<
From version < 33.1 >
edited by Thomas Mortagne
on 2010/01/20
To version < 34.1 >
edited by Silvia Macovei
on 2010/03/04
>
Change comment: Document converted from syntax xwiki/1.0 to syntax xwiki/2.0

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ThomasMortagne
1 +XWiki.SilviaRusu
Syntax
... ... @@ -1,1 +1,1 @@
1 -XWiki 1.0
1 +XWiki 2.0
Content
... ... @@ -1,24 +1,30 @@
1 -1 User Authentication
1 += User Authentication =
2 2  
3 3  XWiki supports several different authentication mechanisms for authenticating users:
4 -#toc("" "" "")
5 5  
5 +{{toc start="" depth="" numbered=""/}}
6 +
6 6  The form authentication is the default mechanism.
7 7  
8 -#info("Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.")
9 +{{info}}
10 +Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
11 +{{/info}}
9 9  
10 -1.1 Form Authentication
13 +== Form Authentication ==
11 11  
12 12  TODO
13 13  
14 -1.1 LDAP Authentication
17 +== LDAP Authentication ==
15 15  
16 -#warning("New LDAP implementation since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]")
19 +{{warning}}
20 +New LDAP implementation since XWiki Platform 1.3M2, see [[previous LDAP authentication service documentation>>AuthenticationLdapOld]]
21 +{{/warning}}
17 17  
18 -1.1.1 Generic LDAP configuration
23 +=== Generic LDAP configuration ===
19 19  
20 -In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows:
21 -{code}
25 +In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
26 +
27 +{{code}}
22 22  ## Turn LDAP authentication on - otherwise only XWiki authentication
23 23  ## 0 : disable
24 24  ## 1 : enable
... ... @@ -26,12 +26,11 @@
26 26  
27 27  ## set LDAP as authentication service
28 28  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
35 +{{/code}}
29 29  
30 -{code}
37 +You can setup the LDAP configuration in the //xwiki.cfg// file by filling the following properties:
31 31  
32 -You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties:
33 -
34 -{code:none}
39 +{{code language="none"}}
35 35  ## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
36 36  xwiki.authentication.ldap.server=156.58.101.204
37 37  xwiki.authentication.ldap.port=389
... ... @@ -87,131 +87,142 @@
87 87  
88 88  ## The keystore file to use in SSL connection
89 89  xwiki.authentication.ldap.ssl.keystore=
90 -{code}
95 +{{/code}}
91 91  
92 -#info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace \"xwiki.authentication.ldap.\" by \"ldap_\". For example <tt>xwiki.authentication.ldap.base_DN</tt> become <tt>ldap_base_DN</tt>")
97 +{{info}}
98 +You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace
99 +{{/info}}
93 93  
94 94  For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
95 95  
96 96  Here are some LDAP client for checking your configuration:
97 -* [Apache Directory Studio>http://directory.apache.org/studio/]
98 -* [LDAP Browser/Editor>http://www-unix.mcs.anl.gov/~gawor/ldap/]
99 99  
100 -1.1.1 Detailed use cases
105 +* [[Apache Directory Studio>>http://directory.apache.org/studio/]]
106 +* [[LDAP Browser/Editor>>http://www-unix.mcs.anl.gov/gawor/ldap/]]
101 101  
102 -See [LDAP configuration uses cases>LDAPAuthenticationUseCases] for some detailed use cases.
108 +=== Detailed use cases ===
103 103  
104 -1.1.1 Enable LDAP debug log
110 +See [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
105 105  
106 -See [AdminGuide.Logging]. The specific targets for LDAP authentication are:
107 -{code}
112 +=== Enable LDAP debug log ===
113 +
114 +See [[AdminGuide.Logging]]. The specific targets for LDAP authentication are:
115 +
116 +{{code}}
108 108  log4j.logger.com.xpn.xwiki.plugin.ldap=debug
109 109  log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug
110 -{code}
119 +{{/code}}
111 111  
121 +== eXo Authentication ==
112 112  
113 -1.1 eXo Authentication
123 +The eXo authentication is used automatically by adding/editing the //xwiki.exo=1// property in //WEB-INF/xwiki.cfg//.
114 114  
115 -The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.
125 +== Custom Authentication ==
116 116  
117 -1.1 Custom Authentication
118 -
119 119  This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
120 -# Implement the [XWikiAuthService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java] interface.
121 -# Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example:
122 122  
123 -{code}
129 +1. Implement the [[XWikiAuthService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java]] interface.
130 +1. Edit the //WEB-INF/xwiki.cfg// file and add a //xwiki.authentication.authclass// property pointing to your class. For example:
131 +
132 +{{code}}
124 124  xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
125 -{code}
134 +{{/code}}
126 126  
127 -Here's a [tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/].
136 +Here's a [[tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]].
128 128  
129 -Note, that you also can implement own right management service by implementing [XWikiRightService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java] interface:
130 -{code}
138 +Note, that you also can implement own right management service by implementing [[XWikiRightService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java]] interface:
139 +
140 +{{code}}
131 131  xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
132 -{code}
142 +{{/code}}
133 133  
134 -and Group Service by implementing [XWikiGroupService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]:
144 +and Group Service by implementing [[XWikiGroupService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]]:
135 135  
136 -{code}
146 +{{code}}
137 137  xwiki.authentication.groupclass = com.acme.MyCustomGroupService
138 -{code}
148 +{{/code}}
139 139  
140 -1.1.1 Custom Authentication using a Groovy script in a wiki page
150 +=== Custom Authentication using a Groovy script in a wiki page ===
141 141  
142 142  Start by specifying you want to use the Groovy Authenticator:
143 143  
144 -{code}
154 +{{code}}
145 145  xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl
146 -{code}
156 +{{/code}}
147 147  
148 148  Then add another configuration parameter to specify in which wiki page the authenticator is:
149 149  
150 -{code}
160 +{{code}}
151 151  xwiki.authentication.groovy.pagename = MySpace.MyPage
152 -{code}
162 +{{/code}}
153 153  
154 154  Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
155 155  
156 -1.1 Authentication parameters
166 +== Authentication parameters ==
157 157  
158 158  You can set each of these parameters by setting:
159 159  
160 -{code}
170 +{{code}}
161 161  xwiki.authentication.~~param_name~~=~~param_value~~
162 -{code}
172 +{{/code}}
163 163  
164 -{table}
165 -Name | Optional | Allowed values | Default value | Description
166 -encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
167 -validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
168 -cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
169 -cookielife | Yes | Number | 14 | Number of days cookies take to expire
170 -cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~
171 -default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set
172 -encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies
173 -encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies
174 -encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies
175 -errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in
176 -loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in
177 -loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ?
178 -logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out
179 -realmname | Yes | String | XWiki | Sets the realm name
180 -protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality
181 -unauthorized_code | Yes | ? | ? | ?
182 -useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
183 -{table}
184 -# Only required if protection = encryption or all (default)
185 -# Only required if protection = validation or all (default)
174 +|=Name|=Optional|=Allowed values|=Default value|=Description
175 +|encryptionKey|No(1)|?|n/a|Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
176 +|validationKey|No(2)|?|n/a|Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
177 +|cookiedomains|Yes|String|Server host name|Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
178 +|cookielife|Yes|Number|14|Number of days cookies take to expire
179 +|cookiepath|Yes|String|/|The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ///xwiki//
180 +|default_page|Yes|String|/bin/view/ Main/WebHome|Page to redirect to if xredirect parameter is not set
181 +|encryptionalgorithm|Yes|?|?|Set the Encryption Algorithm used to encrypt and decrypt cookies
182 +|encryptionmode|Yes|?|?|Set the Encryption Mode used to encrypt and decrypt cookies
183 +|encryptionpadding|Yes|?|?|Set the Encryption Padding used to encrypt and decrypt cookies
184 +|errorpage|Yes|String|/bin/loginerror/ XWiki/XWikiLogin|Page to redirect to if there is an error logging in
185 +|loginpage|Yes|String|/bin/login/ XWiki/XWikiLogin|Page to redirect to when not logged in
186 +|loginsubmitpage|Yes|String|/loginsubmit/ XWiki/XWikiLogin|?
187 +|logoutpage|Yes|String|/bin/logout/ XWiki/XWikiLogout|Page to redirect to after logged out
188 +|realmname|Yes|String|XWiki|Sets the realm name
189 +|protection|Yes|all, validation, encryption, none|all|Protection level for the "remember me" cookie functionality
190 +|unauthorized_code|Yes|?|?|?
191 +|useip|Yes|true / false|true|Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
186 186  
187 -1.1 Kerberos SSO Authentication
193 +1. Only required if protection = encryption or all (default)
194 +1. Only required if protection = validation or all (default)
188 188  
189 -#warning("This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!")
196 +== Kerberos SSO Authentication ==
190 190  
198 +{{warning}}
199 +This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!
200 +{{/warning}}
201 +
191 191  The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
192 192  
193 193  First of all you need to create a principal and keytab for the webserver:
194 -{code}
205 +
206 +{{code}}
195 195  # kadmin
196 196  kadmin> addprinc -randkey HTTP/wiki.example.com
197 197  kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com
198 198  kadmin> quit
199 -{code}
211 +{{/code}}
200 200  
201 201  Make sure the keytab has the right permissions and ownership:
202 -{code}
214 +
215 +{{code}}
203 203  chown www-data:www-data /etc/apache2/ssl/wiki.keytab
204 204  chmod 400 /etc/apache2/ssl/wiki.keytab
205 -{code}
218 +{{/code}}
206 206  
207 207  Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
208 -{code}
221 +
222 +{{code}}
209 209  aptitude install libapache2-mod-auth-kerb
210 -{code}
224 +{{/code}}
225 +
211 211  Of course the installation procedure varies per Linux distribution.
212 212  
213 213  If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:
214 -{code}
229 +
230 +{{code}}
215 215  <Location /xwiki/>
216 216   AuthType Kerberos
217 217   AuthName "Kerberos Login"
... ... @@ -222,33 +222,29 @@
222 222   KrbSaveCredentials on
223 223   require valid-user
224 224  </Location>
225 -{code}
241 +{{/code}}
226 226  
227 227  Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
228 -{code}
244 +
245 +{{code}}
229 229  <Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
230 -{code}
247 +{{/code}}
231 231  
232 232  Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
233 233  
234 234  Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
235 -{code}
252 +
253 +{{code}}
236 236  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
237 -{code}
255 +{{/code}}
238 238  
239 -If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
257 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https:~/~/" for all secured connections or "example.com" for all example.com subdomains.
240 240  
259 +2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
241 241  
242 -
243 -2 JBoss SPNEGO (Kerberos in combination with LDAP)
244 -I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
245 -The authenication already happend by using the SPNEGO module (JAAS).
246 -After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
247 -The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
248 -I hope you can adopt this code or that you can use it for your own projects.
249 -
250 250  The configuration of ldap;
251 -{code}
262 +
263 +{{code}}
252 252  xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
253 253  xwiki.authentication.ldap=1
254 254  xwiki.authentication.ldap.server=<ad-server>
... ... @@ -265,10 +265,11 @@
265 265  #LDAP group mapping
266 266  xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
267 267   XWiki.XWikiAllGroup=CN=WIKI_User,...........
280 +{{/code}}
268 268  
269 -{code}
270 270  The java code
271 -{code}
283 +
284 +{{code}}
272 272  package com.wiki.sso;
273 273  
274 274  
... ... @@ -391,5 +391,4 @@
391 391   return principal;
392 392   }
393 393  }
394 -{code}
395 -
407 +{{/code}}
XWiki.XWikiComments[0]
Comment
... ... @@ -1,3 +1,4 @@
1 1  Can anyone explain, how to build user's wikiname from LDAP fields? I suppose ldap_UID_attr or ldap_fields_mapping should do the job.
2 2  
3 -I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES\\morism in the upper-right conner, but I beleive it should be MorisMoss.
3 +I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES
4 +morism in the upper-right conner, but I beleive it should be MorisMoss.
XWiki.XWikiComments[1]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
1 +I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
XWiki.XWikiComments[2]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[3]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[4]
Comment
... ... @@ -1,4 +1,1 @@
1 -Is the example AD configuration above the right way to do things?
2 -My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form.
3 -If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously.
4 -I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
1 +Is the example AD configuration above the right way to do things? My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form. If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously. I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
XWiki.XWikiComments[5]
Comment
... ... @@ -1,3 +1,1 @@
1 -I need to use Sun Access Manager to authenticate users against global web SSO.
2 -I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ...
3 -Isn't this public or should i retrieve whole sources and build the doc by myself ?
1 +I need to use Sun Access Manager to authenticate users against global web SSO. I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ... Isn't this public or should i retrieve whole sources and build the doc by myself ?
XWiki.XWikiComments[6]
Comment
... ... @@ -1,2 +1,1 @@
1 -I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..."
2 -I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
1 +I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..." I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!

Get Connected