Changes for page User Authentication

Last modified by Thomas Mortagne on 2023/04/28

From version < 34.2 >

edited by Silvia Macovei
on 2010/03/04

To version < 33.1 >

edited by Thomas Mortagne
on 2010/01/20

Change comment: There is no comment for this version

Raw
Rendered

Summary

Page properties (4 modified, 0 added, 0 removed)
Objects (7 modified, 0 added, 0 removed)

Details

Page properties

Title

...	...	@@ -1,1 +1,0 @@
1		-User Authentication

Author

@@ -1,1 +1,1 @@
--XWiki.SilviaRusu
++XWiki.ThomasMortagne

Syntax

@@ -1,1 +1,1 @@
--XWiki 2.0
++XWiki 1.0

Content

@@ -1,28 +1,24 @@
++1 User Authentication
++
  XWiki supports several different authentication mechanisms for authenticating users:
++#toc("" "" "")
--{{toc/}}
--
  The form authentication is the default mechanism.
--{{info}}
--Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
--{{/info}}
++#info("Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.")
--= Form Authentication =
++1.1 Form Authentication
  TODO
--= LDAP Authentication =
++1.1 LDAP Authentication
--{{warning}}
--New LDAP implementation since XWiki Platform 1.3M2, see [[previous LDAP authentication service documentation>>AuthenticationLdapOld]]
--{{/warning}}
++#warning("New LDAP implementation since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]")
--== Generic LDAP configuration ==
++1.1.1 Generic LDAP configuration
--In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
--
--{{code}}
++In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows:
++{code}
  ## Turn LDAP authentication on - otherwise only XWiki authentication
  ## 0 : disable
  ## 1 : enable
@@ -30,11 +30,12 @@
  ## set LDAP as authentication service
  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
--{{/code}}
--You can setup the LDAP configuration in the //xwiki.cfg// file by filling the following properties:
++{code}
--{{code language="none"}}
++You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties:
++
++{code:none}
  ## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
  xwiki.authentication.ldap.server=156.58.101.204
  xwiki.authentication.ldap.port=389
@@ -90,142 +90,131 @@
  ## The keystore file to use in SSL connection
  xwiki.authentication.ldap.ssl.keystore=
--{{/code}}
++{code}
--{{info}}
--You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace "xwiki.authentication.ldap." by "ldap_". For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##
--{{/info}}
++#info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace \"xwiki.authentication.ldap.\" by \"ldap_\". For example <tt>xwiki.authentication.ldap.base_DN</tt> become <tt>ldap_base_DN</tt>")
  For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
  Here are some LDAP client for checking your configuration:
++* [Apache Directory Studio>http://directory.apache.org/studio/]
++* [LDAP Browser/Editor>http://www-unix.mcs.anl.gov/~gawor/ldap/]
--* [[Apache Directory Studio>>http://directory.apache.org/studio/]]
--* [[LDAP Browser/Editor>>http://www-unix.mcs.anl.gov/gawor/ldap/]]
++1.1.1 Detailed use cases
--== Detailed use cases ==
++See [LDAP configuration uses cases>LDAPAuthenticationUseCases] for some detailed use cases.
--See [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
++1.1.1 Enable LDAP debug log
--== Enable LDAP debug log ==
--
--See [[AdminGuide.Logging]]. The specific targets for LDAP authentication are:
--
--{{code}}
++See [AdminGuide.Logging]. The specific targets for LDAP authentication are:
++{code}
  log4j.logger.com.xpn.xwiki.plugin.ldap=debug
  log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug
--{{/code}}
++{code}
--= eXo Authentication =
--The eXo authentication is used automatically by adding/editing the //xwiki.exo=1// property in //WEB-INF/xwiki.cfg//.
++1.1 eXo Authentication
--= Custom Authentication =
++The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.
++1.1 Custom Authentication
++
  This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
++# Implement the [XWikiAuthService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java] interface.
++# Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example:
--1. Implement the [[XWikiAuthService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java]] interface.
--1. Edit the //WEB-INF/xwiki.cfg// file and add a //xwiki.authentication.authclass// property pointing to your class. For example:
--
--{{code}}
++{code}
  xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
--{{/code}}
++{code}
--Here's a [[tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]].
++Here's a [tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/].
--Note, that you also can implement own right management service by implementing [[XWikiRightService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java]] interface:
--
--{{code}}
++Note, that you also can implement own right management service by implementing [XWikiRightService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java] interface:
++{code}
  xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
--{{/code}}
++{code}
--and Group Service by implementing [[XWikiGroupService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]]:
++and Group Service by implementing [XWikiGroupService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]:
--{{code}}
++{code}
  xwiki.authentication.groupclass = com.acme.MyCustomGroupService
--{{/code}}
++{code}
--== Custom Authentication using a Groovy script in a wiki page ==
++1.1.1 Custom Authentication using a Groovy script in a wiki page
  Start by specifying you want to use the Groovy Authenticator:
--{{code}}
++{code}
  xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl
--{{/code}}
++{code}
  Then add another configuration parameter to specify in which wiki page the authenticator is:
--{{code}}
++{code}
  xwiki.authentication.groovy.pagename = MySpace.MyPage
--{{/code}}
++{code}
  Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
--= Authentication parameters ===
++1.1 Authentication parameters
  You can set each of these parameters by setting:
--{{code}}
++{code}
  xwiki.authentication.~~param_name~~=~~param_value~~
--{{/code}}
++{code}
--|=Name|=Optional|=Allowed values|=Default value|=Description
--|encryptionKey|No(1)|?|n/a|Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
--|validationKey|No(2)|?|n/a|Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
--|cookiedomains|Yes|String|Server host name|Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
--|cookielife|Yes|Number|14|Number of days cookies take to expire
--|cookiepath|Yes|String|/|The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ///xwiki//
--|default_page|Yes|String|/bin/view/ Main/WebHome|Page to redirect to if xredirect parameter is not set
--|encryptionalgorithm|Yes|?|?|Set the Encryption Algorithm used to encrypt and decrypt cookies
--|encryptionmode|Yes|?|?|Set the Encryption Mode used to encrypt and decrypt cookies
--|encryptionpadding|Yes|?|?|Set the Encryption Padding used to encrypt and decrypt cookies
--|errorpage|Yes|String|/bin/loginerror/ XWiki/XWikiLogin|Page to redirect to if there is an error logging in
--|loginpage|Yes|String|/bin/login/ XWiki/XWikiLogin|Page to redirect to when not logged in
--|loginsubmitpage|Yes|String|/loginsubmit/ XWiki/XWikiLogin|?
--|logoutpage|Yes|String|/bin/logout/ XWiki/XWikiLogout|Page to redirect to after logged out
--|realmname|Yes|String|XWiki|Sets the realm name
--|protection|Yes|all, validation, encryption, none|all|Protection level for the "remember me" cookie functionality
--|unauthorized_code|Yes|?|?|?
--|useip|Yes|true / false|true|Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
++{table}
++Name | Optional | Allowed values | Default value | Description
++encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
++validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
++cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
++cookielife | Yes | Number | 14 | Number of days cookies take to expire
++cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~
++default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set
++encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies
++encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies
++encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies
++errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in
++loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in
++loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ?
++logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out
++realmname | Yes | String | XWiki | Sets the realm name
++protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality
++unauthorized_code | Yes | ? | ? | ?
++useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
++{table}
++# Only required if protection = encryption or all (default)
++# Only required if protection = validation or all (default)
--1. Only required if protection = encryption or all (default)
--1. Only required if protection = validation or all (default)
++1.1 Kerberos SSO Authentication
--= Kerberos SSO Authentication =
++#warning("This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!")
--{{warning}}
--This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!
--{{/warning}}
--
  The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
  First of all you need to create a principal and keytab for the webserver:
--
--{{code}}
++{code}
  # kadmin
  kadmin> addprinc -randkey HTTP/wiki.example.com
  kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com
  kadmin> quit
--{{/code}}
++{code}
  Make sure the keytab has the right permissions and ownership:
--
--{{code}}
++{code}
  chown www-data:www-data /etc/apache2/ssl/wiki.keytab
  chmod 400 /etc/apache2/ssl/wiki.keytab
--{{/code}}
++{code}
  Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
--
--{{code}}
++{code}
  aptitude install libapache2-mod-auth-kerb
--{{/code}}
--
++{code}
  Of course the installation procedure varies per Linux distribution.
  If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:
--
--{{code}}
++{code}
  <Location /xwiki/>
    AuthType Kerberos
    AuthName "Kerberos Login"
@@ -236,29 +236,33 @@
    KrbSaveCredentials on
    require valid-user
  </Location>
--{{/code}}
++{code}
  Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
--
--{{code}}
++{code}
  <Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
--{{/code}}
++{code}
  Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
  Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
--
--{{code}}
++{code}
  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
--{{/code}}
++{code}
--If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https:~/~/" for all secured connections or "example.com" for all example.com subdomains.
++If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
--2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
--The configuration of ldap:
--{{code}}
++2 JBoss SPNEGO (Kerberos in combination with LDAP)
++I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
++The authenication already happend by using the SPNEGO module (JAAS).
++After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
++The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
++I hope you can adopt this code or that you can use it for your own projects.
++
++The configuration of ldap;
++{code}
  xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
  xwiki.authentication.ldap=1
  xwiki.authentication.ldap.server=<ad-server>
@@ -275,11 +275,10 @@
  #LDAP group mapping
  xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
                                          XWiki.XWikiAllGroup=CN=WIKI_User,...........
--{{/code}}
++{code}
  The java code
--
--{{code}}
++{code}
  package com.wiki.sso;
@@ -402,4 +402,5 @@
          return principal;
      }
  }
--{{/code}}
++{code}
++

XWiki.XWikiComments[0]

Comment

@@ -1,4 +1,3 @@
  Can anyone explain, how to build user's wikiname from LDAP fields? I suppose ldap_UID_attr or ldap_fields_mapping should do the job.
--I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES
--morism in the upper-right conner, but I beleive it should be MorisMoss.
++I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES\\morism in the upper-right conner, but I beleive it should be MorisMoss.

XWiki.XWikiComments[1]

Comment

@@ -1,1 +1,1 @@
--I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
++I had a similar experience.  I configured the LDAP authentication to go against Active Directory.  While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory.  For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.

XWiki.XWikiComments[2]

Comment

@@ -1,1 +1,1 @@
--I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
++I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case.  Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.

XWiki.XWikiComments[3]

Comment

@@ -1,1 +1,1 @@
--I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
++I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case.  Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.

XWiki.XWikiComments[4]

Comment

@@ -1,1 +1,4 @@
--Is the example AD configuration above the right way to do things? My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form. If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously. I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
++Is the example AD configuration above the right way to do things?
++My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form.
++If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously.
++I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.

XWiki.XWikiComments[5]

Comment

@@ -1,1 +1,3 @@
--I need to use Sun Access Manager to authenticate users against global web SSO. I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ... Isn't this public or should i retrieve whole sources and build the doc by myself ?
++I need to use Sun Access Manager to authenticate users against global web SSO.
++I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ...
++Isn't this public or should i retrieve whole sources and build the doc by myself ?

XWiki.XWikiComments[6]

Comment

@@ -1,1 +1,2 @@
--I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..." I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
++I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..."
++I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!

Changes for page User Authentication

Summary

Details

Quick Links

Navigation

About

About

Support

Platform

User Guide

Admin Guide

Developer Guide

Projects

XWiki

Extensions

Other

Contribute

Status

Practices

Under the Hood

Get Involved

Get Connected