On Tue, Dec 15, 2009 at 21:57, Milind Kamble <[email protected]> wrote:
> Thanks for your prompt reply Thomas. I really appreciate that. The issue
> XWIKI-2518 that you pointed out was exactly the solution I was thinking of.
> Meanwhile, I think that setting up the super group X should satisfy our needs.
>
> Just curious, why is it difficult to define an xwiki group consisting of
> subgroups and individuals? I thought that is already the way it works.

It's not technically very difficult, I just mean it makes the configuration more complex. You have to mix LDAP users and groups in the same list in the configuration, which is not very good for performance since you have to do an LDAP query for each element to know if it's a user or a group, or you need to introduce another parameter in the LDAP configuration (which already contains a lot) just for the list of users. It's nicer to handle it directly in LDAP because it's already supported there and it means you only have to go to LDAP to set authorizations for all applications, no need to change the XWiki configuration (plus modifying the xwiki.cfg file means restarting XWiki).

>
> Thanks
> Milind
>
> ----- Original Message ----
>> From: Thomas Mortagne <[email protected]>
>> To: XWiki Users <[email protected]>
>> Sent: Tue, December 15, 2009 2:29:53 PM
>> Subject: Re: [xwiki-users] Limitng registered users list to Ldap (Active Directory) groups mapped to XWiki groups
>>
>> On Tue, Dec 15, 2009 at 20:36, Milind Kamble wrote:
>> > Hi.
>> > I am evaluating XWiki's LDAP-based authentication capabilities. The
>> > intention is to have a locked-locked-light wiki instance for my group in a
>> > large AD-based corporate environment. The LDAP documentation in xwiki.cfg
>> > clarifies how to map LDAP groups to XWiki groups. However, for ease of ACL
>> > administration, I would like to treat only users belonging to
>> > xwiki.authentication.ldap.group_mapping as "registered" users and the rest
>> > of the users within the corporation as "Guests".
>> > Is there any way of achieving this mapping?
>> >
>> > Presently, I have set up the LDAP config to authenticate any user within
>> > the corporation using
>> > xwiki.authentication.ldap.user_group=cn=workers,ou=etc.etc.
>> >
>> > This causes every user to be treated as a registered user (after
>> > successful authentication of course).
>> >
>> > The only workaround I can see is to have an AD group (say X) that contains
>> > all the mapped groups specified in xwiki.authentication.ldap.group_mapping,
>> > but that requires X to be updated in sync with changes made to
>> > xwiki.authentication.ldap.group_mapping. If I can avoid the need for
>> > setting and maintaining X, that would be nice.
>>
>> Currently there is no other way I can think of, see
>> http://jira.xwiki.org/jira/browse/XWIKI-2518
>>
>> Note that generally in LDAP you can put groups into groups so you only
>> need to put the groups you have in group_mapping in your LDAP X group
>> so that maintaining it should not be too painful. The good thing is that
>> it's very clear in your LDAP who has the right to access the wiki
>> and you can exceptionally add a user that is not part of the mapping
>> groups, which is more complex to support at XWiki level.
>>
>> >
>> > Thanks,
>> > Milind
>> >
>> > _______________________________________________
>> > users mailing list
>> > [email protected]
>> > http://lists.xwiki.org/mailman/listinfo/users
>> >
>>
>> --
>> Thomas Mortagne

--
Thomas Mortagne
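
The super-group workaround discussed in this thread depends on group X staying in sync with `xwiki.authentication.ldap.group_mapping`. The following is an added example, not part of the original messages and not XWiki code, that audits that sync. It assumes `group_mapping` is a `|`-separated list of `XWikiGroup=LDAP DN` pairs and that the members of X are available as a list of DNs (for instance from an LDAP export); all DNs and group names are constructed.

```python
import re

# Constructed xwiki.cfg excerpt; DNs and XWiki group names are made up for illustration.
SAMPLE_CFG = r"""
# only members of the super group X may log in
xwiki.authentication.ldap.user_group=cn=wiki-users,ou=groups,dc=example,dc=com
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=wiki-admins,ou=groups,dc=example,dc=com|\
    XWiki.Editors=cn=team-a,ou=groups,dc=example,dc=com|\
    XWiki.Readers=cn=team-b,ou=groups,dc=example,dc=com
"""

# Constructed member list of X (cn=wiki-users), as an LDAP export might return it.
SAMPLE_X_MEMBERS = [
    "CN=wiki-admins,OU=Groups,DC=example,DC=com",
    "cn=team-a, ou=groups, dc=example, dc=com",
    "cn=jdoe,ou=people,dc=example,dc=com",  # individual exception added directly to X
]

def load_properties(text):
    """Parse key=value lines, joining backslash continuations and skipping comments."""
    props = {}
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def norm_dn(dn):
    """Case-fold and drop spaces around commas (simplified: no escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def mapped_group_dns(props):
    """Return the LDAP DN on the right-hand side of every group_mapping entry."""
    raw = props.get("xwiki.authentication.ldap.group_mapping", "")
    return {norm_dn(e.split("=", 1)[1]) for e in raw.split("|") if "=" in e}

def audit(cfg_text, x_members):
    """Return (mapped groups missing from X, members of X outside the mapping)."""
    mapped = mapped_group_dns(load_properties(cfg_text))
    members = {norm_dn(m) for m in x_members}
    return sorted(mapped - members), sorted(members - mapped)

if __name__ == "__main__":
    missing, extra = audit(SAMPLE_CFG, SAMPLE_X_MEMBERS)
    print("mapped groups not in X:", missing)
    print("members of X outside the mapping (review as exceptions):", extra)
```

Entries in the second list are not necessarily errors: they are the individually added users the thread mentions, and the report makes them visible for review.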
