Hi,
On Mon, Nov 10, 2008 at 9:41 PM, mtenhoor <mtenhoor(a)percipenz.com> wrote:
Hi, I'm trying to implement xwiki for the first time in our environment. We
have an OpenLDAP server that I would like to use for authentication. I have
been able to get xwiki to authenticate via LDAP for users that already exist
in the xwiki database, but there are a few things that still are not right.
1. I can not log in to xwiki unless the user already exists in the xwiki
database. This would not be a problem (and in fact is probably prefered)
except...
This is not the way XWiki LDAP authentication works, if the user can
authenticate on LDAP server, the user is created and group membership
updated on XWiki side. If it's not the case if think the problem is
that user can not even authenticate on LDAP server and that there is a
configuration problem.
You should enable debug log (see
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableL…).
You will get more details on what append.
2. When xwiki is configured to use LDAP, I can not add a user to the
database. I also can not change xwiki group membership or permissions for
any user when xwiki is configured for LDAP. Everything related to users
seems to be locked while xwiki is on LDAP.
What do you mean ? Do you get an error ? LDAP has no incidence on
rights management unless you use "group_mapping" parameter for group
membership and this option only synchronize when the use logs in.
3. Users can authenticate using their LDAP password or the password that is
stored in the xwiki database. I know that has to do with the
'xwiki.authentication.ldap.trylocal=1' setting, but without that it, the
login form gives no feedback as to why the login failed. ex. "Wrong user
name" etc.
Right now it seems to me that the only way for me to add a new user to xwiki
would be to:
1. take xwiki off LDAP
2. add user to xwiki database
3. set permissions
4. put xwiki back on LDAP
There has to be an easier way to do this. Some of the threads I've been
reading indicate that users are automatically created when authenticated via
LDAP. This would be fine with me as long as the default group had no
permissions, and I could later assign the user to the appropriate group
I've included an excerpt from my xwiki.cfg file. Please let me know if I'm
doing something wrong.
Thanks.
FYI my xwiki version number is 1.6.1.13621
-------------------
Excerpt from xwiki.cfg:
#-------------------------------------------------------------------------------------
# LDAP
#-------------------------------------------------------------------------------------
#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=192.168.xxx.xxx
xwiki.authentication.ldap.port=389
#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the username, {1} with the password
xwiki.authentication.ldap.bind_DN=cn=manager,dc=[domain],dc=[TLD]
xwiki.authentication.ldap.bind_pass=xxxxxxxxxxx
#-# Force to check password after LDAP connection
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap.validate_password=0
#-# only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the
base_DN
#
xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# only users not member of the following group can autheticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
#-# base DN for searches
xwiki.authentication.ldap.base_DN=ou=Users,dc=percipenz,dc=com
#-# Specifies the LDAP attribute containing the identifier to be used as the
XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=uid
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used "when
xwiki.authentication.ldap.validate_password" i$
# xwiki.authentication.ldap.password_field=userPassword
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
#
xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDi$
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containings the members.
Separated by commas.
# xwiki.authentication.ldap.group_memberfields=member,uniqueMember
#-# retrieve the following fields from LDAP and store them in the XWiki user
object (xwiki-attribute=ldap-attribute)
#-# ldap_dn=dn -- dn is set by class, caches dn in XWiki.user object for
faster access
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=displayName,email=mail
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki otherwise
this happens only once when the XWiki accou$
xwiki.authentication.ldap.update_user=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# mapps XWiki groups to LDAP groups, separator is "|"
#
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\
#
XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from
LDAP (default=3600*6)
# xwiki.authentication.ldap.groupcache_expiration=21800
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first
created
#-# - always: synchronize on every login
# xwiki.authentication.ldap.mode_group_sync=always
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# if ldap authentication fails for any reason, try XWiki DB authentication
with the same credentials
xwiki.authentication.ldap.trylocal=1
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# 0: normal
#-# 1: SSL
# xwiki.authentication.ldap.ssl=0
#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
#
xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
--
View this message in context:
http://n2.nabble.com/New-users-and-LDAP-tp1482130p1482130.html
Sent from the XWiki- Users mailing list archive at
Nabble.com.
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
--
Thomas Mortagne