Change comment:
i believe the mail=mail value to be in error for a microsoft active directory. it did not work for me until i changed it to email=mail. only then did it start pulling the email value correctly. (using xwiki v2.0.3) thanks!
Summary
-
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
-
- Author
-
... ... @@ -1,1 +1,1 @@ 1 -XWiki. VincentMassol1 +XWiki.hexC0DE - Content
-
... ... @@ -100,7 +100,7 @@ 100 100 - *ldap_bind_DN*: domain\{0\} ~~(e.g. ad\{0\} where \{0\} will be replaced by username during validation)~~ 101 101 - *ldap_bind_pass*: \{1\} ~~(where \{1\} will be replaced by password during validation)~~ 102 102 - *ldap_UID_attr*: sAMAccountName 103 - - *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn 103 + - *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn 104 104 105 105 Example: 106 106 {code} ... ... @@ -112,7 +112,7 @@ 112 112 xwiki.authentication.ldap.bind_DN=subdomain\\{0} 113 113 xwiki.authentication.ldap.bind_pass={1} 114 114 xwiki.authentication.ldap.UID_attr=sAMAccountName 115 -xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn 115 +xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn 116 116 {code} 117 117 118 118 The bind_DN and bind_pass fields contain the username and password for binding to the LDAP server in order to search, which will not necessarily be the same credentials as the user logging in. ... ... @@ -136,6 +136,7 @@ 136 136 log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug 137 137 {code} 138 138 139 + 139 139 1.1 eXo Authentication 140 140 141 141 The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~. ... ... @@ -163,6 +163,22 @@ 163 163 xwiki.authentication.groupclass = com.acme.MyCustomGroupService 164 164 {code} 165 165 167 +1.1.1 Custom Authentication using a Groovy script in a wiki page 168 + 169 +Start by specifying you want to use the Groovy Authenticator: 170 + 171 +{code} 172 +xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl 173 +{code} 174 + 175 +Then add another configuration parameter to specify in which wiki page the authenticator is: 176 + 177 +{code} 178 +xwiki.authentication.groovy.pagename = MySpace.MyPage 179 +{code} 180 + 181 +Then in a wiki page put some Groovy code that returns a XWikiAuthService object. 182 + 166 166 1.1 Authentication parameters 167 167 168 168 You can set each of these parameters by setting: ... ... @@ -248,3 +248,158 @@ 248 248 249 249 If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains. 250 250 268 + 269 + 270 +2 JBoss SPNEGO (Kerberos in combination with LDAP) 271 +I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. 272 +The authenication already happend by using the SPNEGO module (JAAS). 273 +After that I'm using the ldap synchronisation feature to make sure that the user is up to date. 274 +The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. 275 +I hope you can adopt this code or that you can use it for your own projects. 276 + 277 +The configuration of ldap; 278 +{code} 279 +xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl 280 +xwiki.authentication.ldap=1 281 +xwiki.authentication.ldap.server=<ad-server> 282 +xwiki.authentication.ldap.port=389 283 +xwiki.authentication.ldap.base_DN=<OU=Users,...............> 284 +#use a fixed user to attach to the ldap database, 285 +#the password is not provided with the SSOLdapAuthenicationImpl 286 +xwiki.authentication.ldap.bind_DN=<domain>\\<user> 287 +xwiki.authentication.ldap.bind_pass=<password> 288 +#Microsoft AD configuration 289 +xwiki.authentication.ldap.UID_attr=sAMAccountName 290 +xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn 291 +xwiki.authentication.ldap.group_memberfields=member,uniqueMember 292 +#LDAP group mapping 293 +xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\ 294 + XWiki.XWikiAllGroup=CN=WIKI_User,........... 295 + 296 +{code} 297 +The java code 298 +{code} 299 +package com.wiki.sso; 300 + 301 + 302 +import org.apache.commons.logging.Log; 303 +import org.apache.commons.logging.LogFactory; 304 + 305 +import com.xpn.xwiki.XWikiContext; 306 +import com.xpn.xwiki.XWikiException; 307 +import com.xpn.xwiki.user.api.XWikiUser; 308 +import com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl; 309 + 310 +import java.security.Principal; 311 + 312 +public class SSOLdapAuthenicationImpl extends XWikiLDAPAuthServiceImpl { 313 + /** 314 + * Logging tool. 315 + */ 316 + private static final Log LOG = LogFactory.getLog(SSOLdapAuthenicationImpl.class); 317 + 318 + 319 + public XWikiUser checkAuth(XWikiContext context) throws XWikiException { 320 + String user = getRemoteUser(context); 321 + if ((user != null) || !user.equals("")) { 322 + if (LOG.isInfoEnabled()) 323 + LOG.info("Launching create user for " + user); 324 + if ( authenticate(user, context) != null ) { 325 + if (LOG.isInfoEnabled()) 326 + LOG.info("Create user done for " + user); 327 + user = "XWiki." + user; 328 + context.setUser(user); 329 + System.out.println("User is set to:" + user); 330 + return new XWikiUser(user); 331 + } else { 332 + LOG.error( "User " + user + " can't be authenticated against ldap" ); 333 + } 334 + } 335 + return super.checkAuth(context); 336 + } 337 + 338 + /** 339 + * We cannot authenticate locally since we need to trust the app server for 340 + * authentication 341 + * 342 + * @param username 343 + * @param password 344 + * @param context 345 + * @return 346 + * @throws XWikiException 347 + */ 348 + public XWikiUser checkAuth(String username, String password, 349 + String rememberme, XWikiContext context) throws XWikiException { 350 + String user = getRemoteUser(context); 351 + if ((user == null) || user.equals("")) { 352 + return super.checkAuth(username, password, rememberme, context); 353 + } 354 + return checkAuth(context); 355 + } 356 + 357 + private String getRemoteUser(XWikiContext context) { 358 + String userName = context.getRequest().getHttpServletRequest() 359 + .getRemoteUser(); 360 + if (userName != null) { 361 + // only take the front of the username@domain 362 + String[] elements = userName.split("@", 2); 363 + userName = elements[0]; 364 + } 365 + return userName; 366 + } 367 + 368 + public Principal authenticate(String login, XWikiContext context) throws XWikiException 369 + { 370 + if (LOG.isTraceEnabled()) { 371 + LOG.trace("Starting LDAP authentication"); 372 + } 373 + 374 + /* 375 + * TODO: Put the next 4 following "if" in common with XWikiAuthService to ensure coherence This method was 376 + * returning null on failure so I preserved that behaviour, while adding the exact error messages to the context 377 + * given as argument. However, the right way to do this would probably be to throw XWikiException-s. 378 + */ 379 + 380 + if (login == null) { 381 + // If we can't find the username field then we are probably on the login screen 382 + 383 + if (LOG.isDebugEnabled()) { 384 + LOG.debug("The provided user is null." 385 + + " We don't try to authenticate, it probably means the user is in non logged mode."); 386 + } 387 + 388 + return null; 389 + } 390 + 391 + // Check for empty usernames 392 + if (login.equals("")) { 393 + context.put("message", "nousername"); 394 + 395 + if (LOG.isDebugEnabled()) { 396 + LOG.debug("LDAP authentication failed: login empty"); 397 + } 398 + 399 + return null; 400 + } 401 + 402 + // If we have the context then we are using direct mode 403 + // then we should specify the database 404 + // This is needed for virtual mode to work 405 + Principal principal = null; 406 + 407 + // Try authentication against ldap 408 + principal = ldapAuthenticate(login, "", context); 409 + 410 + if (LOG.isDebugEnabled()) { 411 + if (principal != null) { 412 + LOG.debug("LDAP authentication succeed with principal [" + principal.getName() + "]"); 413 + } else { 414 + LOG.debug("LDAP authentication failed for user [" + login + "]"); 415 + } 416 + } 417 + 418 + return principal; 419 + } 420 +} 421 +{code} 422 +
