Hi Laurent,
This is a bug I think: by default, bind is used to validate user
credentials (AFAIK that's the only way which works for all LDAP
servers) and it should rebind to the proxy after that.
But you can force the LDAP authenticator to use a simple user/pass data
comparison instead of bind using the options
xwiki.authentication.ldap.validate_password=1
xwiki.authentication.ldap.password_field=<password field name>
where <password field name> is the name of the field containing the password.
On Mon, Apr 20, 2009 at 12:27, ratso rizo <ratso.rizo(a)gmail.com> wrote:
Hi,
We are facing an issue integrating XWiki against our enterprise LDAP
directories.
The fact is that we can't implement the LDAP group-mapping feature
(xwiki.authentication.ldap.group_mapping) because xwiki tries to retrieve
group members using the xwiki logged/authenticated user, who has no access
rights on the LDAP group entries.
That's why we configured xwiki to use a "proxy" ldap account
(ldap_dn/ldap_pass) which has the required access privileges to query the
whole ldap.
But unfortunately, XWiki binds first using this proxy account and
then binds again using the logged user's credentials before
actually searching for the mapped group members.
Please find below the ldap requests made by xwiki that I caught using a
network sniffer tool:
1. xwiki binds against the ldap server using the "proxy" account
(bind_dn/bind_pass)
2. xwiki gets all members of the "ldap.user_group" xwiki parameter (it works
since it is still connected with the proxy account)
3. xwiki binds using the credentials provided by the user
4. xwiki searches for the user information (ldap.fields_mapping)
5. xwiki gets the "ldap.group_mapping" members --> returns no entry
Unfortunately we are not in charge of the ldap servers' administration and
we are not able to change their configuration and grant read access on the
group entries to all the users.
Is there any parameter to force xwiki to perform ldap queries (except to
authenticate the user) using the proxy account (credentials defined in
ldap_dn/ldap_pass)?
XWiki should bind first using the user's credentials to authenticate the
user and then perform all other required ldap requests using the proxy
account.
We are currently evaluating the latest stable release 1.8 (but this applies
to previous releases as well) and the group mapping feature is highly
needed.
Any help will be greatly welcome.
Thank you in advance.
Regards,
Laurent
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
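To make the bind sequence discussed in the two messages above concrete, here is an added simulation; it is not part of the thread and not XWiki's code. It models a directory with simple bind and a per-entry read ACL (all DNs, passwords and ACL rules are constructed), then runs the sequence Laurent captured with the sniffer (proxy bind, user bind, group search) beside the rebind sequence Thomas describes (proxy bind, user bind to validate the password, proxy bind again, group search). The point it shows is that an LDAP connection has exactly one identity, the one set by the last successful bind, so the group lookup in step 5 runs with the user's rights unless the authenticator rebinds.

```python
# Constructed simulation of the LDAP bind sequence from the thread.
# Not XWiki code: entry DNs, passwords and the per-entry read ACL are made up.


class LdapEntry:
    def __init__(self, dn, attrs, readable_by):
        self.dn = dn                    # distinguished name
        self.attrs = attrs              # attribute name -> list of values
        self.readable_by = readable_by  # DNs allowed to read this entry (toy ACL)


class ToyLdapDirectory:
    """Directory with simple-bind authentication and a per-entry read ACL."""

    def __init__(self, entries):
        self._entries = {e.dn: e for e in entries}

    def authenticate(self, dn, password):
        entry = self._entries.get(dn)
        return entry is not None and password in entry.attrs.get("userPassword", [])

    def visible_entries(self, bound_dn):
        return [e for e in self._entries.values() if bound_dn in e.readable_by]


class ToyLdapConnection:
    """One connection: its identity is whatever the last successful bind set."""

    def __init__(self, directory):
        self._dir = directory
        self.bound_dn = None

    def bind(self, dn, password):
        if not self._dir.authenticate(dn, password):
            self.bound_dn = None  # a failed bind leaves the connection anonymous
            return False
        self.bound_dn = dn        # a new bind REPLACES the previous identity
        return True

    def search(self, attr, value):
        """DNs of entries readable by the bound identity whose attr contains value."""
        return sorted(e.dn for e in self._dir.visible_entries(self.bound_dn)
                      if value in e.attrs.get(attr, []))


# Constructed identities: a read-only proxy account, one user, one mapped group.
PROXY_DN = "cn=xwiki-proxy,ou=services,dc=example,dc=org"
PROXY_PW = "proxy-secret"
USER_DN = "uid=laurent,ou=people,dc=example,dc=org"
GROUP_DN = "cn=wiki-editors,ou=groups,dc=example,dc=org"


def build_directory():
    return ToyLdapDirectory([
        LdapEntry(PROXY_DN, {"userPassword": [PROXY_PW]}, {PROXY_DN}),
        # Users can read their own entry; the proxy can read everyone.
        LdapEntry(USER_DN, {"userPassword": ["laurent-secret"], "cn": ["Laurent"]},
                  {PROXY_DN, USER_DN}),
        # Group entries are readable by the proxy only (the situation in the thread).
        LdapEntry(GROUP_DN, {"member": [USER_DN]}, {PROXY_DN}),
    ])


def group_members_as_captured(directory, user_pw):
    """Sequence seen with the sniffer: the user bind is never undone."""
    conn = ToyLdapConnection(directory)
    conn.bind(PROXY_DN, PROXY_PW)           # 1. bind as the proxy account
    conn.search("member", USER_DN)          # 2. group members: works (proxy rights)
    if not conn.bind(USER_DN, user_pw):     # 3. bind as the user to check password
        return None                         #    wrong password: authentication fails
    conn.search("cn", "Laurent")            # 4. user info: works (own entry readable)
    return conn.search("member", USER_DN)   # 5. group mapping: runs with user rights


def group_members_with_rebind(directory, user_pw):
    """Bind as the user only to validate the password, then rebind as the proxy."""
    conn = ToyLdapConnection(directory)
    conn.bind(PROXY_DN, PROXY_PW)
    if not conn.bind(USER_DN, user_pw):
        return None
    conn.bind(PROXY_DN, PROXY_PW)           # rebind: the proxy's read rights return
    return conn.search("member", USER_DN)


if __name__ == "__main__":
    d = build_directory()
    print("captured sequence:", group_members_as_captured(d, "laurent-secret"))
    print("rebind sequence:  ", group_members_with_rebind(d, "laurent-secret"))
```

The captured sequence returns an empty list for step 5 even though the password was correct, which is exactly the "returns no entry" symptom in the sniffer trace; the rebind sequence returns the mapped group. The validate_password=1 workaround avoids the user bind altogether, but it does so by having the proxy account read the stored password attribute and compare it, so that attribute must be readable by the proxy and stored in a form the comparison can match; rebinding keeps password checking inside the directory, which is why it is the preferable fix.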