1 Use cases of configuration to authenticate users with LDAP

Here you can find some detailed use cases of LDAP authentication configuration.

#toc("" "" "")

1.1 Active Directory

Here are values of the properties you need to set if your LDAP server implementation is Microsoft Active Directory:
- *ldap_server*: name/IP of AD server machine
- *ldap_port*: port ~~(e.g. 389)~~
- *ldap_base_DN*: name of root DN ~~(e.g. dc=ad,dc=company,dc=com)~~
- *ldap_bind_DN*: domain\{0\} ~~(e.g. ad\{0\} where \{0\} will be replaced by username during validation)~~
- *ldap_bind_pass*: \{1\} ~~(where \{1\} will be replaced by password during validation)~~
- *ldap_UID_attr*: sAMAccountName
- *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn

Example:
{code}
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=adserver
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=subdomain\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
{code}

1.1 Apple Open Directory Server

In order to set this up, your xwiki.cfg file should have the attributes below set like this:

{code}
xwiki.authentication.ldap.bind_DN=uid={0},cn=users,dc=sub,dc=domain,dc=tld
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.group_classes=apple-group
xwiki.authentication.ldap.group_memberfields=memberUid,uid
{code}

Note that with this setup, the user who logs in will need the right to list group members on the LDAP server.

1.1 Open Directory Server (OpenDS)

Here are values of the properties you need to set if you want to *authorize only members of a group to log in*.
In this case, the group is cn=xwiki,ou=roles,dc=domain,dc=tld

{code}
xwiki.authentication.ldap.server=ldap.domain.tld
xwiki.authentication.ldap.port=389

xwiki.authentication.ldap.bind_DN=
xwiki.authentication.ldap.bind_pass=

xwiki.authentication.ldap.base_DN=ou=people,dc=domain,dc=tld
xwiki.authentication.ldap.UID_attr=cn

xwiki.authentication.ldap.group_classes=groupOfNames
xwiki.authentication.ldap.group_memberfields=memberUid
xwiki.authentication.ldap.user_group=cn=xwiki,ou=roles,dc=domain,dc=tld
{code}

*bind_DN* and *bind_pass* are both empty, so the connection to the LDAP server will be anonymous. With OpenDS, an anonymous connection can read some needed attributes like userPassword, home, ...

1.1 Generic

1.1.1 I want to be able to reuse LDAP users' group membership in XWiki

e.g. if you want all the LDAP users of group <tt>cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas</tt> to be automatically added to the XWiki group <tt>XWiki.XWikiAdminGroup</tt> when they log in, set:
{code}
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas
{code}

If you want to add more mappings, add them separated by <tt>|</tt>:
{code}
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas|\
XWiki.OtherXWikiGroup=cn=HMS Victory,ou=crews,ou=groups,o=sevenSeas
{code}

#warning("The XWiki groups have to already exist")

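
As an added illustration (not XWiki's own code), the following Python reads a <tt>group_mapping</tt> value in the format shown above, splitting entries on <tt>|</tt> and each entry on its first <tt>=</tt> only (the LDAP DN on the right contains <tt>=</tt> itself), then works out which XWiki groups a user should be added to and flags mapped XWiki groups that do not exist yet. The property-reading helper, the sample configuration and the group names are constructed for this example.

```python
import re

# Constructed sample of an xwiki.cfg fragment (not taken from a real deployment),
# using the backslash line continuation shown in the second mapping example.
SAMPLE_CFG = r"""
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas|\
XWiki.OtherXWikiGroup=cn=HMS Victory,ou=crews,ou=groups,o=sevenSeas
"""

def read_property(cfg_text, key):
    """Return the value of one key from properties-style text, after folding
    backslash-newline continuations. Hypothetical helper, not XWiki's loader."""
    folded = re.sub(r"\\\n\s*", "", cfg_text)
    for line in folded.splitlines():
        if line.startswith(key + "="):
            return line[len(key) + 1:]
    return None

def parse_group_mapping(value):
    """Turn 'XWikiGroup=ldapDN|XWikiGroup2=ldapDN2' into {ldap_dn: [xwiki groups]}.
    Entries are split on '|' and each entry on its FIRST '=' only, because the
    LDAP DN on the right-hand side contains '=' itself. DNs are compared
    case-insensitively here (a simplification of real DN matching rules)."""
    mapping = {}
    for entry in value.split("|"):
        xwiki_group, _, ldap_dn = entry.partition("=")
        mapping.setdefault(ldap_dn.strip().lower(), []).append(xwiki_group.strip())
    return mapping

def groups_to_sync(mapping, user_ldap_groups, existing_xwiki_groups):
    """Given the DNs of the LDAP groups a user belongs to, return the XWiki
    groups the user should be added to, and the mapped XWiki groups that do
    not exist (the page's warning: mapped XWiki groups must already exist)."""
    to_add, missing = [], []
    for dn in user_ldap_groups:
        for group in mapping.get(dn.strip().lower(), []):
            (to_add if group in existing_xwiki_groups else missing).append(group)
    return to_add, missing
```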
1.1.1 My users are not located in the same organization unit

In that case you can't use a fixed pattern such as <tt>xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP</tt>.

The trick here is to connect to LDAP with a user able to list LDAP users (and groups, if you want to do membership synchronization).

To handle that, LDAP authentication automatically searches for the user DN by trying to match the provided login against the <tt>xwiki.authentication.ldap.UID_attr</tt> attribute value. So simply set the DN of an existing administration user (or any other LDAP user with the right to search the whole LDAP server) in <tt>xwiki.authentication.ldap.bind_DN</tt> and its password in <tt>xwiki.authentication.ldap.bind_pass</tt>. LDAP authentication will use it to connect to the LDAP server, search for the provided user and bind the found DN with the provided password to validate it.

For example, if you have an admin user with DN "cn=Administrator,dc=mydomain,dc=org" and password "pass", set:
{code}
xwiki.authentication.ldap.bind_DN=cn=Administrator,dc=mydomain,dc=org
xwiki.authentication.ldap.bind_pass=pass
{code}

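
As an added illustration, not code from XWiki, here is a Python model of the two login strategies: the direct bind with a <tt>{0}</tt>/<tt>{1}</tt> pattern (as in the Active Directory and Apple sections above) and the search-then-bind through a service account described in this section. The directory, users and passwords are constructed, and the decision rule (pattern if <tt>{0}</tt> is present in bind_DN, search otherwise) is an assumption made for this example.

```python
# Constructed in-memory stand-in for an LDAP directory: dn -> (password, attributes).
# Two users sit in different organization units, which is the case this section covers.
FAKE_DIRECTORY = {
    "cn=Administrator,dc=mydomain,dc=org": ("pass", {"cn": "Administrator"}),
    "uid=hornblower,ou=captains,dc=mydomain,dc=org": ("lydia", {"uid": "hornblower"}),
    "uid=bush,ou=lieutenants,dc=mydomain,dc=org": ("victory", {"uid": "bush"}),
}

# Constructed xwiki.cfg values for the two strategies (keys shortened to the property suffix).
PATTERN_CFG = {"bind_DN": "uid={0},ou=captains,dc=mydomain,dc=org", "bind_pass": "{1}",
               "base_DN": "dc=mydomain,dc=org", "UID_attr": "uid"}
SEARCH_CFG = {"bind_DN": "cn=Administrator,dc=mydomain,dc=org", "bind_pass": "pass",
              "base_DN": "dc=mydomain,dc=org", "UID_attr": "uid"}

def ldap_bind(dn, password):
    """Simple bind against the fake directory: the DN must exist and the password match."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry[0] == password

def ldap_search(base_dn, attr, value):
    """Subtree search for (attr=value) under base_dn, returning the matching DNs."""
    return [dn for dn, (_, attrs) in FAKE_DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and attrs.get(attr) == value]

def authenticate(cfg, login, password):
    """Return the authenticated user's DN, or None. Models the two strategies the
    page describes (an assumption about behaviour, not XWiki's own code):
      - bind_DN contains {0}: substitute login/password and bind directly;
      - otherwise: bind as the configured service account, search base_DN for
        UID_attr=login, then bind as the single DN found with the user's password."""
    if not password:
        return None  # a DN with an empty password is an unauthenticated bind, never a login
    if "{0}" in cfg["bind_DN"]:
        dn = cfg["bind_DN"].replace("{0}", login)
        return dn if ldap_bind(dn, cfg["bind_pass"].replace("{1}", password)) else None
    if not ldap_bind(cfg["bind_DN"], cfg["bind_pass"]):
        return None  # service account cannot connect, so no search is possible
    found = ldap_search(cfg["base_DN"], cfg["UID_attr"], login)
    if len(found) != 1:
        return None  # no match or an ambiguous match: refuse rather than guess
    return found[0] if ldap_bind(found[0], password) else None
```

The empty-password check matters in a real deployment: LDAP servers commonly treat a bind with a DN and an empty password as an anonymous bind that succeeds, so a login flow has to refuse it before binding.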
1.1.1 My users are not located on the same server

e.g. if you use several subdomains and the users are defined separately in each subdomain. This will likely be the case when you have a configuration like this:

{code}
sub1.somedomain.com
sub2.somedomain.com
sub3.somedomain.com
...
{code}

XWiki cannot search in multiple domains (as of XWiki 1.5).

1.1.1.1 Approach 1: Configure group membership login
One possible solution is to make one (or more) group(s) in your AD and set the group membership to all users that have to have access to your wiki. Then configure XWiki to only let members of that group log in. If a user wants to log in, XWiki will look up whether the user's credentials are found in the group member attributes in AD. With this setting, XWiki will ignore the base_DN search if the user was found in that group.\\
Take care that the group membership attribute in AD (in its default configuration) will contain the CN ("FirstName LastName"), not the sAMAccountName. So your users will have to log in with their full name instead of their username.

1.1.1 I'm in a multiwiki environment and I want my LDAP users to be registered only on the main wiki

Each wiki can have its own LDAP configuration (even enabling/disabling LDAP) in the XWiki.XWikiPreference page (edit it with the object editor). What you can find in the xwiki.cfg file is just the default LDAP configuration.

When the LDAP authenticator fails to authenticate against a wiki, it will try again against the main wiki.

In order to forbid LDAP authentication from creating users on subwikis, you can use one of the following ways:
* disable LDAP in xwiki.cfg and enable it in the main wiki by choosing "Yes" in the "Ldap" field of the XWiki.XWikiPreference page object
or
* disable LDAP in every sub-wiki by choosing "No" in the "Ldap" field of the XWiki.XWikiPreference page object