On Thu, Feb 18, 2016 at 4:46 PM, Mark Sack <mark.sack(a)secti.al.gov.br> wrote:
> I have an existing instance of xwiki with some users and would like to
> convert it to authenticate against an Active Directory server. I tried
> setting up a new test instance of xwiki in a VM and was able to get it to
> authenticate against AD. But in the test, the user directory was empty
> (except for Admin) - so it created a new user at login. I'd appreciate some
> help on the next step of configuring the system so that an existing xwiki
> user authenticates against an existing AD entry.
The LDAP authenticator maintains a XWiki.LDAPProfileClass object in
each user profile containing the LDAP uid and DN. The first thing the
authenticator does is look at this object to check if the user
already exists, so ideally if you want to reuse the users you already
have you will need to add an object in all those users' profiles with
their LDAP uid in it (DN is not mandatory there, it will update it at
first login). There is no existing tool to do that so you will need to
write some script (or do it by hand depending on the scale).
* you can look at
http://platform.xwiki.org/xwiki/bin/view/DevGuide/Scripting for
documentation on how to write scripts in general in XWiki
* you can look at the end of
http://extensions.xwiki.org/xwiki/bin/view/Extension/Create+Page+With+Object
for an example of how to add an object in a document
* you can find in
http://extensions.xwiki.org/xwiki/bin/view/Extension/Query+Module
information on how to request documents, including an example to get
all documents with a user object in them (i.e. user profiles)
> I configured the test system as follows:
> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
> xwiki.authentication.ldap=1
> xwiki.authentication.ldap.server=servername
> xwiki.authentication.ldap.port=389
> xwiki.authentication.ldap.bind_DN=subdomain\\{0}
> xwiki.authentication.ldap.bind_pass={1}
> xwiki.authentication.ldap.base_DN=DC=subdomain,DC=domain
> xwiki.authentication.ldap.UID_attr=sAMAccountName
> xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
> xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
> xwiki.authentication.ldap.update_user=1
> xwiki.authentication.ldap.trylocal=0
>
> Other details that may or may not be relevant:
> - the AD login IDs contain periods, which are not allowed in the xwiki names.
> For the xwiki users that already exist, the login names are the same as
> those in AD except that the period is replaced by an underscore.
See what I explained about XWiki.LDAPProfileClass objects in profiles
above. I guess you will have to apply this rule to find out the LDAP
uid from the XWiki user name in some script.
> - there are xwiki 'users' with no corresponding entry in AD. Those xwiki
> entries should not be allowed to login.
Users created by the LDAP authenticator have an empty password, and users are
not allowed to authenticate with an empty password, so you could do the
same for those users. If you add them on the LDAP side later they will
work.
> - the exception to the above point is the Admin user. If I add one of the
> users with a corresponding AD entry to the Admin group, would that user be
> able to do everything that the Admin user can do?
Yes, the Admin user is not a special user, it just happens to be part of
the XWikiAdminGroup by default in XE.
> A nice to have would be to also bring the AD groupings/organizational units
> across to xwiki. Is there an easy way to do this?
You can do a mapping between XWiki groups and AD groups. See
xwiki.authentication.ldap.group_mapping property.
> --
> View this message in context:
> http://xwiki.475771.n2.nabble.com/Convert-existing-xwiki-instance-to-Active…
> Sent from the XWiki- Users mailing list archive at Nabble.com.
> _______________________________________________
> users mailing list
> users(a)xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
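The following is an added example of the migration script the reply describes; it is not code from the thread or from the XWiki project. It runs inside a `{{groovy}}` macro on a wiki page, uses the Query Module to list every profile carrying a XWiki.XWikiUsers object, derives the AD login from the wiki name with the underscore-for-period rule from the question, and then either adds the XWiki.LDAPProfileClass object (uid only, DN filled in at first login) or blanks the local password for profiles with no AD counterpart, as the reply suggests. Assumptions: the LDAPProfileClass property names `uid` and `dn`, the `knownLdapUids` list (a constructed stand-in for an export of sAMAccountName values from AD), and that a blank `password` property behaves as the reply says; run it with `dryRun = true` first and verify the lock-out on a test instance.

```groovy
{{groovy}}
// Added example (not from the thread or XWiki): link existing XWiki user
// profiles to their AD entries by adding the object the LDAP authenticator
// looks up, and disable local login for profiles that have no AD entry.
// Assumptions: LDAPProfileClass properties are "uid" and "dn"; knownLdapUids
// is a constructed stand-in for an export of sAMAccountName values from AD.
import com.xpn.xwiki.api.Document

def dryRun = true   // set to false once the printed report looks right

// Constructed sample of AD logins (sAMAccountName). Replace with a real export.
def knownLdapUids = ['john.smith', 'jane.doe', 'bob.jones'] as Set

// The thread's rule: '.' in the AD login became '_' in the wiki name, so reverse it.
def toLdapUid = { String wikiName -> wikiName.replace('_', '.') }

// Query Module: every document with a XWiki.XWikiUsers object is a user profile.
def profiles = services.query.xwql('from doc.object(XWiki.XWikiUsers) as user').execute()

def linked = [], locked = [], skipped = []
profiles.each { String fullName ->
  Document profile = xwiki.getDocument(fullName)
  String wikiName = profile.name

  // Admin keeps its local password; profiles already linked are left alone.
  if (wikiName == 'Admin' || profile.getObject('XWiki.LDAPProfileClass') != null) {
    skipped << wikiName
    return
  }

  String uid = toLdapUid(wikiName)
  if (knownLdapUids.contains(uid)) {
    // Profile has an AD counterpart: add the object the authenticator checks
    // first. The dn property is left empty; the authenticator updates it at
    // the first successful login.
    if (!dryRun) {
      def obj = profile.newObject('XWiki.LDAPProfileClass')
      obj.set('uid', uid)
      profile.save('Link profile to LDAP uid ' + uid)
    }
    linked << "${wikiName} -> ${uid}"
  } else {
    // No AD entry: put the account in the same state as LDAP-created users
    // (empty password), which the reply says cannot authenticate locally.
    if (!dryRun) {
      profile.getObject('XWiki.XWikiUsers').set('password', '')
      profile.save('Disable local login: no LDAP entry for ' + uid)
    }
    locked << wikiName
  }
}

println "Linked to LDAP (${linked.size()}): ${linked}"
println "Local login disabled (${locked.size()}): ${locked}"
println "Skipped (${skipped.size()}): ${skipped}"
{{/groovy}}
```

The script is idempotent: profiles that already carry a LDAPProfileClass object are skipped, so it can be re-run after adding accounts on the AD side. Because `xwiki.authentication.ldap.trylocal=0` is set in the quoted configuration, the blanked local password is a second line of defence rather than the only one; it matters if trylocal is ever turned back on.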