Hi Jiri,
>
> >The fact I didn't only bind the user to check the password is that in some
> >case where directory structure is complex I can't guess the DN out of the
> >user name...
>
> Active Directory allows several ways to authenticate a user when binding:
> - Distinguished Name (only works with simple bind)
> - NT account name (domain\samAccountName) (always works with simple or secure bind)
> - UserPrincipalName (user(a)domain.com) (always works with simple or secure bind IF it is defined; it is not a required attribute)
> - sAMAccountName (user) (only works with AD secure bind)
Thanks for this information.
>
>
> >Anyway if in your case DN can be guessed out of user name, I think not
> >setting ldap_bind_DN could do the trick
>
> I cannot guess the full DN because it consists of a company personal ID.
> What I use is the domain\samAccountName way, where samAccountName
> equals the XWiki user name. Because the account name is the combined name
> DOMAIN + "\" + USERNAME, it would be nice if a new parameter were
> introduced, e.g. ldap_bind_addomain, which would then be used when
> constructing the userDN before using it in the Bind method.
> Another problem with using a dedicated ldap_bind_DN (compared to using
> the user's DN only) is the need to have a special system account on
> AD, which I can hardly imagine getting approved by our sys
> admins.
>
What about using a template like the java.text.Format object for ldap_bind_DN
and ldap_bind_Password, with user and password being the parameters:
ldap_bind_DN = "DOMAIN\\{0}"
ldap_bind_pass = "{1}"
This way we only use one parameter to define the binding strategy.
In this case we still need to make a search to find the DN in case we need to
create the user in XWiki. Or we can also use a simple format such as:
ldap_DN_format="CN={0},CN=Users,DC=domain,DC=com"
>
> >And besides I'll investigate into adding proper AD support (guess I'll have
> >to install WS2003
>
> I don't think there is another possibility than introducing an
> SSL stack, which is unnecessary overhead if you need just
> authentication and not changing of passwords, IMHO.
>
You're right, but in the future we may want to provide XWiki -> LDAP
synchronization.
>
> >As I don't want to bind twice, I use comparison of
> >password (so I don't really read password).
>
> Even for this comparison I get "attribute not find" from AD. I also
> tried more attribute names like "unicodePwd", but with no success...
>
>
> >As for CreateUserFromLDAP, it's a very first version, and I'm looking for
> >comments about it.
>
> What would be interesting is to add support for plugging in custom
> mapping logic. We will need it for extracting a substring of an LDAP
> attribute and assigning a user to an XWiki group based on LDAP grouping.
>
For mapping LDAP/AD groups to XWiki groups, I kind of postponed this task as
it is not so easy to provide a general LDAP solution. There is no memberOf
field in Open-LDAP for example, so in AD it is easier to find which groups a
user belongs to (using his memberOf field).
>
> Thank you,
> Jiri.
>
>
> On Thu, 28 Apr 2005 22:35:08 +0200, you wrote:
>
> >Hi Jiri
> >The fact I didn't only bind the user to check the password is that in some
> >case where directory structure is complex I can't guess the DN out of the
> >user name, so I first need to make a search, binding anonymously or with
> >binding DN/password. As I don't want to bind twice, I use comparison of
> >password (so I don't really read password).
> >Anyway if in your case DN can be guessed out of user name, I think not
> >setting ldap_bind_DN could do the trick, maybe with some minor modification
> >to the code. If you could send me the patch you made I can find a way to
> >make it "clean".
> >And besides I'll investigate into adding proper AD support (guess I'll have
> >to install WS2003).
> >As for CreateUserFromLDAP, it's a very first version, and I'm looking for
> >comments about it.
> >
> >Alexis KARTMANN
> >email : alexis(a)kartmann.com
> >Blog : http://www.kartmann.com
> >ICQ : 258922616
> >Yahoo : akartmann
> >MSN : alexis(a)kartmann.com
> >AIM : alexkartmann
> >Jabber : akartmann(a)jabber.fr
> >Skype : alexkartmann
> >
> >
> >-----Original Message-----
> >From : Jiri Luzny [mailto:jiri.luzny@seznam.cz]
> >Sent : Thursday, 28 April 2005 21:40
> >To : xwiki-dev(a)objectweb.org
> >Subject : Re: [xwiki-dev] LDAP integration status
> >
> >Hi Alexis,
> >
> >I'm testing the LDAP stuff with Active Directory and it is *almost*
> >working fine. ;-)
> >
> >The problem is in LDAPAuthServiceImpl.checkUserPassword() when you try
> >to read "userPassword" in order to check the password. As I understood
> >from reading various articles, Active Directory requires strong
> >encryption even for read-only access to the "userPassword"
> >("unicodePwd") attribute. Here are some links:
> >
> >http://forum.java.sun.com/thread.jspa?threadID=592611&messageID=3100133
> >http://mail.jabber.org/pipermail/jadmin/2002-January/003278.html
> >
> >Is there any specific reason why you cannot just simply rely on bind()
> >with either DN or username and password to authenticate the user? I
> >commented out the userPassword check and assigned the return value of the
> >Bind() method to the result (not using ldap_bind_DN at all) and it is
> >working fine.
> >
> >Anyway, thanks for this piece of code (especially the newly committed
> >CreateUserFromLDAP() feature is cool).
> >
> >Jiri.
> >
> >On Wed, 27 Apr 2005 16:05:52 +0200, you wrote:
> >
> >>Hi,
> >>I'm working on LDAP integration.
> >>The current status is:
> >>- Password can be checked against the LDAP server using different strategies.
> >>- User must exist in the XWiki database.
> >>These functions are available in the SVN version on openweb, but not in the latest
> >>binary release. I still need to provide documentation on how to use it.
> >>I have plans to add:
> >>- Automatic transfer of a user from LDAP to XWiki the first time a user connects.
> >>- Update of user fields from LDAP to XWiki.
> >>- Mass transfer/update from LDAP to XWiki.
> >>If you're willing to build the latest version I can provide you help testing
> >>this in your environment. I only tested with an Open-LDAP server and I'm
> >>curious to learn how it works with other servers.
> >>
> >>Alexis KARTMANN
> >>email : alexis(a)kartmann.com
> >>Blog : http://www.kartmann.com
> >>Jabber : akartmann(a)jabber.fr
> >>
> >>
> >>-----Original Message-----
> >>From : Jiri Luzny [mailto:jiri.luzny@seznam.cz]
> >>Sent : Wednesday, 27 April 2005 15:28
> >>To : xwiki-dev(a)objectweb.org
> >>Subject : [xwiki-dev] LDAP integration status
> >>
> >>Hi,
> >>
> >>as we plan to integrate XWiki user management with Active Directory in
> >>our company, I'm curious what is the status of LDAP Integration. Is it
> >>testable? If so, I would be happy to become a beta tester for this ;-)
> >>
> >>Jiri.
>
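Working out the template idea discussed in this thread as an added example (it is not XWiki's code nor Alexis's): the bind-name forms Jiri lists and the ldap_DN_format search fallback, with the login name escaped per RFC 4514 (DN values) and RFC 4515 (filter values) before it is substituted into the java.text.MessageFormat template. DOMAIN, domain.com and the base DN are assumed placeholders.

```java
import java.text.MessageFormat;
// Added example, not XWiki's code: builds the bind name and search filter from
// the thread's templates, LDAP-escaping the user-supplied login name first so
// it cannot add RDNs to the DN or clauses to the filter. Domain/base DN are placeholders.
public class LdapBindTemplate {
    // RFC 4514: backslash-escape DN special characters, a leading space or '#',
    // and a trailing space inside an attribute value.
    static String escapeDnValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            boolean edge = (i == 0 && (c == ' ' || c == '#'))
                        || (i == v.length() - 1 && c == ' ');
            if (",+\"\\<>;".indexOf(c) >= 0 || edge) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }
    // RFC 4515: hex-escape filter metacharacters inside an assertion value.
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // MessageFormat substitutes arguments verbatim (only the template's own single
    // quotes are special), so the value is LDAP-escaped first. The escaped characters
    // are not permitted in AD account names, so DOMAIN\{0} and UPN forms are unchanged.
    static String bindName(String template, String user) {
        return MessageFormat.format(template, escapeDnValue(user));
    }
    static String searchFilter(String template, String user) {
        return MessageFormat.format(template, escapeFilterValue(user));
    }
    public static void main(String[] args) {
        String dn = "CN={0},CN=Users,DC=domain,DC=com";
        System.out.println(bindName("DOMAIN\\{0}", "jiri"));
        System.out.println(bindName(dn, "jiri"));
        System.out.println(bindName(dn, "x,CN=Admins"));   // crafted name stays in its RDN
        System.out.println(searchFilter("(sAMAccountName={0})", "x)(cn=*"));
    }
}
```

The last two calls show why the escaping matters: without it a login name containing "," or ")" would change the DN that is bound or the filter that is searched, rather than just failing to authenticate.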
Hi,
as we plan to integrate XWiki user management with Active Directory in
our company, I'm curious what is the status of LDAP Integration. Is it
testable? If so, I would be happy to become a beta tester for this ;-)
Jiri.
Hi All,
The CruiseControl build server is now set up and the build currently passes.
Currently test failures don't make the build fail because there are
some tests that fail for CruiseControl setup reasons.
See results at http://build.xpertnet.biz
LDAP fails because there is no LDAP server set up. The Servlet
authentication tests fail because there is an issue when running these tests on
the Linux build machine (on Windows it works). This must be due to a
cookie issue in the test environment. Other tests need to be looked at.
Builds are only redone if there are SVN changes.
Email notifications to the developers list are not yet set up. This
should be the case pretty soon.
Ludovic
--
Ludovic Dubost
XPertNet: http://www.xpertnet.fr/
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost AIM: nvludo Yahoo: ludovic
Hi,
Here is a summary of UBS's evaluation of XWiki versus other wiki tools.
I've responded to them.
It's very interesting for us to have other people's view on XWiki.
Ludovic