From version 96.1, edited by Vincent Massol on 2017/10/02
To version 98.1, edited by Thomas Mortagne on 2018/02/09
Change comment: There is no comment for this version

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.VincentMassol
1 +XWiki.ThomasMortagne
Content
... ... @@ -50,244 +50,17 @@
50 50  
51 51  == Active Directory ==
52 52  
53 -If you're looking to connect XWiki to an Active Directory server, you have 2 options:
53 +If you're looking to connect XWiki to an Active Directory server, you currently have 2 options:
54 54  
55 -* Using the manual and generic approach listed below
55 +* Using the manual and generic approach using the [[LDAP Authenticator extension>>extensions:Extension.LDAP.Authenticator]]
56 56  * Using the dedicated [[Active Directory Application>>https://store.xwiki.com/xwiki/bin/view/Extension/ActiveDirectoryApplication]] which is a paying application dedicated to simplifying the integration of Active Directory with XWiki.
57 57  
58 -== Generic LDAP configuration ==
58 +== Any other LDAP server ==
59 59  
60 -It's recommended to use the [[LDAP Authenticator extension>>extensions:Extension.LDAP.Authenticator]] instead of the core LDAP authenticator.
60 +Use the [[LDAP Authenticator extension>>extensions:Extension.LDAP.Authenticator]].
61 61  
62 -The following documentation is for the core LDAP authenticator which has been removed in 8.3.
62 +The deprecated LDAP core authenticator (for XWiki < 7.4) can be found on [[OldLDAPAuthenticator]].
63 63  
64 -If you are going to use the [[LDAP Admin Extension>>extensions:Extension.LDAP.Application]], which makes it easier to configure LDAP, then you only need to uncomment ##xwiki.authentication.authclass## property and //nothing// else. Unlike editing ##xwiki.cfg##, which requires you to redeploy the XWiki webapp, LDAP Extension allows you to make changes without restarting.
65 -
66 -In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
67 -
68 -{{code language="properties"}}
69 -#-# LDAP authentication service
70 -# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
71 -
72 -#-# Turn LDAP authentication on - otherwise only XWiki authentication
73 -#-# - 0: disable
74 -#-# - 1: enable
75 -#-# The default is 0
76 -# xwiki.authentication.ldap=1
77 -{{/code}}
78 -
79 -You can setup the LDAP configuration in the **xwiki.cfg** file by filling the following properties:
80 -
81 -{{code language="properties"}}
82 -#-# Turn LDAP authentication on - otherwise only XWiki authentication
83 -#-# - 0: disable
84 -#-# - 1: enable
85 -#-# The default is 0
86 -# xwiki.authentication.ldap=1
87 -
88 -#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
89 -xwiki.authentication.ldap.server=127.0.0.1
90 -xwiki.authentication.ldap.port=389
91 -
92 -#-# LDAP login, empty = anonymous access, otherwise specify full dn
93 -#-# {0} is replaced with the user name, {1} with the password
94 -xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
95 -xwiki.authentication.ldap.bind_pass={1}
96 -
97 -#-# The Base DN used in LDAP searches
98 -xwiki.authentication.ldap.base_DN=
99 -
100 -#-# LDAP query to search the user in the LDAP database (in case a static admin user is provided in
101 -#-# xwiki.authentication.ldap.bind_DN)
102 -#-# {0} is replaced with the user uid field name and {1} with the user name
103 -#-# The default is ({0}={1})
104 -# xwiki.authentication.ldap.user_search_fmt=({0}={1})
105 -
106 -#-# Only members of the following group can authenticate.
107 -#-# The following kind of groups are supported:
108 -#-# * LDAP static groups (users/subgroups are listed statically in the group object)
109 -#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
110 -#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter)
111 -# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US
112 -
113 -#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
114 -#-# Only users not member of the following group can authenticate.
115 -#-# The following kind of groups are supported:
116 -#-# * LDAP static groups (users/subgroups are listed statically in the group object)
117 -#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
118 -#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter)
119 -# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US
120 -
121 -#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
122 -#-# The default is cn
123 -# xwiki.authentication.ldap.UID_attr=cn
124 -
125 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
126 -#-# The potential LDAP groups classes. Separated by commas.
127 -# xwiki.authentication.ldap.group_classes=group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList,posixGroup,apple-group
128 -
129 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
130 -#-# The potential names of the LDAP groups fields containings the members. Separated by commas.
131 -# xwiki.authentication.ldap.group_memberfields=member,uniqueMember,memberUid
132 -
133 -#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
134 -xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,email=mail
135 -
136 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
137 -#-# On every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki
138 -#-# account is created.
139 -#-# - 0: only when creating user
140 -#-# - 1: at each authentication
141 -#-# The default is 0
142 -xwiki.authentication.ldap.update_user=1
143 -
144 -#-# [Since 8.1M2, XWikiLDAPAuthServiceImpl]
145 -#-# On every login update photo from LDAP to XWiki avatar otherwise photo will not be updated.
146 -#-# - 0: never
147 -#-# - 1: at each authentication
148 -#-# The default is 0
149 -# xwiki.authentication.ldap.update_photo=0
150 -
151 -#-# [Since 8.1M2, XWikiLDAPAuthServiceImpl]
152 -#-# Profile attachment name which will be used to save LDAP photo.
153 -#-# The default is ldapPhoto
154 -# xwiki.authentication.ldap.photo_attachment_name=ldapPhoto
155 -
156 -#-# [Since 8.1M2, XWikiLDAPAuthServiceImpl]
157 -#-# Specifies the LDAP attribute containing the binary photo
158 -#-# The default is thumbnailPhoto
159 -# xwiki.authentication.ldap.photo_attribute=thumbnailPhoto
160 -
161 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
162 -#-# Maps XWiki groups to LDAP groups, separator is "|".
163 -#-# The following kind of groups are supported:
164 -#-# * LDAP static groups (users/subgroups are listed statically in the group object)
165 -#-# * [Since 3.3M1] LDAP organization units (users/subgroups are sub object of the provided organization unit)
166 -#-# * [Since 3.3M1] LDAP filter (users/groups are object found in a search with the provided filter),
167 -#-# | character in the filter need to be escaped with backslash (\).
168 -#-#
169 -#-# Here is an example:
170 -# xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=domain,c=com|\
171 -# XWiki.LDAPUsers=ou=groups,o=domain,c=com|\
172 -# XWiki.Organisation=(cn=testers)
173 -
174 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
175 -#-# Time in s after which the list of members in a group is refreshed from LDAP
176 -#-# The default is 21600 (6 hours)
177 -# xwiki.authentication.ldap.groupcache_expiration=21600
178 -
179 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
180 -#-# - create : synchronize group membership only when the user is first created
181 -#-# - always: synchronize on every login
182 -#-# The default is always
183 -# xwiki.authentication.ldap.mode_group_sync=always
184 -
185 -#-# [Since 7.2M3, XWikiLDAPAuthServiceImpl]
186 -#-# Indicate groups members should be resolved in case they are subgroups.
187 -#-# Doing so can be very expensive so it should be disabled if you know there is no subgroups
188 -#-# (or if you don't care about them).
189 -#-# If the group is actually a filter it will always be resolved since it does not make sense left alone.
190 -#-# - 0: disable
191 -#-# - 1: enable
192 -#-# The default is 1
193 -# xwiki.authentication.ldap.group_sync_resolve_subgroups=0
194 -
195 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
196 -#-# If ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
197 -#-# - 0: disable
198 -#-# - 1: enable
199 -#-# The default is 0
200 -xwiki.authentication.ldap.trylocal=1
201 -
202 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
203 -#-# SSL connection to LDAP server
204 -#-# - 0: normal
205 -#-# - 1: SSL
206 -#-# The default is 0
207 -# xwiki.authentication.ldap.ssl=0
208 -
209 -#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
210 -#-# The keystore file to use in SSL connection
211 -# xwiki.authentication.ldap.ssl.keystore=
212 -
213 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
214 -#-# The java secure provider used in SSL connection
215 -#-# The default is com.sun.net.ssl.internal.ssl.Provider
216 -# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
217 -
218 -#-# Bypass standard LDAP bind validation by doing a direct password comparison.
219 -#-# If you don't know what you do, don't use that. It's covering very rare and bad use cases.
220 -#-# - 0: disable
221 -#-# - 1: enable
222 -#-# The default is 0
223 -# xwiki.authentication.ldap.validate_password=0
224 -
225 -#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
226 -#-# Specifies the LDAP attribute containing the password to be used "when xwiki.authentication.ldap.validate_password"
227 -#-# is set to 1
228 -# xwiki.authentication.ldap.password_field=userPassword
229 -
230 -#-# [Since 4.3M1, XWikiLDAPAuthServiceImpl]
231 -#-# The maximum number of milliseconds the client waits for any operation under these constraints to complete.
232 -#-# The default is 1000
233 -# xwiki.authentication.ldap.timeout=1000
234 -
235 -#-# [Since 6.3M1, XWikiLDAPAuthServiceImpl]
236 -#-# The maximum number of search results to be returned from a search operation.
237 -#-# The default is 1000
238 -# xwiki.authentication.ldap.maxresults=1000
239 -{{/code}}
240 -
241 -{{info}}
242 -You can also setup the LDAP configuration in the XWiki.XWikiPreferences page by going to the object editor. Simply replace **xwiki.authentication.ldap.** with **ldap_**. For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##.
243 -{{/info}}
244 -
245 -== LDAP clients ==
246 -
247 -For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
248 -
249 -Here are some LDAP clients for checking your configuration:
250 -
251 -Extensions:
252 -
253 -* [[LDAP query snippet>>snippets:Extension.LDAP Query]]
254 -
255 -Java based and Open Source:
256 -
257 -* [[Apache Directory Studio>>http://directory.apache.org/studio/]]
258 -* [[JXplorer>>http://jxplorer.org/]]
259 -
260 -Windows only:
261 -
262 -* [[Softerra LDAP Browser>>http://www.ldapbrowser.com/info_softerra-ldap-browser.htm]]
263 -
264 -== Detailed use cases ==
265 -
266 -See the [[LDAP configuration uses cases>>Documentation.AdminGuide.LDAPAuthenticationUseCases]] for some detailed use cases.
267 -
268 -== Enable LDAP debug log ==
269 -
270 -See [[Documentation.AdminGuide.Logging]].
271 -
272 -The specific packages to track for LDAP are ##com.xpn.xwiki.plugin.ldap## and ##com.xpn.xwiki.user.impl.LDAP##.
273 -
274 -Starting with XWiki 4.2 we added a new [[Logging UI>>extensions:Extension.Logging Application]] from the Administration section, which allows logging to be enabled at runtime, directly from the UI, without the need to restart the wiki.
275 -
276 -In XWiki 3.4 you need to add the following in ##WEB-INF/classes/logback.xml##:
277 -
278 -{{code}}
279 -<!-- LDAP debugging -->
280 -<logger name="com.xpn.xwiki.plugin.ldap" level="trace"/>
281 -<logger name="com.xpn.xwiki.user.impl.LDAP" level="trace"/>
282 -{{/code}}
283 -
284 -Before 3.1, add the following to the log4j configuration file:
285 -
286 -{{code}}
287 -log4j.logger.com.xpn.xwiki.plugin.ldap=trace
288 -log4j.logger.com.xpn.xwiki.user.impl.LDAP=trace
289 -{{/code}}
290 -
291 291  = Custom Authentication =
292 292  
293 293  This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
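Review bot: the version boundary in the replacement sentence under "== Any other LDAP server ==" contradicts the line it replaces: the removed text said the core LDAP authenticator "has been removed in 8.3", while the new text describes it as "for XWiki < 7.4". Pick one cut-off that matches what the [[OldLDAPAuthenticator]] page states, otherwise administrators running 7.4 to 8.2 cannot tell which authenticator applies to them. The hunk also drops the "LDAP clients", "Detailed use cases" and "Enable LDAP debug log" sections with no forward pointer; the logger names ##com.xpn.xwiki.plugin.ldap## and ##com.xpn.xwiki.user.impl.LDAP## and the link to ##Documentation.AdminGuide.LDAPAuthenticationUseCases## are troubleshooting material that is not specific to the core authenticator's property list, so either confirm they were moved to [[OldLDAPAuthenticator]] or the extension page, or keep a one-line reference here. Minor style point on the first bullet of the Active Directory list: "Using the manual and generic approach using the ..." repeats "using"; suggest "Using the generic [[LDAP Authenticator extension>>extensions:Extension.LDAP.Authenticator]]".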