[xwiki-users] New users and LDAP

Hi, I'm trying to implement xwiki for the first time in our environment. We have an OpenLDAP server that I would like to use for authentication. I have been able to get xwiki to authenticate via LDAP for users that already exist in the xwiki database, but there are a few things that still are not right. 1. I can not log in to xwiki unless the user already exists in the xwiki database. This would not be a problem (and in fact is probably prefered) except... 2. When xwiki is configured to use LDAP, I can not add a user to the database. I also can not change xwiki group membership or permissions for any user when xwiki is configured for LDAP. Everything related to users seems to be locked while xwiki is on LDAP. 3. Users can authenticate using their LDAP password or the password that is stored in the xwiki database. I know that has to do with the 'xwiki.authentication.ldap.trylocal=1' setting, but without that it, the login form gives no feedback as to why the login failed. ex. "Wrong user name" etc. Right now it seems to me that the only way for me to add a new user to xwiki would be to: 1. take xwiki off LDAP 2. add user to xwiki database 3. set permissions 4. put xwiki back on LDAP There has to be an easier way to do this. Some of the threads I've been reading indicate that users are automatically created when authenticated via LDAP. This would be fine with me as long as the default group had no permissions, and I could later assign the user to the appropriate group. I've included an excerpt from my xwiki.cfg file. Please let me know if I'm doing something wrong. Thanks. FYI my xwiki version number is 1.6.1.13621 ------------------- Excerpt from xwiki.cfg: #------------------------------------------------------------------------------------- # LDAP #------------------------------------------------------------------------------------- #-# new LDAP authentication service xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl #-# Turn LDAP authentication on - otherwise only XWiki authentication #-# 0: disable #-# 1: enable xwiki.authentication.ldap=1 #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.) xwiki.authentication.ldap.server=192.168.xxx.xxx xwiki.authentication.ldap.port=389 #-# LDAP login, empty = anonymous access, otherwise specify full dn #-# {0} is replaced with the username, {1} with the password xwiki.authentication.ldap.bind_DN=cn=manager,dc=[domain],dc=[TLD] xwiki.authentication.ldap.bind_pass=xxxxxxxxxxx #-# Force to check password after LDAP connection #-# 0: disable #-# 1: enable xwiki.authentication.ldap.validate_password=0 #-# only members of the following group will be verified in the LDAP #-# otherwise only users that are found after searching starting from the base_DN # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl] #-# only users not member of the following group can autheticate # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US #-# base DN for searches xwiki.authentication.ldap.base_DN=ou=Users,dc=percipenz,dc=com #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn) xwiki.authentication.ldap.UID_attr=uid #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" i$ # xwiki.authentication.ldap.password_field=userPassword #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The potential LDAP groups classes. Separated by commas. # xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDi$ #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The potential names of the LDAP groups fields containings the members. Separated by commas. # xwiki.authentication.ldap.group_memberfields=member,uniqueMember #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute) #-# ldap_dn=dn -- dn is set by class, caches dn in XWiki.user object for faster access xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=displayName,email=mail #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki accou$ xwiki.authentication.ldap.update_user=1 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# mapps XWiki groups to LDAP groups, separator is "|" # xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\ # XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6) # xwiki.authentication.ldap.groupcache_expiration=21800 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# - create : synchronize group membership only when the user is first created #-# - always: synchronize on every login # xwiki.authentication.ldap.mode_group_sync=always #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials xwiki.authentication.ldap.trylocal=1 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# SSL connection to LDAP server #-# 0: normal #-# 1: SSL # xwiki.authentication.ldap.ssl=0 #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl] #-# The keystore file to use in SSL connection # xwiki.authentication.ldap.ssl.keystore= #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl] #-# The java secure provider used in SSL connection # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider -- View this message in context: http://n2.nabble.com/New-users-and-LDAP-tp1482130p1482130.html Sent from the XWiki- Users mailing list archive at Nabble.com.