Actually "Only local users are available in the wiki" is something new
in 5.3 and not everything takes it into account, LDAP authenticator is
one of them. You might want to add your use case to
http://jira.xwiki.org/browse/XWIKI-9856 and watch the issue.

On Tue, Jan 7, 2014 at 5:15 PM, Kelly Steinke <kstei...@steel-craft.ca> wrote:
> Thanks for your quick response Thomas, I was under the impression that if I 
> chose to set up the subwiki with the option of "Only local users are 
> available in the wiki" and then change the base_DN to define where those 
> local users should be authenticated from, that the subwiki could be used as a 
> totally separate instance where users could go straight to the login of the 
> subwiki instead of "requesting to join" from the main wiki.
>
> With your explanation I see that this is not possible, so I will have to 
> rethink my strategy. Perhaps by changing permissions on the main wiki spaces 
> so that the users of my subwiki do not see anything on the main wiki but give 
> them the ability to request to join the subwiki. I tried this originally but 
> was running into too many problems, as the request functionality was failing 
> due to them not being able to send notifications with limited permissions.
>
> If I have some time perhaps I will look into creating a new patch as you have 
> suggested.
>
>
>
> ----- Original Message -----
>
> From: "Thomas Mortagne" <thomas.morta...@xwiki.com>
> To: "XWiki Users" <users@xwiki.org>
> Sent: Tuesday, January 7, 2014 8:36:00 AM
> Subject: Re: [xwiki-users] subwiki ldap authentication
>
> This is actually a general XWiki behavior: first try to auth on the
> current wiki and then on the main wiki and it's true for the LDAP auth
> too. Note that this user is supposed to really have been authenticated
> and created on main wiki, you should not have a new XWiki user on your
> subwiki so you should have the behavior if you log on main wiki and
> then go to subwiki (the session keeping the user from main wiki).
>
> You could create a new feature issue on http://jira.xwiki.org for a
> new parameter controlling if the LDAP auth should fall back on main
> wiki or not for example (like we have an option to control the
> fallback on standard auth) and even better provide a patch if you have
> some Java experience (it should not be very hard to do, I can help you
> look at the right place if you plan to look at it).
>
> On Tue, Jan 7, 2014 at 4:25 PM, Kelly Steinke <kstei...@steel-craft.ca> wrote:
>> I have performed the following steps:
>>
>> * Installed the LDAP Admin Application on the subwiki.
>> * Changed the LDAP BASE_DN to point to a different location than the main 
>> wiki (OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com) as 
>> opposed to (OU=All Users,DC=mycompanyt,DC=com) on the main.
>> * Created a new group in my AD called "maintenance_wiki" that has a 
>> membership of users that I wish to authenticate against (as there is the odd 
>> user that I want to authenticate that will not reside in the 
>> OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com branch).
>> * Changed the "Restricted To Group" setting in the LDAP application to point 
>> to my new maintenance_wiki group.
>> * Restarted the tomcat services.
>>
>> After turning LDAP logging on and performing some tests it appears that if I 
>> log on with a user that does not exist in the "maintenance_wiki" group it 
>> will next try to authenticate using the Main Wiki's search DN as opposed to 
>> the more granular one that I have defined in the Subwiki. So instead of 
>> getting an "Invalid Credentials" message, which I was hoping for, it instead 
>> creates the user in the main wiki and lets the user into the subwiki with 
>> the message "ERROR you are not allowed to view this document or perform this 
>> action".
>>
>> What I was hoping would happen is that the subwiki would only authenticate 
>> users from the search DN defined in the subwiki or that belong in the group 
>> that I defined, and not create accounts for users that exist in the main 
>> wiki's search DN. Is this possible?
>>
>>
>> Kelly Steinke
>> Software Developer/System Support
>> STEEL-CRAFT DOOR PRODUCTS LTD.
>>
>> 13504 St. Albert Trail
>> Edmonton, AB T5L 4P4
>> Bus: 780.453.3761 ext.3310
>> Fax: 780.454.1584
>> Toll Free: 1.800.463.3667
>>
>> www.steel-craft.ca
>>
>> ----- Original Message -----
>>
>> From: "Thomas Mortagne" <thomas.morta...@xwiki.com>
>> To: "XWiki Users" <users@xwiki.org>
>> Sent: Tuesday, December 31, 2013 12:27:47 AM
>> Subject: Re: [xwiki-users] subwiki ldap authentication
>>
>> Yes you have only one xwiki.cfg which contains the default
>> configuration for each wiki but "You can also setup the LDAP
>> configuration in the XWiki.XWikiPreferences page by going to the
>> object editor. Simply replace xwiki.authentication.ldap. with ldap_.
>> For example xwiki.authentication.ldap.base_DN becomes ldap_base_DN."
>>
>> You can install
>> http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP+Application
>> which is doing exactly that (modifying XWikiPreferences page) in the
>> wikis you want to modify.
>>
>> On Tue, Dec 31, 2013 at 12:52 AM, Kelly Steinke <kstei...@steel-craft.ca> 
>> wrote:
>>> Hi all,
>>>
>>> I just recently upgraded to 5.3 and have now created a sub wiki for the 
>>> first time. My main wiki is configured to authenticate using LDAP and has a 
>>> base search DN set to an OU called "AllUsers". In Active Directory the 
>>> AllUsers OU contains several sub OU's which separate users according to 
>>> branch, department etc. Having the LDAP set up to search the AllUsers OU 
>>> allows for anyone in our company to use the main wiki by logging in with 
>>> their network credentials and works great.
>>>
>>> When I created the sub wiki, I went through the wizard and selected to only 
>>> have local users be available in it, as this sub wiki is to be used and 
>>> administrated by a specific department only. What I would like to achieve 
>>> now is to have the users of the sub wiki be authenticated using a different 
>>> search base than that of the main wiki (aka the OU that contains only users 
>>> for that department).
>>>
>>> So instead of using the following, which is defined in the xwiki.cfg:
>>>
>>> xwiki.authentication.ldap.base_DN=OU=All Users,DC=mycompanyt,DC=com
>>>
>>> The sub wiki would use this for authentication:
>>>
>>> xwiki.authentication.ldap.base_DN=OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com
>>>
>>> I read in the documentation "Use cases of configuration to authenticate 
>>> users with LDAP" that each wiki in a multiwiki environment can have its 
>>> own LDAP configuration, however I am unable to determine how to do this, as 
>>> there is only one xwiki.cfg file that contains my LDAP configuration and 
>>> there is no mention of any LDAP settings in the xwiki.preferences page of 
>>> the sub wiki.
>>>
>>> Any help is greatly appreciated!
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@xwiki.org
>>> http://lists.xwiki.org/mailman/listinfo/users
>>
>>
>>
>> --
>> Thomas Mortagne
>
>
>
> --
> Thomas Mortagne



-- 
Thomas Mortagne
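
A small model of the lookup order described in this thread (current wiki first, then main wiki), added here as an example and not XWiki's own code. It shows why a narrower subwiki base_DN does not by itself keep main-wiki users out. The user DNs are constructed, `fallback_to_main` is a hypothetical stand-in for the parameter proposed above, and group restriction and escaped commas in DNs are left out.

```python
# Simplified model of the lookup order described in this thread; not XWiki code.
CFG_PREFIX = "xwiki.authentication.ldap."


def pref_key(cfg_key):
    """Map an xwiki.cfg LDAP key to its XWikiPreferences name (ldap_ prefix)."""
    if not cfg_key.startswith(CFG_PREFIX):
        raise ValueError("not an LDAP key: " + cfg_key)
    return "ldap_" + cfg_key[len(CFG_PREFIX):]


def _rdns(dn):
    # Naive split: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(user_dn, base_dn):
    """True if user_dn sits strictly below base_dn in the directory tree."""
    user, base = _rdns(user_dn), _rdns(base_dn)
    return len(user) > len(base) and user[-len(base):] == base


def authenticate(user_dn, wiki, wikis, fallback_to_main=True):
    """Return the wiki whose LDAP scope accepted the user, or None.

    fallback_to_main is HYPOTHETICAL: it stands for the new parameter
    suggested in the thread, not for an existing XWiki setting.
    """
    order = [wiki]
    if fallback_to_main and wiki != "main":
        order.append("main")
    key = pref_key(CFG_PREFIX + "base_DN")
    for name in order:
        if in_scope(user_dn, wikis[name][key]):
            return name
    return None


# Constructed sample data; the base DNs are the ones quoted in the thread.
WIKIS = {
    "main": {"ldap_base_DN": "OU=All Users,DC=mycompanyt,DC=com"},
    "sub": {"ldap_base_DN":
            "OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"},
}
ACCOUNTANT = "CN=Ann,OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"
OUTSIDER = "CN=Bob,OU=Sales,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"

if __name__ == "__main__":
    for dn in (ACCOUNTANT, OUTSIDER):
        print(dn.split(",")[0], authenticate(dn, "sub", WIKIS),
              authenticate(dn, "sub", WIKIS, fallback_to_main=False))
```

With the fallback in place the constructed outsider is accepted through the main wiki's scope, which matches the behaviour reported in the thread; with the hypothetical switch off the same login is rejected.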