On Mon, Feb 8, 2016 at 3:44 PM, Frank Thommen
<f.thommen(a)dkfz-heidelberg.de> wrote:
Hi Thomas,
thanks a lot
On 02/08/2016 03:34 PM, Thomas Mortagne wrote:
xwiki.authentication.ldap.bind_DN and
xwiki.authentication.ldap.bind_pass don't have to be static. It's
usually better to make them dynamic (no need to put a clear admin
password in a configuration file), the only use case where it should
be static IMO is when users are not allowed to search or navigate
into group members.
In the standard xwiki.cfg each field is documented, for example for
user_search_fmt you have:
I've read this, but I wanted to know what happens in the "background" ;-)
#-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in
#-# xwiki.authentication.ldap.bind_DN)
#-# {0} is replaced with the user uid field name and {1} with the user name
#-# The default is ({0}={1})
# xwiki.authentication.ldap.user_search_fmt=({0}={1})
Here is an example: if the LDAP user field containing the uid is "cn"
and you are putting "toto" in the authentication form when you
authenticate, XWiki will execute the following LDAP query to search
for the user DN in the LDAP server: "cn=toto". Then by default (this
is controlled by the validate_password property)
validate_password=0 in our current setup.
it will validate the
password by executing an LDAP bind with the found DN and the password
you gave it in the authentication form (then it will go back to the
configured bindDN/password to do the synchronization).
Just to make sure I understood correctly: When using static
xwiki.authentication.ldap.bind_DN and xwiki.authentication.ldap.bind_pass
and xwiki.authentication.ldap.validate_password=0, then XWiki does three
binds:
1) first with bind_DN/bind_pass
2) then - to validate password - with the user's DN and provided pw
3) then again with bind_DN/bind_pass for sync
Yes, 3 binds, since bind is the most standard way to validate an LDAP
user and works with all servers.
f.
I never saw anyone set a custom query in there (you don't have to set
something when the bind DN is static).
On Mon, Feb 8, 2016 at 3:14 PM, Frank Thommen
<f.thommen(a)dkfz-heidelberg.de> wrote:
Hi,
can someone explain (or provide links to documentation) how XWiki's LDAP
authentication using "xwiki.authentication.ldap.ldap_user_search_fmt"
works?
I understand that XWiki binds using xwiki.authentication.ldap.bind_DN and
xwiki.authentication.ldap.bind_pass (which are configured as static user),
but how does it then continue to check the user's password against the one
in the LDAP/DA?
In the configuration examples I found, this parameter is usually not used,
however in the old installation I'm supposed to migrate it is. I need to
find out how that works, to decide if we should go on with it or not. I've
had a look at some of the Java libraries (XWikiLDAPAuthServiceImpl.java and
XWikiLDAPUtils.java) but they didn't help me very much (not being very
proficient in Java). Any hint or link to some more in-depth documentation
(deeper than
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication but above
source code level) is highly appreciated.
Cheers
Frank
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Frank Thommen | HD-HuB / DKFZ Heidelberg
| f.thommen(a)dkfz-heidelberg.de
| TP3: +49-6221-42-3562 (Mo+Di)
| IPMB: +49-6221-54-5823 (Mi-Do)
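Added example, not part of the thread and not XWiki's own code: a Python sketch of the search-then-bind sequence discussed above (static bind_DN bind, user search built from user_search_fmt, bind as the found DN, rebind for the sync). The FakeLdap class, the DNs and the passwords are constructed for illustration; escaping the user name per RFC 4515 and refusing empty passwords before binding are assumptions of this sketch, not statements about what XWiki does.

```python
import re

# Constructed directory standing in for an LDAP server: DN -> attributes.
ENTRIES = {
    "cn=svc,ou=services,dc=example,dc=org": {"cn": "svc", "userPassword": "svc-secret"},
    "cn=toto,ou=people,dc=example,dc=org": {"cn": "toto", "userPassword": "toto-pw"},
}

class FakeLdap:
    """Hypothetical stand-in server: simple bind, (attr=value) search, '*' presence."""
    def __init__(self, entries):
        self.entries, self.binds = entries, []

    def bind(self, dn, password):
        self.binds.append(dn)
        if password == "":  # some servers accept this "unauthenticated bind" (RFC 4513)
            return True
        return self.entries.get(dn, {}).get("userPassword") == password

    def search(self, ldap_filter):
        attr, raw = ldap_filter[1:-1].split("=", 1)
        if raw == "*":      # an unescaped '*' is a presence test matching every entry
            return [dn for dn, e in self.entries.items() if attr in e]
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [dn for dn, e in self.entries.items() if e.get(attr) == value]

def escape_filter_value(value):
    """RFC 4515 escaping of the characters that are special inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(fmt, uid_attr, login):
    # {0} -> uid field name, {1} -> user name, as described in the xwiki.cfg comment
    return fmt.replace("{0}", uid_attr).replace("{1}", escape_filter_value(login))

def authenticate(server, bind_dn, bind_pass, fmt, uid_attr, login, password):
    if not login or not password:            # never send an empty-password bind
        return None
    if not server.bind(bind_dn, bind_pass):  # bind 1: static bind_DN/bind_pass
        return None
    found = server.search(build_filter(fmt, uid_attr, login))
    if len(found) != 1:                      # unknown or ambiguous user
        return None
    if not server.bind(found[0], password):  # bind 2: found DN + password from the form
        return None
    server.bind(bind_dn, bind_pass)          # bind 3: back to bind_DN for the sync
    return found[0]
```

server.binds records the DN of every bind attempt, so the order of the three binds can be checked after a login.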