Last modified by Thomas Mortagne on 2023/09/04 09:29

From version < 37.1 >
edited by Pascal Bastien
on 2016/11/03 18:05
To version < 38.1 >
edited by Thomas Mortagne
on 2016/11/04 09:42
Change comment: There is no comment for this version

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -xwiki:XWiki.pbas
1 +xwiki:XWiki.ThomasMortagne
Content
... ... @@ -63,26 +63,27 @@
63 63  
64 64  = Generic =
65 65  
66 -== I want to have LDAP on ##subwiki1## but not on ##subwiki2##
66 +== I want to have LDAP on ##subwiki1## but not on ##subwiki2## ==
67 67  
68 68  Each wiki can have it's own LDAP setup. When LDAP fail on a subwiki it fallback on main wiki.
69 69  
70 70  Two possibilities:
71 71  
72 -=== Disable LDAP by default for all wikis and then enable it only in wikis where you want it
72 +=== Disable LDAP by default for all wikis and then enable it only in wikis where you want it ===
73 73  
74 74  * disable LDAP at xwiki.cfg level (which is the default configuration for all wikis)(((
75 75  {{code language="properties"}}
76 76  xwiki.authentication.ldap=0
77 -{{/code}})))
78 -*enable it only in subwikis where we want it: can be done by directly editing XWiki.XWikiReference document with object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or using [[extensions:Extension.LDAP Application]].
77 +{{/code}}
78 +)))*enable it only in subwikis where we want it: can be done by directly editing XWiki.XWikiReference document with object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or using [[extensions:Extension.LDAP Application]].
79 79  
80 -=== Enable LDAP by default for all wikis and then disable it only on wikis where you don't want it
80 +=== Enable LDAP by default for all wikis and then disable it only on wikis where you don't want it ===
81 81  
82 82  * enable LDAP at xwiki.cfg level (which is the default configuration for all wikis)(((
83 83  {{code language="properties"}}
84 84  xwiki.authentication.ldap=1
85 -{{/code}})))
85 +{{/code}}
86 +)))
86 86  * disable it only in subwikis where we want it: can be done by directly editing XWiki.XWikiReference document with object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or using [[extensions:Extension.LDAP Application]].
87 87  
88 88  {{warning}}
... ... @@ -188,7 +188,9 @@
188 188  {{/code}}
189 189  
190 190  == Use LDAP over SSL (ldaps authentication) ==
192 +
191 191  To adds support for SSL connections to the ldap server you need:
194 +
192 192  * to set (xwiki.authentication.ldap.ssl) parameter in xwiki.cfg(((
193 193  {{code language="properties"}}
194 194  #-# SSL connection to LDAP server
... ... @@ -196,27 +196,24 @@
196 196  #-# - 1: SSL
197 197  #-# The default is 0
198 198  xwiki.authentication.ldap.ssl=1
199 -{{/code}})))
202 +{{/code}}
203 +)))
200 200  * and add to the trust store of the JSSE extension the CA certificate which delivered the SSL certificate of the ldap server.(((
201 201  From the Sun JSSE documentation: The search order for the locating the trust store is:
206 +
202 202  1. <java-home>/lib/security/jssecacerts, then
203 203  1. <java-home>/lib/security/cacerts
204 204  If the file jssecacerts exists, then cacerts is not consulted. So in order to make it work you have to create a trust store named jssecacerts with the following command and place it in the suitable directory of the JRE or JDK used by your container:
205 -{{code}}
206 -keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts
207 -{{/code}}
210 +{{code}}keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts{{/code}}
208 208  (answer yes when asked if you want to trust the certificate). I read on the web the default password for cacerts is 'changeit' so I used that, I didn't try yet with another password for the trust store.
209 209  Since xwiki 8.3, the default extension repositories use httpS and if the file jssecacerts exists (here fore ldapS) then cacerts is not consulted and extension update (and probably install too) display an error: //unable to find valid certification path to requested target//.
210 210  The problem is:
214 +
211 211  * cacerts containing all certificate/keys (and the one for httpS extension repositories)
212 212  * jssecacerts containing only ldapS certificate
213 213  Then, to use ldapS and extension update, you must import ldapS certicate in existent cacerts file instead to create a new one (and rename it in jssecacerts to not forget it)
214 -{{code}}
215 -cp <java-home>/lib/security/cacerts <java-home>/jre/lib/security/cacerts.ori
218 +{{code language="bash"}}cp <java-home>/lib/security/cacerts <java-home>/jre/lib/security/cacerts.ori
216 216  <java-home>/bin/keytool -import -trustcacerts -alias ca -file /my/path/ToLdapS/cert/MyLdapCertificate.pem -keystore <java-home>/lib/security/cacerts
217 217  mv <java-home>/lib/security/cacerts <java-home>/lib/security/jssecacerts
218 -mv <java-home>/lib/security/cacerts.ori <java-home>/jre/lib/security/cacerts
219 -{{/code}}
221 +mv <java-home>/lib/security/cacerts.ori <java-home>/jre/lib/security/cacerts{{/code}}
220 220  )))
221 -(Source: http://jira.xwiki.org/browse/XWIKI-865)
222 -
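Review bot: the final `mv` on line 221 reads back `<java-home>/lib/security/cacerts.ori`, but the backup on line 218 was written to `<java-home>/jre/lib/security/cacerts.ori`, so as written the restore step either fails or, if both directories exist, touches the wrong file; the four commands should use one `security` directory consistently, matching the `<java-home>/lib/security/` path the keytool import on line 216 and the `jssecacerts` rename on line 217 already use. Dropping the old line 221 `(Source: http://jira.xwiki.org/browse/XWIKI-865)` also removes the only reference for this cacerts/jssecacerts workaround and its interaction with the HTTPS extension repositories; keeping that link lets readers verify the behaviour for their XWiki version. Minor: the `{{code language="bash"}}cp ...` macro is now opened on the same line as its first command while the hunk at lines 63-88 was just changed to put `{{/code}}` on its own line, so the two styles are inconsistent, and the unchanged context has `certicate` on line 213 and `here fore` on line 209 (`certificate`, `therefore`).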
