Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth
On Thu, Sep 24, 2015 at 4:09 AM, Debajit Adhikarywrote: > Thanks for the clarification, Thomas. > > Does LDAP group syncing work with Trusted LDAP? > > (I am able to log in using Trusted LDAP, and can see my LDAP details like > full-name and email address show up, but I am not able to get LDAP > group_mapping to work at all — so I'd like to confirm if it would work with > Trusted LDAP in the first place) Yep as far as I know it works. It's the exact same code than standard LDAP, basically most of Trusted LDAP job is to call standard LDA P authenticator with the right setting depending on REMOTE_USER domain. > > > > On Tue, Sep 22, 2015 at 11:59 PM, Thomas Mortagne > wrote: > >> On Wed, Sep 23, 2015 at 4:42 AM, Debajit Adhikary >> wrote: >> > Thanks, I was able to set it up successfully. >> > >> > I want to check if the currently logged-in user ($xwiki.getUser()) is a >> > member of a particular LDAP group. What is the best way to do this with >> the >> > "Trusted LDAP" setup? >> > >> > *Option 1:* >> > I could map the LDAP groups to XWiki groups. >> >> That would be the easiest I think. >> >> > >> > *Option 2:* >> > Can I do this dynamically without having to map the LDAP groups? (i.e. is >> > there an easy way to check if a user belongs to an LDAP group without >> > having to map the LDAP group to an XWiki group?) >> >> There is some more or less hidden APIs you can use for that (basically >> the tools used by the authenticator to synchronize LDAP Groups and >> XWiki Groups) but it's really not been written with Velocity scripting >> in mind. >> >> You can look at >> >> https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.java#L280 >> for an example of how to setup those tools (in Groovy for example). >> Then you can use APIs like XWikiLDAPUtils#getGroupMembers. >> >> > >> > >> > On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagne < >> thomas.morta...@xwiki.com >> >> wrote: >> > >> >> If you have an authenticator in front of XWiki that populate the >> >> REMOTE_USER request property you could use >> >> >> >> >> http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP >> >> which has been designed specifically for this use case. >> >> >> >> On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary >> >> wrote: >> >> > I have an XWiki setup that uses Kerberos for authentication. >> >> > >> >> > I would like to continue using Kerberos, but use LDAP groups for >> >> > controlling page access rights. >> >> > >> >> > How could I do this? >> >> > >> >> > (If you could point me in the right direction, or to any appropriate >> >> > documentation, that would be a big help) >> >> > >> >> > Thanks in advance >> >> > —Debajit >> >> > ___ >> >> > users mailing list >> >> > users@xwiki.org >> >> > http://lists.xwiki.org/mailman/listinfo/users >> >> >> >> >> >> >> >> -- >> >> Thomas Mortagne >> >> ___ >> >> users mailing list >> >> users@xwiki.org >> >> http://lists.xwiki.org/mailman/listinfo/users >> >> >> > ___ >> > users mailing list >> > users@xwiki.org >> > http://lists.xwiki.org/mailman/listinfo/users >> >> >> >> -- >> Thomas Mortagne >> ___ >> users mailing list >> users@xwiki.org >> http://lists.xwiki.org/mailman/listinfo/users >> > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth
On Wed, Sep 23, 2015 at 4:42 AM, Debajit Adhikarywrote: > Thanks, I was able to set it up successfully. > > I want to check if the currently logged-in user ($xwiki.getUser()) is a > member of a particular LDAP group. What is the best way to do this with the > "Trusted LDAP" setup? > > *Option 1:* > I could map the LDAP groups to XWiki groups. That would be the easiest I think. > > *Option 2:* > Can I do this dynamically without having to map the LDAP groups? (i.e. is > there an easy way to check if a user belongs to an LDAP group without > having to map the LDAP group to an XWiki group?) There is some more or less hidden APIs you can use for that (basically the tools used by the authenticator to synchronize LDAP Groups and XWiki Groups) but it's really not been written with Velocity scripting in mind. You can look at https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.java#L280 for an example of how to setup those tools (in Groovy for example). Then you can use APIs like XWikiLDAPUtils#getGroupMembers. > > > On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagne > wrote: > >> If you have an authenticator in front of XWiki that populate the >> REMOTE_USER request property you could use >> >> http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP >> which has been designed specifically for this use case. >> >> On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary >> wrote: >> > I have an XWiki setup that uses Kerberos for authentication. >> > >> > I would like to continue using Kerberos, but use LDAP groups for >> > controlling page access rights. >> > >> > How could I do this? >> > >> > (If you could point me in the right direction, or to any appropriate >> > documentation, that would be a big help) >> > >> > Thanks in advance >> > —Debajit >> > ___ >> > users mailing list >> > users@xwiki.org >> > http://lists.xwiki.org/mailman/listinfo/users >> >> >> >> -- >> Thomas Mortagne >> ___ >> users mailing list >> users@xwiki.org >> http://lists.xwiki.org/mailman/listinfo/users >> > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth
Thanks for the clarification, Thomas. Does LDAP group syncing work with Trusted LDAP? (I am able to log in using Trusted LDAP, and can see my LDAP details like full-name and email address show up, but I am not able to get LDAP group_mapping to work at all — so I'd like to confirm if it would work with Trusted LDAP in the first place) On Tue, Sep 22, 2015 at 11:59 PM, Thomas Mortagnewrote: > On Wed, Sep 23, 2015 at 4:42 AM, Debajit Adhikary > wrote: > > Thanks, I was able to set it up successfully. > > > > I want to check if the currently logged-in user ($xwiki.getUser()) is a > > member of a particular LDAP group. What is the best way to do this with > the > > "Trusted LDAP" setup? > > > > *Option 1:* > > I could map the LDAP groups to XWiki groups. > > That would be the easiest I think. > > > > > *Option 2:* > > Can I do this dynamically without having to map the LDAP groups? (i.e. is > > there an easy way to check if a user belongs to an LDAP group without > > having to map the LDAP group to an XWiki group?) > > There is some more or less hidden APIs you can use for that (basically > the tools used by the authenticator to synchronize LDAP Groups and > XWiki Groups) but it's really not been written with Velocity scripting > in mind. > > You can look at > > https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.java#L280 > for an example of how to setup those tools (in Groovy for example). > Then you can use APIs like XWikiLDAPUtils#getGroupMembers. > > > > > > > On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagne < > thomas.morta...@xwiki.com > >> wrote: > > > >> If you have an authenticator in front of XWiki that populate the > >> REMOTE_USER request property you could use > >> > >> > http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP > >> which has been designed specifically for this use case. > >> > >> On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary > >> wrote: > >> > I have an XWiki setup that uses Kerberos for authentication. > >> > > >> > I would like to continue using Kerberos, but use LDAP groups for > >> > controlling page access rights. > >> > > >> > How could I do this? > >> > > >> > (If you could point me in the right direction, or to any appropriate > >> > documentation, that would be a big help) > >> > > >> > Thanks in advance > >> > —Debajit > >> > ___ > >> > users mailing list > >> > users@xwiki.org > >> > http://lists.xwiki.org/mailman/listinfo/users > >> > >> > >> > >> -- > >> Thomas Mortagne > >> ___ > >> users mailing list > >> users@xwiki.org > >> http://lists.xwiki.org/mailman/listinfo/users > >> > > ___ > > users mailing list > > users@xwiki.org > > http://lists.xwiki.org/mailman/listinfo/users > > > > -- > Thomas Mortagne > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users > ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth
Thanks, I was able to set it up successfully. I want to check if the currently logged-in user ($xwiki.getUser()) is a member of a particular LDAP group. What is the best way to do this with the "Trusted LDAP" setup? *Option 1:* I could map the LDAP groups to XWiki groups. *Option 2:* Can I do this dynamically without having to map the LDAP groups? (i.e. is there an easy way to check if a user belongs to an LDAP group without having to map the LDAP group to an XWiki group?) On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagnewrote: > If you have an authenticator in front of XWiki that populate the > REMOTE_USER request property you could use > > http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP > which has been designed specifically for this use case. > > On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary > wrote: > > I have an XWiki setup that uses Kerberos for authentication. > > > > I would like to continue using Kerberos, but use LDAP groups for > > controlling page access rights. > > > > How could I do this? > > > > (If you could point me in the right direction, or to any appropriate > > documentation, that would be a big help) > > > > Thanks in advance > > —Debajit > > ___ > > users mailing list > > users@xwiki.org > > http://lists.xwiki.org/mailman/listinfo/users > > > > -- > Thomas Mortagne > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users > ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth
If you have an authenticator in front of XWiki that populate the REMOTE_USER request property you could use http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP which has been designed specifically for this use case. On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikarywrote: > I have an XWiki setup that uses Kerberos for authentication. > > I would like to continue using Kerberos, but use LDAP groups for > controlling page access rights. > > How could I do this? > > (If you could point me in the right direction, or to any appropriate > documentation, that would be a big help) > > Thanks in advance > —Debajit > ___ > users mailing list > users@xwiki.org > http://lists.xwiki.org/mailman/listinfo/users -- Thomas Mortagne ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users
[xwiki-users] Using LDAP for page access rights with Kerberos auth
I have an XWiki setup that uses Kerberos for authentication. I would like to continue using Kerberos, but use LDAP groups for controlling page access rights. How could I do this? (If you could point me in the right direction, or to any appropriate documentation, that would be a big help) Thanks in advance —Debajit ___ users mailing list users@xwiki.org http://lists.xwiki.org/mailman/listinfo/users