Hi,
Having XWiki 1.0B3, I ran into 3 issues around LDAP (we use Novell
eDirectory).
Before, I would like to say that XWiki runs fine against eDirectory
through the LDAP interface! (It was a little bit tricky to set up and it
would be great if someone could write up some more detailed
documentation on it.)
Here are the configuration parameter that I used:
xwiki.authentication.ldap=1
xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
xwiki.authentication.ldap.server=dsmaster
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=department=USER,department=INFORMATIK,department=1230,o=MP
xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=uid
....
1. In our LDAP structure (about 2000 employees) the users that should
have access to XWiki are in multiple department nodes in the LDAP
structure. Thus, I cannot specify a single pattern of the kind
cn={0},department=USER,department=INFORMATIK,department=1230,o=MP for
authentication.
How could I specify users from different departments to have access to
XWiki? (E.g. can I specify multiple xwiki.authentication.ldap.bind_DN
lines?)
2. We cannot allow ALL users in the LDAP structure to have access to
XWiki. We would like to specify an LDAP group for all users that have
access to XWiki. How could we configure this? Our eDirectory allows
annonymous browsing.
(It is not the probably harder issue that we would want to use a LDAP
groups for page access rights. I am talking about the simpler issues of
just controlling the list of users that have access to XWiki from an
identity system behind LDAP.)
3. Current behavior is, that
1. I can login with a user/pwd authenticated against
LDAP/eDirectory. If the user does not already exist in XWiki, the user
appears to be created.
2. A user, created in XWiki CANNOT Login anymore, if he/she is not
an LDAP user. (Why is that?)
3. The old passwords do not work anymore for users with a matching
entry in XWiki and LDAP. (ok)
Why can't I add user per hand if I use LDAP? This would at least allow
some Workaround for some departments.
Can I hope for XWiki 1.0 to include the handling of an LDAP group for
authentication?
I have read a blog mentioning LDAP group support being planned for 1.0.
Is this still the case?
Regards,
G Leeb
-------------------------------------------------------------------------------
Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte
Informationen. Wenn Sie nicht der richtige Adressat sind oder diese E-Mail
irrtuemlich erhalten haben, informieren Sie bitte sofort den Absender und
vernichten Sie diese Mail. Das unerlaubte Kopieren sowie die unbefugte
Weitergabe dieser Mail ist nicht gestattet.
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited. If you received
this in error, please contact the sender and delete the material from any
computer.
-------------------------------------------------------------------------------