[xwiki-users] LDAP challenges...

Folks, Im looking for some assistance here in getting LDAP configured properly. In the past Ive successfully enabled LDAP for other applications we use (Coverity, XPlanner, Hudson, Reviewboard), but XWiki has proven to be quite difficult. I am trying to configure & connect with the following . to a generic LDAP server (ie. Not active directory) . In our particular instance uid is the manner in which people login and this uid happens to be a fully qualified email address . I want people to login with this uid (firstname.lastname(a)foo.com) . I would like to use an ldap filter to determine who can login I have been able to login with the configuration below as a proof of concept to prove SSL is working etc. But there are several things here blocking me from moving forward, Im hoping there is a way to reconfigure or file a defect/enhancement to get the implementation changed. . The xwiki.authentication.ldap.exclude_group & xwiki.authentication.ldap.user_group. We dont have a group in ou=Groups that has all the people in our organization so there no way to use the user_group field. Is there some way to instead use a filter query. . The xwiki.authentication.ldap.UID_attr field, seems like I should want to leave it as cn but I was unable to get it to work unless I set it to uid, because it appears that the queries into LDAP are hardcoded to use cn otherwise. But using uid as the username in XWiki creates accounts like firstnamelastname@hpcom where all the .'s have been eliminated. Unfortunately with the strategy employed here there is no way to ensure that the username mapping is unique because just dropping the .'s can lead to conflicts, consider for example the following uid's, john.c.hase(a)foo.com and john.chase(a)foo.com both get reduced to johnchase@foocom. I know you are thinking, geez that will never happen. Unfortunately with lots of employees, we have LOTS of multiple names (we must have like 20+ Tom Smith's, etc) so all these corner cases do in fact crop up. . Also it appears that once you configure ldap, you cant add local users thru the ui. I like to use local users for the occasional group account or machine accounts. At this point with all these challenges as much as I want to I cant roll out xwiki to our org. Any help on these issues would be much appreciated. As I reference I would suggest taking a look at Hudson CI. Configuring Hudson to use LDAP is *very* simple & covers all the features Ive ever needed in the past. As an example I can configure the user search filter to be "(&(&(objectClass=person)(hpOrganizationChartAcronym=C_OR))(uid={0}))" to do the filtering by group etc. ############################################################################ ############################# #-# new LDAP authentication service xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthSer viceImpl #-# Turn LDAP authentication on - otherwise only XWiki authentication #-# 0: disable #-# 1: enable xwiki.authentication.ldap=1 #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.) xwiki.authentication.ldap.server=ldap.hp.com xwiki.authentication.ldap.port=636 #-# LDAP login, empty = anonymous access, otherwise specify full dn #-# {0} is replaced with the username, {1} with the password xwiki.authentication.ldap.bind_DN= xwiki.authentication.ldap.bind_pass= #-# Force to check password after LDAP connection #-# 0: disable #-# 1: enable xwiki.authentication.ldap.validate_password=0 #-# base DN for searches xwiki.authentication.ldap.base_DN=o=hp.com #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn) xwiki.authentication.ldap.UID_attr=uid #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" is set to 1 xwiki.authentication.ldap.password_field=userPassword #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The potential LDAP groups classes. Separated by commas. xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueName s,dynamicGroup,dynamicGroupAux,groupWiseDistributionList #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The potential names of the LDAP groups fields containings the members. Separated by commas. xwiki.authentication.ldap.group_memberfields=member,uniqueMember #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute) xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName, email=uid,phone=telephoneNumber #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created. xwiki.authentication.ldap.update_user=1 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# mapps XWiki groups to LDAP groups, separator is "|" xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=cscr-build- admins,ou=Groups,o=hp.com #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6) xwiki.authentication.ldap.groupcache_expiration=21800 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# - create : synchronize group membership only when the user is first created #-# - always: synchronize on every login xwiki.authentication.ldap.mode_group_sync=always #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials xwiki.authentication.ldap.trylocal=1 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# SSL connection to LDAP server #-# 0: normal #-# 1: SSL xwiki.authentication.ldap.ssl=1 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# The keystore file to use in SSL connection xwiki.authentication.ldap.ssl.keystore=/usr/share/tomcat5/.keystore #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The java secure provider used in SSL connection xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.P rovider #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials xwiki.authentication.ldap.trylocal=1 ############################################################################ #############################