LDAP Application

Version 56.1 by Admin on 2021/03/17 12:30

UI that makes it easier to configure LDAP

Type: XAR
Developed by: Denis Gervalle, Thomas Mortagne, Alex Cotiuga, XWiki Development Team
Active Installs: 970
Rating: 0 Votes
License: GNU Lesser General Public License 2.1
Compatibility: Requires XWiki 7.4 or more.

Installable with the Extension Manager

Description

Provides a UI that makes it easier to configure the LDAP Authenticator (instead of having to configure LDAP from the xwiki.cfg file). It also allows configuring LDAP for a given subwiki only, which is not possible from xwiki.cfg.

Usage

As an administrator, visit your wiki's administration area and go to the LDAP section:

ldap-link.png

This application sets up LDAP for the current wiki only. If you want an LDAP property to apply to the whole farm, you should set it in xwiki.cfg (of course you can also set it in each wiki using the application, but that's usually a pain).

Enabling LDAP authentication on a wiki

The LDAP application assumes LDAP is enabled as the main authenticator via the bundled XWiki LDAP authenticator. If it's not the case, you will be "welcomed" with the following warning message:

ldap-authenticator-warning.png

If you encounter this message, please refer to the Authenticator documentation in order to enable the LDAP authenticator on your wiki.

You need to make sure you have the following in your xwiki.cfg file:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl

since LDAP Application 8.3, or, if you are using an older version of the application:

xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl

Uncomment it and then restart XWiki.

There should be no other parts of the LDAP configuration enabled.
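The requirement above can be checked mechanically. The following Python sketch is an added example, not code from the XWiki project; it reads the text of an xwiki.cfg file, confirms that one of the two authenticator classes named above is uncommented, and lists any other LDAP property that is still enabled in the file. The key prefix xwiki.authentication.ldap is an assumption that is not stated on this page, and the sample input is constructed.

```python
# Added example: audits xwiki.cfg text for the authenticator setup described above.
ACCEPTED = {
    "org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl",        # LDAP Application 8.3+
    "com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl",  # older versions
}
AUTHCLASS = "xwiki.authentication.authclass"
# Assumption (not stated on the page): LDAP keys in xwiki.cfg share this prefix.
LDAP_PREFIX = "xwiki.authentication.ldap"


def active_properties(text):
    """Yield (line_no, key, value) for each uncommented key=value line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        yield n, key.strip(), value.strip()


def audit(text):
    """Return a list of findings; an empty list means the file matches the page."""
    props = list(active_properties(text))
    auth = [(n, v) for n, k, v in props if k == AUTHCLASS]
    findings = []
    if not auth:
        findings.append("authclass is missing or still commented out")
    if len(auth) > 1:
        findings.append("authclass is set on more than one line")
    for n, v in auth:
        if v not in ACCEPTED:
            findings.append(f"line {n}: {v} is not an LDAP authenticator class")
    for n, k, v in props:
        if k == LDAP_PREFIX or k.startswith(LDAP_PREFIX + "."):
            # Never echo a bind password into audit output.
            shown = "<redacted>" if "pass" in k.lower() else v
            findings.append(f"line {n}: {k}={shown} is enabled in xwiki.cfg")
    return findings


# Constructed sample input, not a real xwiki.cfg.
SAMPLE = """\
# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
# xwiki.authentication.ldap.server=127.0.0.1
xwiki.authentication.ldap.bind_pass=example-password
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
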

Once this is all set up, you can start configuring all other LDAP settings directly in the XWiki administration area. If you are running a farm of wikis (via XWiki Enterprise Manager), you can have different LDAP settings on a per-wiki basis.

The first setting offered allows you to decide if LDAP authentication should be enabled for the wiki at hand. In a single-wiki environment, this option can be used as a switch for LDAP authentication. In a multi-wiki environment, this option helps you decide on which wikis users should be created. A classic configuration is to enable LDAP on the main wiki and disable it on other wikis, so that users are centralized on the main wiki.

See use cases of configuration to authenticate users with LDAP for some examples of the configuration that used the previous method.

ldap-enable.png

Configuring an LDAP connection

When you've decided to enable LDAP authentication on a wiki, you can then let XWiki know how it should connect to the LDAP server via a set of parameters exposed by the LDAP administration UI. Note that those parameters, as well as any other parameter below this point, override the matching properties in xwiki.cfg. This means that if you or the server administrator of your wiki have already configured the LDAP connection in the XWiki configuration file, you can use this application to override just some settings (on a per-wiki basis on a farm, for example) or to fill in settings that have been left out of the configuration file (like user and group mappings, for example). If, on the contrary, no LDAP configuration has been established at all in xwiki.cfg on the filesystem (except for setting LDAP as the main authenticator), you will have to fill in sufficient information in the LDAP administration section for the LDAP connection to work properly.

In order to communicate with your LDAP server, XWiki needs to know at least two pieces of information:

  • The address (IP or domain name) of the server and the port to connect to. For example, 127.0.0.1 and 389 for a server located on the same machine and running on the standard LDAP port.
  • A bind login and password to connect to the server with. These can be left empty for anonymous access to the LDAP server. If you want the user's own login to be used for binding when they connect to XWiki, you can use {0} as a placeholder for the user uid field, and {1} for their password. See the image below for an example configuration:

ldap-connection
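The bind settings in the list above give three setups: anonymous access, a fixed bind account, and binding with the user's own credentials through {0} and {1}. The Python sketch below is an added example, not the authenticator's own code; it classifies a bind login and password pair and flags combinations that usually indicate a mistake. The function name, the mode labels and the sample DNs are constructed for illustration.

```python
import re

# Matches the numbered placeholders described above, e.g. {0} and {1}.
PLACEHOLDER = re.compile(r"\{(\d+)\}")


def classify_bind(bind_dn, bind_pass):
    """Return (mode, warnings) for a bind login / bind password pair."""
    dn_idx = set(PLACEHOLDER.findall(bind_dn))
    pw_idx = set(PLACEHOLDER.findall(bind_pass))
    warnings = []
    unknown = sorted((dn_idx | pw_idx) - {"0", "1"})
    if unknown:
        warnings.append("unknown placeholder index: " + ", ".join(unknown))
    if "1" in dn_idx:
        warnings.append("{1} puts the user's password into the bind login")
    if not bind_dn.strip() and not bind_pass:
        return "anonymous", warnings
    if "0" in dn_idx or "1" in pw_idx:
        if "0" not in dn_idx:
            warnings.append("bind password uses {1} but the bind login has no {0}")
        if "1" not in pw_idx:
            warnings.append("bind login uses {0} but the bind password does not use {1}")
        return "user-credentials", warnings
    if not bind_dn.strip():
        warnings.append("password set without a bind login")
    if not bind_pass:
        # RFC 4513 section 5.1.2: a name with an empty password is an
        # unauthenticated bind, which servers may treat like anonymous access.
        warnings.append("fixed bind login with empty password")
    return "fixed-account", warnings


if __name__ == "__main__":
    # Constructed sample values.
    print(classify_bind("uid={0},ou=people,dc=example,dc=org", "{1}"))
    print(classify_bind("cn=wiki-reader,dc=example,dc=org", ""))
```
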

Mapping user properties and groups

A typical use of this LDAP administration UI is to configure user and group mappings, as it offers a more visual way to provide this information. This lets you link fields of user profiles on the LDAP server to fields of the user profile in XWiki, and map groups or searches on LDAP to XWiki groups. The image below illustrates how you can take advantage of such mappings:

ldap-mappings

Reset Group cache

reset-group-cache.png

The Authenticator usually does not react very quickly to changes made to groups on the LDAP side. This is because it maintains a cache for performance reasons.

Trying to reduce the lifetime of that cache is generally a bad idea, since it might significantly reduce the performance of the authenticator. The recommended approach is to use the "Reset Group Cache" button explicitly when you make a modification on the LDAP side that you want to see applied right away.

Release Notes

These are the release notes of the whole LDAP project.

9.13.1

The following translations have been updated with this release:

9.13.0

9.12.0

9.11.3

The following translations have been updated with this release:

9.11.2

The following translations have been updated with this release:

9.11.1

More debug log.

9.11.0

9.10.1

9.10

9.9.1

9.9.0

9.8.0

9.7.8

The following translations have been updated with this release:

9.7.7

9.7.6

9.7.5

9.7.4

9.7.3

9.7.2

9.7.1

9.7

...

8.3.x

Convert to contrib extension.

New class for the authenticator:

xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl

And in general all classes are similar but have been moved to the new org.xwiki.contrib.ldap package. Old classes still exist in the Legacy Authenticator.

Prerequisites & Installation Instructions

We recommend using the Extension Manager to install this extension (make sure that the text "Installable with the Extension Manager" is displayed at the top right of this page to know if this extension can be installed with the Extension Manager). Note that installing extensions while offline is currently not supported, and you would need to use a complex manual method.

You can also use the following manual method, which is useful if this extension cannot be installed with the Extension Manager or if you're using an old version of XWiki that doesn't have the Extension Manager:

  1. Log in to the wiki with a user having Administration rights
  2. Go to the Administration page and select the Import category
  3. Follow the on-screen instructions to upload the downloaded XAR
  4. Click on the uploaded XAR and follow the instructions
  5. You'll also need to install all dependent Extensions that are not already installed in your wiki

Dependencies

Dependencies for this extension (org.xwiki.contrib.ldap:ldap-ui 9.5.2):

Tags: LDAP