On Mon, Jun 28, 2010 at 18:39, John Cavanaugh <cavanaughwww(a)hp.com> wrote:
> Folks,
> I'm looking for some assistance here in getting LDAP configured properly.
> In the past I've successfully enabled LDAP for other applications we use
> (Coverity, XPlanner, Hudson, Reviewboard), but XWiki has proven to be quite
> difficult.
> I am trying to configure & connect with the following:
> - to a generic LDAP server (i.e. not Active Directory)
> - In our particular instance uid is the manner in which people login,
>   and this uid happens to be a fully qualified email address
> - I want people to login with this uid (firstname.lastname(a)foo.com)
> - I would like to use an ldap filter to determine who can login
> I have been able to login with the configuration below as a proof of concept
> to prove SSL is working etc.  But there are several things here blocking me
> from moving forward; I'm hoping there is a way to reconfigure or file a
> defect/enhancement to get the implementation changed.
> - The xwiki.authentication.ldap.exclude_group &
>   xwiki.authentication.ldap.user_group.  We don't have a group in ou=Groups
>   that has all the people in our organization, so there's no way to use the
>   user_group field.  Is there some way to instead use a filter query?
No, that is not supported. But patches are welcome ;)
> - The xwiki.authentication.ldap.UID_attr field: it seems like I should
>   want to leave it as cn, but I was unable to get it to work unless I set it to
>   uid, because it appears that the queries into LDAP are hardcoded to use cn
>   otherwise.  But using uid as the username in XWiki creates accounts like
>   firstnamelastname@hpcom where all the .'s have been eliminated.
The description in xwiki.cfg is actually not very good. UID_attr is
not used to choose the XWiki user name; the XWiki user name is always
created based on what the user provided in the login form. UID_attr is
used to search for the user in the LDAP server or to manage LDAP group
membership.
>   Unfortunately, with the strategy employed here there is no way to ensure that
>   the username mapping is unique, because just dropping the .'s can lead to
>   conflicts; consider for example the following uid's, john.c.hase(a)foo.com
>   and john.chase(a)foo.com, which both get reduced to johnchase@foocom.  I know you
>   are thinking, geez, that will never happen.  Unfortunately, with lots of
>   employees we have LOTS of multiple names (we must have like 20+ Tom
>   Smiths, etc.), so all these corner cases do in fact crop up.
Actually you are wrong, this is taken into account and you are not
supposed to have technical conflicts: each created XWiki user contains
its LDAP DN in an object, and when a user with the same uid after
cleaning tries to connect, the LDAP DN is used to ensure it's the right
profile; if not, an incremented counter will be appended to the new
XWiki profile name.
Note: this DN is also used to be able to change a user's DN without
changing its XWiki uid, or when you start using LDAP in an XWiki that
used to be "standard" and you want some of the existing user profiles
to be linked to LDAP.
> - Also it appears that once you configure ldap, you can't add local
>   users through the UI.  I like to use local users for the occasional group
>   account or machine accounts.
That is supposed to work perfectly. That's why you have the
xwiki.authentication.ldap.trylocal property in xwiki.cfg.
> At this point, with all these challenges, as much as I want to I can't roll out
> xwiki to our org.  Any help on these issues would be much appreciated.
> As a reference I would suggest taking a look at Hudson CI.  Configuring
> Hudson to use LDAP is *very* simple & covers all the features I've ever
> needed in the past.  As an example I can configure the user search filter
> to be
> "(&(&(objectClass=person)(hpOrganizationChartAcronym=C_OR))(uid={0}))"
> to do the filtering by group etc.
> ############################################################################
> #-# new LDAP authentication service
> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
> #-# Turn LDAP authentication on - otherwise only XWiki authentication
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap=1
> #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
> xwiki.authentication.ldap.server=ldap.hp.com
> xwiki.authentication.ldap.port=636
> #-# LDAP login, empty = anonymous access, otherwise specify full dn
> #-# {0} is replaced with the username, {1} with the password
> xwiki.authentication.ldap.bind_DN=
> xwiki.authentication.ldap.bind_pass=
> #-# Force to check password after LDAP connection
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap.validate_password=0
> #-# base DN for searches
> xwiki.authentication.ldap.base_DN=o=hp.com
> #-# Specifies the LDAP attribute containing the identifier to be used as the
> #-# XWiki name (default=cn)
> xwiki.authentication.ldap.UID_attr=uid
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# Specifies the LDAP attribute containing the password to be used when
> #-# xwiki.authentication.ldap.validate_password is set to 1
> xwiki.authentication.ldap.password_field=userPassword
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential LDAP groups classes. Separated by commas.
> xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential names of the LDAP groups fields containing the members.
> #-# Separated by commas.
> xwiki.authentication.ldap.group_memberfields=member,uniqueMember
> #-# retrieve the following fields from LDAP and store them in the XWiki user
> #-# object (xwiki-attribute=ldap-attribute)
> xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=uid,phone=telephoneNumber
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# on every login update the mapped attributes from LDAP to XWiki, otherwise
> #-# this happens only once when the XWiki account is created.
> xwiki.authentication.ldap.update_user=1
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# maps XWiki groups to LDAP groups, separator is "|"
> xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=cscr-build-admins,ou=Groups,o=hp.com
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# time in s after which the list of members in a group is refreshed from
> #-# LDAP (default=3600*6)
> xwiki.authentication.ldap.groupcache_expiration=21800
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# - create : synchronize group membership only when the user is first
> #-#   created
> #-# - always: synchronize on every login
> xwiki.authentication.ldap.mode_group_sync=always
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# if ldap authentication fails for any reason, try XWiki DB authentication
> #-# with the same credentials
> xwiki.authentication.ldap.trylocal=1
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# SSL connection to LDAP server
> #-# 0: normal
> #-# 1: SSL
> xwiki.authentication.ldap.ssl=1
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# The keystore file to use in SSL connection
> xwiki.authentication.ldap.ssl.keystore=/usr/share/tomcat5/.keystore
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The java secure provider used in SSL connection
> xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# if ldap authentication fails for any reason, try XWiki DB authentication
> #-# with the same credentials
> xwiki.authentication.ldap.trylocal=1
> ############################################################################
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
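A worked illustration of the two mechanisms discussed in this thread: the Hudson-style user search filter with a {0} placeholder that John quotes, and the reply's description of how a login typed into the form becomes a unique XWiki profile name backed by the LDAP DN stored in the profile. This is an added example, not code from XWiki, Hudson or either poster. Assumptions: the clean-up rule only drops dots (the thread observes that dots disappear; the real set of characters XWiki strips is not stated here), the conflict counter starts at 1, the profile store is a plain dict, and all DNs and sample logins are constructed. The example also escapes the substituted login per RFC 4515, which neither poster mentions but which matters whenever form input is pasted into a filter.

```python
"""Added example (not XWiki's or Hudson's code): build an LDAP user search
filter from a login name, and map that login to a unique XWiki profile
name the way the reply describes (stored DN checked first, counter on clash).
Assumed details: only dots are removed from the login, the counter starts
at 1, and the profile store is a dict of profile name -> LDAP DN.
"""
from typing import Dict, Optional

# RFC 4515 escaping for values substituted into a filter, so a login such as
# "*)(uid=*" cannot widen the search to other users.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(template: str, login: str) -> str:
    """Substitute {0} as a Hudson-style user search filter does, but escape
    the login first (the escaping is this example's hardening, not a claim
    about what Hudson or XWiki do)."""
    return template.replace("{0}", escape_filter_value(login))


def clean_profile_name(login: str) -> str:
    """Derive the XWiki profile name from what the user typed in the login
    form. The thread observes that dots are dropped; that is the only rule
    applied here (assumption)."""
    return login.replace(".", "")


def find_by_dn(profiles: Dict[str, str], dn: str) -> Optional[str]:
    """A profile already linked to this DN wins regardless of the login,
    which is what lets a DN change, or a pre-LDAP profile, keep its name."""
    for name, stored_dn in profiles.items():
        if stored_dn == dn:
            return name
    return None


def resolve_profile(profiles: Dict[str, str], login: str, dn: str) -> str:
    """Return (creating if needed) the profile name for an LDAP user.

    profiles: profile name -> LDAP DN stored in the profile's LDAP object.
    """
    existing = find_by_dn(profiles, dn)
    if existing is not None:
        return existing
    base = clean_profile_name(login)
    candidate, counter = base, 1
    # Any occupied candidate belongs to a different DN (find_by_dn ruled out
    # a match), so append an incrementing counter until a free name appears.
    while candidate in profiles:
        candidate = f"{base}{counter}"
        counter += 1
    profiles[candidate] = dn
    return candidate


# Constructed sample data (not real accounts): the two colliding logins from
# the thread, each with its own DN.
SAMPLE_USERS = {
    "john.c.hase@foo.com": "uid=john.c.hase@foo.com,ou=People,o=foo.com",
    "john.chase@foo.com": "uid=john.chase@foo.com,ou=People,o=foo.com",
}


def demo_collision() -> Dict[str, str]:
    """Log both users in twice; the second round must return the same names."""
    profiles: Dict[str, str] = {}
    first = {login: resolve_profile(profiles, login, dn) for login, dn in SAMPLE_USERS.items()}
    second = {login: resolve_profile(profiles, login, dn) for login, dn in SAMPLE_USERS.items()}
    assert first == second, "profile names must be stable across logins"
    return first


if __name__ == "__main__":
    flt = "(&(objectClass=person)(hpOrganizationChartAcronym=C_OR)(uid={0}))"
    print(user_search_filter(flt, "john.c.hase@foo.com"))
    print(user_search_filter(flt, "*)(uid=*"))
    print(demo_collision())
```

Running it shows john.c.hase landing on johnchase@foocom and john.chase on johnchase@foocom1, with both names stable on a second login because the stored DN is consulted before the cleaned name; the second filter line shows the injected login neutralised into `\2a\29\28uid=\2a` rather than becoming extra filter syntax.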