[xwiki-users] Problem with AD authentication in XWiki 1.3

Mihails Agafonovs _muxa at inbox.lv
Wed Mar 19 10:57:20 CET 2008


Hi!
I've managed to log in using AD credentials in version 1.3 (group
mapping is disabled), but the user is not created in any group.
The second problem is, when I enable group mapping, XWiki tries to
log in, but without success. I mean the browser is showing it's
loading, and never stops.
But when I restart Tomcat and go to my XWiki page, I'm successfully
logged in and even created in XWikiAllGroup (but it's incorrect,
because according to mapping I should be created in XWikiAdminGroup)!
In group mapping I specify the whole path in AD tree.

Here is my LDAP configuration:

#-------------------------------------------------------------------------------------
# LDAP
#-------------------------------------------------------------------------------------

#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl

#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0 : disable
#-# 1 : enable
xwiki.authentication.ldap=1

#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=my.domain.com
xwiki.authentication.ldap.port=389

#-# LDAP login, empty = anonymous access, otherwise specify full dn 
#-# {0} is replaced with the username, {1} with the password
xwiki.authentication.ldap.bind_DN={0}
xwiki.authentication.ldap.bind_pass={1}

#-# only members of the following group will be verified in the LDAP
# otherwise only users that are found after searching starting from the base_DN
#
xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US

#-# base DN for searches
xwiki.authentication.ldap.base_DN=dc=domain,dc=com

#-# specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=cn

#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
#-# ldap_dn=dn  -- dn is set by class, caches dn in XWiki.user object for faster access
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
xwiki.authentication.ldap.update_user=1

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# mapps XWiki groups to LDAP groups, separator is "|"
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=ou=admin-group,ou=Users,ou=Riga,ou=LAT,dc=domain,dc=com|
XWiki.XWikiAllGroup=ou=Users,ou=Riga,ou=LAT,dc=domain,dc=com

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
# xwiki.authentication.ldap.groupcache_expiration=21800

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first created
#-# - always: synchronize on every login
xwiki.authentication.ldap.mode_group_sync=always

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
xwiki.authentication.ldap.trylocal=1

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# 0 : normal
#-# 1 : SSL
# xwiki.authentication.ldap.ssl=0

#-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=

 Quoting Frantisek Kall:
 Hi Benjamin
 here is our xwiki.cfg file. Superuser hasn't any problem with wysiwyg
 editing, it's only AD users problem.
 Frantisek
 ******************
 xwiki.base=../../
 xwiki.store.class=com.xpn.xwiki.store.XWikiHibernateStore
 xwiki.store.hibernate.path=/WEB-INF/hibernate.cfg.xml
 xwiki.store.hibernate.updateschema=1
 xwiki.store.hibernate.custommapping=1
 xwiki.store.cache=1
 xwiki.store.cache.capacity=100
 xwiki.store.migration=1
 xwiki.monitor=1
 # List of active plugins.
 xwiki.plugins=
 com.xpn.xwiki.monitor.api.MonitorPlugin,
 com.xpn.xwiki.plugin.calendar.CalendarPlugin,
 com.xpn.xwiki.plugin.feed.FeedPlugin,
 com.xpn.xwiki.plugin.ldap.LDAPPlugin,
 com.xpn.xwiki.plugin.google.GooglePlugin,
 com.xpn.xwiki.plugin.flickr.FlickrPlugin,
 com.xpn.xwiki.plugin.mail.MailPlugin,
 com.xpn.xwiki.plugin.packaging.PackagePlugin,
 com.xpn.xwiki.plugin.query.QueryPlugin,
 com.xpn.xwiki.plugin.svg.SVGPlugin,
 com.xpn.xwiki.plugin.charts.ChartingPlugin,
 com.xpn.xwiki.plugin.fileupload.FileUploadPlugin,
 com.xpn.xwiki.plugin.image.ImagePlugin,
 com.xpn.xwiki.plugin.captcha.CaptchaPlugin,
 com.xpn.xwiki.plugin.userdirectory.UserDirectoryPlugin,
 com.xpn.xwiki.plugin.usertools.XWikiUserManagementToolsImpl,
 com.xpn.xwiki.plugin.zipexplorer.ZipExplorerPlugin,
 com.xpn.xwiki.plugin.autotag.AutoTagPlugin,
 com.xpn.xwiki.plugin.lucene.LucenePlugin,
 com.xpn.xwiki.plugin.diff.DiffPlugin,
 com.xpn.xwiki.plugin.rightsmanager.RightsManagerPlugin,
 com.xpn.xwiki.plugin.jodatime.JodaTimePlugin,
 com.xpn.xwiki.plugin.scheduler.SchedulerPlugin,
 com.xpn.xwiki.plugin.mailsender.MailSenderPlugin,
 com.xpn.xwiki.plugin.watchlist.WatchListPlugin
 # This parameter allows XWiki to operate in Hosting mode allowing to create
 # multiple wikis having their own database and responding to different URLs
 xwiki.virtual=0

xwiki.virtual.redirect=http://127.0.0.1:9080/xwiki/bin/Main/ThisWikiDoesNotExist
 # This parameter will activate the eXo Platform integration
 xwiki.exo=0
 xwiki.authentication=form
 xwiki.authentication.validationKey=totototototototototototototototo
 xwiki.authentication.encryptionKey=titititititititititititititititi
 xwiki.authentication.cookiedomains=xwiki.com,wiki.fr
 # Comment if you want to enable logout only for /bin/logout/XWiki/XWikiLogout
 xwiki.authentication.logoutpage=/[^/]+/logout/*
 # Stats configuration allows to globally activate/deactivate stats module
 # It is also possible to choose a different stats service to record
 # statistics separately from XWiki.
 # Note: Statistics are disabled by default for improved performances.
 xwiki.stats=0
 xwiki.stats.default=1
 xwiki.stats.class=com.xpn.xwiki.stats.impl.XWikiStatsServiceImpl
 xwiki.encoding=UTF-8
 xwiki.backlinks=1
 xwiki.tags=1
 # Use edit comments
 xwiki.editcomment=1
 # Hide editcomment field and only use Javascript
 xwiki.editcomment.hidden=0
 # Make edit comment mandatory
 xwiki.editcomment.mandatory=0
 # Make edit comment suggested (asks 1 time if the comment is empty.
 # 1 shows one popup if comment is empty.
 # 0 means there is no popup.
 # This setting is ignored if mandatory is set
 xwiki.editcomment.suggested=0
 # GraphViz plugin configuration. The GraphViz plugin is not configured by default.
 # To enable it, add "com.xpn.xwiki.plugin.graphviz.GraphVizPlugin" to the list of plugins
 # in the xwiki.plugins property.
 # Uncomment and set the locations of the Dot and Neato executables
 #xwiki.plugin.graphviz.dotpath=c:/Program Files/ATT/GraphViz/bin/dot.exe
 #xwiki.plugin.graphviz.neatopath=c:/Program Files/ATT/GraphViz/bin/neato.exe
 xwiki.plugin.laszlo.baseurl=/openlaszlo/xwiki/
 xwiki.plugin.laszlo.path=c:/Program Files/Apache Software Foundation/Tomcat 5.0/webapps/openlaszlo/xwiki/
 xwiki.plugin.image.cache.capacity=30
 xwiki.plugin.captcha=0
 # Enable to allow superadmin. It is disabled by default as this could be a security breach if
 # it were set and you forgot about it.
 xwiki.superadminpassword=system

#-------------------------------------------------------------------------------------
 # LDAP

#-------------------------------------------------------------------------------------
 #-# new LDAP authentication service

xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
 #-# Turn LDAP authentication on - otherwise only XWiki authentication
 #-# 0 : disable
 #-# 1 : enable
 xwiki.authentication.ldap=1
 #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
 xwiki.authentication.ldap.server=10.0.1.2
 xwiki.authentication.ldap.port=389
 #-# LDAP login, empty = anonymous access, otherwise specify full dn 
 #-# {0} is replaced with the username, {1} with the password
 xwiki.authentication.ldap.bind_DN=CHEMOSVIT\{0}
 xwiki.authentication.ldap.bind_pass={1}
 #-# only members of the following group will be verified in the LDAP
 # otherwise only users that are found after searching starting from the base_DN

xwiki.authentication.ldap.user_group=cn=XWikiUsers,ou=XWikiGroups,ou=groups,dc=chemosvit,dc=SK
 #-# base DN for searches
 xwiki.authentication.ldap.base_DN=dc=chemosvit,dc=sk
 #-# specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
 xwiki.authentication.ldap.UID_attr=sAMAccountName
 #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
 #-# ldap_dn=dn  -- dn is set by class, caches dn in XWiki.user object for faster access

xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn
 #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created.
 xwiki.authentication.ldap.update_user=1
 #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# mapps XWiki groups to LDAP groups, separator is "|"

xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=XWikiAdmin,ou=XWikiGroups,ou=Groups,dc=chemosvit,dc=sk|
 #                                        
 XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
 #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
 # xwiki.authentication.ldap.groupcache_expiration=21800
 #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# - create : synchronize group membership only when the user is first created
 #-# - always: synchronize on every login
 # xwiki.authentication.ldap.mode_group_sync=always
 #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
 xwiki.authentication.ldap.trylocal=0
 #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# SSL connection to LDAP server
 #-# 0 : normal
 #-# 1 : SSL
 # xwiki.authentication.ldap.ssl=0
 #-# [SINCE 1.3M2, XWikiLDAPAuthServiceImpl]
 #-# The keystore file to use in SSL connection
 # xwiki.authentication.ldap.ssl.keystore=

#-------------------------------------------------------------------------------------
 xwiki.authentication.unauthorized_code=200
 # This parameter will activate the sectional editing
 xwiki.section.edit=1
 # Uncomment if you want to ignore requests for unmapped actions, and simply display the document
 # xwiki.unknownActionResponse=view
 # You can configure the toolbars you wish to see in the WYSIWYG editor by defining the
 # xwiki.wysiwyg.toolbars property.
 # When not defined it defaults to:
 #   xwiki.wysiwyg.toolbars=texttoolbar, listtoolbar, indenttoolbar, undotoolbar, titletoolbar,
 #                          styletoolbar, horizontaltoolbar, attachmenttoolbar, macrostoolbar,
 #                          tabletoolbar, tablerowtoolbar, tablecoltoolbar, linktoolbar
 # The full list of toolbars includes the one defined above and the following ones:
 #   subtoolbar, findtoolbar, symboltoolbar
 #   subtoolbar, findtoolbar, symboltoolbar
 xwiki.defaultskin=toucan
 xwiki.defaultbaseskin=albatross
 xwiki.temp.dir=/tmp/xwiki
 # xwiki.work.dir=/usr/local/xwiki
 # xwiki.plugins.lucene.indexdir=/usr/local/xwiki/lucene
 #

xwiki.plugins.lucene.analyzer=org.apache.lucene.analysis.standard.StandardAnalyzer
 # xwiki.plugins.lucene.indexinterval=20
 xwiki.work.dir=/docudata/xwiki

 Benjamin Leung-2 wrote:
 Hi Frantisek,
 Would you mind sharing the LDAP section of your xwiki.cfg?  Because I want
 to confirm something...
 In my LDAP/AD configuration, I have to set the --
 xwiki.authentication.ldap.user_group -- value to make it work (contrary to
 what the parameter description says).
 Thanks!

 On Mon, Mar 17, 2008 at 5:08 PM, Frantisek Kall wrote:
 I started discussion below. There is something new in this case. First
 I have to say that I made mistake when I wrote we tested ver. 1.2 and
 it works with AD well. Working version was 1.1.2 not 1.2.
 And also now we have ver. 1.3 working with AD authentication. We
 don't know what helped, but my colleague who installed it, tried it
 once more, set all things as before and it works. New user is created
 in XWikiAllGroup :-)
 But I noticed problem with editing :-(  In wiki mode editing is OK,
 but when I switch to WYSIWYG mode I'm logged out immediately (I
 receive Log-in screen). We are working on it, when I will have
 something new I'll report it.
 Frantisek
 ***************
 Date: Mon, 17 Mar 2008 21:19:18 +0200
 From: Mihails Agafonovs
 Subject: Re: [xwiki-users] Problem with AD authentication in XWiki 1.3
 To: XWiki Users
 Message-ID:
 Content-Type: text/plain; charset="windows-1257"

 No, it doesn't.

 Quoting Thomas Mortagne:
 On Mon, Mar 17, 2008 at 3:43 PM, Mihails Agafonovs wrote:
 You can try to specify the base_DN (for me it worked). //
 base_DN=dc=domain,dc=com
 You're also using sAMAccountName. What format does it have? name.surname?
 In our company our sAMAccountName is like name.surname, and it doesn't work
 with XWiki. So I've changed UID_attr to cn.
 P.S. I still use version 1.1.2, because it's the only version working
 properly with AD (user is created in XWikiAllGroup). No other version is
 working in my case :)
 The new LDAP authenticator (since 1.3) works perfectly with that and
 also add group mapping between XWiki and LDAP.

 Quoting Frantisek Kall:
 A month ago we tested 1.2 ver. XWiki and there wasn't problem to set up
 Active Directory authentication. Now we are going to start XWiki for
 enterprise use and we had a problem to setup AD authentication with
 1.3 ver.
 Can anybody help us?
 Frantisek Kall
 _______________________________________________
 users mailing list
 users at xwiki.org
 http://lists.xwiki.org/mailman/listinfo/users
 -- 
 View this message in context:
http://www.nabble.com/Problem-with-AD-authentication-in-XWiki-1.3-tp16089974p16128119.html
 Sent from the XWiki- Users mailing list archive at Nabble.com.
 Best regards, Mihails
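
Added example (not part of the original message, and not XWiki code): a small Python check for the LDAP settings discussed in this thread. It assumes xwiki.cfg follows Java properties rules, where a value continues onto the next line only after a trailing backslash; the reader is simplified, and the sample config with its example.com DNs is constructed.

```python
# Constructed sample shaped like the LDAP section in this thread (example.com DNs are placeholders).
SAMPLE_CFG = """\
xwiki.authentication.ldap=1
xwiki.authentication.ldap.port=389
# xwiki.authentication.ldap.ssl=0
xwiki.authentication.ldap.trylocal=1
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=wiki-admins,ou=Groups,dc=example,dc=com|
XWiki.XWikiAllGroup=cn=wiki-users,ou=Groups,dc=example,dc=com
"""

def load_properties(text):
    """Simplified Java-properties reader: only a trailing backslash continues a line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def parse_group_mapping(value):
    """Split 'XWikiGroup=LDAP DN|...' into (group, dn) pairs plus bad entries."""
    pairs, bad = [], []
    for entry in (value.split("|") if value else []):
        group, sep, dn = entry.strip().partition("=")
        (pairs if sep and group and "=" in dn else bad).append((group, dn))
    return pairs, bad

def lint(text):
    props, p = load_properties(text), "xwiki.authentication.ldap"
    findings = []
    if props.get(p) == "1" and props.get(p + ".ssl", "0") != "1":
        findings.append("ldap.ssl is not 1: bind credentials cross the network unencrypted")
    if props.get(p + ".trylocal") == "1":
        findings.append("trylocal=1: a failed LDAP login is retried against the XWiki DB")
    pairs, bad = parse_group_mapping(props.get(p + ".group_mapping", ""))
    if bad:
        findings.append("group_mapping has %d empty or malformed entries" % len(bad))
    for key in props:
        if key.startswith("XWiki."):  # a mapping entry that became its own property
            findings.append("%s parsed as a separate property: wrapped group_mapping?" % key)
    return pairs, findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CFG)[1]))
```

With a backslash after the trailing `|`, the same sample yields both group mappings and only the two transport and fallback findings.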
