Use cases of configuration to authenticate users with LDAP

Here you can find some detailed uses cases of LDAP authentication configuration.

Invalid macro parameters used for the "toc" macro. Cause: [Failed to validate bean: [must be greater than or equal to 1]]. Click on this message for details.

Active Directory

Here are values of the properties you need to set if your LDAP server implementation is Microsoft Active Directory:

  • ldap_server: name/IP of AD server machine
  • ldap_port: port (e.g. 389)
  • ldap_base_DN: name of root DN (e.g. dc=ad,dc=company,dc=com)
  • ldap_bind_DN: domain{0} (e.g. ad{0} where {0} will be replaced by username during validation)
  • ldap_bind_pass: {1} (where {1} will be replaced by password during validation)
  • ldap_UID_attr: sAMAccountName
  • ldap_fields_mapping: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn

Example:

xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=adserver
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=subdomain\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn

Apple Open Directory Server

In order to set this up your xwiki.cfg file should have the attributes below set like this:

xwiki.authentication.ldap.bind_DN=uid={0},cn=users,dc=sub,dc=domain,dc=tld
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.group_classes=apple-group
xwiki.authentication.ldap.group_memberfields=memberUid,uid

Note that if you set it up like this the users logging will need to right to list groups members in LDAP server.

Open Directory Server (OpenDS)

Here are values of the properties you need to set if you would authorize only member of a group to login in. In this case, the group is cn=xwiki,ou=roles,dc=domain,dc=tld

xwiki.authentication.ldap.server=ldap.domain.tld
xwiki.authentication.ldap.port=389

xwiki.authentication.ldap.bind_DN=
xwiki.authentication.ldap.bind_pass=

xwiki.authentication.ldap.base_DN=ou=people,dc=domain,dc=tld
xwiki.authentication.ldap.UID_attr=cn

xwiki.authentication.ldap.group_classes=groupOfNames
xwiki.authentication.ldap.group_memberfields=memberUid
xwiki.authentication.ldap.user_group=cn=xwiki,ou=roles,dc=domain,dc=tld

bind_DN and bind_pass are both empty. The connection to the LDAP server will be anonymous. With OpenDS, an anonymous connection can read some needed attributes like userPassword, home, ...

Generic

I want to be able to reuse LDAP users membership in XWiki

e.g. if you want that all the LDAP users of group cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas to be automatically added in XWiki group XWiki.XWikiAdminGroup when the user log in, set:

xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas

if you want to add more mapping add them separated by |:

xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas|\
                                        XWiki.OtherXWikiGroup=HMS Victory,ou=crews,ou=groups,o=sevenSeas

The xwiki groups have to already exist

My users are not located in the same organization unit

So you can't use the xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP pattern.

The trick here is to to connect to LDAP with a user able to list LDAP users (and groups if you want to do membership synchronization).

To handle that LDAP authentication automatically search for user DN trying to match the provided login with xwiki.authentication.ldap.UID_attr attribute value. So simply set an existing administration (or any other LDAP user with the right to search in the whole LDAP server) user DN at xwiki.authentication.ldap.bind_DN and its password at xwiki.authentication.ldap.bind_pass. LDAP authentication will user it to connect to LDAP server, search for provided user and bind found DN with provided password to validate it.

For example if you have an an admin user with DN "cn=Administrator,dc=mydomain,dc=org" and password "pass" set:

xwiki.authentication.ldap.bind_DN=cn=Administrator,dc=mydomain,dc=org
xwiki.authentication.ldap.bind_pass=pass

My users are not located on the same server

e.g. if you use several subdomains and the users are defined separately in each subdomain. This will likely be the case when you have a configuration like this:

sub1.somedomain.com
sub2.somedomain.com
sub3.somedomain.com
...

XWiki cannot search in multiple domains (as of XWiki 1.5). 

Approach 1: Configure group membership login

One possible solution is to make one (or more) group(s) in your AD and set the group membership to all users that have to have access to your wiki. Then configure XWiki's to only let members of that group log in. If a user wants to log in, XWiki will look up if the user's credentials are found in the group member attributes in AD. With this setting, XWiki will ignore the base_DN search, if a user was found in that group.\ Take care that the group membership attribute in AD (in its default configuration) will contain the CN ("FirstName LastName") - not the sAMAccountName. So your users will have to login with their full name instead of their username.

I'm in multiwiki environment and I want my LDAP users to registered only on main wiki

Each wiki can have it's own LDAP configuration (even enable/disable LDAP) in XWiki.XWikiPreference page (edit it with object editor). What you can find in the xwiki.cfg file is just the default LDAP configuration.

When LDAP authenticator fail to authenticate to a wiki it will try in the main wiki.

In order to forbid LDAP authentication to create users on subwikis you can use one of the following way:

  • disable LDAP in xwiki.cfg and enable it in the main wiki by choosing "Yes" in the "Ldap" field of XWiki.XWikiPreference page object

or

  • disable LDAP in every sub-wikis by choosing "No" in the "Ldap" field of XWiki.XWikiPreference page object

I want to allow access to users depending on a specific attribute on their LDAP entry

For example, suppose you want to prevent access to the wiki for deactivated users, and you have an attribute in LDAP showing the current status of the user.

Typically, you may have this kind of attribute:

  • For Zimbra based LDAP, an active account has this attribute: zimbraAccountStatus=active
  • For ActiveDirectory, a deactivated account has this attribute: userAccountControl:1.2.840.113556.1.4.803:=2
  • Or you can have your own attribute in your private schema, for example: accountstatus=active

In this case, you just have to modify the xwiki.authentication.ldap.user_group value by putting the filter corresponding to what you want, with the same example as above, you'll have:

  • For Zimbra based LDAP: 
xwiki.authentication.ldap.user_group=(zimbraAccountStatus=active)
  • For ActiveDirectory: 
xwiki.authentication.ldap.user_group=(!(userAccountControl:1.2.840.113556.1.4.803:=2))
  • For a private attribute: 
xwiki.authentication.ldap.user_group=(accountstatus=active)

You can of course use any kind of filter, for instance, you can check if the account is active and has any other attribute, like an attribute listing the different service the user can access:

xwiki.authentication.ldap.user_group=(&(accountstatus=active)(allowedservice=xwiki))
Tags:
    

Get Connected