Changes for page User Authentication

Last modified by Thomas Mortagne on 2023/04/28

From version 34.1, edited by Silvia Macovei on 2010/03/04
To version 33.1, edited by Thomas Mortagne on 2010/01/20
Change comment: There is no comment for this version

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.SilviaRusu
1 +XWiki.ThomasMortagne
Syntax
... ... @@ -1,1 +1,1 @@
1 -XWiki 2.0
1 +XWiki 1.0
Content
... ... @@ -1,30 +1,24 @@
1 -= User Authentication =
1 +1 User Authentication
2 2  
3 3  XWiki supports several different authentication mechanisms for authenticating users:
4 +#toc("" "" "")
4 4  
5 -{{toc start="" depth="" numbered=""/}}
6 -
7 7  The form authentication is the default mechanism.
8 8  
9 -{{info}}
10 -Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
11 -{{/info}}
8 +#info("Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.")
12 12  
13 -== Form Authentication ==
10 +1.1 Form Authentication
14 14  
15 15  TODO
16 16  
17 -== LDAP Authentication ==
14 +1.1 LDAP Authentication
18 18  
19 -{{warning}}
20 -New LDAP implementation since XWiki Platform 1.3M2, see [[previous LDAP authentication service documentation>>AuthenticationLdapOld]]
21 -{{/warning}}
16 +#warning("New LDAP implementation since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]")
22 22  
23 -=== Generic LDAP configuration ===
18 +1.1.1 Generic LDAP configuration
24 24  
25 -In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
26 -
27 -{{code}}
20 +In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows:
21 +{code}
28 28  ## Turn LDAP authentication on - otherwise only XWiki authentication
29 29  ## 0 : disable
30 30  ## 1 : enable
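Review bot: the Form Authentication section (context lines `15 15  TODO`) still documents nothing about the mechanism the page calls the default, and this hunk converts its heading without filling it in. Since the info note on the `+` line says only one authentication method can be enabled at a time, at minimum say which `xwiki.authentication.authclass` value form login corresponds to and point readers to the cookie settings in the Authentication parameters table further down.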
... ... @@ -32,11 +32,12 @@
32 32  
33 33  ## set LDAP as authentication service
34 34  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
35 -{{/code}}
36 36  
37 -You can setup the LDAP configuration in the //xwiki.cfg// file by filling the following properties:
30 +{code}
38 38  
39 -{{code language="none"}}
32 +You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties:
33 +
34 +{code:none}
40 40  ## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
41 41  xwiki.authentication.ldap.server=156.58.101.204
42 42  xwiki.authentication.ldap.port=389
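Review bot: on the `+` side the closing `{code}` (`30 +{code}`) now lands after the blank context line `36 36`, so the rendered LDAP block ends with an empty line, whereas the `-` side closed it right after the `authclass` line; move the `{code}` up one line. Separately, the unchanged example `xwiki.authentication.ldap.server=156.58.101.204` is a routable-looking address; a documentation address from 192.0.2.0/24 (RFC 5737) or a placeholder such as `<ldap-server>`, as the SPNEGO example later on the page uses, avoids readers copying a live host into their configuration.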
... ... @@ -92,142 +92,131 @@
92 92  
93 93  ## The keystore file to use in SSL connection
94 94  xwiki.authentication.ldap.ssl.keystore=
95 -{{/code}}
90 +{code}
96 96  
97 -{{info}}
98 -You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace
99 -{{/info}}
92 +#info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace \"xwiki.authentication.ldap.\" by \"ldap_\". For example <tt>xwiki.authentication.ldap.base_DN</tt> become <tt>ldap_base_DN</tt>")
100 100  
101 101  For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
102 102  
103 103  Here are some LDAP client for checking your configuration:
97 +* [Apache Directory Studio>http://directory.apache.org/studio/]
98 +* [LDAP Browser/Editor>http://www-unix.mcs.anl.gov/~gawor/ldap/]
104 104  
105 -* [[Apache Directory Studio>>http://directory.apache.org/studio/]]
106 -* [[LDAP Browser/Editor>>http://www-unix.mcs.anl.gov/gawor/ldap/]]
100 +1.1.1 Detailed use cases
107 107  
108 -=== Detailed use cases ===
102 +See [LDAP configuration uses cases>LDAPAuthenticationUseCases] for some detailed use cases.
109 109  
110 -See [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
104 +1.1.1 Enable LDAP debug log
111 111  
112 -=== Enable LDAP debug log ===
113 -
114 -See [[AdminGuide.Logging]]. The specific targets for LDAP authentication are:
115 -
116 -{{code}}
106 +See [AdminGuide.Logging]. The specific targets for LDAP authentication are:
107 +{code}
117 117  log4j.logger.com.xpn.xwiki.plugin.ldap=debug
118 118  log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug
119 -{{/code}}
110 +{code}
120 120  
121 -== eXo Authentication ==
122 122  
123 -The eXo authentication is used automatically by adding/editing the //xwiki.exo=1// property in //WEB-INF/xwiki.cfg//.
113 +1.1 eXo Authentication
124 124  
125 -== Custom Authentication ==
115 +The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.
126 126  
117 +1.1 Custom Authentication
118 +
127 127  This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
120 +# Implement the [XWikiAuthService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java] interface.
121 +# Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example:
128 128  
129 -1. Implement the [[XWikiAuthService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java]] interface.
130 -1. Edit the //WEB-INF/xwiki.cfg// file and add a //xwiki.authentication.authclass// property pointing to your class. For example:
131 -
132 -{{code}}
123 +{code}
133 133  xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
134 -{{/code}}
125 +{code}
135 135  
136 -Here's a [[tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]].
127 +Here's a [tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/].
137 137  
138 -Note, that you also can implement own right management service by implementing [[XWikiRightService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java]] interface:
139 -
140 -{{code}}
129 +Note, that you also can implement own right management service by implementing [XWikiRightService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java] interface:
130 +{code}
141 141  xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
142 -{{/code}}
132 +{code}
143 143  
144 -and Group Service by implementing [[XWikiGroupService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]]:
134 +and Group Service by implementing [XWikiGroupService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]:
145 145  
146 -{{code}}
136 +{code}
147 147  xwiki.authentication.groupclass = com.acme.MyCustomGroupService
148 -{{/code}}
138 +{code}
149 149  
150 -=== Custom Authentication using a Groovy script in a wiki page ===
140 +1.1.1 Custom Authentication using a Groovy script in a wiki page
151 151  
152 152  Start by specifying you want to use the Groovy Authenticator:
153 153  
154 -{{code}}
144 +{code}
155 155  xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl
156 -{{/code}}
146 +{code}
157 157  
158 158  Then add another configuration parameter to specify in which wiki page the authenticator is:
159 159  
160 -{{code}}
150 +{code}
161 161  xwiki.authentication.groovy.pagename = MySpace.MyPage
162 -{{/code}}
152 +{code}
163 163  
164 164  Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
165 165  
166 -== Authentication parameters ==
156 +1.1 Authentication parameters
167 167  
168 168  You can set each of these parameters by setting:
169 169  
170 -{{code}}
160 +{code}
171 171  xwiki.authentication.~~param_name~~=~~param_value~~
172 -{{/code}}
162 +{code}
173 173  
174 -|=Name|=Optional|=Allowed values|=Default value|=Description
175 -|encryptionKey|No(1)|?|n/a|Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
176 -|validationKey|No(2)|?|n/a|Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
177 -|cookiedomains|Yes|String|Server host name|Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
178 -|cookielife|Yes|Number|14|Number of days cookies take to expire
179 -|cookiepath|Yes|String|/|The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ///xwiki//
180 -|default_page|Yes|String|/bin/view/ Main/WebHome|Page to redirect to if xredirect parameter is not set
181 -|encryptionalgorithm|Yes|?|?|Set the Encryption Algorithm used to encrypt and decrypt cookies
182 -|encryptionmode|Yes|?|?|Set the Encryption Mode used to encrypt and decrypt cookies
183 -|encryptionpadding|Yes|?|?|Set the Encryption Padding used to encrypt and decrypt cookies
184 -|errorpage|Yes|String|/bin/loginerror/ XWiki/XWikiLogin|Page to redirect to if there is an error logging in
185 -|loginpage|Yes|String|/bin/login/ XWiki/XWikiLogin|Page to redirect to when not logged in
186 -|loginsubmitpage|Yes|String|/loginsubmit/ XWiki/XWikiLogin|?
187 -|logoutpage|Yes|String|/bin/logout/ XWiki/XWikiLogout|Page to redirect to after logged out
188 -|realmname|Yes|String|XWiki|Sets the realm name
189 -|protection|Yes|all, validation, encryption, none|all|Protection level for the "remember me" cookie functionality
190 -|unauthorized_code|Yes|?|?|?
191 -|useip|Yes|true / false|true|Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
164 +{table}
165 +Name | Optional | Allowed values | Default value | Description
166 +encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
167 +validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
168 +cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
169 +cookielife | Yes | Number | 14 | Number of days cookies take to expire
170 +cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~
171 +default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set
172 +encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies
173 +encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies
174 +encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies
175 +errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in
176 +loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in
177 +loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ?
178 +logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out
179 +realmname | Yes | String | XWiki | Sets the realm name
180 +protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality
181 +unauthorized_code | Yes | ? | ? | ?
182 +useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
183 +{table}
184 +# Only required if protection = encryption or all (default)
185 +# Only required if protection = validation or all (default)
192 192  
193 -1. Only required if protection = encryption or all (default)
194 -1. Only required if protection = validation or all (default)
187 +1.1 Kerberos SSO Authentication
195 195  
196 -== Kerberos SSO Authentication ==
189 +#warning("This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!")
197 197  
198 -{{warning}}
199 -This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!
200 -{{/warning}}
201 -
202 202  The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
203 203  
204 204  First of all you need to create a principal and keytab for the webserver:
205 -
206 -{{code}}
194 +{code}
207 207  # kadmin
208 208  kadmin> addprinc -randkey HTTP/wiki.example.com
209 209  kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com
210 210  kadmin> quit
211 -{{/code}}
199 +{code}
212 212  
213 213  Make sure the keytab has the right permissions and ownership:
214 -
215 -{{code}}
202 +{code}
216 216  chown www-data:www-data /etc/apache2/ssl/wiki.keytab
217 217  chmod 400 /etc/apache2/ssl/wiki.keytab
218 -{{/code}}
205 +{code}
219 219  
220 220  Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
221 -
222 -{{code}}
208 +{code}
223 223  aptitude install libapache2-mod-auth-kerb
224 -{{/code}}
225 -
210 +{code}
226 226  Of course the installation procedure varies per Linux distribution.
227 227  
228 228  If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:
229 -
230 -{{code}}
214 +{code}
231 231  <Location /xwiki/>
232 232   AuthType Kerberos
233 233   AuthName "Kerberos Login"
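Review bot: this hunk shows that the XWiki 2.0 version (the `-` side) lost content that the 1.0 version (the `+` side) still carries, so the `+` side is the one to trust when the page is migrated again. The info box was cut off after `Simply replace` (`98 -`) while `92 +` keeps the full instruction about replacing `xwiki.authentication.ldap.` with `ldap_`; the LDAP Browser/Editor URL dropped the `~` before `gawor` (`106 -` versus `98 +`), which makes the link wrong; and the `2 JBoss SPNEGO (Kerberos in combination with LDAP)` heading plus the five sentences that follow it were merged into one paragraph (`259 -`) instead of the separate lines `243 +` to `248 +`. Re-check these three spots on any future conversion, and escape the tilde in that URL the same way the `-` side escapes the slashes in `https:~/~/` (`257 -`).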
... ... @@ -238,29 +238,33 @@
238 238   KrbSaveCredentials on
239 239   require valid-user
240 240  </Location>
241 -{{/code}}
225 +{code}
242 242  
243 243  Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
244 -
245 -{{code}}
228 +{code}
246 246  <Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
247 -{{/code}}
230 +{code}
248 248  
249 249  Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
250 250  
251 251  Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
252 -
253 -{{code}}
235 +{code}
254 254  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
255 -{{/code}}
237 +{code}
256 256  
257 -If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https:~/~/" for all secured connections or "example.com" for all example.com subdomains.
239 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
258 258  
259 -2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
260 260  
261 -The configuration of ldap;
262 262  
263 -{{code}}
243 +2 JBoss SPNEGO (Kerberos in combination with LDAP)
244 +I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
245 +The authenication already happend by using the SPNEGO module (JAAS).
246 +After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
247 +The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
248 +I hope you can adopt this code or that you can use it for your own projects.
249 +
250 +The configuration of ldap;
251 +{code}
264 264  xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
265 265  xwiki.authentication.ldap=1
266 266  xwiki.authentication.ldap.server=<ad-server>
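Review bot: `tomcatAuthentication="false"` on context line `246 246` means Tomcat accepts the user identity that Apache HTTPD passes over AJP without checking it, so the whole Kerberos setup rests on that connector being reachable only from HTTPD. The example already binds it with `address="127.0.0.1"`; the prose should state that this binding (or an equivalent firewall rule) is mandatory, not incidental, because an AJP port reachable from elsewhere would let whoever reaches it assert any username. `KrbSaveCredentials on` in the `<Location /xwiki/>` block (`238 238`) is also left unexplained; say what the saved credentials are used for or leave the directive out of the example.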
... ... @@ -277,11 +277,10 @@
277 277  #LDAP group mapping
278 278  xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
279 279   XWiki.XWikiAllGroup=CN=WIKI_User,...........
280 -{{/code}}
281 281  
269 +{code}
282 282  The java code
283 -
284 -{{code}}
271 +{code}
285 285  package com.wiki.sso;
286 286  
287 287  
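Review bot: the `+` side closes the LDAP configuration block after the blank context line `281 281` (`269 +{code}`) and then runs straight into `The java code` with no separating blank line, while the `-` side closed the block immediately and kept the separator; move `{code}` up one line and restore the blank line. The group mapping on lines `278`/`279` ends the first line with `|\` and elides the DNs as `............`, so readers cannot tell whether the trailing backslash is part of the value or the properties-file line continuation; say so in the prose, or show one complete mapping.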
... ... @@ -404,4 +404,5 @@
404 404   return principal;
405 405   }
406 406  }
407 -{{/code}}
394 +{code}
395 +
XWiki.XWikiComments[0]
Comment
... ... @@ -1,4 +1,3 @@
1 1  Can anyone explain, how to build user's wikiname from LDAP fields? I suppose ldap_UID_attr or ldap_fields_mapping should do the job.
2 2  
3 -I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES
4 -morism in the upper-right conner, but I beleive it should be MorisMoss.
3 +I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES\\morism in the upper-right conner, but I beleive it should be MorisMoss.
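Review bot: the `-` side splits `DENHOLM_INDUSTRIES\\morism` across two lines (`3 -`/`4 -`) and drops the backslashes, so a reader of the 2.0 version never sees the `DOMAIN\user` login format the commenter is describing; the `+` side keeps the line intact. On any future conversion to 2.0 syntax the backslash needs escaping so it stays a literal character, the way the `-` side of the content diff escapes `/` in `https:~/~/`, rather than being turned into a line break.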
XWiki.XWikiComments[1]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
1 +I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
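Review bot: the `-` and `+` lines of this hunk are identical as displayed, so it records no visible change to comment 1, and the same holds for comments 2 and 3 below. If the only difference is whitespace or line endings, these hunks are noise in the version diff; review with whitespace ignored so the real content changes above stand out.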
XWiki.XWikiComments[2]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[3]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[4]
Comment
... ... @@ -1,1 +1,4 @@
1 -Is the example AD configuration above the right way to do things? My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form. If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously. I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
1 +Is the example AD configuration above the right way to do things?
2 +My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form.
3 +If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously.
4 +I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
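Review bot: this hunk only reflows comment 4 into four lines, but its last line reports that with `bind_DN`/`bind_pass` hard-coded XWiki 'authenticates OK' any username and password, including users that do not exist in AD at all. That is a fail-open authentication report and belongs in a tracked issue against the LDAP authenticator, with the exact configuration attached, rather than in a page comment; the documentation should also confirm or correct the commenter's reading that `bind_DN`/`bind_pass` are the search account and that `UID_attr` is then looked up for the submitted username, since that is the part a reader needs to get right.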
XWiki.XWikiComments[5]
Comment
... ... @@ -1,1 +1,3 @@
1 -I need to use Sun Access Manager to authenticate users against global web SSO. I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ... Isn't this public or should i retrieve whole sources and build the doc by myself ?
1 +I need to use Sun Access Manager to authenticate users against global web SSO.
2 +I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ...
3 +Isn't this public or should i retrieve whole sources and build the doc by myself ?
XWiki.XWikiComments[6]
Comment
... ... @@ -1,1 +1,2 @@
1 -I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..." I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
1 +I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..."
2 +I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
