Hi,

as we plan to integrate XWiki user management with Active Directory in our company, I'm curious what the status of the LDAP integration is. Is it testable? If so, I would be happy to become a beta tester for this ;-)

Jiri.
Hi Jiri,

Alex can probably answer better, but I believe it is testable. All unit tests work. I was going to test it as I need to deliver it to IRCAD. There is only authentication yet (no groups), and there is no interface in the preferences to configure the LDAP server. You need the following string fields in the preferences:

- ldap_server
- ldap_bind_DN
- ldap_bind_pass (as a password field)
- ldap_base_DN

Ludovic

Jiri Luzny wrote:

Hi,

as we plan to integrate XWiki user management with Active Directory in our company, I'm curious what the status of the LDAP integration is. Is it testable? If so, I would be happy to become a beta tester for this ;-)

Jiri.
------------------------------------------------------------------------
-- You receive this message as a subscriber of the [email protected] mailing list. To unsubscribe: mailto:[email protected] For general help: mailto:[email protected]?subject=help ObjectWeb mailing lists service home page: http://www.objectweb.org/wws
--
Ludovic Dubost
XPertNet: http://www.xpertnet.fr/
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost
AIM: nvludo
Yahoo: ludovic
Hi,

I'm working on LDAP integration. The current status is:

- Password can be checked against the LDAP server using different strategies.
- User must exist in the XWiki database.

These functions are available in the SVN version on ObjectWeb, but not in the latest binary release. I still need to provide documentation on how to use it.

I have plans to add:

- Automatic transfer of a user from LDAP to XWiki the first time the user connects.
- Update of user fields from LDAP to XWiki.
- Mass transfer/update from LDAP to XWiki.

If you're willing to build the latest version I can help you test this in your environment. I only tested with an OpenLDAP server and I'm curious to learn how it works with other servers.

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
Jabber: [email protected]

-----Original Message-----
From: Jiri Luzny [mailto:[email protected]]
Sent: Wednesday 27 April 2005 15:28
To: [email protected]
Subject: [xwiki-dev] LDAP integration status

Hi,

as we plan to integrate XWiki user management with Active Directory in our company, I'm curious what the status of the LDAP integration is. Is it testable? If so, I would be happy to become a beta tester for this ;-)

Jiri.
Hi Alexis,

Good! I have got the latest SVN version already built so I will try to run the tests against our Active Directory server. I'm quite new to the LDAP/Active Directory field so it will take me some time to learn how to connect and authenticate to Active Directory etc. I'll let you know once I have any issues related to your implementation.

- Automatic transfer of a user from LDAP to XWiki the first time the user connects.
- Update of user fields from LDAP to XWiki.
- Mass transfer/update from LDAP to XWiki.

Those are very cool features we would definitely like to utilize!

Thank you,
Jiri.

On Wed, 27 Apr 2005 16:05:52 +0200, you wrote:
Hi,

I'm working on LDAP integration. The current status is:

- Password can be checked against the LDAP server using different strategies.
- User must exist in the XWiki database.

These functions are available in the SVN version on ObjectWeb, but not in the latest binary release. I still need to provide documentation on how to use it.

I have plans to add:

- Automatic transfer of a user from LDAP to XWiki the first time the user connects.
- Update of user fields from LDAP to XWiki.
- Mass transfer/update from LDAP to XWiki.

If you're willing to build the latest version I can help you test this in your environment. I only tested with an OpenLDAP server and I'm curious to learn how it works with other servers.

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
Jabber: [email protected]
Hi Alexis,

I'm testing the LDAP stuff with Active Directory and it is *almost* working fine. ;-)

The problem is in LDAPAuthServiceImpl.checkUserPassword() when you try to read "userPassword" in order to check the password. As I understood from reading various articles, Active Directory requires strong encryption even for read-only access to the "userPassword" ("unicodePwd") attribute. Here are some links:

http://forum.java.sun.com/thread.jspa?threadID=592611&messageID=3100133
http://mail.jabber.org/pipermail/jadmin/2002-January/003278.html

Is there any specific reason why you cannot simply rely on bind() with either DN or username and password to authenticate the user? I commented out the userPassword check and assigned the return value of the Bind() method to the result (not using ldap_bind_DN at all) and it is working fine.

Anyway, thanks for this piece of code (especially the newly committed CreateUserFromLDAP() feature is cool).

Jiri.

On Wed, 27 Apr 2005 16:05:52 +0200, you wrote:
Hi,

I'm working on LDAP integration. The current status is:

- Password can be checked against the LDAP server using different strategies.
- User must exist in the XWiki database.

These functions are available in the SVN version on ObjectWeb, but not in the latest binary release. I still need to provide documentation on how to use it.

I have plans to add:

- Automatic transfer of a user from LDAP to XWiki the first time the user connects.
- Update of user fields from LDAP to XWiki.
- Mass transfer/update from LDAP to XWiki.

If you're willing to build the latest version I can help you test this in your environment. I only tested with an OpenLDAP server and I'm curious to learn how it works with other servers.

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
Jabber: [email protected]
Hi Jiri,

The reason I don't only bind the user to check the password is that in some cases where the directory structure is complex I can't guess the DN from the user name, so I first need to make a search, binding anonymously or with the binding DN/password. As I don't want to bind twice, I use a comparison of the password (so I don't really read the password). Anyway, if in your case the DN can be guessed from the user name, I think not setting ldap_bind_DN could do the trick, maybe with some minor modification to the code. If you could send me the patch you made I can find a way to make it "clean". And besides, I'll investigate adding proper AD support (guess I'll have to install WS2003). As for CreateUserFromLDAP, it's a very first version, and I'm looking for comments about it.

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
ICQ: 258922616
Yahoo: akartmann
MSN: [email protected]
AIM: alexkartmann
Jabber: [email protected]
Skype: alexkartmann

-----Original Message-----
From: Jiri Luzny [mailto:[email protected]]
Sent: Thursday 28 April 2005 21:40
To: [email protected]
Subject: Re: [xwiki-dev] LDAP integration status

Hi Alexis,

I'm testing the LDAP stuff with Active Directory and it is *almost* working fine. ;-)

The problem is in LDAPAuthServiceImpl.checkUserPassword() when you try to read "userPassword" in order to check the password. As I understood from reading various articles, Active Directory requires strong encryption even for read-only access to the "userPassword" ("unicodePwd") attribute. Here are some links:

http://forum.java.sun.com/thread.jspa?threadID=592611&messageID=3100133
http://mail.jabber.org/pipermail/jadmin/2002-January/003278.html

Is there any specific reason why you cannot simply rely on bind() with either DN or username and password to authenticate the user? I commented out the userPassword check and assigned the return value of the Bind() method to the result (not using ldap_bind_DN at all) and it is working fine.

Anyway, thanks for this piece of code (especially the newly committed CreateUserFromLDAP() feature is cool).

Jiri.
Hi Alexis,

Shouldn't you bind to the directory to find the DN, then log out and try to log in using the DN and the password? If I remember correctly, this is the way it was done at Netscape. It should work even when the password is encrypted.

Ludovic

Alexis KARTMANN wrote:
Hi Jiri,

The reason I don't only bind the user to check the password is that in some cases where the directory structure is complex I can't guess the DN from the user name, so I first need to make a search, binding anonymously or with the binding DN/password. As I don't want to bind twice, I use a comparison of the password (so I don't really read the password). Anyway, if in your case the DN can be guessed from the user name, I think not setting ldap_bind_DN could do the trick, maybe with some minor modification to the code. If you could send me the patch you made I can find a way to make it "clean". And besides, I'll investigate adding proper AD support (guess I'll have to install WS2003). As for CreateUserFromLDAP, it's a very first version, and I'm looking for comments about it.

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
ICQ: 258922616
Yahoo: akartmann
MSN: [email protected]
AIM: alexkartmann
Jabber: [email protected]
Skype: alexkartmann
--
Ludovic Dubost
XPertNet: http://www.xpertnet.fr/
Blog: http://www.ludovic.org/blog/
XWiki: http://www.xwiki.com
Skype: ldubost
AIM: nvludo
Yahoo: ludovic
It should work with most servers, but some servers connect anonymously in case binding fails. It means that any login/password should work. So checking the password is needed for some servers.

Anyway I think the best way is to separate the options for DN construction and password check.

DN can be constructed either:
- Search with anonymous binding. Currently supported.
- Search with binding. Currently supported.
- Stored in XWiki. Currently supported.
- Trivial by using username (should work with AD). It has to be done.

Password can be checked either:
- Check password with binding or anonymous binding. Currently supported.
- Maybe find a way to do it with Active Directory?
- Try binding with DN/password. Only supported if DN is stored in XWiki. Can be added as an option for other cases.

This way we should cover all cases. Any thoughts about that?

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
ICQ: 258922616
Yahoo: akartmann
MSN: [email protected]
AIM: alexkartmann
Jabber: [email protected]
Skype: alexkartmann

-----Original Message-----
From: Ludovic Dubost [mailto:[email protected]]
Sent: Friday 29 April 2005 01:06
To: [email protected]
Cc: 'Jiri Luzny'
Subject: Re: [xwiki-dev] LDAP integration status

Hi Alexis,

Shouldn't you bind to the directory to find the DN, then log out and try to log in using the DN and the password? If I remember correctly, this is the way it was done at Netscape. It should work even when the password is encrypted.

Ludovic
Anyway I think the best way is to separate the options for DN construction and password check.

[+1]

It should work with most servers, but some servers connect anonymously in case binding fails. It means that any login/password should work.

This is true for AD if you pass either an empty DN or an empty password, but even in this case, the first time you invoke a method on an LDAP search result you get:

LDAPException: Operations Error (1) Operations Error
LDAPException: Server Message: 00000000: LdapErr: DSID-0C0905FF, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece

- Trivial by using username (should work with AD). It has to be done.

To be precise: domain/username

On Fri, 29 Apr 2005 01:26:13 +0200, you wrote:
It should work with most servers, but some servers connect anonymously in case binding fails. It means that any login/password should work. So checking the password is needed for some servers.

Anyway I think the best way is to separate the options for DN construction and password check.

DN can be constructed either:
- Search with anonymous binding. Currently supported.
- Search with binding. Currently supported.
- Stored in XWiki. Currently supported.
- Trivial by using username (should work with AD). It has to be done.

Password can be checked either:
- Check password with binding or anonymous binding. Currently supported.
- Maybe find a way to do it with Active Directory?
- Try binding with DN/password. Only supported if DN is stored in XWiki. Can be added as an option for other cases.

This way we should cover all cases. Any thoughts about that?

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
ICQ: 258922616
Yahoo: akartmann
MSN: [email protected]
AIM: alexkartmann
Jabber: [email protected]
Skype: alexkartmann
The reason I don't only bind the user to check the password is that in some cases where the directory structure is complex I can't guess the DN from the user name...

Active Directory allows more ways to authenticate a user when binding:
- Distinguished Name (only works with simple bind)
- NT account name (domain\sAMAccountName) (always works with simple or secure bind)
- UserPrincipalName ([email protected]) (always works with simple or secure bind IF it is defined; it is not a required attribute)
- sAMAccountName (user) (only works with AD secure bind)

Anyway, if in your case the DN can be guessed from the user name, I think not setting ldap_bind_DN could do the trick

I cannot guess the full DN because it consists of a company personal ID. What I use is the domain\sAMAccountName way, where sAMAccountName equals the XWiki user name. Because the account name is the combined name DOMAIN + "\" + USERNAME, it would be nice if a new parameter were introduced, e.g. ldap_bind_addomain, which would then be used when constructing the userDN before using it in the Bind method. Another problem of using a dedicated ldap_bind_DN (compared to using the user's DN only) is the need to have a special system account on AD, which I can hardly imagine I will get approved by our sys admins.

And besides, I'll investigate adding proper AD support (guess I'll have to install WS2003

I don't think there is another possibility than introducing an SSL stack, which is unnecessary overhead if you need just authentication and not changing of passwords, IMHO.

As I don't want to bind twice, I use a comparison of the password (so I don't really read the password).

Even for this comparison I get "attribute not find" from AD. I also tried more attribute names like "unicodePwd" but with no success...

As for CreateUserFromLDAP, it's a very first version, and I'm looking for comments about it.

What would be interesting is to add support for plugging in custom mapping logic. We will need it for extracting a substring of an LDAP attribute and assigning a user to an XWiki group based on LDAP grouping.

Thank you,
Jiri.

On Thu, 28 Apr 2005 22:35:08 +0200, you wrote:
Hi Jiri,

The reason I don't only bind the user to check the password is that in some cases where the directory structure is complex I can't guess the DN from the user name, so I first need to make a search, binding anonymously or with the binding DN/password. As I don't want to bind twice, I use a comparison of the password (so I don't really read the password). Anyway, if in your case the DN can be guessed from the user name, I think not setting ldap_bind_DN could do the trick, maybe with some minor modification to the code. If you could send me the patch you made I can find a way to make it "clean". And besides, I'll investigate adding proper AD support (guess I'll have to install WS2003). As for CreateUserFromLDAP, it's a very first version, and I'm looking for comments about it.

Alexis KARTMANN
email: [email protected]
Blog: http://www.kartmann.com
ICQ: 258922616
Yahoo: akartmann
MSN: [email protected]
AIM: alexkartmann
Jabber: [email protected]
Skype: alexkartmann
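The strategy split Alexis proposes (DN construction chosen independently of the password check) and the Active Directory bind identities Jiri lists, modelled end to end as an added example; this is not XWiki's LDAPAuthServiceImpl nor the JLDAP API the thread refers to. FakeDirectory is a constructed in-memory stand-in for an LDAP server whose search_requires_bind and password_comparable flags reproduce the two AD behaviours reported above (a search on an anonymously bound connection fails with an operations error, and the password attribute cannot be read or compared), dn_by_template plays the role of the ldap_bind_addomain setting Jiri suggests, the "stored in XWiki" option is left out as a plain dictionary lookup, and the user, service-account and domain names are invented.

```python
from typing import Dict, Optional

class LdapError(Exception):
    """Stand-in for the LDAPException a real client library raises."""

class FakeDirectory:
    """Constructed in-memory directory, not a real LDAP client. Entries map DN -> attributes;
    'password' exists only so bind() can check credentials. Flags model behaviours from the thread."""

    def __init__(self, entries: Dict[str, Dict[str, str]], domain: str = "",
                 search_requires_bind: bool = False, password_comparable: bool = True):
        self.entries = entries
        self.domain = domain                                # NetBIOS domain for DOMAIN\user binds (AD)
        self.search_requires_bind = search_requires_bind    # AD: "a successful bind must be completed"
        self.password_comparable = password_comparable      # AD: password attribute cannot be compared
        self.bound_as: Optional[str] = None                 # DN the connection is authenticated as

    def _lookup(self, name: str) -> Optional[str]:
        """Accept two of the AD bind identities Jiri lists: a DN or DOMAIN\\sAMAccountName."""
        if name in self.entries:
            return name
        for dn, attrs in self.entries.items():
            if self.domain and name == f"{self.domain}\\{attrs.get('sAMAccountName')}":
                return dn
        return None

    def bind(self, name: str, password: str) -> bool:
        self.bound_as = None
        if name == "" or password == "":
            return True   # unauthenticated bind "succeeds", but the connection is bound as nobody
        dn = self._lookup(name)
        if dn is None or self.entries[dn]["password"] != password:
            return False
        self.bound_as = dn
        return True

    def search(self, attr: str, value: str) -> Optional[str]:
        if self.search_requires_bind and self.bound_as is None:
            raise LdapError("Operations Error (1): a successful bind must be completed")
        return next((dn for dn, a in self.entries.items() if a.get(attr) == value), None)

    def compare(self, dn: str, attr: str, value: str) -> bool:
        if attr == "password" and not self.password_comparable:
            raise LdapError("attribute not found")   # modelled on Jiri's report against AD
        return self.entries.get(dn, {}).get(attr) == value

# DN construction strategies from Alexis's list (the "stored in XWiki" option is a plain lookup).
def dn_by_search(uid_attr: str, service_dn: str = "", service_pw: str = ""):
    # Bind (anonymously when no service DN is given), then search for the user.
    def resolve(d: FakeDirectory, username: str) -> Optional[str]:
        return d.search(uid_attr, username) if d.bind(service_dn, service_pw) else None
    return resolve

def dn_by_template(template: str):
    # Trivial construction, e.g. "CORP\\{username}" (a hypothetical ldap_bind_addomain setting).
    return lambda d, username: template.format(username=username)

# Password check strategies: bind as the user, or an LDAP compare on the password attribute.
def check_by_bind(d: FakeDirectory, dn: str, password: str) -> bool:
    return d.bind(dn, password)

def check_by_compare(d: FakeDirectory, dn: str, password: str) -> bool:
    try:
        return d.compare(dn, "password", password)
    except LdapError:
        return False

def authenticate(d: FakeDirectory, username: str, password: str, resolve_dn, check_password) -> bool:
    """Compose the two steps; empty credentials never reach bind()."""
    if not username or not password:
        return False
    try:
        dn = resolve_dn(d, username)
    except LdapError:
        return False
    return dn is not None and check_password(d, dn, password)

# Constructed sample directories: an OpenLDAP-like server and an AD-like one.
OPENLDAP = FakeDirectory({"uid=jiri,ou=people,dc=example,dc=com": {"uid": "jiri", "password": "s3cret"}})
SVC_DN = "CN=svc-xwiki,OU=Service,DC=corp,DC=example"
AD = FakeDirectory({
    "CN=Jiri Luzny,OU=Staff,DC=corp,DC=example": {"sAMAccountName": "jiri", "password": "s3cret"},
    SVC_DN: {"sAMAccountName": "svc-xwiki", "password": "svc-pw"},
}, domain="CORP", search_requires_bind=True, password_comparable=False)

def demo() -> Dict[str, bool]:
    by_domain = dn_by_template("CORP\\{username}")
    return {
        "openldap_anon_search_compare": authenticate(OPENLDAP, "jiri", "s3cret", dn_by_search("uid"), check_by_compare),
        "ad_compare_unusable": authenticate(AD, "jiri", "s3cret", by_domain, check_by_compare),
        "ad_anon_search_fails": authenticate(AD, "jiri", "s3cret", dn_by_search("sAMAccountName"), check_by_bind),
        "ad_service_search_then_bind": authenticate(
            AD, "jiri", "s3cret", dn_by_search("sAMAccountName", SVC_DN, "svc-pw"), check_by_bind),
        "ad_domain_user_bind": authenticate(AD, "jiri", "s3cret", by_domain, check_by_bind),
        "ad_empty_password_rejected": authenticate(AD, "jiri", "", by_domain, check_by_bind),
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() walks through the combinations the thread argues about: against the OpenLDAP-like directory the anonymous search plus compare works, while against the AD-like one the compare is unusable and the anonymous search dies with the operations error Jiri quotes, so only search-with-service-account or DOMAIN\user templating, each followed by a bind as the user, succeeds. The guard in authenticate() is the part worth copying into any real implementation: an LDAP bind with an empty password is an unauthenticated bind that most servers report as successful, which is exactly the "connect anonymously in case binding fails" behaviour Alexis mentions, and without the guard the bind-as-user strategy would accept any known username with a blank password.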
participants (3)
- Alexis KARTMANN
- Jiri Luzny
- Ludovic Dubost