Last modified by Thomas Mortagne on 2023/09/04 09:29

From version 22.1, edited by Thomas Mortagne on 2010/01/14 17:48
To version 24.1, edited by Thomas Mortagne on 2010/01/20 12:17
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -4,8 +4,48 @@
4 4  
5 5  #toc("" "" "")
6 6  
7 -1.1 I want to be able to reuse LDAP users membership in XWiki
7 +1.1 Active Directory
8 8  
9 +Here are values of the properties you need to set if your LDAP server implementation is Miscrosoft Active Directory:
10 + - *ldap_server*: name/IP of AD server machine
11 + - *ldap_port*: port ~~(e.g. 389)~~
12 + - *ldap_base_DN*: name of root DN ~~(e.g. dc=ad,dc=company,dc=com)~~
13 + - *ldap_bind_DN*: domain\{0\} ~~(e.g. ad\{0\} where \{0\} will be replaced by username during validation)~~
14 + - *ldap_bind_pass*: \{1\} ~~(where \{1\} will be replaced by password during validation)~~
15 + - *ldap_UID_attr*: sAMAccountName
16 + - *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
17 +
18 +Example:
19 +{code}
20 +xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
21 +xwiki.authentication.ldap=1
22 +xwiki.authentication.ldap.server=adserver
23 +xwiki.authentication.ldap.port=389
24 +xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
25 +xwiki.authentication.ldap.bind_DN=subdomain\\{0}
26 +xwiki.authentication.ldap.bind_pass={1}
27 +xwiki.authentication.ldap.UID_attr=sAMAccountName
28 +xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
29 +{code}
30 +
31 +1.1 Apple Open Directory Server
32 +
33 +In order to set this up your xwiki.cfg file should have the attributes below set like this:
34 +
35 +{code}
36 +xwiki.authentication.ldap.bind_DN=uid={0},cn=users,dc=sub,dc=domain,dc=tld
37 +xwiki.authentication.ldap.bind_pass={1}
38 +xwiki.authentication.ldap.UID_attr=uid
39 +xwiki.authentication.ldap.group_classes=apple-group
40 +xwiki.authentication.ldap.group_memberfields=memberUid,uid
41 +{code}
42 +
43 +Note that if you set it up like this the users logging will need to right to list groups members in LDAP server.
44 +
45 +1.1 Generic
46 +
47 +1.1.1 I want to be able to reuse LDAP users membership in XWiki
48 +
9 9  e.g. if you want that all the LDAP users of group <tt>cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas</tt> to be automatically added in XWiki group <tt>XWiki.XWikiAdminGroup</tt> when the user log in, set:
10 10  {code}
11 11  xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas
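Review bot: The Active Directory example at new lines 23-26 puts each user's own name and password into the bind (bind_DN=subdomain\\{0}, bind_pass={1}) and sends it to port 389, the standard LDAP port, which is unencrypted unless TLS is negotiated; neither the property list nor the example says how that connection is protected. Please add a sentence on using an encrypted connection to the AD server, or state that 389 is only an example value. Smaller points: "Miscrosoft" at new line 9 should be "Microsoft"; the moved sentence at new line 43 ("the users logging will need to right to list groups members") should read "the users logging in will need the right to list group members"; and the property list writes the bind DN as domain\{0\} while the example uses subdomain\\{0}, so say whether the doubled backslash is required in xwiki.cfg.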
... ... @@ -18,8 +18,9 @@
18 18  {code}
19 19  
20 20  #warning("The xwiki groups have to already exist")
21 -1.1 My users are not located in the same organization unit
22 22  
62 +1.1.1 My users are not located in the same organization unit
63 +
23 23  So you can't use the <tt>xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP</tt> pattern.
24 24  
25 25  The trick here is to to connect to LDAP with a user able to list LDAP users (and groups if you want to do membership synchronization).
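Review bot: The paragraph kept under the renumbered heading at new line 62 tells readers to connect "with a user able to list LDAP users" without saying what kind of account that should be; since the section is being touched, state that it should be a dedicated account limited to reading users (and groups, when membership synchronization is wanted). The doubled "to to" on line 25 can be fixed in the same pass.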
... ... @@ -32,11 +32,8 @@
32 32  xwiki.authentication.ldap.bind_pass=pass
33 33  {code}
34 34  
76 +1.1.1 My users are not located on the same server
35 35  
36 -
37 -
38 -1.1 My users are not located on the same server
39 -
40 40  e.g. if you use several subdomains and the users are defined seperately in each subdomain. This will likely be the case when you have a configuration like this:
41 41  
42 42  {code}
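Review bot: The context at line 32 shows the search account's password stored in clear text in xwiki.cfg (bind_pass=pass), and the section this hunk renumbers never mentions it; add a note that xwiki.cfg then holds a directory credential and should be readable only by the account that runs the wiki. "seperately" on line 40 should be "separately". Dropping the three blank lines at old 36-38 is fine.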
... ... @@ -48,26 +48,13 @@
48 48  
49 49  XWiki cannot search in multiple domains (as of XWiki 1.5).
50 50  
51 -1.1.1 Approach 1: Configure group membership login
89 +1.1.1.1 Approach 1: Configure group membership login
52 52  One possible solution is to make one (or more) group(s) in your AD and set the group membership to all users that have to have access to your wiki. Then configure XWiki's to only let members of that group log in. If a user wants to log in, XWiki will look up if the user's credentials are found in the group member attributes in AD. With this setting, XWiki will ignore the base_DN search, if a user was found in that group.\\
53 53  Take care that the group membership attribute in AD (in its default configuration) will contain the CN ("FirstName LastName") - not the sAMAccountName. So your users will have to login with their full name instead of their username.
54 54  
55 -1.1 I want to use XWiki with an Apple Open Directory Server
56 56  
57 -In order to set this up your xwiki.cfg file should have the attributes below set like this:
94 +1.1.1 I'm in multiwiki environment and I want my LDAP users to registered only on main wiki
58 58  
59 -{code}
60 -xwiki.authentication.ldap.bind_DN=uid={0},cn=users,dc=sub,dc=domain,dc=tld
61 -xwiki.authentication.ldap.bind_pass={1}
62 -xwiki.authentication.ldap.UID_attr=uid
63 -xwiki.authentication.ldap.group_classes=apple-group
64 -xwiki.authentication.ldap.group_memberfields=memberUid,uid
65 -{code}
66 -
67 -Note that if you set it up like this the users logging will need to right to list groups members in LDAP server.
68 -
69 -1.1 I'm in multiwiki environment and I want my LDAP users to registered only on main wiki
70 -
71 71  Each wiki can have it's own LDAP configuration (even enable/disable LDAP) in XWiki.XWikiPreference page (edit it with object editor). What you can find in the xwiki.cfg file is just the default LDAP configuration.
72 72  
73 73  When LDAP authenticator fail to authenticate to a wiki it will try in the main wiki.
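Review bot: The rewritten heading at new line 94 is still ungrammatical ("I want my LDAP users to registered only on main wiki"); since the line is being changed anyway, make it "I'm in a multiwiki environment and I want my LDAP users to be registered only on the main wiki". The fallback described at line 73 ("When LDAP authenticator fail to authenticate to a wiki it will try in the main wiki") decides which LDAP configuration ends up accepting a login, so it deserves a clearer sentence, and "it's own" on line 71 should be "its own". The heading at new line 89 moves to level 1.1.1.1 but, unlike the other headings added in this change, still has no blank line before its paragraph at line 52.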
... ... @@ -76,7 +76,3 @@
76 76  * disable LDAP in xwiki.cfg and enable it in the main wiki by choosing "Yes" in the "Ldap" field of XWiki.XWikiPreference page object
77 77  or
78 78  * disable LDAP in every sub-wikis by choosing "No" in the "Ldap" field of XWiki.XWikiPreference page object
79 -
80 -
81 -
82 -
