Hi Thomas,
What if an admin wants to use a trusted authentication (to enable SSO, from
a front-end) but doesn't use LDAP at all? Is it possible to use this
authenticator to simply accept the remote user, comparing it with the
internal XWiki Users DB?
Thanks,
Guillaume
2013/7/3 Thomas Mortagne <thomas.mortagne(a)xwiki.com>
On Wed, Jul 3, 2013 at 2:26 PM, Guillaume Fenollar <guillaume.fenollar(a)xwiki.com> wrote:
Hi,
Sorry I forgot to talk about the most important thing, I don't know what I
was thinking about when I wrote my first answer :-P
About the XWiki part, you need to tell your wiki to accept any user that will
be given by the Apache front-end, which will authenticate the users with
*libapache2-mod-auth-cas*.
To do this, you need to use a different authenticator, like this one:
https://github.com/xwiki-contrib/xwiki-authenticator-trusted-ldap
Build it and place it in your webapp (xwiki/WEB-INF/lib directory).
No need to build it anymore:
http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Tr…
;)
In *xwiki.cfg*, add this line:
xwiki.authentication.authclass=com.xwiki.authentication.trustedldap.TrustedLDAPAuthServiceImpl
Then, modify your Servlet Container application to leave the authentication
alone. If you're using tomcat, it's in your *server.xml*, you need to add in
each "Connector" block, the following option:
tomcatAuthentication="false"
Finally, configure your apache server. Here's a minimal conf you can use:
CASLoginURL https://sso.xwikisas.com/cas/login
CASValidateURL https://sso.xwikisas.com/cas/serviceValidate
CASValidateServer Off
CASTimeout 28800
CASIdleTimeout 14400
<Location "/xwiki/">
    AuthType CAS
    AuthName "CAS Server Auth"
    CasScope /xwiki
    Order allow,deny
    require valid-user
    Allow from 127.0.0.1
    Satisfy Any
</Location>
This should work, after you restart everything (apache and tomcat)
This authenticator is good to use if you're already using CAS with LDAP
authentication (most cases).
To sum up, in this case, you're first authenticating the user through
Apache HTTPd to CAS (you get the login page if you don't have any
session/cookie), then mod_auth_cas gives tomcat some data (which are
not altered because of tomcatAuthentication="false"), then XWiki uses them
to retrieve the info (email, phone number... as you configured it in the
LDAP section of xwiki.cfg) from the LDAP server.
It's not something very trivial, but I tried to make it clear and short,
and I hope you'll understand.
Guillaume Fenollar
2013/7/3 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
> Hi Guillaume
>
> You are a happy man :D. I don't know how to set up XWiki to accept
> authentication from Apache CASScope
>
> Pls, :D
>
> Could you share your httpd.conf - CAS part and XWiki config?
>
> Thx
>
> Rudolf
>
> ----- Original message -----
> > From: "Guillaume Fenollar" <guillaume.fenollar(a)xwiki.com>
> > To: "XWiki Users" <users(a)xwiki.org>
> > Date: 02/07/2013 18:11
> > Subject: Re: [xwiki-users] XWiki and Jasig CAS integration
> >
> > Hi Rudolf,
> >
> > I'm also trying to get XWiki to work with Jasig CAS' SSO. In fact we're
> > using mod_auth_cas for Apache, in front of our XWiki instance. Everything
> > is running smoothly apart from an issue that appears randomly, sometimes...
> > the webserver returns no data, and I have to clean my cookies to make it
> > work again. I'll try to really investigate this issue next time it happens.
> > There's nothing special to know about XWiki + CAS + mod_auth_cas, except
> > the CASScope, that is wise to set to '/xwiki' (or any other name for the
> > XWiki app, after the root '/').
> >
> > Don't hesitate to share your experience about CAS + XWiki with us!
> >
> > Guillaume
> >
> >
> > 2013/6/28 Krejci Rudolf Ing. <krejci.r(a)chemosvit.sk>
> >
> > >
> > > Is it possible to integrate Jasig CAS (Central Authentication Service)
> > > to XWiki?
> > > We are using CAS for our web infrastructure (Liferay, Alfresco and Jira)
> > > and we would like to add XWiki.
> > >
> > >
> > >
> > > Thx
> > >
> > > Rudolf
--
Thomas Mortagne
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
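
Added example, not part of the original thread and not code from XWiki or Tomcat: a small audit of the server.xml setting discussed above. It lists the AJP connectors (tomcatAuthentication is an AJP connector attribute), reports those that would not pass the Apache-authenticated user to XWiki, and reports those that trust the front-end user without being explicitly bound to loopback. The sample server.xml and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): one HTTP connector,
# one AJP connector set up as described, and two AJP connectors with gaps.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               tomcatAuthentication="false"/>
    <Connector port="8010" protocol="AJP/1.3"/>
    <Connector port="8011" protocol="AJP/1.3" tomcatAuthentication="false"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml):
    """Return a list of (port, finding) tuples, one per AJP <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if "ajp" not in protocol.lower():
            continue  # tomcatAuthentication only applies to AJP connectors
        port = conn.get("port", "?")
        trusts_frontend = conn.get("tomcatAuthentication", "true").lower() == "false"
        address = conn.get("address")  # unset: default bind depends on Tomcat version
        if not trusts_frontend:
            findings.append((port, 'tomcatAuthentication is not "false": the user '
                                   'authenticated by Apache is not passed to XWiki'))
        elif address not in LOOPBACK:
            findings.append((port, 'front-end user is trusted but the connector is not '
                                   'explicitly bound to loopback: confirm only the '
                                   'Apache front-end can reach it'))
        else:
            findings.append((port, "ok"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector {port}: {finding}")
```

With a trusted authenticator, XWiki accepts whatever user name arrives over the connector, so the second finding matters as much as the first.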