[xwiki-users] Authenticating to AD/LDAP

Neil Sedger xwiki-users at moley.org.uk
Fri Aug 10 11:49:07 CEST 2007 

 > Effectively,binding to ActiveDirectory as the user
 > attempting to authenticate to XWiki.

Yes, I've seen the same here.

But is this the way it is supposed to work?

The documentation at:
http://www.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HLDAPConfigurationforActiveDirectory
says:
'The bind_DN and bind_pass fields contain the username and password for 
binding to the LDAP server in order to search, which will not 
necessarily be the same credentials as the user logging in.'

But the example given does not use it in this way, contradicting those 
words below it.


I'm happy to fix whichever bit of that documentation is wrong, or raise 
a bug report if people believe it should work as quoted above and 
currently doesn't?


Brian, have you tried the other way? For me it 'auth OK's everything but 
I could well have misconfigured the UID_attr or fields_mapping. Or there 
could be something funny with the setup of the AD server I'm using.


Cheers
Neil


Brian J. Sayatovic wrote:
> I set this up at work, and if recall correctly, I let the bind_DN be 
> that of the authenticating user logging into XWiki, and likewise for 
> their password.  Effectively,binding to ActiveDirectory as the user 
> attempting to authenticate to XWiki.
> 
> Regards,
> Brian.
> 
> Neil Sedger wrote:
>> Is the example AD configuration in the Wiki the right way to do things?
>>
>> My understanding is that the bind_DN and bind_pass are for setting the 
>> username and password XWiki will use to connect to the LDAP server in 
>> order to do a search, then the UID_attr field is searched for the 
>> username entered on the form.
>>
>> If that is correct then the bind_dn and bind_pass should either be 
>> hardcoded to a special AD user with restricted privileges, or left 
>> blank to bind anonymously. (I see no mention of anonymous binding?)
>>
>> For the first of these XWiki connects to AD ok but then seems to 
>> 'authenticate OK' whatever username/password I enter on the form even 
>> if the user does not exist in AD at all. Is this a bug?
>>
>> I can't seem to get anonymous binding to work - if I leave bind_dn and 
>> bind_pass empty or comment out the entries entirely I always get the 
>> 'LDAP Bind failed with Exception Invalid Credentials' error message. 
>> My LDAP server does allow anonymous binding - I've tested this in LDAP 
>> Browser.
>>
>>
>> Cheers
>> Neil
>>
>> ------------------------------------------------------------------------
>>
>>
>> --
>> You receive this message as a subscriber of the xwiki-users at objectweb.org mailing list.
>> To unsubscribe: mailto:xwiki-users-unsubscribe at objectweb.org
>> For general help: mailto:sympa at objectweb.org?subject=help
>> ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
>>   
>

More information about the users mailing list