Hi,

On Mon, Nov 10, 2008 at 9:41 PM, mtenhoor <[EMAIL PROTECTED]> wrote:
>
> Hi, I'm trying to implement xwiki for the first time in our environment.  We
> have an OpenLDAP server that I would like to use for authentication.  I have
> been able to get xwiki to authenticate via LDAP for users that already exist
> in the xwiki database, but there are a few things that still are not right.
>
> 1.  I can not log in to xwiki unless the user already exists in the xwiki
> database.  This would not be a problem (and in fact is probably preferred)
> except...


This is not the way XWiki LDAP authentication works: if the user can
authenticate on the LDAP server, the user is created and group membership
updated on the XWiki side. If that is not the case, I think the problem is
that the user can not even authenticate on the LDAP server and that there is a
configuration problem.

You should enable the debug log (see
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/Authentication#HEnableLDAPdebuglog).
You will get more details on what happens.

>
> 2.  When xwiki is configured to use LDAP, I can not add a user to the
> database.  I also can not change xwiki group membership or permissions for
> any user when xwiki is configured for LDAP.  Everything related to users
> seems to be locked while xwiki is on LDAP.

What do you mean? Do you get an error? LDAP has no effect on
rights management unless you use the "group_mapping" parameter for group
membership, and this option only synchronizes when the user logs in.

>
> 3.  Users can authenticate using their LDAP password or the password that is
> stored in the xwiki database.  I know that has to do with the
> 'xwiki.authentication.ldap.trylocal=1' setting, but without it, the
> login form gives no feedback as to why the login failed.  ex. "Wrong user
> name" etc.
>
> Right now it seems to me that the only way for me to add a new user to xwiki
> would be to:
>
> 1. take xwiki off LDAP
> 2. add user to xwiki database
> 3. set permissions
> 4. put xwiki back on LDAP
>
> There has to be an easier way to do this.  Some of the threads I've been
> reading indicate that users are automatically created when authenticated via
> LDAP.  This would be fine with me as long as the default group had no
> permissions, and I could later assign the user to the appropriate group.
>
> I've included an excerpt from my xwiki.cfg file.  Please let me know if I'm
> doing something wrong.
>
> Thanks.
>
> FYI my xwiki version number is 1.6.1.13621
>
> -------------------
>
> Excerpt from xwiki.cfg:
>
>
> #-------------------------------------------------------------------------------------
> # LDAP
> #-------------------------------------------------------------------------------------
>
> #-# new LDAP authentication service
> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
>
> #-# Turn LDAP authentication on - otherwise only XWiki authentication
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap=1
>
> #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
> xwiki.authentication.ldap.server=192.168.xxx.xxx
> xwiki.authentication.ldap.port=389
>
> #-# LDAP login, empty = anonymous access, otherwise specify full dn
> #-# {0} is replaced with the username, {1} with the password
> xwiki.authentication.ldap.bind_DN=cn=manager,dc=[domain],dc=[TLD]
> xwiki.authentication.ldap.bind_pass=xxxxxxxxxxx
>
> #-# Force to check password after LDAP connection
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap.validate_password=0
>
> #-# only members of the following group will be verified in the LDAP
> #-# otherwise only users that are found after searching starting from the base_DN
> # xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
>
> #-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
> #-# only users not member of the following group can authenticate
> # xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
>
> #-# base DN for searches
> xwiki.authentication.ldap.base_DN=ou=Users,dc=percipenz,dc=com
>
> #-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
> xwiki.authentication.ldap.UID_attr=uid
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password" i$
> # xwiki.authentication.ldap.password_field=userPassword
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential LDAP groups classes. Separated by commas.
> # xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDi$
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential names of the LDAP groups fields containing the members. Separated by commas.
> # xwiki.authentication.ldap.group_memberfields=member,uniqueMember
>
> #-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
> #-# ldap_dn=dn  -- dn is set by class, caches dn in XWiki.user object for faster access
> xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=displayName,email=mail
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki accou$
> xwiki.authentication.ldap.update_user=1
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# maps XWiki groups to LDAP groups, separator is "|"
> # xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\
> # XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
> # xwiki.authentication.ldap.groupcache_expiration=21800
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# - create : synchronize group membership only when the user is first created
> #-# - always: synchronize on every login
> # xwiki.authentication.ldap.mode_group_sync=always
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
> xwiki.authentication.ldap.trylocal=1
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# SSL connection to LDAP server
> #-# 0: normal
> #-# 1: SSL
> # xwiki.authentication.ldap.ssl=0
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# The keystore file to use in SSL connection
> # xwiki.authentication.ldap.ssl.keystore=
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The java secure provider used in SSL connection
> # xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
>
> --
> View this message in context: 
> http://n2.nabble.com/New-users-and-LDAP-tp1482130p1482130.html
> Sent from the XWiki- Users mailing list archive at Nabble.com.
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
>



-- 
Thomas Mortagne
_______________________________________________
users mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/users
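An added example for this thread (not XWiki code, and not from either poster): a small Python checker that reads the LDAP section of an xwiki.cfg, including the "|\" continuation style used for group_mapping in the excerpt above, and reports the settings the thread touches on that widen the login attack surface: trylocal=1 (two valid passwords per user, as point 3 describes), a missing or 0 ssl setting (bind_pass and user passwords in clear text on port 389), an empty bind_DN (anonymous searches), and a group_mapping that hands XWiki.XWikiAdminGroup to an LDAP group. SAMPLE_CFG is constructed for the example; the host, DNs and password are placeholders.

```python
"""Added example for this thread (not XWiki code, not from either poster):
parse the LDAP section of an xwiki.cfg and report settings that widen the
authentication attack surface.  SAMPLE_CFG is constructed from the keys the
thread discusses, with placeholder host, DN and password values."""

LDAP = "xwiki.authentication.ldap"

# Constructed sample; the group_mapping entry uses the same "|\" continuation
# style as the excerpt in the thread.
SAMPLE_CFG = """\
#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
xwiki.authentication.ldap=1
xwiki.authentication.ldap.server=ldap.example.invalid
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.bind_DN=cn=manager,dc=example,dc=invalid
xwiki.authentication.ldap.bind_pass=PLACEHOLDER
xwiki.authentication.ldap.base_DN=ou=Users,dc=example,dc=invalid
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,dc=example,dc=invalid|\\
                                        XWiki.Organisation=cn=testers,ou=groups,dc=example,dc=invalid
xwiki.authentication.ldap.trylocal=1
# xwiki.authentication.ldap.ssl=0
"""


def parse_cfg(text):
    """Minimal reader for xwiki.cfg (Java-properties style): '#' comments,
    key=value lines, and a trailing backslash that continues the value on
    the next line with that line's leading whitespace dropped."""
    props = {}
    pending = ""

    def store(line):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            return
        key, sep, value = stripped.partition("=")
        if sep:
            props[key.strip()] = value.strip()

    for raw in text.splitlines():
        line = pending + (raw.lstrip() if pending else raw)
        pending = ""
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]
            continue
        store(line)
    if pending:
        store(pending)
    return props


def parse_group_mapping(value):
    """Split 'XWikiGroup=ldapDN|XWikiGroup=ldapDN' into a dict.  Only the
    first '=' separates the XWiki group from the DN; the DN keeps its own."""
    mapping = {}
    for entry in value.split("|"):
        entry = entry.strip()
        if entry:
            xwiki_group, _, ldap_dn = entry.partition("=")
            mapping[xwiki_group.strip()] = ldap_dn.strip()
    return mapping


def lint_ldap(props):
    """Return a list of findings for the LDAP settings discussed in the thread."""
    findings = []
    if props.get(LDAP) != "1":
        return findings  # LDAP authentication is off; nothing to review
    if props.get(LDAP + ".trylocal") == "1":
        findings.append(
            "trylocal=1: when LDAP rejects a login the same credentials are tried "
            "against the XWiki DB, so any local password on the user object stays "
            "valid even after the LDAP account is disabled")
    if props.get(LDAP + ".ssl", "0") != "1":
        findings.append(
            "ssl is not 1: bind_pass and every user's password cross the network "
            "in clear text on port " + props.get(LDAP + ".port", "389"))
    if props.get(LDAP + ".bind_DN", "") == "":
        findings.append("bind_DN is empty: directory searches run as anonymous")
    mapping = parse_group_mapping(props.get(LDAP + ".group_mapping", ""))
    for xwiki_group, ldap_dn in mapping.items():
        if xwiki_group == "XWiki.XWikiAdminGroup":
            findings.append(
                "group_mapping makes every member of " + ldap_dn +
                " a wiki admin; review who can edit that LDAP group")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap(parse_cfg(SAMPLE_CFG)):
        print("-", finding)
```

Running it against the constructed sample reports three findings; setting trylocal=0 and ssl=1 leaves only the admin-group note, which is a review item rather than a defect: whoever can edit the mapped LDAP group controls wiki admin membership, which is what Thomas means by group_mapping being the one LDAP option that touches rights.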