Last modified by Thomas Mortagne on 2023/09/04 09:29

From version 31.1
edited by Manuel Smeria
on 2012/12/17 16:29
Change comment: Document converted from syntax xwiki/1.0 to syntax xwiki/2.1
To version 31.2
edited by Manuel Smeria
on 2012/12/17 16:35
Change comment: Updated headers and title, fixed toc

Page properties
Title
... ... @@ -1,0 +1,1 @@
1 +Use cases of configuration to authenticate users with LDAP
Content
... ... @@ -1,11 +1,9 @@
1 -= Use cases of configuration to authenticate users with LDAP =
1 +Here you can find some detailed uses cases of LDAP authentication configuration:
2 2  
3 -Here you can find some detailed uses cases of LDAP authentication configuration.
3 +{{toc/}}
4 4  
5 -{{toc start="" depth="" numbered=""/}}
5 += Active Directory =
6 6  
7 -== Active Directory ==
8 -
9 9  Here are values of the properties you need to set if your LDAP server implementation is Microsoft Active Directory:
10 10  
11 11  (% style="list-style-type: square" %)
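
Review bot: the intro sentence re-added at new line 1 still reads "detailed uses cases". Since the line is being rewritten anyway (the period becomes a colon), correct it to "detailed use cases" so it agrees with the new title "Use cases of configuration to authenticate users with LDAP".
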
... ... @@ -31,7 +31,7 @@
31 31  xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
32 32  {{/code}}
33 33  
34 -== Apple Open Directory Server ==
32 += Apple Open Directory Server =
35 35  
36 36  In order to set this up your xwiki.cfg file should have the attributes below set like this:
37 37  
... ... @@ -45,7 +45,7 @@
45 45  
46 46  Note that if you set it up like this the users logging will need to right to list groups members in LDAP server.
47 47  
48 -== Open Directory Server (OpenDS) ==
46 += Open Directory Server (OpenDS) =
49 49  
50 50  Here are values of the properties you need to set if you would **authorize only member of a group to login in**. In this case, the group is cn=xwiki,ou=roles,dc=domain,dc=tld
51 51  
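
Review bot: the context sentence at line 47, directly above the promoted OpenDS heading, reads "the users logging will need to right to list groups members in LDAP server", which leaves the actual permission requirement hard to parse. While the section is being touched, reword it along the lines of "users logging in will need the right to list group members on the LDAP server". Line 50 has the same kind of slip: "authorize only member of a group to login in" should read "authorize only members of a group to log in".
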
... ... @@ -66,9 +66,9 @@
66 66  
67 67  **bind_DN** and **bind_pass** are both empty. The connection to the LDAP server will be anonymous. With OpenDS, an anonymous connection can read some needed attributes like userPassword, home, ...
68 68  
69 -== Generic ==
67 += Generic =
70 70  
71 -=== I want to be able to reuse LDAP users membership in XWiki ===
69 +== I want to be able to reuse LDAP users membership in XWiki ==
72 72  
73 73  e.g. if you want that all the LDAP users of group ##cn=HMS Lydia,ou=crews,ou=groups,o=sevenSeas## to be automatically added in XWiki group ##XWiki.XWikiAdminGroup## when the user log in, set:
74 74  
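
Review bot: line 67 documents a setup where bind_DN and bind_pass are empty and the anonymous connection can read userPassword, and the header cleanup leaves that statement without any caveat. Suggest following it with a short {{warning}} block (the macro is already used further down the page) saying that this depends on the directory allowing anonymous read of userPassword, and that a dedicated bind account is the alternative when anonymous read is not permitted. Also, the new line 69 heading "reuse LDAP users membership" would read better as "reuse LDAP group membership".
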
... ... @@ -87,7 +87,7 @@
87 87  The xwiki groups have to already exist
88 88  {{/warning}}
89 89  
90 -=== My users are not located in the same organization unit ===
88 +== My users are not located in the same organization unit ==
91 91  
92 92  So you can't use the ##xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP## pattern.
93 93  
... ... @@ -102,7 +102,7 @@
102 102  xwiki.authentication.ldap.bind_pass=pass
103 103  {{/code}}
104 104  
105 -=== My users are not located on the same server ===
103 +== My users are not located on the same server ==
106 106  
107 107  e.g. if you use several subdomains and the users are defined separately in each subdomain. This will likely be the case when you have a configuration like this:
108 108  
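
Review bot: the sample ending at line 102 puts the bind password directly in the configuration (bind_pass=pass) with nothing said about it next to the block. Suggest adding a sentence after the {{/code}} at line 103 stating that the bind account should be a dedicated account limited to searching the directory, and that the file holding this value should be readable only by the account running the wiki.
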
... ... @@ -115,11 +115,11 @@
115 115  
116 116  XWiki cannot search in multiple domains (as of XWiki 1.5).
117 117  
118 -==== Approach 1: Configure group membership login ====
116 +=== Approach 1: Configure group membership login ===
119 119  
120 120  One possible solution is to make one (or more) group(s) in your AD and set the group membership to all users that have to have access to your wiki. Then configure XWiki's to only let members of that group log in. If a user wants to log in, XWiki will look up if the user's credentials are found in the group member attributes in AD. With this setting, XWiki will ignore the base_DN search, if a user was found in that group.\ Take care that the group membership attribute in AD (in its default configuration) will contain the CN ("FirstName LastName") - not the sAMAccountName. So your users will have to login with their full name instead of their username.
121 121  
122 -=== I'm in multiwiki environment and I want my LDAP users to registered only on main wiki ===
120 +== I'm in multiwiki environment and I want my LDAP users to registered only on main wiki ==
123 123  
124 124  Each wiki can have it's own LDAP configuration (even enable/disable LDAP) in XWiki.XWikiPreference page (edit it with object editor). What you can find in the xwiki.cfg file is just the default LDAP configuration.
125 125  
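
Review bot: the heading added at new line 120 is ungrammatical: "I want my LDAP users to registered only on main wiki" is missing "be" and should read "to be registered only on the main wiki". In the same hunk, line 120 of the context carries a stray backslash ("found in that group.\ Take care"), "Then configure XWiki's to only let" should be "configure XWiki to only let", and line 124 has "it's own" for "its own". The note "(as of XWiki 1.5)" at line 116 should also be rechecked against the current version while the headers are being updated.
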
... ... @@ -133,7 +133,7 @@
133 133  
134 134  * disable LDAP in every sub-wikis by choosing "No" in the "Ldap" field of XWiki.XWikiPreference page object
135 135  
136 -=== I want to allow access to users depending on a specific attribute on their LDAP entry ===
134 +== I want to allow access to users depending on a specific attribute on their LDAP entry ==
137 137  
138 138  For example, suppose you want to prevent access to the wiki for deactivated users, and you have an attribute in LDAP showing the current status of the user.
139 139  
