Hi all,
I finally managed to finish the first version of the long awaited
email notification plugin :)
downloads, installation instructions and link to the svn repository can
be found there:
http://www.jkraemer.net/maven/xwiki/plugins/emailnotify-plugin/index.html
I also put this link and some words about the current status on
xwiki.org:
http://www.xwiki.org/xwiki/bin/view/Dev/EmailNotification
I must admit that I did not invest much time into testing this, so
handle with care. Especially I have no idea how it performs under
load, i.e. a lot of changes and/or a lot of subscribers. There may well
be room for optimizations in this area. As I'm pretty occupied with my
day time job these days I just wanted to get the plugin to a working
state quickly - suggestions, patches, bug reports are always welcome.
One problem that sometimes occured in my testing (using a fresh install
of xwiki 0.9.543 and a fresh db, together with tomcat 5.5.4 and jdk
1.5.0) is that the links I integrated into the more actions menu for
subscribing/unsubscribing don't show up after editing a page. they still
show up on other pages, but they don't anymore on the page just edited.
It's just like an old version of the menu is shown.
I tried putting the links into the toolbar to the right instead - same
problem. Doea anybody have an idea what could be causing this weird
behaviour ?
So long,
Jens
--
Jens Krämer
jk(a)jkraemer.net
Hi Jiri,
>
> >The fact I didn't only bind the user to check the password is that in
> some
> >case where directory structure is complex I can't guess the DN out of the
> >user name...
>
> Active directory allows more ways to authenticate user when binding:
> - Distinguished Name (only works with simple bind)
> - NT account name (domain\samAccountName) (always works with simple or
> secure bind)
> - UserPrincipalName (user(a)domain.com) (always works with simple or
> secure bind IF it is defined; is not required attribute)
> - sAMAcountName (user) (only works with AD secure bind)
Thanks for this information.
>
>
> >Anyway if in your case DN can be guessed out of user name, I think not
> >setting ldap_bind_DN could do the trick
>
> I cannot guess full DN because it consists of a company personal ID.
> What I use is the domain\samAccountName way where samAccountName
> equals to XWiki user name. Because the account name is combined name
> DOMAIN + "\" + USERNAME it would be nice if there is a new parameter
> introduced e.g. ldap_bind_addomain which will be then used when
> constructing userDN before using in the Bind method.
> Another problem of using a dedicated ldap_bind_DN (comparing to using
> of the user's DN only) is the need to have a special system account on
> AD which I can hardly imagine I will get it approved by our sys
> admins.
>
What about using a template like in java.text.Format object for ldap_bind_DN
and ldap_bind_Password, user and password being parameters
ldap_bind_DN = "DOMAIN\\{0}"
ldap_bind_pass = "{1}"
This way we only use one parameter to define binding strategy.
In this case we still need to make a search to find DN in case we need to
create the user in XWiki. Or we can also use a simple format such as :
ldap_DN_format="CN={0},CN=Users,DC=domain,DC=com"
>
> >And beside I'll investigate into adding proper AD support (guess I'll
> have
> >to install WS2003
>
> I don't think there is another possibility than the introducing of a
> SSL stack, which is unnecessary overhead if you need just
> authentication and not changing of password, IMHO.
>
You're right, but in the future we may want to provide Xwiki > LDAP
synchronization
>
> >As I don't want to bind twice, I use comparison of
> >password (so I don't really read password).
>
> Even for this comparison I get "attribute not find" from AD. I also
> was trying a more attributes names like "unicodePwd" but no success...
>
>
> >As for CreateUserFromLDAP, it's a very first version, and I'm looking for
> >comments about it.
>
> What would be interesting is to add a support of plugging custom
> mapping logic. We will need it for extracting a substring of an LDAP
> attribute and assigning user to a XWiki group based on LDAP grouping.
>
For mapping LDAP/AD groups to XWiki group, I kind of postponed this task as
it not so easy to provide a general LDAP solution. There is no memberOf
field in Open-LDAP for exemple, so in AD it is easier to find which groups a
user belong (using his memberOf field).
>
> Thank you,
> Jiri.
>
>
> On Thu, 28 Apr 2005 22:35:08 +0200, you wrote:
>
> >Hi Jiri
> >The fact I didn't only bind the user to check the password is that in
> some
> >case where directory structure is complex I can't guess the DN out of the
> >user name, so I first need to make a search, binding anonymously or with
> >binding DN/password. As I don't want to bind twice, I use comparison of
> >password (so I don't really read password).
> >Anyway if in your case DN can be guessed out of user name, I think not
> >setting ldap_bind_DN could do the trick, maybe with some minor
> modification
> >to the code. If you could send me the patch you made I can find a way to
> >make it "clean".
> >And beside I'll investigate into adding proper AD support (guess I'll
> have
> >to install WS2003).
> >As for CreateUserFromLDAP, it's a very first version, and I'm looking for
> >comments about it.
> >
> >Alexis KARTMANN
> >email : alexis(a)kartmann.com
> >Blog : http://www.kartmann.com
> >ICQ : 258922616
> >Yahoo : akartmann
> >MSN : alexis(a)kartmann.com
> >AIM : alexkartmann
> >Jabber : akartmann(a)jabber.fr
> >Spype : alexkartmann
> >
> >
> >-----Message d'origine-----
> >De : Jiri Luzny [mailto:jiri.luzny@seznam.cz]
> >Envoyé : jeudi 28 avril 2005 21:40
> >? : xwiki-dev(a)objectweb.org
> >Objet : Re: [xwiki-dev] LDAP integration status
> >
> >Hi Alexis,
> >
> >I'm testing the LDAP stuff with Active Directory and it is *almost*
> >working fine. ;-)
> >
> >The problem is in LDAPAuthServiceImpl.checkUserPassword() when you try
> >to read "userPassword" in order to check the password. As I understood
> >from reading of various articles, Active Directory requires a strong
> >encryption even for a read-only access to the "userPassword"
> >("unicodePwd") attribute. Here are some links:
> >
> >http://forum.java.sun.com/thread.jspa?threadID=592611&messageID=3100133
> >http://mail.jabber.org/pipermail/jadmin/2002-January/003278.html
> >
> >Is there any specific reason why you cannot just simply rely on bind()
> >with either DN or username and password to authenticate the user? I
> >commented out the userPassword check and assigned return value of
> >Bind() method to the result (not using ldap_bind_DN at all) and it is
> >working fine.
> >
> >Anyway, thanks for this piece of code (especially the newly committed
> >CreateUserFromLDAP() feature is cool).
> >
> >Jiri.
> >
> >
> >
> >
> >On Wed, 27 Apr 2005 16:05:52 +0200, you wrote:
> >
> >>Hi,
> >>I'm working on LDAP integration.
> >>The current status is:
> >>- Password can be checked against LDAP server using different
> strategies.
> >>- User must exist in XWiki database.
> >>These functions are available for SVN version on openweb, but not of
> latest
> >>binary release. I still need to provide documentation on how-to use it.
> >>I have plans to had:
> >>- Automatic transfer of user from LDAP to XWiki first time a user
> connects.
> >>- Update of user fields from LDAP to XWiki.
> >>- Mass transfer/update from LDAP to XWiki.
> >>If you're willing to build latest version I can provide you help testing
> >>this on your environment. I only tested with Open-LDAP server and I'm
> >>curious to learn how it works with other servers.
> >>
> >>Alexis KARTMANN
> >>email : alexis(a)kartmann.com
> >>Blog : http://www.kartmann.com
> >>Jabber : akartmann(a)jabber.fr
> >>
> >>
> >>-----Message d'origine-----
> >>De : Jiri Luzny [mailto:jiri.luzny@seznam.cz]
> >>Envoyé : mercredi 27 avril 2005 15:28
> >>? : xwiki-dev(a)objectweb.org
> >>Objet : [xwiki-dev] LDAP integration status
> >>
> >>Hi,
> >>
> >>as we plan to integrate XWiki user management with Active Directory in
> >>our company, I'm curious what is the status of LDAP Integration. Is it
> >>testable? If so, I would be happy to become a beta tester for this ;-)
> >>
> >>Jiri.
> >>
> >>
> >>
> >
> >
> >
>
