Folks,
I'm looking for some assistance here in getting LDAP configured properly.
In the past I've successfully enabled LDAP for other applications we use
(Coverity, XPlanner, Hudson, Reviewboard), but XWiki has proven to be quite
difficult.
I am trying to configure & connect with the following:
. to a generic LDAP server (i.e. not Active Directory)
. In our particular instance uid is the manner in which people log in,
and this uid happens to be a fully qualified email address
. I want people to log in with this uid (firstname.lastname@foo.com)
. I would like to use an LDAP filter to determine who can log in
I have been able to log in with the configuration below as a proof of concept
to prove SSL is working etc. But there are several things here blocking me
from moving forward; I'm hoping there is a way to reconfigure or file a
defect/enhancement to get the implementation changed.
. The xwiki.authentication.ldap.exclude_group &
xwiki.authentication.ldap.user_group. We don't have a group in ou=Groups
that has all the people in our organization, so there's no way to use the
user_group field. Is there some way to instead use a filter query?
. The xwiki.authentication.ldap.UID_attr field: it seems like I should
want to leave it as cn, but I was unable to get it to work unless I set it to
uid, because it appears that the queries into LDAP are hardcoded to use cn
otherwise. But using uid as the username in XWiki creates accounts like
firstnamelastname@hpcom where all the .'s have been eliminated.
Unfortunately with the strategy employed here there is no way to ensure that
the username mapping is unique, because just dropping the .'s can lead to
conflicts; consider for example the following uids: john.c.hase@foo.com
and john.chase@foo.com both get reduced to johnchase@foocom. I know you
are thinking, geez, that will never happen. Unfortunately with lots of
employees we have LOTS of multiple names (we must have like 20+ Tom
Smiths, etc.), so all these corner cases do in fact crop up.
. Also, it appears that once you configure LDAP, you can't add local
users through the UI. I like to use local users for the occasional group
account or machine accounts.
At this point, with all these challenges, as much as I want to I can't roll out
XWiki to our org. Any help on these issues would be much appreciated.
As a reference I would suggest taking a look at Hudson CI. Configuring
Hudson to use LDAP is *very* simple & covers all the features I've ever
needed in the past. As an example I can configure the user search filter
to be
"(&(&(objectClass=person)(hpOrganizationChartAcronym=C_OR))(uid={0}))"
to do the filtering by group etc.
#########################################################################################################
#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=ldap.hp.com
xwiki.authentication.ldap.port=636
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the username, {1} with the password
xwiki.authentication.ldap.bind_DN=
xwiki.authentication.ldap.bind_pass=
#-# Force to check password after LDAP connection
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap.validate_password=0
#-# base DN for searches
xwiki.authentication.ldap.base_DN=o=hp.com
#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=uid
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used when xwiki.authentication.ldap.validate_password is set to 1
xwiki.authentication.ldap.password_field=userPassword
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP group classes. Separated by commas.
xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP group fields containing the members. Separated by commas.
xwiki.authentication.ldap.group_memberfields=member,uniqueMember
#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=uid,phone=telephoneNumber
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki, otherwise this happens only once when the XWiki account is created.
xwiki.authentication.ldap.update_user=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# maps XWiki groups to LDAP groups, separator is "|"
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=cscr-build-admins,ou=Groups,o=hp.com
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
xwiki.authentication.ldap.groupcache_expiration=21800
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first created
#-# - always: synchronize on every login
xwiki.authentication.ldap.mode_group_sync=always
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
xwiki.authentication.ldap.trylocal=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# 0: normal
#-# 1: SSL
xwiki.authentication.ldap.ssl=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
xwiki.authentication.ldap.ssl.keystore=/usr/share/tomcat5/.keystore
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
#########################################################################################################
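Two of the issues raised above can be checked before a rollout rather than discovered afterwards: whether the uid-to-wiki-name reduction produces duplicate accounts, and whether the login substituted into a Hudson-style user search filter can alter the filter. The script below is an added example, not code from the original post or from XWiki or Hudson. It assumes the reduction is exactly what the post describes (every '.' dropped; the real XWiki name cleaning may strip other characters too), runs it over a constructed list of uids to find collisions, derives a deterministic collision-free mapping, and builds the poster's filter with RFC 4515 escaping of the login value. The uids, the SHA-256 suffix scheme and the function names are all this example's own choices.

```python
import hashlib
from collections import defaultdict

# Constructed sample directory listing (not real accounts): the uid attribute
# is a fully qualified email address, as in the post.
SAMPLE_UIDS = [
    "john.c.hase@foo.com",
    "john.chase@foo.com",
    "tom.smith@foo.com",
    "tom.smith2@foo.com",
    "jane.doe@foo.com",
]


def reduce_like_xwiki(uid: str) -> str:
    """Model of the reduction the post describes: every '.' is dropped.

    Assumption: this mirrors only what the post reports
    (john.c.hase@foo.com -> johnchase@foocom); the real XWiki name cleaning
    may strip other characters as well.
    """
    return uid.replace(".", "")


def find_collisions(uids):
    """Return {reduced_name: [uid, ...]} for every reduced name that more
    than one LDAP uid maps to."""
    buckets = defaultdict(list)
    for uid in uids:
        buckets[reduce_like_xwiki(uid)].append(uid)
    return {name: members for name, members in buckets.items() if len(members) > 1}


def unique_mapping(uids):
    """Deterministic uid -> wiki-name mapping that stays unique.

    Non-colliding uids keep the plain reduced name. Each uid in a collision
    set gets a short SHA-256 suffix derived from the full uid, so the same
    uid always maps to the same name regardless of directory order.
    """
    collisions = find_collisions(uids)
    mapping = {}
    for uid in uids:
        base = reduce_like_xwiki(uid)
        if base in collisions:
            suffix = hashlib.sha256(uid.encode("utf-8")).hexdigest()[:6]
            mapping[uid] = f"{base}_{suffix}"
        else:
            mapping[uid] = base
    return mapping


# RFC 4515 escaping for a value substituted into a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape the characters that would otherwise change filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_search_filter(login: str, org_acronym: str = "C_OR") -> str:
    """The post's Hudson-style filter with the login substituted for {0}
    after escaping, so a login such as 'x*)(uid=*' cannot widen the match."""
    return (
        "(&(&(objectClass=person)(hpOrganizationChartAcronym={org}))(uid={login}))"
    ).format(org=escape_filter_value(org_acronym), login=escape_filter_value(login))


if __name__ == "__main__":
    for name, members in find_collisions(SAMPLE_UIDS).items():
        print(f"collision on {name}: {', '.join(members)}")
    for uid, name in unique_mapping(SAMPLE_UIDS).items():
        print(f"{uid} -> {name}")
    print(user_search_filter("x*)(uid=*"))
```

Run it against an export of the real uid attribute (one value per line) instead of SAMPLE_UIDS to get the actual collision list for your directory; the escaping function is the piece to reuse wherever a user-supplied login is spliced into a filter string.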