Hi Igor,
I have just analysed the ldap module and implemented a substitute.
There is only very little documentation on the existing component yet
that I know of.
Here is the summary of my research in this respect:
com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl:
First of all, this component is used for authentication only. It
does not implement support for roles / groups yet.
Examples of settings for this component that work for me are the
following. I have added comments giving some kind of explanation of
their behavior as I interpret it from my research. Any corrections or
enhancements are, of course, welcome from anyone.
# LDAP authenticator class (it is called for deciding who can log in)
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
# basic switch to get this class called at all
# Turn LDAP authentication on - otherwise XWiki authenticates against its database
xwiki.authentication.ldap=1
# standard LDAP settings:
# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=dsmaster
xwiki.authentication.ldap.port=389
# LDAP login, empty = anonymous access, otherwise specify full dn
# {0} is replaced with the username, {1} with the password - if you want to use the user's credentials to connect to LDAP
xwiki.authentication.ldap.bind_DN=cn={0},department=USER,...
xwiki.authentication.ldap.bind_pass={1}
# if necessary search for the LDAP user using this DN
xwiki.authentication.ldap.base_DN=o=MP
# default: checklevel = 2
# checklevel 0 => LDAP connection login to LDAP is sufficient
# checklevel 1 => login & username located, attributes loaded
# checklevel 2 => + compare password for user (e.g. necessary if the LDAP bind didn't use the user's credentials)
xwiki.authentication.ldap.check_level=1
# specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=cn
# When a user that is authenticated, but does not exist in XWiki, logs in, an account is created in XWiki. Only at that time is the given mapping used to set XWiki user fields based on the values of the user in the LDAP system.
# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
# name is used to identify the user in XWiki
# ldap_dn=dn -- dn is set by the code with the LDAP dn of the user and assigning it to ldap_dn caches the dn in the XWiki.user object for faster access
xwiki.authentication.ldap.fields_mapping=name=cn,last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn
I have just finished implementing an improvement to this module (you can
find it in JIRA as XWIKI-1079) but it is not fully tested.
In short its features are:
- A mapping of LDAP groups to XWiki groups
- synchronisation of LDAP attribute and groups at login
- caching of LDAP group members for a time
- limit access to XWiki to members of an LDAP group
(some more items are in the text with the JIRA issue.)
Here is an example of what the settings for the new authenticator look
like:
# new LDAP authenticator
xwiki.authentication.authclass=com.xpn.xwiki.ldap.authentication.LDAPAuthentcater
# Turn LDAP authentication on - otherwise only XWiki authentication
xwiki.authentication.ldap=1
# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=...
xwiki.authentication.ldap.port=389
# LDAP login, empty = anonymous access, otherwise specify full dn
# {0} is replaced with the username, {1} with the password
xwiki.authentication.ldap.base_DN=
xwiki.authentication.ldap.bind_pass=
# example:
#xwiki.authentication.ldap.bind_DN=cn={0},department=USER,...
#xwiki.authentication.ldap.bind_pass={1}
# only members of the following group will be verified in the LDAP,
# otherwise only users that are found after searching starting from the base_DN
xwiki.authentication.ldap.group=cn=developer,...
# base DN for searches
xwiki.authentication.ldap.base_DN=
# specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=cn
# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn
# ldap_dn=dn -- dn is set by the class, caches the dn in the XWiki.user object for faster access,
# the XWiki user name is always the login name and does not need to be set
# on every login update the mapped attributes from LDAP to XWiki, otherwise this happens only once when the XWiki account is created.
xwiki.authentication.ldap.update_user=1
# maps XWiki groups to LDAP groups (starting with _1)
xwiki.authentication.ldap.group_mapping_1=XWikiAdminGroup=cn=AdminRole,ou=...
xwiki.authentication.ldap.group_mapping_2=Organisation=cn=testers,ou=...
# create: synchronize group membership only when the user is first created, always: synchronize on every login
xwiki.authentication.ldap.mode_group_sync=always
Also, maybe useful to some readers are further xwiki.cfg settings for
the authentication:
Other parameters used by the authentication (with their defaults):
#xwiki.authentication.realname=XWiki
# explicitly for forms
#xwiki.authentication.defaultpage=/bin/view/Main/WebHome
#xwiki.authentication.loginpage=/bin/login/XWiki/XWikiLogin
#xwiki.authentication.logoutpage=/bin/logout/XWiki/XWikiLogout
#xwiki.authentication.errorpage=/bin/loginerror/XWiki/XWikiLogin
#xwiki.authentication.cookiepath
#xwiki.authentication.cookielife
#xwiki.authentication.protection
#xwiki.authentication.useip
#xwiki.authentication.encryptionalgorithm
#xwiki.authentication.encryptionmode
#xwiki.authentication.encryptionpadding
#xwiki.authentication.loginsubmitpage=/loginsubmit/XWiki/XWikiLogin
I cannot give you an explanation of these settings, but maybe someone
else can.
Finally, it would be great if you could help test the new
com.xpn.xwiki.ldap.authentication.LDAPAuthentcater component in a
variety of environments, since it appears that it could also be useful to
you.
Regards,
Gunter
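A small added illustration, not part of this mail and not XWiki code: an in-memory model of the bind, search and password-compare steps that the bind_DN/bind_pass and check_level settings above describe, followed by the application of fields_mapping and group_mapping. The directory entries, the service account cn=svc-xwiki, the group DNs and all passwords are constructed, and the directory is assumed to grant an RFC 4513 "unauthenticated" bind (a DN with an empty password), as many servers do unless configured otherwise.

```python
# Added illustration (not XWiki code): model of the check_level semantics.
# Directory contents, DNs, passwords and the service account are constructed.
from typing import Optional

# Constructed sample directory: DN -> attributes ("userPassword" is plaintext
# only because this dict stands in for a real LDAP server).
DIRECTORY = {
    "cn=alice,department=USER,o=MP": {
        "cn": "alice", "sn": "Liddell", "givenName": "Alice",
        "mail": "alice@example.org", "userPassword": "wonderland",
    },
    "cn=bob,department=USER,o=MP": {
        "cn": "bob", "sn": "Builder", "givenName": "Bob",
        "mail": "bob@example.org", "userPassword": "hardhat",
    },
    "cn=svc-xwiki,ou=services,o=MP": {"cn": "svc-xwiki", "userPassword": "s3cret"},
}
# Constructed group entries: group DN -> set of member DNs.
GROUPS = {
    "cn=AdminRole,ou=groups,o=MP": {"cn=alice,department=USER,o=MP"},
    "cn=developer,ou=groups,o=MP": {"cn=alice,department=USER,o=MP",
                                    "cn=bob,department=USER,o=MP"},
}


def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind. Empty DN = anonymous access. Assumption: like many servers
    (RFC 4513 sec. 5.1.2) the directory also accepts an unauthenticated bind
    when a DN is sent with an empty password, which authenticate() must avoid."""
    if dn == "" or password == "":
        return True
    return DIRECTORY.get(dn, {}).get("userPassword") == password


def ldap_search(base_dn: str, attr: str, value: str):
    """Subtree search: entries under base_dn whose attr equals value."""
    return [(dn, e) for dn, e in DIRECTORY.items()
            if dn.endswith(base_dn) and e.get(attr) == value]


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value spliced into a DN (the {0} in bind_DN)."""
    return "".join("\\" + c if c in '\\,+"<>;=' else c for c in value)


def authenticate(username: str, password: str, cfg: dict) -> Optional[dict]:
    """Return the XWiki user fields on success, None on failure."""
    if password == "":
        return None  # never let an empty password turn into an unauthenticated bind
    bind_dn = cfg["bind_DN"].replace("{0}", escape_dn_value(username))
    bind_pw = cfg["bind_pass"].replace("{1}", password)
    if not ldap_bind(bind_dn, bind_pw):
        return None
    level = cfg.get("check_level", 2)
    if level == 0:
        return {"name": username}  # level 0: a successful bind is sufficient
    hits = ldap_search(cfg["base_DN"], cfg["UID_attr"], username)
    if len(hits) != 1:
        return None  # level 1: username must be located (and be unambiguous)
    dn, entry = hits[0]
    if level >= 2 and entry.get("userPassword") != password:
        return None  # level 2: explicit password compare against the entry
    user = {"name": username}
    for pair in cfg["fields_mapping"].split(","):
        xwiki_field, ldap_attr = pair.split("=")
        user[xwiki_field] = dn if ldap_attr == "dn" else entry.get(ldap_attr)
    user["groups"] = [xg for xg, lg in cfg.get("group_mapping", [])
                      if dn in GROUPS.get(lg, ())]
    return user


# Bind with the user's own credentials (the {0}/{1} form shown in the mail).
CFG_USER_BIND = {
    "bind_DN": "cn={0},department=USER,o=MP", "bind_pass": "{1}",
    "base_DN": "o=MP", "UID_attr": "cn", "check_level": 1,
    "fields_mapping": "last_name=sn,first_name=givenName,email=mail,ldap_dn=dn",
    "group_mapping": [("XWikiAdminGroup", "cn=AdminRole,ou=groups,o=MP"),
                      ("Organisation", "cn=developer,ou=groups,o=MP")],
}
# Bind with a fixed service account (constructed): the user's password never
# reaches LDAP unless check_level 2 forces the compare.
CFG_SERVICE_BIND = {**CFG_USER_BIND,
                    "bind_DN": "cn=svc-xwiki,ou=services,o=MP", "bind_pass": "s3cret"}
CFG_SERVICE_LEVEL0 = {**CFG_SERVICE_BIND, "check_level": 0}
CFG_SERVICE_LEVEL2 = {**CFG_SERVICE_BIND, "check_level": 2}

if __name__ == "__main__":
    for name, cfg in [("user bind, level 1", CFG_USER_BIND),
                      ("service bind, level 0", CFG_SERVICE_LEVEL0),
                      ("service bind, level 1", CFG_SERVICE_BIND),
                      ("service bind, level 2", CFG_SERVICE_LEVEL2)]:
        print(name, "-> wrong password accepted:",
              authenticate("alice", "wrong", cfg) is not None)
```

Run stand-alone, the script shows the point behind the "necessary if the LDAP bind didn't use the user's credentials" remark: with a fixed service-account bind, check_level 0 and 1 accept a wrong password, because the user's password is never presented to LDAP at all, and only check_level 2 (or a bind_DN/bind_pass built from {0}/{1}) actually verifies it. The login name is RFC 4514-escaped before being spliced into bind_DN so that a name containing "," cannot alter the DN; whether the XWiki module does that is not stated in the mail.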
>> <igor_ti(a)yahoo.com.br> 13.04.2007 16:38
>>>
Hi people,
I am using XWiki with LDAP authentication, and it's fine, but I can't
figure out how to make the authorization process.
Inside xwiki.cfg I have a key (xwiki.authentication.ldap.fields_mapping)
where I make the ldap mapping for xwiki, so I map xwiki "name" to my
ldap return key and so on; what I need to know is which xwiki key
I have to map my ldap role field to?
Or do I need to use something else to configure Roles?
If someone has the link for the doc that explains it, please send me.
Please, if anyone doesn't understand my question, tell me, I will try to
express myself better :-)
Regards,
Igor Regis