Changes for page User Authentication

Last modified by Simon Urli on 2023/12/11

From version 27.3
edited by Vincent Massol
on 2008/12/30
Change comment: Added links to interfaces
To version 30.1
edited by hexC0DE
on 2009/12/01
Change comment: i believe the mail=mail value to be in error for a microsoft active directory. it did not work for me until i changed it to email=mail. only then did it start pulling the email value correctly. (using xwiki v2.0.3) thanks!

Summary

Details

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.VincentMassol
1 +XWiki.hexC0DE
Content
... ... @@ -100,7 +100,7 @@
100 100   - *ldap_bind_DN*: domain\{0\} ~~(e.g. ad\{0\} where \{0\} will be replaced by username during validation)~~
101 101   - *ldap_bind_pass*: \{1\} ~~(where \{1\} will be replaced by password during validation)~~
102 102   - *ldap_UID_attr*: sAMAccountName
103 - - *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
103 + - *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
104 104  
105 105  Example:
106 106  {code}
... ... @@ -112,7 +112,7 @@
112 112  xwiki.authentication.ldap.bind_DN=subdomain\\{0}
113 113  xwiki.authentication.ldap.bind_pass={1}
114 114  xwiki.authentication.ldap.UID_attr=sAMAccountName
115 -xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
115 +xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,email=mail,ldap_dn=dn
116 116  {code}
117 117  
118 118  The bind_DN and bind_pass fields contain the username and password for binding to the LDAP server in order to search, which will not necessarily be the same credentials as the user logging in.
... ... @@ -136,6 +136,7 @@
136 136  log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug
137 137  {code}
138 138  
139 +
139 139  1.1 eXo Authentication
140 140  
141 141  The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.
... ... @@ -163,6 +163,22 @@
163 163  xwiki.authentication.groupclass = com.acme.MyCustomGroupService
164 164  {code}
165 165  
167 +1.1.1 Custom Authentication using a Groovy script in a wiki page
168 +
169 +Start by specifying you want to use the Groovy Authenticator:
170 +
171 +{code}
172 +xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl
173 +{code}
174 +
175 +Then add another configuration parameter to specify in which wiki page the authenticator is:
176 +
177 +{code}
178 +xwiki.authentication.groovy.pagename = MySpace.MyPage
179 +{code}
180 +
181 +Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
182 +
166 166  1.1 Authentication parameters
167 167  
168 168  You can set each of these parameters by setting:
... ... @@ -248,3 +248,158 @@
248 248  
249 249  If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
250 250  
268 +
269 +
270 +2 JBoss SPNEGO (Kerberos in combination with LDAP)
271 +I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
272 +The authenication already happend by using the SPNEGO module (JAAS).
273 +After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
274 +The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
275 +I hope you can adopt this code or that you can use it for your own projects.
276 +
277 +The configuration of ldap;
278 +{code}
279 +xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
280 +xwiki.authentication.ldap=1
281 +xwiki.authentication.ldap.server=<ad-server>
282 +xwiki.authentication.ldap.port=389
283 +xwiki.authentication.ldap.base_DN=<OU=Users,...............>
284 +#use a fixed user to attach to the ldap database,
285 +#the password is not provided with the SSOLdapAuthenicationImpl
286 +xwiki.authentication.ldap.bind_DN=<domain>\\<user>
287 +xwiki.authentication.ldap.bind_pass=<password>
288 +#Microsoft AD configuration
289 +xwiki.authentication.ldap.UID_attr=sAMAccountName
290 +xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
291 +xwiki.authentication.ldap.group_memberfields=member,uniqueMember
292 +#LDAP group mapping
293 +xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
294 + XWiki.XWikiAllGroup=CN=WIKI_User,...........
295 +
296 +{code}
297 +The java code
298 +{code}
299 +package com.wiki.sso;
300 +
301 +
302 +import org.apache.commons.logging.Log;
303 +import org.apache.commons.logging.LogFactory;
304 +
305 +import com.xpn.xwiki.XWikiContext;
306 +import com.xpn.xwiki.XWikiException;
307 +import com.xpn.xwiki.user.api.XWikiUser;
308 +import com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl;
309 +
310 +import java.security.Principal;
311 +
312 +public class SSOLdapAuthenicationImpl extends XWikiLDAPAuthServiceImpl {
313 + /**
314 + * Logging tool.
315 + */
316 + private static final Log LOG = LogFactory.getLog(SSOLdapAuthenicationImpl.class);
317 +
318 +
319 + public XWikiUser checkAuth(XWikiContext context) throws XWikiException {
320 + String user = getRemoteUser(context);
321 + if ((user != null) || !user.equals("")) {
322 + if (LOG.isInfoEnabled())
323 + LOG.info("Launching create user for " + user);
324 + if ( authenticate(user, context) != null ) {
325 + if (LOG.isInfoEnabled())
326 + LOG.info("Create user done for " + user);
327 + user = "XWiki." + user;
328 + context.setUser(user);
329 + System.out.println("User is set to:" + user);
330 + return new XWikiUser(user);
331 + } else {
332 + LOG.error( "User " + user + " can't be authenticated against ldap" );
333 + }
334 + }
335 + return super.checkAuth(context);
336 + }
337 +
338 + /**
339 + * We cannot authenticate locally since we need to trust the app server for
340 + * authentication
341 + *
342 + * @param username
343 + * @param password
344 + * @param context
345 + * @return
346 + * @throws XWikiException
347 + */
348 + public XWikiUser checkAuth(String username, String password,
349 + String rememberme, XWikiContext context) throws XWikiException {
350 + String user = getRemoteUser(context);
351 + if ((user == null) || user.equals("")) {
352 + return super.checkAuth(username, password, rememberme, context);
353 + }
354 + return checkAuth(context);
355 + }
356 +
357 + private String getRemoteUser(XWikiContext context) {
358 + String userName = context.getRequest().getHttpServletRequest()
359 + .getRemoteUser();
360 + if (userName != null) {
361 + // only take the front of the username@domain
362 + String[] elements = userName.split("@", 2);
363 + userName = elements[0];
364 + }
365 + return userName;
366 + }
367 +
368 + public Principal authenticate(String login, XWikiContext context) throws XWikiException
369 + {
370 + if (LOG.isTraceEnabled()) {
371 + LOG.trace("Starting LDAP authentication");
372 + }
373 +
374 + /*
375 + * TODO: Put the next 4 following "if" in common with XWikiAuthService to ensure coherence This method was
376 + * returning null on failure so I preserved that behaviour, while adding the exact error messages to the context
377 + * given as argument. However, the right way to do this would probably be to throw XWikiException-s.
378 + */
379 +
380 + if (login == null) {
381 + // If we can't find the username field then we are probably on the login screen
382 +
383 + if (LOG.isDebugEnabled()) {
384 + LOG.debug("The provided user is null."
385 + + " We don't try to authenticate, it probably means the user is in non logged mode.");
386 + }
387 +
388 + return null;
389 + }
390 +
391 + // Check for empty usernames
392 + if (login.equals("")) {
393 + context.put("message", "nousername");
394 +
395 + if (LOG.isDebugEnabled()) {
396 + LOG.debug("LDAP authentication failed: login empty");
397 + }
398 +
399 + return null;
400 + }
401 +
402 + // If we have the context then we are using direct mode
403 + // then we should specify the database
404 + // This is needed for virtual mode to work
405 + Principal principal = null;
406 +
407 + // Try authentication against ldap
408 + principal = ldapAuthenticate(login, "", context);
409 +
410 + if (LOG.isDebugEnabled()) {
411 + if (principal != null) {
412 + LOG.debug("LDAP authentication succeed with principal [" + principal.getName() + "]");
413 + } else {
414 + LOG.debug("LDAP authentication failed for user [" + login + "]");
415 + }
416 + }
417 +
418 + return principal;
419 + }
420 +}
421 +{code}
422 +

Get Connected