Thanks for your prompt reply, Thomas. I really appreciate that. The issue XWIKI-2518 that
you pointed out was exactly the solution I was thinking of. Meanwhile, I think that
setting up the super group X should satisfy our needs.
Just curious, why is it difficult to define an xwiki group consisting of subgroups and
individuals? I thought that is already the way it works.
Thanks
Milind
----- Original Message ----
From: Thomas Mortagne <thomas.mortagne(a)xwiki.com>
To: XWiki Users <users(a)xwiki.org>
Sent: Tue, December 15, 2009 2:29:53 PM
Subject: Re: [xwiki-users] Limitng registered users list to Ldap (Active Directory)
groups mapped to XWiki groups
On Tue, Dec 15, 2009 at 20:36, Milind Kamble wrote:
Hi.
I am evaluating XWiki's LDAP-based authentication capabilities. The
intention is to have a locked-locked-light wiki instance for my group in a large
AD-based corporate environment. The LDAP documentation in xwiki.cfg clarifies
how to map LDAP groups to XWiki groups. However, for ease of ACL administration,
I would like to treat only users belonging to
xwiki.authentication.ldap.group_mapping as "registered" users and the rest of
the users within the corporation as "Guests".
Is there any way of achieving this mapping?
Presently, I have set up LDAP config to authenticate any user within the
corporation using
xwiki.authentication.ldap.user_group=cn=workers,ou=etc.etc.
This causes every user to be treated as a registered user (after successful
authentication of course).
The only workaround I can see is to have an AD group (say X) that contains all
the mapped groups specified in xwiki.authentication.ldap.group_mapping, but
that requires X to be updated in sync with changes made to
xwiki.authentication.ldap.group_mapping. If I can avoid the need for setting and
maintaining X, that would be nice.
Currently there is no other way I can think of, see
http://jira.xwiki.org/jira/browse/XWIKI-2518
Note that generally in LDAP you can put groups into groups, so you only
need to put the groups you have in group_mapping in your LDAP X group,
so maintaining it should not be too painful. The good thing is that
it's very clear in your LDAP who has the right to access the wiki
and you can exceptionally add a user that is not part of the mapping
groups, which is more complex to support at XWiki level.
Thanks,
Milind
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
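The thread's concern is that the super group X must be kept in sync with xwiki.authentication.ldap.group_mapping. The following drift check is an added example, not code from the thread or from XWiki. It assumes group_mapping holds `XWikiGroup=LDAP DN` pairs separated by `|`, and that the direct members of X have already been fetched from the directory; all DNs and function names are constructed.

```python
import re

# Constructed sample: the relevant xwiki.cfg lines (all DNs are made up).
SAMPLE_CFG = r"""
xwiki.authentication.ldap.user_group=cn=X,ou=groups,dc=example,dc=com
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=wiki-admins,ou=groups,dc=example,dc=com|\
    XWiki.TeamGroup=CN=team-a, OU=groups, DC=example, DC=com|\
    XWiki.TeamGroup=cn=team-b,ou=groups,dc=example,dc=com
"""
# Constructed sample: direct members of X, as an LDAP query on X would list them.
SAMPLE_X_MEMBERS = [
    "CN=wiki-admins,OU=groups,DC=example,DC=com",
    "CN=team-a,OU=groups,DC=example,DC=com",
    "CN=old-team,OU=groups,DC=example,DC=com",  # no longer in group_mapping
    "CN=jdoe,OU=people,DC=example,DC=com",      # individual added as an exception
]

def norm_dn(dn):
    """Lower-case and drop spaces around ',' and '=' (simplified: ignores escaped commas)."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def read_property(cfg_text, key):
    """Return the value of key, joining backslash-continued lines first."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", cfg_text)
    for line in joined.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None

def mapped_ldap_groups(cfg_text):
    """LDAP DNs on the right-hand side of each 'XWikiGroup=LDAP DN' pair."""
    raw = read_property(cfg_text, "xwiki.authentication.ldap.group_mapping") or ""
    dns = set()
    for pair in filter(None, (p.strip() for p in raw.split("|"))):
        _xwiki_group, _, ldap_dn = pair.partition("=")
        dns.add(norm_dn(ldap_dn))
    return dns

def drift(cfg_text, x_members):
    """Return (mapped groups missing from X, members of X that are not mapped)."""
    mapped = mapped_ldap_groups(cfg_text)
    members = {norm_dn(m) for m in x_members}
    return sorted(mapped - members), sorted(members - mapped)

if __name__ == "__main__":
    missing, extra = drift(SAMPLE_CFG, SAMPLE_X_MEMBERS)
    print("mapped but not in X:", missing, "| in X but not mapped:", extra)
```

Entries in the second list are not necessarily errors: they include any individual deliberately added to X, so they are a review list rather than a removal list.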