xwiki.authentication.ldap.bind_DN and xwiki.authentication.ldap.bind_pass dont have to be static. It's usually better to make them dynamic (no ned to put a clear asmin password in a configuraton file), the only use case where it's should be static IMO is whan users are not allowed to search or navigate in to group members. In the standard xwiki.cfg each field is documented, for example for user_search_fmt you have: #-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in #-# xwiki.authentication.ldap.bind_DN) #-# {0} is replaced with the user uid field name and {1} with the user name #-# The default is ({0}={1}) # xwiki.authentication.ldap.user_search_fmt=({0}={1}) Here is an example: if the LDAP user field containing the uid is "cn" and you are putting "toto" in the authentication form when you authenticate, XWiki will execute the following LDAP query to search for the user DN in the LDAP server: "cn=toto". Then by default (this is controled by validate_password property) it will validate the password by executing a LDAP bind with the found DN and the password you gave it in the authentication form (then it will go back to the configured bindDN/password to do the synchronization). I never saw anyone set a custom query in there (you don't have to set something when the bind DN is static). On Mon, Feb 8, 2016 at 3:14 PM, Frank Thommen <f.thommen(a)dkfz-heidelberg.de> wrote: -- Thomas Mortagne

On Mon, Feb 8, 2016 at 3:44 PM, Frank Thommen <f.thommen(a)dkfz-heidelberg.de> wrote: Yes 3 binds since bind is the most standard way to validate a LDAP user which work with all servers. -- Thomas Mortagne