On Thu, Oct 23, 2008 at 11:53 AM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
Hi,
Sorry to answer only now, I had lots of work and not that much
Internet access ;)
On Tue, Oct 21, 2008 at 4:04 PM, <ramongb(a)mp.go.gov.br> wrote:
Hi Thomas,
First I would congratulate you guys for such a powerful and top-of-mind tool like Xwiki.
I'm the leader of the team here on my Company in Brazil (a Court government institute)
that is implementing a wiki tool, and my first - and de-facto - choice was Xwiki.
We're on ongoing works on it for integration with our AD infrastructure and it shows to
be a complete and very powerful tool to fulfill our requirements.
This AD integration (and the ACLs Xwiki provides through AD imported groups) is the
decisive feature for our needs. And on this subject, some questions came to mind. I've
installed your last 1.6-SNAPSHOT, that corrects the bug regarding the AD authentication
and seems to work (and log) well. But my question is about resetting the LDAP password
through Xwiki. As I could notice, when I reset a password from an AD user through
the "Forgot your password" feature, it doesn't reset the AD user password, but it
resets (or creates?) the user password only in the internal database.
Yes XWiki does not write/modify anything in LDAP server and it has to
remain like this IMO. But you are right there is a problem with
"Forgot your password" feature that should be disabled for LDAP users
on XWiki.
I will investigate this, thanks for the report.
Ok so yes if the user or admin change the user's profile password
there will be two ways to login with this user, LDAP or XWiki
"classical" way. But anyway only user himself or admin can change the
user XWiki password so I will disable "Forgot your password" feature
for user containing LDAP object for now, that way user will not make
the mistake.
In the meantime you can remove the page XWiki.ResetPassword to disable it.
The logs show that it can't authenticate anymore on the LDAP, but it tries to log on the
Xwiki database and succeeds. Because of this, one can get two
out-of-sync working passwords: one through LDAP (and it permits that
his AD attributes be refreshed on every login - just what we need) and
other through Xwiki database, which does not provide LDAP attributes
refresh (once the authentication fails).
Does the last Xwiki 1.6 have this capability of
password sync'ing? Is it a bug? I know for sure that this could be a serious security
breach (once one knows the username of another, the LDAP password can be compromised).
This leads to other questions and we'll touch on them later. My mail is too big
already :-)
By the way, I'm gonna provide the Brazilian Portuguese translation for the project
:-)
Great !
I'm looking forward to your response.
Thanks in advance,
Ramon Gomes Brandão
I'm forwarding also in users(a)xwiki.org mailing list as this can be
interesting for anyone.
--
Thomas Mortagne