I have performed the following steps:

* Installed the LDAP Admin Application on the subwiki.
* Changed the LDAP BASE_DN to point to a different location than the main wiki (OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com) as opposed to (OU=All Users,DC=mycompanyt,DC=com) on the main.
* Created a new group in my AD called "maintenance_wiki" that has a membership of users that I wish to authenticate against (as there is the odd user that I want to authenticate that will not reside in the OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com branch).
* Changed the "Restricted To Group" setting in the LDAP application to point to my new maintenance_wiki group.
* Restarted the Tomcat services.

After turning LDAP logging on and performing some tests, it appears that if I log on with a user that does not exist in the "maintenance_wiki" group, it will next try to authenticate using the main wiki's search DN as opposed to the more granular one that I have defined in the subwiki. So instead of getting an "Invalid Credentials" message, which I was hoping for, it instead creates the user in the main wiki and lets the user into the subwiki with the message "ERROR you are not allowed to view this document or perform this action".

What I was hoping would happen is that the subwiki would only authenticate users from the search DN defined in the subwiki or that belong in the group that I defined, and not create accounts for users that exist in the main wiki's search DN.

Is this possible?

Kelly Steinke
Software Developer/System Support
STEEL-CRAFT DOOR PRODUCTS LTD.

----- Original Message -----
From: "Thomas Mortagne" <[email protected]>
To: "XWiki Users" <[email protected]>
Sent: Tuesday, December 31, 2013 12:27:47 AM
Subject: Re: [xwiki-users] subwiki ldap authentication

Yes you have only one xwiki.cfg which contains the default configuration for each wiki but "You can also setup the LDAP configuration in the XWiki.XWikiPreferences page by going to the object editor. Simply replace xwiki.authentication.ldap. with ldap_. For example xwiki.authentication.ldap.base_DN becomes ldap_base_DN."

You can install http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP+Application which is doing exactly that (modifying XWikiPreferences page) in the wikis you want to modify.

On Tue, Dec 31, 2013 at 12:52 AM, Kelly Steinke <[email protected]> wrote:
Hi all,
I just recently upgraded to 5.3 and have now created a sub wiki for the first time. My main wiki is configured to authenticate using LDAP and has a base search DN set to an OU called "AllUsers". In Active Directory the AllUsers OU contains several sub OUs which separate users according to branch, department, etc. Having the LDAP set up to search the AllUsers OU allows for anyone in our company to use the main wiki by logging in with their network credentials and works great.
When I created the sub wiki, I went through the wizard and selected to only have local users be available in it, as this sub wiki is to be used and administrated by a specific department only. What I would like to achieve now is to have the users of the sub wiki be authenticated using a different search base than that of the main wiki (aka the OU that contains only users for that department).
So instead of using the following, which is defined in the xwiki.cfg:
xwiki.authentication.ldap.base_DN=OU=All Users,DC=mycompanyt,DC=com
The sub wiki would use this for authentication:
xwiki.authentication.ldap.base_DN=OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com
I read in the documentation "Use cases of configuration to authenticate users with LDAP" that each wiki in a multiwiki environment can have its own LDAP configuration, however I am unable to determine how to do this, as there is only one xwiki.cfg file that contains my LDAP configuration and there is no mention of any LDAP settings in the xwiki.preferences page of the sub wiki.
Any help is greatly appreciated!
_______________________________________________ users mailing list [email protected] http://lists.xwiki.org/mailman/listinfo/users
-- 
Thomas Mortagne
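
Added example, not part of the original thread and not XWiki code: a small Python audit of the policy Kelly describes wanting, flagging accounts whose LDAP DN is neither under the subwiki's base DN nor a member of maintenance_wiki. The account list, group membership and function names are constructed assumptions; DNs are compared per RDN rather than by string suffix, so case, spacing and escaped commas are handled.

```python
# Added example: the base DN and group name come from the e-mails; the
# account list, membership and helper names are constructed for illustration.
SUBWIKI_BASE_DN = "OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"

def split_rdns(dn):
    """Split a DN into lower-cased (attr, value) RDNs, honouring backslash escapes.
    Assumption: no quoted values and no multi-valued (a=b+c=d) RDNs."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError("malformed RDN in %r" % dn)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def is_under(user_dn, base_dn):
    """True when user_dn sits strictly below base_dn in the directory tree."""
    user, base = split_rdns(user_dn), split_rdns(base_dn)
    return len(user) > len(base) and user[-len(base):] == base

def unexpected_accounts(accounts, group_member_dns, base_dn=SUBWIKI_BASE_DN):
    """Return names of accounts that are neither under base_dn nor group members."""
    members = {split_rdns(dn) for dn in group_member_dns}
    return [name for name, dn in accounts
            if not is_under(dn, base_dn) and split_rdns(dn) not in members]

# Constructed sample data: (wiki account name, LDAP DN assumed exported for it).
ACCOUNTS = [
    ("alice", "CN=Alice,OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"),
    ("bob", "cn=Bob, ou=accounting, ou=mybranch, ou=all users, dc=mycompanyt, dc=com"),
    ("carol", "CN=Carol,OU=Sales,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"),
    ("dave", "CN=Dave,OU=Sales,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"),
    # The escaped comma makes "OU=Accounting" part of the CN, not a container.
    ("erin", "CN=Erin\\,OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"),
]
# Constructed membership of the maintenance_wiki group named in the thread.
MAINTENANCE_WIKI = ["CN=Carol,OU=Sales,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"]
```

Calling `unexpected_accounts(ACCOUNTS, MAINTENANCE_WIKI)` lists the accounts that the subwiki's intended scope would not have admitted.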