On Thu, Feb 18, 2016 at 4:46 PM, Mark Sack <[email protected]> wrote:
> I have an existing instance of xwiki with some users and would like to
> convert it to authenticate against an Active Directory server. I tried
> setting up a new test instance of xwiki in a VM and was able to get it to
> authenticate against AD. But in the test, the user directory was empty
> (except for Admin) - so it created a new user at login. I'd appreciate some
> help on the next step of configuring the system so that an existing xwiki
> user authenticates against an existing AD entry.

The LDAP authenticator maintains a XWiki.LDAPProfileClass object in each user profile containing the LDAP uid and DN. The first thing the authenticator does is to look at this object to check if the user already exists, so ideally, if you want to reuse the users you already have, you will need to add an object in all those users' profiles with their LDAP uid in it (DN is not mandatory there, it will update it at first login). There is no existing tool to do that, so you will need to write some script (or do it by hand, depending on the scale).

* you can look at http://platform.xwiki.org/xwiki/bin/view/DevGuide/Scripting for documentation on how to write scripts in general in XWiki
* you can look at the end of http://extensions.xwiki.org/xwiki/bin/view/Extension/Create+Page+With+Object for an example of how to add an object in a document
* you can find in http://extensions.xwiki.org/xwiki/bin/view/Extension/Query+Module information on how to request documents, including an example to get all documents with a user object in them (i.e. user profiles)

> I configured the test system as follows:
>
> xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
> xwiki.authentication.ldap=1
> xwiki.authentication.ldap.server=servername
> xwiki.authentication.ldap.port=389
> xwiki.authentication.ldap.bind_DN=subdomain\\{0}
> xwiki.authentication.ldap.bind_pass={1}
> xwiki.authentication.ldap.base_DN=DC=subdomain,DC=domain
> xwiki.authentication.ldap.UID_attr=sAMAccountName
> xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
> xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
> xwiki.authentication.ldap.update_user=1
> xwiki.authentication.ldap.trylocal=0
>
> Other details that may or may not be relevant:
> - the AD login IDs contain periods which are not allowed in the xwiki names.
> For the xwiki users that already exist, the login names are the same as
> those in AD except that the period is replaced by an underscore

See what I explained about XWiki.LDAPProfileClass objects in profiles above. I guess you will have to apply this rule to find out the LDAP uid from the XWiki user name in some script.

> - there are xwiki 'users' with no corresponding entry in AD. Those xwiki
> entries should not be allowed to login.

Users created by the LDAP authenticator have an empty password, and users are not allowed to authenticate with an empty password, so you could do the same for those users. If you add them on the LDAP side later they will work.

> - the exception to the above point is the Admin user. If I add one of the
> users with a corresponding AD entry to the Admin group, would that user be
> able to do everything that the Admin user can do?

Yes, Admin is not a special user, it just happens to be part of the XWikiAdminGroup by default in XE.

> A nice to have would be to also bring the AD groupings/organizational units
> across to xwiki. Is there an easy way to do this?

You can do a mapping between XWiki groups and AD groups. See the xwiki.authentication.ldap.group_mapping property.

> --
> View this message in context:
> http://xwiki.475771.n2.nabble.com/Convert-existing-xwiki-instance-to-Active-Directory-authentication-tp7598029.html
> Sent from the XWiki- Users mailing list archive at Nabble.com.
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users

--
Thomas Mortagne
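A script along the lines Thomas describes, added here as an example (not part of the thread and not XWiki's own code): it lists every document carrying an XWiki.XWikiUsers object through the Query Module, derives the AD sAMAccountName by reversing the underscore-for-period rule from the question, and adds an XWiki.LDAPProfileClass object with only the uid set, leaving the DN for the authenticator to fill at first login. It assumes the class field is named `uid`, that XWiki.Admin is the one local account to leave untouched, and that it runs with programming rights inside a {{groovy}} macro; it starts in dry-run mode so the planned changes can be reviewed first.

```groovy
{{groovy}}
// Added example for linking existing XWiki profiles to AD accounts.
// Assumptions: LDAPProfileClass stores the login in a field named 'uid';
// XWiki.Admin is a local account with no AD counterpart and is skipped.
def dryRun = true                       // set to false to actually save
def ldapClass = 'XWiki.LDAPProfileClass'
def localOnly = ['XWiki.Admin'] as Set  // profiles that must stay local

// Query Module: every document that carries a user object, i.e. a user profile.
def profiles = services.query.xwql('from doc.object(XWiki.XWikiUsers) as user').execute()

def added = 0
def skipped = 0
for (fullName in profiles) {
  if (localOnly.contains(fullName)) { skipped++; continue }

  def doc = xwiki.getDocument(fullName)
  // Already linked: the authenticator will find this object on its own.
  if (doc.getObject(ldapClass) != null) { skipped++; continue }

  // Wiki name 'john_doe' was created from AD login 'john.doe'.
  def uid = doc.getName().replace('_', '.')

  if (dryRun) {
    println "* would add ${ldapClass} with uid=${uid} to ${fullName}"
    continue
  }
  def obj = doc.newObject(ldapClass)
  obj.set('uid', uid)                   // DN left empty; updated at first login
  doc.save('Link existing profile to AD account')
  added++
}
println "profiles linked: ${added}, skipped: ${skipped}"
{{/groovy}}
```

Profiles that are already linked or that have no AD counterpart are left alone, so the script can be rerun safely after adding accounts on the AD side.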
