Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth

[Thomas Mortagne]

On Thu, Sep 24, 2015 at 4:09 AM, Debajit Adhikary  wrote:
> Thanks for the clarification, Thomas.
>
> Does LDAP group syncing work with Trusted LDAP?
>
> (I am able to log in using Trusted LDAP, and can see my LDAP details like
> full-name and email address show up, but I am not able to get LDAP
> group_mapping to work at all — so I'd like to confirm if it would work with
> Trusted LDAP in the first place)

Yep as far as I know it works. It's the exact same code than standard
LDAP, basically most of Trusted LDAP job is to call standard LDA P
authenticator with the right setting depending on REMOTE_USER domain.

>
>
>
> On Tue, Sep 22, 2015 at 11:59 PM, Thomas Mortagne > wrote:
>
>> On Wed, Sep 23, 2015 at 4:42 AM, Debajit Adhikary 
>> wrote:
>> > Thanks, I was able to set it up successfully.
>> >
>> > I want to check if the currently logged-in user ($xwiki.getUser()) is a
>> > member of a particular LDAP group. What is the best way to do this with
>> the
>> > "Trusted LDAP" setup?
>> >
>> > *Option 1:*
>> > I could map the LDAP groups to XWiki groups.
>>
>> That would be the easiest I think.
>>
>> >
>> > *Option 2:*
>> > Can I do this dynamically without having to map the LDAP groups? (i.e. is
>> > there an easy way to check if a user belongs to an LDAP group without
>> > having to map the LDAP group to an XWiki group?)
>>
>> There is some more or less hidden APIs you can use for that (basically
>> the tools used by the authenticator to synchronize LDAP Groups and
>> XWiki Groups) but it's really not been written with Velocity scripting
>> in mind.
>>
>> You can look at
>>
>> https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.java#L280
>> for an example of how to setup those tools (in Groovy for example).
>> Then you can use APIs like XWikiLDAPUtils#getGroupMembers.
>>
>> >
>> >
>> > On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagne <
>> thomas.morta...@xwiki.com
>> >> wrote:
>> >
>> >> If you have an authenticator in front of XWiki that populate the
>> >> REMOTE_USER request property you could use
>> >>
>> >>
>> http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP
>> >> which has been designed specifically for this use case.
>> >>
>> >> On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary 
>> >> wrote:
>> >> > I have an XWiki setup that uses Kerberos for authentication.
>> >> >
>> >> > I would like to continue using Kerberos, but use LDAP groups for
>> >> > controlling page access rights.
>> >> >
>> >> > How could I do this?
>> >> >
>> >> > (If you could point me in the right direction, or to any appropriate
>> >> > documentation, that would be a big help)
>> >> >
>> >> > Thanks in advance
>> >> > —Debajit
>> >> > ___
>> >> > users mailing list
>> >> > users@xwiki.org
>> >> > http://lists.xwiki.org/mailman/listinfo/users
>> >>
>> >>
>> >>
>> >> --
>> >> Thomas Mortagne
>> >> ___
>> >> users mailing list
>> >> users@xwiki.org
>> >> http://lists.xwiki.org/mailman/listinfo/users
>> >>
>> > ___
>> > users mailing list
>> > users@xwiki.org
>> > http://lists.xwiki.org/mailman/listinfo/users
>>
>>
>>
>> --
>> Thomas Mortagne
>> ___
>> users mailing list
>> users@xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users
>>
> ___
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users



-- 
Thomas Mortagne
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users

Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth

[Thomas Mortagne]

On Wed, Sep 23, 2015 at 4:42 AM, Debajit Adhikary  wrote:
> Thanks, I was able to set it up successfully.
>
> I want to check if the currently logged-in user ($xwiki.getUser()) is a
> member of a particular LDAP group. What is the best way to do this with the
> "Trusted LDAP" setup?
>
> *Option 1:*
> I could map the LDAP groups to XWiki groups.

That would be the easiest I think.

>
> *Option 2:*
> Can I do this dynamically without having to map the LDAP groups? (i.e. is
> there an easy way to check if a user belongs to an LDAP group without
> having to map the LDAP group to an XWiki group?)

There is some more or less hidden APIs you can use for that (basically
the tools used by the authenticator to synchronize LDAP Groups and
XWiki Groups) but it's really not been written with Velocity scripting
in mind.

You can look at
https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.java#L280
for an example of how to setup those tools (in Groovy for example).
Then you can use APIs like XWikiLDAPUtils#getGroupMembers.

>
>
> On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagne > wrote:
>
>> If you have an authenticator in front of XWiki that populate the
>> REMOTE_USER request property you could use
>>
>> http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP
>> which has been designed specifically for this use case.
>>
>> On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary 
>> wrote:
>> > I have an XWiki setup that uses Kerberos for authentication.
>> >
>> > I would like to continue using Kerberos, but use LDAP groups for
>> > controlling page access rights.
>> >
>> > How could I do this?
>> >
>> > (If you could point me in the right direction, or to any appropriate
>> > documentation, that would be a big help)
>> >
>> > Thanks in advance
>> > —Debajit
>> > ___
>> > users mailing list
>> > users@xwiki.org
>> > http://lists.xwiki.org/mailman/listinfo/users
>>
>>
>>
>> --
>> Thomas Mortagne
>> ___
>> users mailing list
>> users@xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/users
>>
> ___
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users



-- 
Thomas Mortagne
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users

Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth

[Debajit Adhikary]

Thanks for the clarification, Thomas.

Does LDAP group syncing work with Trusted LDAP?

(I am able to log in using Trusted LDAP, and can see my LDAP details like
full-name and email address show up, but I am not able to get LDAP
group_mapping to work at all — so I'd like to confirm if it would work with
Trusted LDAP in the first place)



On Tue, Sep 22, 2015 at 11:59 PM, Thomas Mortagne  wrote:

> On Wed, Sep 23, 2015 at 4:42 AM, Debajit Adhikary 
> wrote:
> > Thanks, I was able to set it up successfully.
> >
> > I want to check if the currently logged-in user ($xwiki.getUser()) is a
> > member of a particular LDAP group. What is the best way to do this with
> the
> > "Trusted LDAP" setup?
> >
> > *Option 1:*
> > I could map the LDAP groups to XWiki groups.
>
> That would be the easiest I think.
>
> >
> > *Option 2:*
> > Can I do this dynamically without having to map the LDAP groups? (i.e. is
> > there an easy way to check if a user belongs to an LDAP group without
> > having to map the LDAP group to an XWiki group?)
>
> There is some more or less hidden APIs you can use for that (basically
> the tools used by the authenticator to synchronize LDAP Groups and
> XWiki Groups) but it's really not been written with Velocity scripting
> in mind.
>
> You can look at
>
> https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-core/xwiki-platform-ldap/xwiki-platform-ldap-authenticator/src/main/java/com/xpn/xwiki/user/impl/LDAP/XWikiLDAPAuthServiceImpl.java#L280
> for an example of how to setup those tools (in Groovy for example).
> Then you can use APIs like XWikiLDAPUtils#getGroupMembers.
>
> >
> >
> > On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagne <
> thomas.morta...@xwiki.com
> >> wrote:
> >
> >> If you have an authenticator in front of XWiki that populate the
> >> REMOTE_USER request property you could use
> >>
> >>
> http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP
> >> which has been designed specifically for this use case.
> >>
> >> On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary 
> >> wrote:
> >> > I have an XWiki setup that uses Kerberos for authentication.
> >> >
> >> > I would like to continue using Kerberos, but use LDAP groups for
> >> > controlling page access rights.
> >> >
> >> > How could I do this?
> >> >
> >> > (If you could point me in the right direction, or to any appropriate
> >> > documentation, that would be a big help)
> >> >
> >> > Thanks in advance
> >> > —Debajit
> >> > ___
> >> > users mailing list
> >> > users@xwiki.org
> >> > http://lists.xwiki.org/mailman/listinfo/users
> >>
> >>
> >>
> >> --
> >> Thomas Mortagne
> >> ___
> >> users mailing list
> >> users@xwiki.org
> >> http://lists.xwiki.org/mailman/listinfo/users
> >>
> > ___
> > users mailing list
> > users@xwiki.org
> > http://lists.xwiki.org/mailman/listinfo/users
>
>
>
> --
> Thomas Mortagne
> ___
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
>
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users

Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth

[Debajit Adhikary]

Thanks, I was able to set it up successfully.

I want to check if the currently logged-in user ($xwiki.getUser()) is a
member of a particular LDAP group. What is the best way to do this with the
"Trusted LDAP" setup?

*Option 1:*
I could map the LDAP groups to XWiki groups.

*Option 2:*
Can I do this dynamically without having to map the LDAP groups? (i.e. is
there an easy way to check if a user belongs to an LDAP group without
having to map the LDAP group to an XWiki group?)


On Fri, Sep 18, 2015 at 12:47 AM, Thomas Mortagne  wrote:

> If you have an authenticator in front of XWiki that populate the
> REMOTE_USER request property you could use
>
> http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP
> which has been designed specifically for this use case.
>
> On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary 
> wrote:
> > I have an XWiki setup that uses Kerberos for authentication.
> >
> > I would like to continue using Kerberos, but use LDAP groups for
> > controlling page access rights.
> >
> > How could I do this?
> >
> > (If you could point me in the right direction, or to any appropriate
> > documentation, that would be a big help)
> >
> > Thanks in advance
> > —Debajit
> > ___
> > users mailing list
> > users@xwiki.org
> > http://lists.xwiki.org/mailman/listinfo/users
>
>
>
> --
> Thomas Mortagne
> ___
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users
>
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users

Re: [xwiki-users] Using LDAP for page access rights with Kerberos auth

[Thomas Mortagne]

If you have an authenticator in front of XWiki that populate the
REMOTE_USER request property you could use
http://extensions.xwiki.org/xwiki/bin/view/Extension/XWiki+Authenticator+Trusted+LDAP
which has been designed specifically for this use case.

On Fri, Sep 18, 2015 at 3:05 AM, Debajit Adhikary  wrote:
> I have an XWiki setup that uses Kerberos for authentication.
>
> I would like to continue using Kerberos, but use LDAP groups for
> controlling page access rights.
>
> How could I do this?
>
> (If you could point me in the right direction, or to any appropriate
> documentation, that would be a big help)
>
> Thanks in advance
> —Debajit
> ___
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users



-- 
Thomas Mortagne
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users

[xwiki-users] Using LDAP for page access rights with Kerberos auth

[Debajit Adhikary]

I have an XWiki setup that uses Kerberos for authentication.

I would like to continue using Kerberos, but use LDAP groups for
controlling page access rights.

How could I do this?

(If you could point me in the right direction, or to any appropriate
documentation, that would be a big help)

Thanks in advance
—Debajit
___
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users