[xwiki-users] Limitng registered users list to Ldap (Active Directory) groups mapped to XWiki groups
15 Dec
2009
15 Dec
'09
8:36 p.m.
Hi.
I am evaluating XWiki's LDAP-based authentication capabilities. The intention is to
have a locked-locked-light wiki instance for my group in a large AD-based corporate
environment. The LDAP documentation in xwiki.cfg clarifies how to map LDAP groups to XWiki
groups. However, for ease of ACL administration, I would like to treat only users
belonging to xwiki.authentication.ldap.group_mapping as "registered" users and
the rest of the users within the corporation as "Guests".
Is there any way of achieving this mapping?
Presently, I have setup LDAP config to authenticate any user within the corporation using
xwiki.authentication.ldap.user_group=cn=workers,ou=etc.etc.
This causes every user to be treated as a registered user (after successful authentication
of course).
The only work around I can see is to have an AD group (say X) that contains all the mapped
groups specified in xwiki.authentication.ldap.group_mapping, but that requires X to be
updated in sync with changes made to xwiki.authentication.ldap.group_mapping. If I can
avoid the need for setting and maintaining X, that would be nice.
Thanks,
Milind
15 Dec
15 Dec
9:29 p.m.
On Tue, Dec 15, 2009 at 20:36, Milind Kamble <mbkads(a)yahoo.com> wrote:
Hi.
I am evaluating XWiki's LDAP-based authentication capabilities. The intention is to
have a locked-locked-light wiki instance for my group in a large AD-based corporate
environment. The LDAP documentation in xwiki.cfg clarifies how to map LDAP groups to XWiki
groups. However, for ease of ACL administration, I would like to treat only users
belonging to xwiki.authentication.ldap.group_mapping as "registered" users and
the rest of the users within the corporation as "Guests".
Is there any way of achieving this mapping?
Presently, I have setup LDAP config to authenticate any user within the corporation
using
xwiki.authentication.ldap.user_group=cn=workers,ou=etc.etc.
This causes every user to be treated as a registered user (after successful
authentication of course).
The only work around I can see is to have an AD group (say X) that contains all the
mapped groups specified in xwiki.authentication.ldap.group_mapping, but that requires X to
be updated in sync with changes made to xwiki.authentication.ldap.group_mapping. If I can
avoid the need for setting and maintaining X, that would be nice.
Currently there is no other way i can think of, see
http://jira.xwiki.org/jira/browse/XWIKI-2518
Note that generally in LDAP you can put groups into groups so you only
need to put the groups you have in group_mapping in your LDAP X group
so that maintain it should not be to painful. The good thing is that
it's very clear in your LDAP who has the right to access to the wiki
and you can exceptionally add a user that is not part of the mapping
groups which is more complex to support at XWiki level.
Thanks,
Milind
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
9:57 p.m.
Thanks for you prompt reply Thomas. I really appreciate that. The issue XWIKI-2518 that
you pointed out was exactly the solution I was thinking of. Meanwhile, I think that
setting up the super group X should satisfy our needs.
Just curiously, why is it difficult to define xwiki group consisting of subgroups and
individuals? I thought that is already the way it works.
Thanks
Milind
----- Original Message ----
From: Thomas Mortagne
<thomas.mortagne(a)xwiki.com>
To: XWiki Users <users(a)xwiki.org>
Sent: Tue, December 15, 2009 2:29:53 PM
Subject: Re: [xwiki-users] Limitng registered users list to Ldap (Active Directory)
groups mapped to XWiki groups
On Tue, Dec 15, 2009 at 20:36, Milind Kamble wrote:
Hi.
I am evaluating XWiki's LDAP-based authentication capabilities. The
intention is to have a locked-locked-light wiki instance for my group in a large
AD-based corporate environment. The LDAP documentation in xwiki.cfg clarifies
how to map LDAP groups to XWiki groups. However, for ease of ACL administration,
I would like to treat only users belonging to
xwiki.authentication.ldap.group_mapping as "registered" users and the rest of
the users within the corporation as "Guests".
Is there any way of achieving this mapping?
Presently, I have setup LDAP config to authenticate any user within the
corporation using
xwiki.authentication.ldap.user_group=cn=workers,ou=etc.etc.
This causes every user to be treated as a registered user (after successful
authentication of course).
The only work around I can see is to have an AD group (say X) that contains
all
the mapped groups specified in xwiki.authentication.ldap.group_mapping, but
that requires X to be updated in sync with changes made to
xwiki.authentication.ldap.group_mapping. If I can avoid the need for setting and
maintaining X, that would be nice.
Currently there is no other way i can think of, see
http://jira.xwiki.org/jira/browse/XWIKI-2518
Note that generally in LDAP you can put groups into groups so you only
need to put the groups you have in group_mapping in your LDAP X group
so that maintain it should not be to painful. The good thing is that
it's very clear in your LDAP who has the right to access to the wiki
and you can exceptionally add a user that is not part of the mapping
groups which is more complex to support at XWiki level.
Thanks,
Milind
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
10:06 p.m.
On Tue, Dec 15, 2009 at 21:57, Milind Kamble <mbkads(a)yahoo.com> wrote:
Thanks for you prompt reply Thomas. I really
appreciate that. The issue XWIKI-2518 that you pointed out was exactly the solution I was
thinking of. Meanwhile, I think that setting up the super group X should satisfy our
needs.
Just curiously, why is it difficult to define xwiki group consisting of subgroups and
individuals? I thought that is already the way it works.
It's not technically very difficult, I just mean it make the
configuration more complex. You have to mix LDAP users and groups in
the same list in the configuration which is not very good for
performance since you have to do a LDAP query for each element to know
if its a user or a group or you need to introduce another parameter in
LDAP configuration (which already contains a lot) just for the list of
users. It's nicer to handle it directly in LDAP because it's already
supported in there and it mean you only have to go to LDAP to set
authorizations for all applications, no need to change XWiki
configuration (plus modify xwiki.cfg file mean restart XWiki).
Thanks
Milind
----- Original Message ----
--
Thomas Mortagne
From: Thomas Mortagne
<thomas.mortagne(a)xwiki.com>
To: XWiki Users <users(a)xwiki.org>
Sent: Tue, December 15, 2009 2:29:53 PM
Subject: Re: [xwiki-users] Limitng registered users list to Ldap (Active Directory)
groups mapped to XWiki groups
On Tue, Dec 15, 2009 at 20:36, Milind Kamble wrote:
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
Hi.
I am evaluating XWiki's LDAP-based authentication capabilities. The
intention is to have a locked-locked-light wiki instance for my group in a large
AD-based corporate environment. The LDAP documentation in xwiki.cfg clarifies
how to map LDAP groups to XWiki groups. However, for ease of ACL administration,
I would like to treat only users belonging to
xwiki.authentication.ldap.group_mapping as "registered" users and the rest of
the users within the corporation as "Guests".
Is there any way of achieving this mapping?
Presently, I have setup LDAP config to authenticate any user within the
corporation using
xwiki.authentication.ldap.user_group=cn=workers,ou=etc.etc.
This causes every user to be treated as a registered user (after successful
authentication of course).
The only work around I can see is to have an AD group (say X) that contains
all
the mapped groups specified in xwiki.authentication.ldap.group_mapping, but
that requires X to be updated in sync with changes made to
xwiki.authentication.ldap.group_mapping. If I can avoid the need for setting and
maintaining X, that would be nice.
Currently there is no other way i can think of, see
http://jira.xwiki.org/jira/browse/XWIKI-2518
Note that generally in LDAP you can put groups into groups so you only
need to put the groups you have in group_mapping in your LDAP X group
so that maintain it should not be to painful. The good thing is that
it's very clear in your LDAP who has the right to access to the wiki
and you can exceptionally add a user that is not part of the mapping
groups which is more complex to support at XWiki level.
Thanks,
Milind
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
5426
days inactive
5426
days old
3 comments
2 participants
participants (2)
-
Milind Kamble -
Thomas Mortagne