On Sat, Jun 6, 2009 at 6:56 AM, tmortagne (via Nabble) < ml-user+47511-112540235@n2.nabble.com<ml-user%2B47511-112540235@n2.nabble.com> > Hi, > > On Fri, Jun 5, 2009 at 18:33, Andawyr<andawyr@...<http://n2.nabble.com/user/SendEmail.jtp?type=node&node=3035230&i=0>> > > > > We've configured our XWiki instance to use a custom authentication plugin > to > > authenticate via a secure logon cookie. When the user signs in, > information > > pertaining to the user is fetched from Active Directory; note that this > is > > done as part of the plugin, and does not access A/D via XWiki. > > > > However, the side effect of this change is that a user has to access > XWiki > > once to get created in the local user space so they can then be added to > the > > various groups that have been created in the wiki. This is inconvenient > at > > best, and I would like to fix this. > > > > I found an interesting script in this post: > > > > http://n2.nabble.com/LDAP---importing-users-td506206.html#a506207 > > > > that provides a script to query LDAP via XWiki, and populate the local > user > > store with all A/D users. > > > > My question is: can I configure XWiki to use both the custom > authentication > > plugin, *and* configure LDAP access so I can use the above script to > > populate the database? > > > > If the above doesn't work, I can create a perl script that will generate > a > > script that I can put into a Wiki page, but that's not as nice as having > a > > canned script available the wiki that I can run at the click of a mouse. > > > > What you can do is extends the XWikiLDAPAuthServiceImpl authenticator, > do your custom part and let it do the LDAP part. All the methods are > protected so you can easily modify some parts of it's behavior if you > need. That way your custom authenticator is called but it can use the > XWiki standard LDAP authenticator (which will use the same > configuration it would use if it was the "main" authenticator) as a > tool. So, just to be clear, this will perform user searches directly against LDAP? Will there be any harm to manually inserting people into the XWiki user store ahead of implementing the new LDAP auth service class? I need to get users using the wiki asap, and I can't wait until I have the new auth service class implemented.... -- View this message in context: http://n2.nabble.com/Custom-authentication%2C-LDAP-configuration-tp3031494p… Sent from the XWiki- Users mailing list archive at Nabble.com.

tmortagne wrote: Maybe I haven't presented my issue clear enough, since I don't think you quite understand what I'm after. Or, maybe you do and I'm just not grocking your response. let me try again :-) Our current authentication class will do the following: - allow forms based login, if the wiki is accessed from outside the application that creates the SSO login cookie. - if the SSO login cookie exists, use the ID contained in the cookie to validate the user against LDAP. note that the password is not checked, since that has already been done by the containing application. So, when a user signs in for the first time and accesses the wiki, the user will be created in XWiki, and placed into the 'all users' group. On subsequent logins, user information is updated from LDAP. However, to properly configure groups to restrict access to various bits of wiki content, the users all need to sign into the application first before I can add them to the group, since searching as currently implemented does NOT search ldap; rather, it searches the local user database. I need to have user searching go against LDAP directly, so the restriction of forcing users to sign into the application first is not required. I hope that explains what I'm trying to do. -- View this message in context: http://n2.nabble.com/Custom-authentication%2C-LDAP-configuration-tp3031494p… Sent from the XWiki- Users mailing list archive at Nabble.com.