<
From version < 28.1 >
edited by Vincent Massol
on 2009/05/18
To version < 29.1 >
edited by jek
on 2009/06/28
>
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.VincentMassol
1 +XWiki.jek
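--- a/Content
+++ b/Content
@@ -264,3 +264,158 @@
 
 If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
 
+
+
+2 JBoss SPNEGO (Kerberos in combination with LDAP)
+I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
+The authenication already happend by using the SPNEGO module (JAAS).
+After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
+The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
+I hope you can adopt this code or that you can use it for your own projects.
+
+The configuration of ldap;
+{code}
+xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
+xwiki.authentication.ldap=1
+xwiki.authentication.ldap.server=<ad-server>
+xwiki.authentication.ldap.port=389
+xwiki.authentication.ldap.base_DN=<OU=Users,...............>
+#use a fixed user to attach to the ldap database,
+#the password is not provided with the SSOLdapAuthenicationImpl
+xwiki.authentication.ldap.bind_DN=<domain>\\<user>
+xwiki.authentication.ldap.bind_pass=<password>
+#Microsoft AD configuration
+xwiki.authentication.ldap.UID_attr=sAMAccountName
+xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
+xwiki.authentication.ldap.group_memberfields=member,uniqueMember
+#LDAP group mapping
+xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
+ XWiki.XWikiAllGroup=CN=WIKI_User,...........
+
+{code}
+The java code
+{code}
+package com.wiki.sso;
+
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import com.xpn.xwiki.XWikiContext;
+import com.xpn.xwiki.XWikiException;
+import com.xpn.xwiki.user.api.XWikiUser;
+import com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl;
+
+import java.security.Principal;
+
+public class SSOLdapAuthenicationImpl extends XWikiLDAPAuthServiceImpl {
+ /**
+ * Logging tool.
+ */
+ private static final Log LOG = LogFactory.getLog(SSOLdapAuthenicationImpl.class);
+
+
+ public XWikiUser checkAuth(XWikiContext context) throws XWikiException {
+ String user = getRemoteUser(context);
+ if ((user != null) || !user.equals("")) {
+ if (LOG.isInfoEnabled())
+ LOG.info("Launching create user for " + user);
+ if ( authenticate(user, context) != null ) {
+ if (LOG.isInfoEnabled())
+ LOG.info("Create user done for " + user);
+ user = "XWiki." + user;
+ context.setUser(user);
+ System.out.println("User is set to:" + user);
+ return new XWikiUser(user);
+ } else {
+ LOG.error( "User " + user + " can't be authenticated against ldap" );
+ }
+ }
+ return super.checkAuth(context);
+ }
+
+ /**
+ * We cannot authenticate locally since we need to trust the app server for
+ * authentication
+ *
+ * @param username
+ * @param password
+ * @param context
+ * @return
+ * @throws XWikiException
+ */
+ public XWikiUser checkAuth(String username, String password,
+ String rememberme, XWikiContext context) throws XWikiException {
+ String user = getRemoteUser(context);
+ if ((user == null) || user.equals("")) {
+ return super.checkAuth(username, password, rememberme, context);
+ }
+ return checkAuth(context);
+ }
+
+ private String getRemoteUser(XWikiContext context) {
+ String userName = context.getRequest().getHttpServletRequest()
+ .getRemoteUser();
+ if (userName != null) {
+ // only take the front of the username@domain
+ String[] elements = userName.split("@", 2);
+ userName = elements[0];
+ }
+ return userName;
+ }
+
+ public Principal authenticate(String login, XWikiContext context) throws XWikiException
+ {
+ if (LOG.isTraceEnabled()) {
+ LOG.trace("Starting LDAP authentication");
+ }
+
+ /*
+ * TODO: Put the next 4 following "if" in common with XWikiAuthService to ensure coherence This method was
+ * returning null on failure so I preserved that behaviour, while adding the exact error messages to the context
+ * given as argument. However, the right way to do this would probably be to throw XWikiException-s.
+ */
+
+ if (login == null) {
+ // If we can't find the username field then we are probably on the login screen
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("The provided user is null."
+ + " We don't try to authenticate, it probably means the user is in non logged mode.");
+ }
+
+ return null;
+ }
+
+ // Check for empty usernames
+ if (login.equals("")) {
+ context.put("message", "nousername");
+
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("LDAP authentication failed: login empty");
+ }
+
+ return null;
+ }
+
+ // If we have the context then we are using direct mode
+ // then we should specify the database
+ // This is needed for virtual mode to work
+ Principal principal = null;
+
+ // Try authentication against ldap
+ principal = ldapAuthenticate(login, "", context);
+
+ if (LOG.isDebugEnabled()) {
+ if (principal != null) {
+ LOG.debug("LDAP authentication succeed with principal [" + principal.getName() + "]");
+ } else {
+ LOG.debug("LDAP authentication failed for user [" + login + "]");
+ }
+ }
+
+ return principal;
+ }
+}
+{code}
+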
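Review bot: The guard in checkAuth(XWikiContext), `if ((user != null) || !user.equals(""))`, is inverted: with `||` a null remote user reaches `user.equals("")` and throws NullPointerException instead of falling through to `super.checkAuth(context)`, and an empty name is handed on to the LDAP lookup; it should read `if (user != null && !user.equals("")) {`. On the trust boundary, getRemoteUser() discards everything after `@`, so principals from any realm the container's Kerberos/JAAS setup is willing to accept collapse onto the same `XWiki.<name>` account — if more than one realm can be negotiated, reject or map names whose realm is not the expected one before calling authenticate(). authenticate() then calls `ldapAuthenticate(login, "", context)` with an empty password; this is meant as a directory lookup because the container already authenticated the user, but if the inherited implementation binds as that user rather than with bind_DN, an empty password against Active Directory can succeed as an unauthenticated bind, so confirm which bind is performed and treat an empty-password success as a lookup, never as proof of identity. Two smaller points: `System.out.println("User is set to:" + user);` bypasses the logger and should be dropped, and the configuration above sends bind_pass over plain LDAP on port 389 — use LDAPS or StartTLS so the service credentials do not cross the network in the clear.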
