The xwiki.authentication.ldap.exclude_group & xwiki.authentication.ldap.user_group. We don't have a group in
ou=Groups that has all the people in our organization, so there's no way
to use the user_group field. Is there some way to instead use a filter query?
No that is not supported. But patches are welcomed ;)
Bummer.
The xwiki.authentication.ldap.UID_attr field, seems like I
should want to leave it as cn but I was unable to get it to work
unless I set it to uid, because it appears that the queries into LDAP
are hardcoded to use cn otherwise. But using uid as the username in
XWiki creates accounts like firstnamelastname@hpcom where all the .'s have been
eliminated.
The description in xwiki.cfg is actually not very good. UID_attr is not used to choose the
XWiki user name; the XWiki user name is always created based on what the user provided in the
login form. UID_attr is used to search for the user in the LDAP server or manage LDAP group
membership.
Ahh, ok, that makes more sense. Thanks.
Is there any way to configure the algorithm used for creating the xwiki user name?
Personally I would prefer something that replaced the .'s with _'s or something,
but I guess it is what it is...
Unfortunately, with the strategy employed here there is no way to
ensure that the username mapping is unique because just dropping the
.'s can lead to conflicts. Consider for example the following uids:
john.c.hase@foo.com and john.chase@foo.com both get reduced to
johnchase@foocom. I know you are thinking, geez that will never
happen. Unfortunately with lots of employees, we have LOTS of
multiple names (we must have like 20+ Tom Smiths, etc.) so all these corner cases do
in fact crop up.
Actually you are wrong, this is taken into account and you are not supposed to have technical
conflicts: each created XWiki user contains its LDAP DN in an object, and when a user
with the same uid after cleaning tries to connect, the LDAP DN is used to ensure it's
the right profile, and if not, an incremented counter will be appended to the new XWiki
profile name.
Note: This DN is also used to be able to change a user DN without changing its XWiki
uid or when you start using LDAP in an XWiki that used to be "standard" and you
want some of the existing user profiles to be linked to LDAP.
Is there some way to look at this ldap_dn object and/or edit it? I looked at the object
data for the user that I could see in the UI but didn't find it; I'm probably not looking in
the correct place.
Also, it appears that once you configure LDAP, you can't add
local users through the UI. I like to use local users for the
occasional group account or machine accounts.
That is supposed to work perfectly. That's why you have the
xwiki.authentication.ldap.trylocal property in xwiki.cfg
So local accounts that were created before I connected the system to LDAP work just fine
for logins. But I can't seem to create new local accounts; in looking at the logs it
seems like it is trying to direct everything to LDAP. Is there something I need to do to
tell XWiki to create a local account?
--
John Cavanaugh
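
The collision handling described in the thread (strip dots from the login, compare the stored LDAP DN, append a counter when the DN differs) can be modelled as below. This is an added example, not XWiki's code and not part of the original messages; the `ProfileStore` class, the `_N` suffix format, the case-insensitive DN comparison and the sample DNs are assumptions made for illustration.

```python
# Model of the login-to-profile mapping described in the thread.
# Not XWiki's implementation; names and suffix format are hypothetical.

def clean_uid(login: str) -> str:
    """Drop dots, as reported: john.chase@foo.com -> johnchase@foocom."""
    return login.replace(".", "")


class ProfileStore:
    """In-memory stand-in for user profiles that each record an LDAP DN."""

    def __init__(self):
        # profile name -> LDAP DN (None would mean a local, non-LDAP account)
        self.dn_by_profile = {}

    def resolve(self, login: str, ldap_dn: str) -> str:
        """Return the profile for an authenticated LDAP user, creating one if needed."""
        base = clean_uid(login)
        wanted = ldap_dn.lower()  # assumption: DNs compared case-insensitively
        candidate, counter = base, 0
        while candidate in self.dn_by_profile:
            stored = self.dn_by_profile[candidate]
            if stored is not None and stored.lower() == wanted:
                return candidate  # same DN: this is the user's existing profile
            # Name taken by a different DN (or a local account): try next suffix.
            counter += 1
            candidate = f"{base}_{counter}"  # assumption: suffix format
        self.dn_by_profile[candidate] = ldap_dn
        return candidate


# Constructed sample DNs for the two colliding uids from the thread.
DN_A = "uid=john.c.hase@foo.com,ou=People,dc=foo,dc=com"
DN_B = "uid=john.chase@foo.com,ou=People,dc=foo,dc=com"


def demo():
    store = ProfileStore()
    first = store.resolve("john.c.hase@foo.com", DN_A)
    second = store.resolve("john.chase@foo.com", DN_B)
    again = store.resolve("john.chase@foo.com", DN_B.upper())
    return first, second, again


if __name__ == "__main__":
    print(demo())
```

The point for access control is that the binding between a login and a profile rests on the stored DN, not on the cleaned name, so two people whose uids collapse to the same string never share a profile.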