Changes for page Use cases of configuration to authenticate users with LDAP
Last modified by Thomas Mortagne on 2023/09/04 09:29
Change comment:
There is no comment for this version
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Author
... ... @@ -1,1 +1,1 @@ 1 -xwiki:XWiki. pbas1 +xwiki:XWiki.ThomasMortagne - Content
... ... @@ -63,26 +63,27 @@ 63 63 64 64 = Generic = 65 65 66 -== I want to have LDAP on ##subwiki1## but not on ##subwiki2## 66 +== I want to have LDAP on ##subwiki1## but not on ##subwiki2## == 67 67 68 68 Each wiki can have it's own LDAP setup. When LDAP fail on a subwiki it fallback on main wiki. 69 69 70 70 Two possibilities: 71 71 72 -=== Disable LDAP by default for all wikis and then enable it only in wikis where you want it 72 +=== Disable LDAP by default for all wikis and then enable it only in wikis where you want it === 73 73 74 74 * disable LDAP at xwiki.cfg level (which is the default configuration for all wikis)((( 75 75 {{code language="properties"}} 76 76 xwiki.authentication.ldap=0 77 -{{/code}} )))78 -*enable it only in subwikis where we want it: can be done by directly editing XWiki.XWikiReference document with object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or using [[extensions:Extension.LDAP Application]]. 77 +{{/code}} 78 +)))*enable it only in subwikis where we want it: can be done by directly editing XWiki.XWikiReference document with object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or using [[extensions:Extension.LDAP Application]]. 79 79 80 -=== Enable LDAP by default for all wikis and then disable it only on wikis where you don't want it 80 +=== Enable LDAP by default for all wikis and then disable it only on wikis where you don't want it === 81 81 82 82 * enable LDAP at xwiki.cfg level (which is the default configuration for all wikis)((( 83 83 {{code language="properties"}} 84 84 xwiki.authentication.ldap=1 85 -{{/code}}))) 85 +{{/code}} 86 +))) 86 86 * disable it only in subwikis where we want it: can be done by directly editing XWiki.XWikiReference document with object editor (http://ldapwiki.mydomain.org/xwiki/bin/edit/XWiki/XWikiPreferences?editor=objet) or using [[extensions:Extension.LDAP Application]]. 87 87 88 88 {{warning}} ... ... 
@@ -188,7 +188,9 @@ 188 188 {{/code}} 189 189 190 190 == Use LDAP over SSL (ldaps authentication) == 192 + 191 191 To adds support for SSL connections to the ldap server you need: 194 + 192 192 * to set (xwiki.authentication.ldap.ssl) parameter in xwiki.cfg((( 193 193 {{code language="properties"}} 194 194 #-# SSL connection to LDAP server ... ... 
@@ -196,27 +196,24 @@ 196 196 #-# - 1: SSL 197 197 #-# The default is 0 198 198 xwiki.authentication.ldap.ssl=1 199 -{{/code}}))) 202 +{{/code}} 203 +))) 200 200 * and add to the trust store of the JSSE extension the CA certificate which delivered the SSL certificate of the ldap server.((( 201 201 From the Sun JSSE documentation: The search order for the locating the trust store is: 206 + 202 202 1. <java-home>/lib/security/jssecacerts, then 203 203 1. <java-home>/lib/security/cacerts 204 204 If the file jssecacerts exists, then cacerts is not consulted. So in order to make it work you have to create a trust store named jssecacerts with the following command and place it in the suitable directory of the JRE or JDK used by your container: 205 -{{code}} 206 -keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts 207 -{{/code}} 210 +{{code}}keytool -import -trustcacerts -alias ca -file cacert.crt -keystore jssecacerts{{/code}} 208 208 (answer yes when asked if you want to trust the certificate). I read on the web the default password for cacerts is 'changeit' so I used that, I didn't try yet with another password for the trust store. 209 209 Since xwiki 8.3, the default extension repositories use httpS and if the file jssecacerts exists (here fore ldapS) then cacerts is not consulted and extension update (and probably install too) display an error: //unable to find valid certification path to requested target//. 
210 210 The problem is: 214 + 211 211 * cacerts containing all certificate/keys (and the one for httpS extension repositories) 212 212 * jssecacerts containing only ldapS certificate 213 213 Then, to use ldapS and extension update, you must import ldapS certicate in existent cacerts file instead to create a new one (and rename it in jssecacerts to not forget it) 214 -{{code}} 215 -cp <java-home>/lib/security/cacerts <java-home>/jre/lib/security/cacerts.ori 218 +{{code language="bash"}}cp <java-home>/lib/security/cacerts <java-home>/jre/lib/security/cacerts.ori 216 216 <java-home>/bin/keytool -import -trustcacerts -alias ca -file /my/path/ToLdapS/cert/MyLdapCertificate.pem -keystore <java-home>/lib/security/cacerts 217 217 mv <java-home>/lib/security/cacerts <java-home>/lib/security/jssecacerts 218 -mv <java-home>/lib/security/cacerts.ori <java-home>/jre/lib/security/cacerts 219 -{{/code}} 221 +mv <java-home>/lib/security/cacerts.ori <java-home>/jre/lib/security/cacerts{{/code}} 220 220 ))) 221 -(Source: http://jira.xwiki.org/browse/XWIKI-865) 222 -
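Review bot: in the hunk `@@ -63,26 +63,27 @@`, the group close `)))` now shares a line with `*enable it only in subwikis where we want it` (new line 78), so that `*` is no longer at the start of a line and will not render as a list item; the sibling sub-section at new lines 85-86 does it correctly by putting `)))` on its own line before `* disable it only in subwikis`. Make the first one match: `)))` alone on its line, then `* enable it only in subwikis where we want it: ...` on the next line, with the space after `*` as in the other bullet. The unchanged context in the same hunk also carries a few defects worth fixing while it is touched: both XWikiPreferences URLs end in `editor=objet` where `editor=object` is meant, the text says to edit `XWiki.XWikiReference` while the URL points at `XWiki/XWikiPreferences`, and `Each wiki can have it's own LDAP setup. When LDAP fail on a subwiki it fallback on main wiki.` should read `Each wiki can have its own LDAP setup. When LDAP fails on a subwiki it falls back to the main wiki.`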
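Review bot: in the hunk `@@ -188,7 +188,9 @@`, the blank lines added after the `== Use LDAP over SSL (ldaps authentication) ==` heading and after `you need:` are the right fix for list rendering, but the sentence itself still reads `To adds support for SSL connections to the ldap server you need:`; suggest `To add support for SSL connections to the LDAP server you need:`, and drop the stray parentheses in `to set (xwiki.authentication.ldap.ssl) parameter in xwiki.cfg` in the bullet that follows.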
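Review bot: in the hunk `@@ -196,27 +196,24 @@`, the bash block kept at new lines 218-221 does not restore what it backed up: the first line copies `<java-home>/lib/security/cacerts` to `<java-home>/jre/lib/security/cacerts.ori`, the keytool import and the `mv` to `jssecacerts` operate on `<java-home>/lib/security/`, and the last line then moves `<java-home>/lib/security/cacerts.ori` (a file the script never created) to `<java-home>/jre/lib/security/cacerts`. Run as written, `<java-home>/lib/security/cacerts` is gone after the rename and nothing is put back there. All four paths should use one directory, e.g. `cp <java-home>/lib/security/cacerts <java-home>/lib/security/cacerts.ori` at the top and `mv <java-home>/lib/security/cacerts.ori <java-home>/lib/security/cacerts` at the end; this is a pre-existing bug, but the hunk rewrites these exact lines, so it is the moment to fix it. Second, the trailing `-` line deletes `(Source: http://jira.xwiki.org/browse/XWIKI-865)` with no replacement, which removes the only reference for the jssecacerts/cacerts workaround; keep it, inside the group before `)))` if the intent was to tidy the layout. Finally, collapsing `{{code}}` and `{{/code}}` onto the same line as their content is harmless for the single keytool command but makes the three-line bash block harder to read and to diff, and the context still says `import ldapS certicate in existent cacerts file instead to create a new one` (certificate; existing; instead of creating a new one).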