Last modified by Thomas Mortagne on 2023/09/04 09:29

From version 3.1
edited by Thomas Mortagne
on 2008/07/25 17:30
Change comment: There is no comment for this version
To version 5.1
edited by steel
on 2008/08/14 12:59
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -xwiki:XWiki.ThomasMortagne
1 +xwiki:XWiki.steel
Content
... ... @@ -3,3 +3,33 @@
3 3  Here you can find some detailed uses cases of LDAP authentication configuration.
4 4  
5 5  #toc("" "" "")
6 +
7 +1.1 My users are not located in the same organization unit
8 +
9 +So you can use the <tt>xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP</tt> pattern.
10 +
11 +To handle that LDAP authentication automatically search for user DN trying to match the provided login with <tt>xwiki.authentication.ldap.UID_attr</tt> attribute value. So simply set an existing administration (or any other LDAP user with the right to search in the whole LDAP server) user DN at <tt>xwiki.authentication.ldap.bind_DN</tt> and its password at <tt>xwiki.authentication.ldap.bind_pass</tt>. LDAP authentication will user it to connect to LDAP server, search for provided user and bind found DN with provided password to validate it.
12 +
13 +For example if you have an an admin user with DN "cn=Administrator,dc=mydomain,dc=org" and password "pass" set:
14 +{code}
15 +xwiki.authentication.ldap.bind_DN=cn=Administrator,dc=mydomain,dc=org
16 +xwiki.authentication.ldap.bind_pass=pass
17 +{code}
18 +
19 +1.1 My users are not located on the same server
20 +
21 +e.g. if you use several subdomains and the users are defined seperately in each subdomain. This will likely be the case when you have a configuration like this:
22 +
23 +{code}
24 +sub1.somedomain.com
25 +sub2.somedomain.com
26 +sub3.somedomain.com
27 +...
28 +{code}
29 +
30 +XWiki cannot search in multiple domains (as of XWiki 1.5).
31 +
32 +1.1.1 Approach 1: Configure group membership login
33 +One possible solution is to make one (or more) group(s) in your AD and set the group membership to all users that have to have access to your wiki. Then configure XWiki's to only let members of that group log in. If a user wants to log in, XWiki will look up if the user's credentials are found in the group member attributes in AD. With this setting, XWiki will ignore the base_DN search, if a user was found in that group.
34 +Take care that the group membership attribute in AD (in its default configuration) will contain the CN ("FirstName LastName") - not the sAMAccountName. So your users will have to login with their full name instead of their username.
35 +
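Review bot: New line 11 tells administrators to put "an existing administration" user's DN and password into xwiki.authentication.ldap.bind_DN and xwiki.authentication.ldap.bind_pass, and the example at new lines 15-16 uses cn=Administrator with its password written in clear text in the configuration. Recommend a dedicated account that only has the right to search the directory, which the parenthetical already allows, and say that the file holding bind_pass should be readable only by the account the wiki runs under. New line 9 reads as the opposite of what its heading implies: with users spread over several organization units, a fixed pattern such as cn={0},department=USER,... cannot match every user, so "So you can use" probably should be "So you cannot use". Smaller points: "will user it" should be "will use it", "an an admin user" and "seperately" are typos, "configure XWiki's to only let members" is missing its noun, and Approach 1 never names the property that restricts login to a group, so a reader cannot act on it.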
