Change comment:
There is no comment for this version
Summary
Page properties (2 modified, 0 added, 0 removed)
Details
- Page properties
- Author
... ... @@ -1,1 +1,1 @@ 1 -XWiki. VincentMassol1 +XWiki.jek - Content
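--- a/Content
+++ b/Content
@@ -264,3 +264,158 @@
 
 If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
 
+
+
+2 JBoss SPNEGO (Kerberos in combination with LDAP)
+I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
+The authenication already happend by using the SPNEGO module (JAAS).
+After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
+The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
+I hope you can adopt this code or that you can use it for your own projects.
+
+The configuration of ldap;
+{code}
+xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
+xwiki.authentication.ldap=1
+xwiki.authentication.ldap.server=<ad-server>
+xwiki.authentication.ldap.port=389
+xwiki.authentication.ldap.base_DN=<OU=Users,...............>
+#use a fixed user to attach to the ldap database,
+#the password is not provided with the SSOLdapAuthenicationImpl
+xwiki.authentication.ldap.bind_DN=<domain>\\<user>
+xwiki.authentication.ldap.bind_pass=<password>
+#Microsoft AD configuration
+xwiki.authentication.ldap.UID_attr=sAMAccountName
+xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
+xwiki.authentication.ldap.group_memberfields=member,uniqueMember
+#LDAP group mapping
+xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
+ XWiki.XWikiAllGroup=CN=WIKI_User,...........
+
+{code}
+The java code
+{code}
+package com.wiki.sso;
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.xpn.xwiki.XWikiContext;
+import com.xpn.xwiki.XWikiException;
+import com.xpn.xwiki.user.api.XWikiUser;
+import com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl;
+
+import java.security.Principal;
+
+public class SSOLdapAuthenicationImpl extends XWikiLDAPAuthServiceImpl {
+/**
+* Logging tool.
+*/
+private static final Log LOG = LogFactory.getLog(SSOLdapAuthenicationImpl.class);
+
+
+public XWikiUser checkAuth(XWikiContext context) throws XWikiException {
+String user = getRemoteUser(context);
+if ((user != null) || !user.equals("")) {
+if (LOG.isInfoEnabled())
+LOG.info("Launching create user for " + user);
+if ( authenticate(user, context) != null ) {
+if (LOG.isInfoEnabled())
+LOG.info("Create user done for " + user);
+user = "XWiki." + user;
+context.setUser(user);
+System.out.println("User is set to:" + user);
+return new XWikiUser(user);
+} else {
+LOG.error( "User " + user + " can't be authenticated against ldap" );
+}
+}
+return super.checkAuth(context);
+}
+
+/**
+* We cannot authenticate locally since we need to trust the app server for
+* authentication
+*
+* @param username
+* @param password
+* @param context
+* @return
+* @throws XWikiException
+*/
+public XWikiUser checkAuth(String username, String password,
+String rememberme, XWikiContext context) throws XWikiException {
+String user = getRemoteUser(context);
+if ((user == null) || user.equals("")) {
+return super.checkAuth(username, password, rememberme, context);
+}
+return checkAuth(context);
+}
+
+private String getRemoteUser(XWikiContext context) {
+String userName = context.getRequest().getHttpServletRequest()
+.getRemoteUser();
+if (userName != null) {
+// only take the front of the username@domain
+String[] elements = userName.split("@", 2);
+userName = elements[0];
+}
+return userName;
+}
+
+public Principal authenticate(String login, XWikiContext context) throws XWikiException
+{
+if (LOG.isTraceEnabled()) {
+LOG.trace("Starting LDAP authentication");
+}
+
+/*
+* TODO: Put the next 4 following "if" in common with XWikiAuthService to ensure coherence This method was
+* returning null on failure so I preserved that behaviour, while adding the exact error messages to the context
+* given as argument. However, the right way to do this would probably be to throw XWikiException-s.
+*/
+
+if (login == null) {
+// If we can't find the username field then we are probably on the login screen
+
+if (LOG.isDebugEnabled()) {
+LOG.debug("The provided user is null."
++ " We don't try to authenticate, it probably means the user is in non logged mode.");
+}
+
+return null;
+}
+
+// Check for empty usernames
+if (login.equals("")) {
+context.put("message", "nousername");
+
+if (LOG.isDebugEnabled()) {
+LOG.debug("LDAP authentication failed: login empty");
+}
+
+return null;
+}
+
+// If we have the context then we are using direct mode
+// then we should specify the database
+// This is needed for virtual mode to work
+Principal principal = null;
+
+// Try authentication against ldap
+principal = ldapAuthenticate(login, "", context);
+
+if (LOG.isDebugEnabled()) {
+if (principal != null) {
+LOG.debug("LDAP authentication succeed with principal [" + principal.getName() + "]");
+} else {
+LOG.debug("LDAP authentication failed for user [" + login + "]");
+}
+}
+
+return principal;
+}
+}
+{code}
+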
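Review bot: The guard at line 320, `if ((user != null) || !user.equals(""))`, is inverted: with `||` a null remote user (every request the SPNEGO module did not authenticate) reaches `user.equals("")` and throws a NullPointerException instead of falling through to `super.checkAuth(context)`, so the non-SSO path can never run; it should read `if (user != null && !user.equals("")) {`. `authenticate()` then calls `ldapAuthenticate(login, "", context)` with an empty password; if the inherited implementation verifies the user by binding with the supplied password, many directories (Active Directory included) treat an empty-password simple bind as an unauthenticated bind that succeeds, so confirm from the parent class that this path only looks the user up and synchronizes rather than taking the empty bind as proof of identity. `getRemoteUser` drops everything after `@`, so principals from different Kerberos realms that share a short name collapse onto the same wiki user; consider checking the realm against the expected domain before stripping it. The `System.out.println` at line 328 is a debugging leftover and should go through `LOG` like the rest of the class.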