Version 35.1 by Thomas Mortagne on 2016/04/25 13:25

Here you can find some detailed use cases of LDAP authentication configuration:

{{toc/}}

= Active Directory =

Here are the values of the properties you need to set if your LDAP server implementation is Microsoft Active Directory:

* **ldap_server**: name/IP of the AD server machine
* **ldap_port**: port //(e.g. 389)//
* **ldap_base_DN**: name of the root DN //(e.g. dc=ad,dc=company,dc=com)//
* **ldap_bind_DN**: domain\\{0} //(e.g. ad\\{0}, where {0} is replaced by the username during validation; the backslash is written twice because xwiki.cfg is a Java properties file)//
* **ldap_bind_pass**: {1} //(where {1} is replaced by the password during validation)//
* **ldap_UID_attr**: sAMAccountName
* **ldap_fields_mapping**: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn

Example:

{{code}}
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=adserver
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=subdomain\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
{{/code}}

= Apple Open Directory Server =

In order to set this up your **xwiki.cfg** file should have the attributes below set like this:

{{code}}
xwiki.authentication.ldap.bind_DN=uid={0},cn=users,dc=sub,dc=domain,dc=tld
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.group_classes=apple-group
xwiki.authentication.ldap.group_memberfields=memberUid,uid
{{/code}}

Note that with this setup the bind is done with the credentials of the user logging in, so those users will need the right to list group members on the LDAP server.

= Open Directory Server (OpenDS) =

Here are the values of the properties you need to set if you would like to **authorize only members of a group to log in**. In this case, the group is ##cn=xwiki,ou=roles,dc=domain,dc=tld##

{{code}}
xwiki.authentication.ldap.server=ldap.domain.tld
xwiki.authentication.ldap.port=389

xwiki.authentication.ldap.bind_DN=
xwiki.authentication.ldap.bind_pass=

xwiki.authentication.ldap.base_DN=ou=people,dc=domain,dc=tld
xwiki.authentication.ldap.UID_attr=cn

xwiki.authentication.ldap.group_classes=groupOfNames
xwiki.authentication.ldap.group_memberfields=memberUid
xwiki.authentication.ldap.user_group=cn=xwiki,ou=roles,dc=domain,dc=tld
{{/code}}

**bind_DN** and **bind_pass** are both empty, so the connection to the LDAP server is anonymous. With OpenDS an anonymous connection can read some of the needed attributes, like userPassword, home, etc. Whether an anonymous bind may read those attributes depends on the directory's access control, so verify it on your own server before relying on this.

= Generic =

== I want to have LDAP on ##subwiki1## but not on ##subwiki2## ==

Each wiki can have its own LDAP setup. When LDAP fails on a subwiki, the authenticator falls back on the main wiki.

Two possibilities:

=== Disable LDAP by default for all wikis and then enable it only in wikis where you want it ===

* disable LDAP at xwiki.cfg level (which is the default configuration for all wikis)(((
{{code language="properties"}}
xwiki.authentication.ldap=0
{{/code}})))
* enable it only in the subwikis where you want it: this can be done by directly editing the XWiki.XWikiPreferences document with the object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or by using the [[extensions:Extension.LDAP Application]].

=== Enable LDAP by default for all wikis and then disable it only on wikis where you don't want it ===

* enable LDAP at xwiki.cfg level (which is the default configuration for all wikis)(((
{{code language="properties"}}
xwiki.authentication.ldap=1
{{/code}})))
* disable it only in the subwikis where you don't want it: this can be done by directly editing the XWiki.XWikiPreferences document with the object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or by using the [[extensions:Extension.LDAP Application]].

{{warning}}
Right now the authenticator always falls back on the main wiki when LDAP is disabled or does not work on a subwiki. That means it's not possible to have LDAP authentication working when logging in from the main wiki but failing when logging in from a subwiki. In such a case you will be logged in with a global user (main wiki user), the same as if you were accessing the main wiki and then the subwiki in the same session.

What you can do in this case is to not allow main wiki users to access the subwiki, which will essentially have the same result.
{{/warning}}

== I want to be able to reuse LDAP users' group membership in XWiki ==

E.g. if you want all the LDAP users of the group ##cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas## to be automatically added to the XWiki group ##XWiki.XWikiAdminGroup## when the user logs in, set:

{{code}}
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas
{{/code}}

If you want to add more mappings, add them separated by ##|## (each LDAP group must be a full DN, i.e. it starts with ##cn=##):

{{code}}
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas|\
XWiki.OtherXWikiGroup=cn=HMS Victory,ou=crews,ou=groups,o=sevenSeas
{{/code}}
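As an added illustration (not XWiki's own code), here is a small Python reader for the ##group_mapping## value as it sits in ##xwiki.cfg##, including the trailing-backslash line continuation used above, plus the lookup that turns a user's LDAP groups into the XWiki groups to add. The properties excerpt is constructed and all function names are mine; the DN comparison is a simplification (case-insensitive, whitespace around commas ignored).

```python
def load_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties reader (enough for xwiki.cfg): skips blank and
    '#'/'!' comment lines, splits each entry on its first '=', and joins lines that
    end in a single trailing backslash (leading whitespace of the continued line is
    dropped). Other escape sequences are left untouched."""
    props: dict[str, str] = {}
    pending, continuing = "", False
    for raw in text.splitlines():
        line = raw.lstrip()
        if not continuing and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending += line[:-1]
            continuing = True
            continue
        pending += line
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
        pending, continuing = "", False
    return props


def parse_group_mapping(value: str) -> dict[str, list[str]]:
    """Parse 'XWikiGroup=ldapDN|XWikiGroup2=ldapDN2'. Entries are '|'-separated and
    only the FIRST '=' of an entry separates the XWiki group from the DN, because
    the DN itself contains '='. The DN's first RDN must be attr=value (a bare
    'HMS Victory,ou=...' is rejected)."""
    mapping: dict[str, list[str]] = {}
    for entry in filter(None, (e.strip() for e in value.split("|"))):
        xwiki_group, sep, ldap_dn = entry.partition("=")
        if not sep or "=" not in ldap_dn.split(",")[0]:
            raise ValueError(f"malformed group_mapping entry: {entry!r}")
        mapping.setdefault(xwiki_group.strip(), []).append(ldap_dn.strip())
    return mapping


def normalize_dn(dn: str) -> str:
    # Simplification: DNs compare case-insensitively, ignoring spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))


def xwiki_groups_for(mapping: dict[str, list[str]], member_of: list[str]) -> set[str]:
    """XWiki groups a user should be added to, given the LDAP groups they belong to."""
    mine = {normalize_dn(dn) for dn in member_of}
    return {g for g, dns in mapping.items() if any(normalize_dn(d) in mine for d in dns)}


# Constructed xwiki.cfg excerpt mirroring the two-line example (note the continuation).
SAMPLE_CFG = """\
# constructed sample, not a real configuration
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas|\\
    XWiki.OtherXWikiGroup=cn=HMS Victory,ou=crews,ou=groups,o=sevenSeas
"""
GROUP_MAPPING = parse_group_mapping(load_properties(SAMPLE_CFG)["xwiki.authentication.ldap.group_mapping"])
```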
== My users are not located in the same organization unit ==

So you can't use the ##xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP## pattern.

The trick here is to connect to LDAP with a user able to list LDAP users (and groups, if you want to do membership synchronization).

To handle that, LDAP authentication automatically searches for the user's DN, trying to match the provided login with the ##xwiki.authentication.ldap.UID_attr## attribute value. So simply set an existing administrator DN (or any other LDAP user with the right to search the whole LDAP server) at ##xwiki.authentication.ldap.bind_DN## and its password at ##xwiki.authentication.ldap.bind_pass##. LDAP authentication will use it to connect to the LDAP server, search for the provided user and bind the found DN with the provided password to validate it. Since that password is stored in clear text in ##xwiki.cfg##, a dedicated read-only search account is preferable to a real administrator.

For example, if you have an admin user with the DN "cn=Administrator,dc=mydomain,dc=org" and password "pass", set:

{{code}}
xwiki.authentication.ldap.bind_DN=cn=Administrator,dc=mydomain,dc=org
xwiki.authentication.ldap.bind_pass=pass
{{/code}}

== My users are not located on the same server ==

E.g. if you use several subdomains and the users are defined separately in each subdomain. This will likely be the case when you have a configuration like this:

{{code}}
sub1.somedomain.com
sub2.somedomain.com
sub3.somedomain.com
...
{{/code}}

XWiki cannot search in multiple domains (as of XWiki 1.5).

=== Approach 1: Configure group membership login ===

One possible solution is to create one (or more) group(s) in your AD and add all users that need access to your wiki as members. Then configure XWiki to only let members of that group log in. When a user wants to log in, XWiki will check whether the user's credentials are found in the group's member attributes in AD. With this setting, XWiki will skip the base_DN search if the user was found in that group.

{{info}}
The group membership attribute in AD (in its default configuration) will contain the CN ("FirstName LastName"), not the sAMAccountName. So your users will have to log in with their full name instead of their username.
{{/info}}

== I'm in a multiwiki environment and I want my LDAP users to register only on the main wiki ==

Each wiki can have its own LDAP configuration (even enabling/disabling LDAP) in the ##XWiki.XWikiPreferences## page (edit it in [[objects mode>>platform:Features.PageEditing||anchor="HAdvancedMode"]]. See [[How to navigate to a page>>xwiki:FAQ.How can I navigate to a given page]]). What you can find in the ##xwiki.cfg## configuration file is just the default LDAP configuration and it can be overridden in subwikis.

When the LDAP authenticator fails to authenticate on a wiki, it will try on the main wiki.

In order to forbid LDAP authentication from creating users on subwikis you can use one of the following ways:

* disable LDAP in **xwiki.cfg** and enable it in the main wiki by choosing "Yes" in the "Ldap" field of the ##XWiki.XWikiPreferences## page object
* disable LDAP in every sub-wiki by choosing "No" in the "Ldap" field of the ##XWiki.XWikiPreferences## page object

== I want to allow access to users depending on a specific attribute on their LDAP entry ==

For example, suppose you want to prevent access to the wiki for deactivated users, and you have an attribute in LDAP showing the current status of the user.

Typically, you may have this kind of attribute:

* For Zimbra based LDAP, an active account has this attribute: **zimbraAccountStatus=active**
* For ActiveDirectory, a deactivated account has this attribute: **userAccountControl:1.2.840.113556.1.4.803:=2**
* Or you can have your own attribute in your private schema, for example: **accountstatus=active**

In this case, you just have to modify the **xwiki.authentication.ldap.user_group** value by putting the filter corresponding to what you want. Using the same examples as above, you'll have:

* For Zimbra based LDAP:(((
{{code}}
xwiki.authentication.ldap.user_group=(zimbraAccountStatus=active)
{{/code}}
)))
* For ActiveDirectory:(((
{{code}}
xwiki.authentication.ldap.user_group=(!(userAccountControl:1.2.840.113556.1.4.803:=2))
{{/code}}
)))
* For a private attribute:(((
{{code}}
xwiki.authentication.ldap.user_group=(accountstatus=active)
{{/code}}
)))

You can of course use any kind of filter. For instance, you can check that the account is active and also has some other attribute, like an attribute listing the different services the user can access:

{{code}}
xwiki.authentication.ldap.user_group=(&(accountstatus=active)(allowedservice=xwiki))
{{/code}}
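To make the filter-style ##user_group## setting concrete, here is an added Python illustration (not XWiki's code) of how the login lookup described under "My users are not located in the same organization unit" combines with such a filter, with the login escaped per RFC 4515 so that a crafted login cannot change the filter's structure. How XWiki composes the search internally is an assumption here; the filters used in the sample are the ones on this page and all function names are mine.

```python
# RFC 4515 escapes: these characters would otherwise alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value (e.g. the login) before embedding it in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_filter(user_group: str) -> bool:
    """user_group holds either a group DN (cn=...,ou=...) or a parenthesised LDAP filter."""
    return user_group.strip().startswith("(")


def filter_is_balanced(expr: str) -> bool:
    """Cheap sanity check for a configured filter: parentheses must nest properly.
    Escaped \\28 / \\29 sequences are not real parentheses and are not counted."""
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_user_search_filter(uid_attr: str, login: str, user_group: str = "") -> str:
    """Search filter for the login under base_DN. A filter-style user_group is AND-ed
    in, so a deactivated or unauthorised account is simply never found and cannot log
    in. (Assumed composition for illustration; a DN-style user_group would instead be
    checked through group membership and is not handled here.)"""
    lookup = f"({uid_attr}={escape_filter_value(login)})"
    ug = user_group.strip()
    if ug and is_filter(ug):
        if not filter_is_balanced(ug):
            raise ValueError(f"unbalanced user_group filter: {ug!r}")
        return f"(&{lookup}{ug})"
    return lookup
```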
