On Mon, Jun 28, 2010 at 18:39, John Cavanaugh <[email protected]> wrote:
> Folks,
>
> I'm looking for some assistance here in getting LDAP configured properly.
> In the past I've successfully enabled LDAP for other applications we use
> (Coverity, XPlanner, Hudson, Reviewboard), but XWiki has proven to be quite
> difficult.
>
> I am trying to configure & connect with the following:
>
> - to a generic LDAP server (i.e. not Active Directory)
>
> - In our particular instance uid is the manner in which people log in,
> and this uid happens to be a fully qualified email address
>
> - I want people to log in with this uid ([email protected])
>
> - I would like to use an LDAP filter to determine who can log in
>
> I have been able to log in with the configuration below as a proof of concept
> to prove SSL is working etc.  But there are several things here blocking me
> from moving forward; I'm hoping there is a way to reconfigure or file a
> defect/enhancement to get the implementation changed.
>
> - The xwiki.authentication.ldap.exclude_group &
> xwiki.authentication.ldap.user_group.  We don't have a group in ou=Groups
> that has all the people in our organization, so there's no way to use the
> user_group field.  Is there some way to instead use a filter query?

No that is not supported. But patches are welcomed ;)

>
> - The xwiki.authentication.ldap.UID_attr field: it seems like I should
> want to leave it as cn, but I was unable to get it to work unless I set it to
> uid, because it appears that the queries into LDAP are hardcoded to use cn
> otherwise.  But using uid as the username in XWiki creates accounts like
> firstnamelastn...@hpcom where all the .'s have been eliminated.

The description in xwiki.cfg is actually not very good. UID_attr is
not used to choose the XWiki user name; the XWiki user name is always
created based on what the user provided in the login form. UID_attr is
used to search for the user in the LDAP server or to manage LDAP group
membership.

> Unfortunately, with the strategy employed here there is no way to ensure that
> the username mapping is unique, because just dropping the .'s can lead to
> conflicts. Consider for example the following uids: [email protected]
> and [email protected] both get reduced to johnch...@foocom.  I know you
> are thinking, geez, that will never happen.  Unfortunately, with lots of
> employees we have LOTS of multiple names (we must have like 20+ Tom
> Smiths, etc.), so all these corner cases do in fact crop up.

Actually you are wrong: this is taken into account and you are not
supposed to have technical conflicts. Each created XWiki user contains
its LDAP DN in an object, and when a user with the same uid after
cleaning tries to connect, the LDAP DN is used to ensure it's the right
profile; if not, an incremented counter will be appended to the new
XWiki profile name.

Note: this DN is also used to be able to change a user's DN without
changing their XWiki uid, or when you start using LDAP in an XWiki that
used to be "standard" and you want some of the existing user profiles
to be linked to LDAP.

>
> - Also it appears that once you configure LDAP, you can't add local
> users through the UI.  I like to use local users for the occasional group
> account or machine accounts.

That is supposed to work perfectly. That's why you have the
xwiki.authentication.ldap.trylocal property in xwiki.cfg.

>
> At this point, with all these challenges, as much as I want to I can't roll out
> XWiki to our org.  Any help on these issues would be much appreciated.
>
> As a reference I would suggest taking a look at Hudson CI.  Configuring
> Hudson to use LDAP is *very* simple & covers all the features I've ever
> needed in the past.  As an example I can configure the user search filter
> to be "(&(&(objectClass=person)(hpOrganizationChartAcronym=C_OR))(uid={0}))"
> to do the filtering by group etc.
>
> ############################################################################
>
> #-# new LDAP authentication service
> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
>
> #-# Turn LDAP authentication on - otherwise only XWiki authentication
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap=1
>
> #-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
> xwiki.authentication.ldap.server=ldap.hp.com
> xwiki.authentication.ldap.port=636
>
> #-# LDAP login, empty = anonymous access, otherwise specify full dn
> #-# {0} is replaced with the username, {1} with the password
> xwiki.authentication.ldap.bind_DN=
> xwiki.authentication.ldap.bind_pass=
>
> #-# Force to check password after LDAP connection
> #-# 0: disable
> #-# 1: enable
> xwiki.authentication.ldap.validate_password=0
>
> #-# base DN for searches
> xwiki.authentication.ldap.base_DN=o=hp.com
>
> #-# Specifies the LDAP attribute containing the identifier to be used as the
> #-# XWiki name (default=cn)
> xwiki.authentication.ldap.UID_attr=uid
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# Specifies the LDAP attribute containing the password to be used "when
> #-# xwiki.authentication.ldap.validate_password" is set to 1
> xwiki.authentication.ldap.password_field=userPassword
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential LDAP groups classes. Separated by commas.
> xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The potential names of the LDAP groups fields containing the members.
> #-# Separated by commas.
> xwiki.authentication.ldap.group_memberfields=member,uniqueMember
>
> #-# retrieve the following fields from LDAP and store them in the XWiki user
> #-# object (xwiki-attribute=ldap-attribute)
> xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=uid,phone=telephoneNumber
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# on every login update the mapped attributes from LDAP to XWiki otherwise
> #-# this happens only once when the XWiki account is created.
> xwiki.authentication.ldap.update_user=1
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# maps XWiki groups to LDAP groups, separator is "|"
> xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=cscr-build-admins,ou=Groups,o=hp.com
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# time in s after which the list of members in a group is refreshed from
> #-# LDAP (default=3600*6)
> xwiki.authentication.ldap.groupcache_expiration=21800
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# - create : synchronize group membership only when the user is first
> #-# created
> #-# - always: synchronize on every login
> xwiki.authentication.ldap.mode_group_sync=always
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# if ldap authentication fails for any reason, try XWiki DB authentication
> #-# with the same credentials
> xwiki.authentication.ldap.trylocal=1
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# SSL connection to LDAP server
> #-# 0: normal
> #-# 1: SSL
> xwiki.authentication.ldap.ssl=1
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# The keystore file to use in SSL connection
> xwiki.authentication.ldap.ssl.keystore=/usr/share/tomcat5/.keystore
>
> #-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
> #-# The java secure provider used in SSL connection
> xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
>
> #-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
> #-# if ldap authentication fails for any reason, try XWiki DB authentication
> #-# with the same credentials
> xwiki.authentication.ldap.trylocal=1
>
> ############################################################################
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
>



-- 
Thomas Mortagne
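The profile-naming rule Thomas describes (clean the login, then use the stored LDAP DN to tell two people with the same cleaned name apart, appending a counter for the newcomer), as an added Python illustration that is not XWiki's own code: the dot-stripping rule follows the thread, while the counter start value and the sample logins and DNs are assumptions.

```python
# Added illustration of the profile-naming rule described in the reply above.
# It is not XWiki's code; the dot-stripping rule follows the thread, and the
# counter start value and sample data are assumptions.


def clean_username(login: str) -> str:
    """Derive the XWiki profile name from the login form value.

    The thread reports that dots are dropped ("john.chen@..." becomes
    "johnchen@..."); any further cleaning XWiki does is not covered here.
    """
    return login.replace(".", "")


class ProfileStore:
    """Minimal stand-in for the XWiki user store: profile name -> LDAP DN
    (the DN that XWiki records in an object on each LDAP-created profile)."""

    def __init__(self) -> None:
        self.profiles: dict[str, str] = {}

    def profile_for(self, login: str, ldap_dn: str) -> str:
        """Return the profile that belongs to this LDAP entry, creating one
        if needed.  Two logins that clean to the same name are told apart by
        their DN; a newcomer with a clashing name gets a numeric suffix."""
        base = clean_username(login)
        candidate, counter = base, 0
        while candidate in self.profiles:
            if self.profiles[candidate] == ldap_dn:
                return candidate          # same DN: this is the right profile
            counter += 1                  # different DN: try the next suffix
            candidate = f"{base}{counter}"
        self.profiles[candidate] = ldap_dn
        return candidate


if __name__ == "__main__":
    # Constructed sample data: two distinct people whose logins clean to the
    # same string, mirroring the conflict raised in the thread.
    store = ProfileStore()
    dn_a = "uid=john.chen@example.com,ou=People,o=example.com"
    dn_b = "uid=johnc.hen@example.com,ou=People,o=example.com"
    print(store.profile_for("john.chen@example.com", dn_a))   # johnchen@examplecom
    print(store.profile_for("johnc.hen@example.com", dn_b))   # johnchen@examplecom1
    print(store.profile_for("john.chen@example.com", dn_a))   # johnchen@examplecom
```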