On Tue, Jun 29, 2010 at 11:45, John Cavanaugh <cavanaugh...@hp.com> wrote:
>>> .         The xwiki.authentication.ldap.exclude_group &
>>> xwiki.authentication.ldap.user_group.   We dont have a group in
>>> ou=Groups that has all the people in our organization so there no way
>>> to use the user_group field.   Is there some way to instead use a filter 
>>> query.
>>No that is not supported. But patches are welcomed ;)
> Bummer.
>>> .         The xwiki.authentication.ldap.UID_attr field, seems like I
>>> should want to leave it as cn but I was unable to get it to work
>>> unless I set it to uid, because it appears that the queries into LDAP
>>> are hardcoded to use cn otherwise.   But using uid as the username in
>>> XWiki creates accounts like firstnamelastn...@hpcom where all the .'s have 
>>> been eliminated.
>>The description in xwiki.cfg is actually not very good. UID_attr is not used 
>>to choose the XWiki user name, the XWiki user name is always created based on 
>>what user provided in the login form. UID_attr is used to search the user in 
>>LDAP server or manage LDAP group membership.
> Ahh, ok, that makes more sense.  Thanks.
> Is there any way to configure the algorithm used for creating the xwiki user 
> name?    Personally I would prefer something that replaced the .'s with _'s 
> or something, but I guess it is what it is...

Not yet but should not be too hard to do. Again patches welcomed ;)

>>> Unfortunately with the strategy employed here there is no way to
>>> ensure that the username mapping is unique because just dropping the
>>> .'s can lead to conflicts, consider for example the following uid's,
>>> john.c.h...@foo.com and john.ch...@foo.com both get reduced to
>>> johnch...@foocom.   I know you are thinking, geez that will never
>>> happen.   Unfortunately with lots of employees, we have LOTS of
>>> multiple names (we must have like 20+ Tom Smith's, etc) so all these corner 
>>> cases do in fact crop up.
>>Actually you are wrong, this taken into account and you are not supposed to 
>>have technical conflicts: each created XWiki user contains it's LDAP DN in an 
>>object and when a user with the same uid after cleaning tries to connect the 
>>LDAP DN is used to ensure it's the right profile and if not an incremented 
>>counter will be appended to the new XWiki profile name.
>>Note: This DN is also used to be able to change a user DN without changing 
>>it's XWiki uid or when you start using LDAP in a XWiki that used to be 
>>"standard" and you want some of the existing use profiles to be linked to 
> Is there some way to look at this ldap_dn object and/or edit it??   I looked 
> at the object data for the user that I could see in the ui but didnt find it, 
> Im probably not looking in the correct place.

You have to edit the LDAP user profile with object editor. See

>>> .         Also it appears that once you configure ldap, you cant add
>>> local users thru the ui.   I like to use local users for the
>>> occasional group account or machine accounts.
>>That is supposed to work perfectly. That's why you have the 
>>xwiki.authentication.ldap.trylocal property in xwiki.cfg
> So local accounts that were created before I connected the system to ldap 
> work just fine for logins.   But I cant seem to create new local accounts, in 
> looking at the logs it seems like it is trying to direct everything to ldap.  
>  Is there something I need to do to tell xwiki to create a local account??

Creating a user in the UI just mean creating a page with the name of
the user and put an user object in it, there is absolutely no way for
LDAP authenticator to have any influence on that.

How are you creating theses accounts ? When you created an account do
you see it in the list of accounts ? Is there anything in the log when
you create theses accounts ?

> --
> John Cavanaugh
> _______________________________________________
> users mailing list
> users@xwiki.org
> http://lists.xwiki.org/mailman/listinfo/users

Thomas Mortagne
users mailing list

Reply via email to