followed by the name of the XWiki field (first_name, last_name, company, address) must be added in the Export Attributes section. They must point to LemonLDAP field names themselves synchronized to the authentication source (often OpenLDAP). In demo mode, lemonLDAP does not have many available fields, so we synchronized the "cn". 58 58 59 - image:lemonldap-attributes.png61 +Image: lemonldap-attributes.png 60 60 61 - Une fois leschampscréés lavaleur"profile"doitêtre modifiéeansla sectionsOptions/Déclarations(scopes/claims). 
Ildoitcontenirlalistedeschamps classiques pluslesnouveauxchampsXWiki.Par exemple:63 +Once the fields have been created, the "profile" value must be modified in the Options / Declarations section. It should contain the list of classic fields plus the new XWiki fields. For example: 62 62 63 -n om given_name country first_name last_name email mail xwiki_user_first_name xwiki_user_last_name xwiki_user_company65 +name given_name country first_name last_name email mail xwiki_user_first_name xwiki_user_last_name xwiki_user_company 64 64 65 - image:lemonldap-scopeclaims.png67 +Image: lemonldap-scopeclaims.png 66 66 69 +== Troubleshooting == 70 + 71 +If all goes well when going to XWiki and clicking login, you should be redirected to the lemon ldap authentication screen and after authentication you should be redirected to XWiki and the XWiki user profile created and populated with the profile information. 72 + 73 +In case of problems debugging is possible at XWiki level (in the preferences you can activate logging information for the oidc module) and in LemonLDAP by activating debug logs in the Apache configuration.
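
Review bot: In the @@ -1,16 +1,18 @@ content hunk, the code block's unchanged context line 16 still carries the French placeholder "<url de lemon ldap>", while the translated prose added at +32 refers to "<url of lemon ldap>"; translate the placeholder in the oidc.endpoint.* sample in the same change so the text and the properties block agree. The product name is also written three ways across the added lines ("LemonLDAP", "lemonLDAP", "Lemon LDAP"); settle on one spelling.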
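
Review bot: In the @@ -27,40 +27,45 @@ hunk, line +55 gives the callback path as "/ xwiki / oidc / authenticator / callback" where the removed line 53 had "/xwiki/oidc/authenticator/callback"; a reader copying the spaced form into the allowed redirection addresses registers a value that does not match the callback path, so restore the path without spaces (and fix "Redirected Adresses" on the same line). The hunk also changes "image:lemonldap-activationopenidc.png" to "Image: lemonldap-activationopenidc.png" at +40, and does the same to the other image lines through +67, which no longer matches the image: form the removed lines used; keep the original lowercase, no-space form. Context line 27 still reads "oidc.secret=<a remplir>" untranslated, and since +32 offers "http://auth.example.com" as the example, that line should say the plain-http URL applies to the demo only, because the client secret configured at +51 is sent to these endpoints.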