On Tue, Mar 29, 2016 at 2:13 PM, Mark Sack <mark.sack(a)secti.al.gov.br> wrote:
  Thanks for the suggestion. Unfortunately, it looks like I will need a lot
 more hand holding to figure out whether or not I can use the trusted ldap
 authenticator as you suggest.
 1. I found the following comment in xwiki.cfg
     #-# Used by some authenticators (like com.xpn.xwiki.user.impl.xwiki.AppServerTrustedAuthServiceImpl)
     But I didn't find that string anywhere else in the files in WEB-INF.
     So I'm not sure if I'm using that particular authenticator. Is it the
     default? How does one select a specific authenticator?

I don't understand, XWiki doesn't magically see it's behind CAS and talk
to it. By default you just have the standard XWiki login form.
You must have indicated a custom authenticator in xwiki.cfg with the
property xwiki.authentication.authclass to have SSO working. See
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HContain…
for more details.

 2. In the readme for the extension
     https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap/blob/mast…
     the configuration examples all seem to refer to authentication using
     LDAP (and the name of the extension implies that it is intended for
     LDAP). But in my configuration, xwiki isn't talking to LDAP - it is
     instead talking to a CAS server which in turn talks to Active Directory
     (using the LDAP protocol). As a consequence, LDAP authentication is
     disabled in xwiki.cfg. Instead my xwiki.cfg file has the following line:
     xwiki.authentication.authclass=org.xwiki.contrib.authentication.cas.XWikiCASAuthenticator
     Is it true that this extension can be used for CAS authentication as
     well as LDAP?

As explained in
https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap/blob/mast…
this authenticator trusts the application server and then only gets more
information from LDAP. It does not authenticate itself but it does know
about LDAPProfileClass object, user synchronization and membership
synchronization, etc. If you want to reuse LDAPProfileClass object you
don't really have much choice since other non-LDAP-related
authenticators have absolutely no idea what this object is and won't
look at it.
Another possibility is to use
http://extensions.xwiki.org/xwiki/bin/view/Extension/Authenticator+Jasig+CAS
which seems to be designed for CAS but I can't tell you how well it's
working (and I doubt it reuses LDAPProfileClass).

 3. The extension appears to rely on regexp for transformation/translation of
     the user ID. I inadvertently omitted one detail from my description of
     the problem. The mapping from LDAP/CAS user ID to xwiki ID is not as
     simple as replacing a period with an underscore. Here, people sometimes
     have multiple surnames or use a second given name in to a surname. As an
     example, my name might be 'Mark Thomas Jones Sack'. And in xwiki I might
     have created a user with the ID 'mark_sack'. But in Active Directory,
     the ID might be 'mark.thomas' or 'mark.jones'. For a mapping such as
     this from 'mark.jones' to 'mark_sack', I think I would need a separate
     field (like LDAPProfileClass provides) instead of just a regexp
     expression.

CAS itself must have a way to map its id to LDAP entry as otherwise I
don't see how it would work. There is most probably some rule you can
come up with to find what CAS gives you on LDAP side.
Anyway you should probably try first with
http://extensions.xwiki.org/xwiki/bin/view/Extension/Authenticator+Jasig+CAS
which is probably more optimized than a trusted+LDAP authenticator for
your use case.
 Regards
 Mark
--
Thomas Mortagne
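
Added example, not part of the original thread and not code from XWiki or either authenticator: a sketch of the mapping problem in point 3, comparing the period-to-underscore rule with a lookup against an external id stored on each profile. The profile data and the names `PROFILES`, `regex_rule`, `build_index` and `resolve` are constructed for illustration; the stored id only stands in for the kind of dedicated field the thread attributes to LDAPProfileClass.

```python
import re

# Constructed sample data (not from the thread): XWiki profile name -> the
# external CAS/AD id recorded on that profile, standing in for a dedicated
# mapping field such as the one LDAPProfileClass provides.
PROFILES = {
    "mark_sack": "mark.jones",
    "ana_lima": "ana.lima",
    "mark_jones": "marcos.jones",  # a different person
}


def regex_rule(remote_user):
    """The simple transformation: lower-case and replace '.' with '_'."""
    return re.sub(r"\.", "_", remote_user.strip().lower())


def build_index(profiles):
    """Invert the stored mapping, refusing two profiles that claim one id."""
    index = {}
    for wiki_id, external_id in profiles.items():
        key = external_id.strip().lower()
        if key in index:
            raise ValueError(f"{key!r} is mapped to both {index[key]!r} and {wiki_id!r}")
        index[key] = wiki_id
    return index


def resolve(remote_user, index):
    """Return the wiki profile for a trusted remote user, or None (deny)."""
    if not remote_user:
        return None
    return index.get(remote_user.strip().lower())


if __name__ == "__main__":
    index = build_index(PROFILES)
    for remote in ("mark.jones", "ana.lima", "mark.thomas"):
        guess = regex_rule(remote)
        print(f"{remote:12} regex -> {guess:12} (profile exists: {guess in PROFILES}) "
              f"explicit -> {resolve(remote, index)}")
```

With this sample data the regexp rule sends 'mark.jones' to an existing profile that belongs to someone else, while the explicit lookup returns 'mark_sack' and returns nothing for an id that no profile claims.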