From version 95.1, edited by Vincent Massol on 2017/10/02
To version 97.1, edited by Thomas Mortagne on 2018/02/09
Change comment: There is no comment for this version

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.VincentMassol
1 +XWiki.ThomasMortagne
Content
... ... @@ -48,243 +48,15 @@
48 48  
49 49  = LDAP Authentication =
50 50  
51 -{{info}}
52 -Since 7.4 it's recommended to use the new [[LDAP Authenticator extension>>extensions:Extension.LDAP.Authenticator]] instead of the core one.
51 +== Active Directory ==
53 53  
54 -If you're using Active Directory you could also check the [[Active Directory Application>>https://store.xwiki.com/xwiki/bin/view/Extension/ActiveDirectoryApplication]] which is a paying application dedicated to simplifying the integration of Active Directory with XWiki.
53 +If you're looking to connect XWiki to an Active Directory server, you currently have 2 options:
55 55  
56 -The following documentation is for the core LDAP authenticator which has been removed in 8.3.
57 -{{/info}}
55 +* Using the manual and generic approach using the [[LDAP Authenticator extension>>extensions:Extension.LDAP.Authenticator]]
56 +* Using the dedicated [[Active Directory Application>>https://store.xwiki.com/xwiki/bin/view/Extension/ActiveDirectoryApplication]] which is a paying application dedicated to simplifying the integration of Active Directory with XWiki.
58 58  
59 -If you are going to use the [[LDAP Admin Extension>>extensions:Extension.LDAP.Application]], which makes it easier to configure LDAP, then you only need to uncomment xwiki.authentication.authclass property and //nothing// else. Unlike editing xwiki.cfg, which requires you to redeploy the XWiki webapp, LDAP Extension allows you to make changes without restarting.
58 +The deprecated LDAP core LDAP authenticator (for XWiki < 7.4) can be found on [[OldLDAPAuthenticator]].
60 60  
61 -== Generic LDAP configuration ==
62 -
63 -In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
64 -
65 -{{code language="properties"}}
66 -#-# LDAP authentication service
67 -# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
68 -
69 -#-# Turn LDAP authentication on - otherwise only XWiki authentication
70 -#-# - 0: disable
71 -#-# - 1: enable
72 -#-# The default is 0
73 -# xwiki.authentication.ldap=1
74 -{{/code}}
75 -
76 -You can setup the LDAP configuration in the **xwiki.cfg** file by filling the following properties:
77 -
78 -{{code language="properties"}}
79 -#-# Turn LDAP authentication on - otherwise only XWiki authentication
80 -#-# - 0: disable
81 -#-# - 1: enable
82 -#-# The default is 0
83 -# xwiki.authentication.ldap=1
84 -
85 -#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
86 -xwiki.authentication.ldap.server=127.0.0.1
87 -xwiki.authentication.ldap.port=389
88 -
89 -#-# LDAP login, empty = anonymous access, otherwise specify full dn
90 -#-# {0} is replaced with the user name, {1} with the password
91 -xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
92 -xwiki.authentication.ldap.bind_pass={1}
93 -
94 -#-# The Base DN used in LDAP searches
95 -xwiki.authentication.ldap.base_DN=
96 -
97 -#-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in
98 -#-# xwiki.authentication.ldap.bind_DN)
99 -#-# {0} is replaced with the user uid field name and {1} with the user name
100 -#-# The default is ({0}={1})
101 -# xwiki.authentication.ldap.user_search_fmt=({0}={1})
102 -
103 -#-# Only members of the following group can authenticate.
104 -#-# The following kind of groups are supported:
105 -#-# * LDAP static groups (users/subgroups are listed statically in the group object)
106 -#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
107 -#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter)
108 -# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
109 -
110 -#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
111 -#-# Only users not member of the following group can authenticate.
112 -#-# The following kind of groups are supported:
113 -#-# * LDAP static groups (users/subgroups are listed statically in the group object)
114 -#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
115 -#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter)
116 -# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
117 -
118 -#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
119 -#-# The default is cn
120 -# xwiki.authentication.ldap.UID_attr=cn
121 -
122 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
123 -#-# The potential LDAP groups classes. Separated by commas.
124 -# xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList,posixGroup,apple-group
125 -
126 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
127 -#-# The potential names of the LDAP groups fields containings the members. Separated by commas.
128 -# xwiki.authentication.ldap.group_memberfields=member,uniqueMember,memberUid
129 -
130 -#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
131 -xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
132 -
133 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
134 -#-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki
135 -#-# account is created.
136 -#-# - 0: only when creating user
137 -#-# - 1: at each authentication
138 -#-# The default is 0
139 -xwiki.authentication.ldap.update_user=1
140 -
141 -#-# [Since 8.1M2, XWikiLDAPAuthServiceImpl]
142 -#-# On every login update photo from LDAP to XWiki avatar otherwise photo will not be updated.
143 -#-# - 0: never
144 -#-# - 1: at each authentication
145 -#-# The default is 0
146 -# xwiki.authentication.ldap.update_photo=0
147 -
148 -#-# [Since 8.1M2, XWikiLDAPAuthServiceImpl]
149 -#-# Profile attachment name which will be used to save LDAP photo.
150 -#-# The default is ldapPhoto
151 -# xwiki.authentication.ldap.photo_attachment_name=ldapPhoto
152 -
153 -#-# [Since 8.1M2, XWikiLDAPAuthServiceImpl]
154 -#-# Specifies the LDAP attribute containing the binary photo
155 -#-# The default is thumbnailPhoto
156 -# xwiki.authentication.ldap.photo_attribute=thumbnailPhoto
157 -
158 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
159 -#-# Maps XWiki groups to LDAP groups, separator is "|".
160 -#-# The following kind of groups are supported:
161 -#-# * LDAP static groups (users/subgroups are listed statically in the group object)
162 -#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
163 -#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter),
164 -#-# | character in the filter need to be escaped with backslash (\).
165 -#-#
166 -#-# Here is an example:
167 -# xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
168 -# XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
169 -# XWiki.Organisation=(cn=testers)
170 -
171 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
172 -#-# Time in s after which the list of members in a group is refreshed from LDAP
173 -#-# The default is 21600 (6 hours)
174 -# xwiki.authentication.ldap.groupcache_expiration=21600
175 -
176 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
177 -#-# - create : synchronize group membership only when the user is first created
178 -#-# - always: synchronize on every login
179 -#-# The default is always
180 -# xwiki.authentication.ldap.mode_group_sync=always
181 -
182 -#-# [Since 7.2M3, XWikiLDAPAuthServiceImpl]
183 -#-# Indicate groups members should be resolved in case they are subgroups.
184 -#-# Doing so can be very expensive so it should be disabled if you know there is no subgroups
185 -#-# (or if you don't care about them).
186 -#-# If the group is actually a filter it will always be resolved since it does not make sense left alone.
187 -#-# - 0: disable
188 -#-# - 1: enable
189 -#-# The default is 1
190 -# xwiki.authentication.ldap.group_sync_resolve_subgroups=0
191 -
192 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
193 -#-# If ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
194 -#-# - 0: disable
195 -#-# - 1: enable
196 -#-# The default is 0
197 -xwiki.authentication.ldap.trylocal=1
198 -
199 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
200 -#-# SSL connection to LDAP server
201 -#-# - 0: normal
202 -#-# - 1: SSL
203 -#-# The default is 0
204 -# xwiki.authentication.ldap.ssl=0
205 -
206 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
207 -#-# The keystore file to use in SSL connection
208 -# xwiki.authentication.ldap.ssl.keystore=
209 -
210 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
211 -#-# The java secure provider used in SSL connection
212 -#-# The default is com.sun.net.ssl.internal.ssl.Provider
213 -# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
214 -
215 -#-# Bypass standard LDAP bind validation by doing a direct password comparison.
216 -#-# If you don't know what you do, don't use that. It's covering very rare and bad use cases.
217 -#-# - 0: disable
218 -#-# - 1: enable
219 -#-# The default is 0
220 -# xwiki.authentication.ldap.validate_password=0
221 -
222 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
223 -#-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password"
224 -#-# is set to 1
225 -# xwiki.authentication.ldap.password_field=userPassword
226 -
227 -#-# [Since 4.3M1, XWikiLDAPAuthServiceImpl]
228 -#-# The maximum number of milliseconds the client waits for any operation under these constraints to complete.
229 -#-# The default is 1000
230 -# xwiki.authentication.ldap.timeout=1000
231 -
232 -#-# [Since 6.3M1, XWikiLDAPAuthServiceImpl]
233 -#-# The maximum number of search results to be returned from a search operation.
234 -#-# The default is 1000
235 -# xwiki.authentication.ldap.maxresults=1000
236 -{{/code}}
237 -
238 -{{info}}
239 -You can also setup the LDAP configuration in the XWiki.XWikiPreferences page by going to the object editor. Simply replace **xwiki.authentication.ldap.** with **ldap_**. For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##.
240 -{{/info}}
241 -
242 -== LDAP clients ==
243 -
244 -For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
245 -
246 -Here are some LDAP clients for checking your configuration:
247 -
248 -Extensions:
249 -
250 -* [[LDAP query snippet>>snippets:Extension.LDAP Query]]
251 -
252 -Java based and Open Source:
253 -
254 -* [[Apache Directory Studio>>http://directory.apache.org/studio/]]
255 -* [[JXplorer>>http://jxplorer.org/]]
256 -
257 -Windows only:
258 -
259 -* [[Softerra LDAP Browser>>http://www.ldapbrowser.com/info_softerra-ldap-browser.htm]]
260 -
261 -== Detailed use cases ==
262 -
263 -See the [[LDAP configuration uses cases>>Documentation.AdminGuide.LDAPAuthenticationUseCases]] for some detailed use cases.
264 -
265 -== Enable LDAP debug log ==
266 -
267 -See [[Documentation.AdminGuide.Logging]].
268 -
269 -The specific packages to track for LDAP are ##com.xpn.xwiki.plugin.ldap## and ##com.xpn.xwiki.user.impl.LDAP##.
270 -
271 -Starting with XWiki 4.2 we added a new [[Logging UI>>extensions:Extension.Logging Application]] from the Administration section, which allows logging to be enabled at runtime, directly from the UI, without the need to restart the wiki.
272 -
273 -In XWiki 3.4 you need to add the following in ##WEB-INF/classes/logback.xml##:
274 -
275 -{{code}}
276 -<!-- LDAP debugging -->
277 -<logger name="com.xpn.xwiki.plugin.ldap" level="trace"/>
278 -<logger name="com.xpn.xwiki.user.impl.LDAP" level="trace"/>
279 -{{/code}}
280 -
281 -Before 3.1, add the following to the log4j configuration file:
282 -
283 -{{code}}
284 -log4j.logger.com.xpn.xwiki.plugin.ldap=trace
285 -log4j.logger.com.xpn.xwiki.user.impl.LDAP=trace
286 -{{/code}}
287 -
288 288  = Custom Authentication =
289 289  
290 290  This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
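Review bot: the new line 58, "The deprecated LDAP core LDAP authenticator (for XWiki < 7.4)", doubles the word "LDAP" and is inconsistent with the info box it replaces, which said the extension is recommended since 7.4 and the core authenticator was removed in 8.3; suggest "The deprecated core LDAP authenticator (superseded by the extension since 7.4, removed in 8.3) is documented on [[OldLDAPAuthenticator]]". The only text left under "= LDAP Authentication =" now sits under the new "== Active Directory ==" heading, so an administrator with OpenLDAP or eDirectory no longer finds a pointer to the generic [[LDAP Authenticator extension>>extensions:Extension.LDAP.Authenticator]]; keep a one-line generic pointer above the Active Directory subsection. The removed "LDAP clients" and "Enable LDAP debug log" subsections (logger names ##com.xpn.xwiki.plugin.ldap## and ##com.xpn.xwiki.user.impl.LDAP##) and the warning against the ##validate_password## direct-comparison mode have no replacement in this hunk; confirm that OldLDAPAuthenticator or the extension page carries them, otherwise admins troubleshooting failed binds lose the only documented trace switches.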