Changes for page User Authentication

Last modified by Thomas Mortagne on 2023/10/27

From version 33.1, edited by Thomas Mortagne on 2010/01/20
To version 34.1, edited by Silvia Macovei on 2010/03/04
Change comment: Document converted from syntax xwiki/1.0 to syntax xwiki/2.0

Page properties
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.ThomasMortagne
1 +XWiki.SilviaRusu
Syntax
... ... @@ -1,1 +1,1 @@
1 -XWiki 1.0
1 +XWiki 2.0
Content
... ... @@ -1,24 +1,30 @@
1 -1 User Authentication
1 += User Authentication =
2 2  
3 3  XWiki supports several different authentication mechanisms for authenticating users:
4 -#toc("" "" "")
5 5  
5 +{{toc start="" depth="" numbered=""/}}
6 +
6 6  The form authentication is the default mechanism.
7 7  
8 -#info("Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.")
9 +{{info}}
10 +Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
11 +{{/info}}
9 9  
10 -1.1 Form Authentication
13 +== Form Authentication ==
11 11  
12 12  TODO
13 13  
14 -1.1 LDAP Authentication
17 +== LDAP Authentication ==
15 15  
16 -#warning("New LDAP implementation since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]")
19 +{{warning}}
20 +New LDAP implementation since XWiki Platform 1.3M2, see [[previous LDAP authentication service documentation>>AuthenticationLdapOld]]
21 +{{/warning}}
17 17  
18 -1.1.1 Generic LDAP configuration
23 +=== Generic LDAP configuration ===
19 19  
20 -In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows:
21 -{code}
25 +In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
26 +
27 +{{code}}
22 22  ## Turn LDAP authentication on - otherwise only XWiki authentication
23 23  ## 0 : disable
24 24  ## 1 : enable
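Review bot: `{{toc start="" depth="" numbered=""/}}` carries three empty parameters copied mechanically from `#toc("" "" "")`; in xwiki/2.0 syntax `{{toc/}}` gives the same defaults and reads cleaner. The Form Authentication section is still just `TODO` although the opening paragraph names form authentication as the default mechanism, so the default mode stays undocumented after this conversion; at minimum it should point at where the login pages and "remember me" cookie protection are configured (the Authentication parameters table later on the page). The `{{code}}` opened before `## Turn LDAP authentication on` has no `language` attribute, while the next fragment uses `{{code language="none"}}`; the two should match.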
... ... @@ -26,12 +26,11 @@
26 26  
27 27  ## set LDAP as authentication service
28 28  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
35 +{{/code}}
29 29  
30 -{code}
37 +You can setup the LDAP configuration in the //xwiki.cfg// file by filling the following properties:
31 31  
32 -You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties:
33 -
34 -{code:none}
39 +{{code language="none"}}
35 35  ## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
36 36  xwiki.authentication.ldap.server=156.58.101.204
37 37  xwiki.authentication.ldap.port=389
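Review bot: the sample `xwiki.authentication.ldap.server=156.58.101.204` with `xwiki.authentication.ldap.port=389` shows what looks like a real routable address on the plain LDAP port; a documentation example should use a placeholder hostname such as `ldap.example.com` or an RFC 5737 address, and the text should state that with port 389 and no SSL the bind credentials, and for LDAP authentication every user's password, travel in the clear unless the SSL settings at the end of this same block (the `xwiki.authentication.ldap.ssl.keystore` line is visible in the next hunk) are enabled. On the markup side, `{{/code}}` now sits directly after the `authclass` line instead of the old `{code}` that followed a blank line, so the block no longer swallows the paragraph after it.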
... ... @@ -87,131 +87,142 @@
87 87  
88 88  ## The keystore file to use in SSL connection
89 89  xwiki.authentication.ldap.ssl.keystore=
90 -{code}
95 +{{/code}}
91 91  
92 -#info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace \"xwiki.authentication.ldap.\" by \"ldap_\". For example <tt>xwiki.authentication.ldap.base_DN</tt> become <tt>ldap_base_DN</tt>")
97 +{{info}}
98 +You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace
99 +{{/info}}
93 93  
94 94  For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
95 95  
96 96  Here are some LDAP client for checking your configuration:
97 -* [Apache Directory Studio>http://directory.apache.org/studio/]
98 -* [LDAP Browser/Editor>http://www-unix.mcs.anl.gov/~gawor/ldap/]
99 99  
100 -1.1.1 Detailed use cases
105 +* [[Apache Directory Studio>>http://directory.apache.org/studio/]]
106 +* [[LDAP Browser/Editor>>http://www-unix.mcs.anl.gov/gawor/ldap/]]
101 101  
102 -See [LDAP configuration uses cases>LDAPAuthenticationUseCases] for some detailed use cases.
108 +=== Detailed use cases ===
103 103  
104 -1.1.1 Enable LDAP debug log
110 +See [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
105 105  
106 -See [AdminGuide.Logging]. The specific targets for LDAP authentication are:
107 -{code}
112 +=== Enable LDAP debug log ===
113 +
114 +See [[AdminGuide.Logging]]. The specific targets for LDAP authentication are:
115 +
116 +{{code}}
108 108  log4j.logger.com.xpn.xwiki.plugin.ldap=debug
109 109  log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug
110 -{code}
119 +{{/code}}
111 111  
121 +== eXo Authentication ==
112 112  
113 -1.1 eXo Authentication
123 +The eXo authentication is used automatically by adding/editing the //xwiki.exo=1// property in //WEB-INF/xwiki.cfg//.
114 114  
115 -The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.
125 +== Custom Authentication ==
116 116  
117 -1.1 Custom Authentication
118 -
119 119  This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
120 -# Implement the [XWikiAuthService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java] interface.
121 -# Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example:
122 122  
123 -{code}
129 +1. Implement the [[XWikiAuthService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java]] interface.
130 +1. Edit the //WEB-INF/xwiki.cfg// file and add a //xwiki.authentication.authclass// property pointing to your class. For example:
131 +
132 +{{code}}
124 124  xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
125 -{code}
134 +{{/code}}
126 126  
127 -Here's a [tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/].
136 +Here's a [[tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]].
128 128  
129 -Note, that you also can implement own right management service by implementing [XWikiRightService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java] interface:
130 -{code}
138 +Note, that you also can implement own right management service by implementing [[XWikiRightService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java]] interface:
139 +
140 +{{code}}
131 131  xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
132 -{code}
142 +{{/code}}
133 133  
134 -and Group Service by implementing [XWikiGroupService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]:
144 +and Group Service by implementing [[XWikiGroupService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]]:
135 135  
136 -{code}
146 +{{code}}
137 137  xwiki.authentication.groupclass = com.acme.MyCustomGroupService
138 -{code}
148 +{{/code}}
139 139  
140 -1.1.1 Custom Authentication using a Groovy script in a wiki page
150 +=== Custom Authentication using a Groovy script in a wiki page ===
141 141  
142 142  Start by specifying you want to use the Groovy Authenticator:
143 143  
144 -{code}
154 +{{code}}
145 145  xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl
146 -{code}
156 +{{/code}}
147 147  
148 148  Then add another configuration parameter to specify in which wiki page the authenticator is:
149 149  
150 -{code}
160 +{{code}}
151 151  xwiki.authentication.groovy.pagename = MySpace.MyPage
152 -{code}
162 +{{/code}}
153 153  
154 154  Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
155 155  
156 -1.1 Authentication parameters
166 +== Authentication parameters ==
157 157  
158 158  You can set each of these parameters by setting:
159 159  
160 -{code}
170 +{{code}}
161 161  xwiki.authentication.~~param_name~~=~~param_value~~
162 -{code}
172 +{{/code}}
163 163  
164 -{table}
165 -Name | Optional | Allowed values | Default value | Description
166 -encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
167 -validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
168 -cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
169 -cookielife | Yes | Number | 14 | Number of days cookies take to expire
170 -cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~
171 -default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set
172 -encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies
173 -encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies
174 -encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies
175 -errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in
176 -loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in
177 -loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ?
178 -logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out
179 -realmname | Yes | String | XWiki | Sets the realm name
180 -protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality
181 -unauthorized_code | Yes | ? | ? | ?
182 -useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
183 -{table}
184 -# Only required if protection = encryption or all (default)
185 -# Only required if protection = validation or all (default)
174 +|=Name|=Optional|=Allowed values|=Default value|=Description
175 +|encryptionKey|No(1)|?|n/a|Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
176 +|validationKey|No(2)|?|n/a|Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
177 +|cookiedomains|Yes|String|Server host name|Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
178 +|cookielife|Yes|Number|14|Number of days cookies take to expire
179 +|cookiepath|Yes|String|/|The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ///xwiki//
180 +|default_page|Yes|String|/bin/view/ Main/WebHome|Page to redirect to if xredirect parameter is not set
181 +|encryptionalgorithm|Yes|?|?|Set the Encryption Algorithm used to encrypt and decrypt cookies
182 +|encryptionmode|Yes|?|?|Set the Encryption Mode used to encrypt and decrypt cookies
183 +|encryptionpadding|Yes|?|?|Set the Encryption Padding used to encrypt and decrypt cookies
184 +|errorpage|Yes|String|/bin/loginerror/ XWiki/XWikiLogin|Page to redirect to if there is an error logging in
185 +|loginpage|Yes|String|/bin/login/ XWiki/XWikiLogin|Page to redirect to when not logged in
186 +|loginsubmitpage|Yes|String|/loginsubmit/ XWiki/XWikiLogin|?
187 +|logoutpage|Yes|String|/bin/logout/ XWiki/XWikiLogout|Page to redirect to after logged out
188 +|realmname|Yes|String|XWiki|Sets the realm name
189 +|protection|Yes|all, validation, encryption, none|all|Protection level for the "remember me" cookie functionality
190 +|unauthorized_code|Yes|?|?|?
191 +|useip|Yes|true / false|true|Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
186 186  
187 -1.1 Kerberos SSO Authentication
193 +1. Only required if protection = encryption or all (default)
194 +1. Only required if protection = validation or all (default)
188 188  
189 -#warning("This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!")
196 +== Kerberos SSO Authentication ==
190 190  
198 +{{warning}}
199 +This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!
200 +{{/warning}}
201 +
191 191  The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
192 192  
193 193  First of all you need to create a principal and keytab for the webserver:
194 -{code}
205 +
206 +{{code}}
195 195  # kadmin
196 196  kadmin> addprinc -randkey HTTP/wiki.example.com
197 197  kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com
198 198  kadmin> quit
199 -{code}
211 +{{/code}}
200 200  
201 201  Make sure the keytab has the right permissions and ownership:
202 -{code}
214 +
215 +{{code}}
203 203  chown www-data:www-data /etc/apache2/ssl/wiki.keytab
204 204  chmod 400 /etc/apache2/ssl/wiki.keytab
205 -{code}
218 +{{/code}}
206 206  
207 207  Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
208 -{code}
221 +
222 +{{code}}
209 209  aptitude install libapache2-mod-auth-kerb
210 -{code}
224 +{{/code}}
225 +
211 211  Of course the installation procedure varies per Linux distribution.
212 212  
213 213  If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:
214 -{code}
229 +
230 +{{code}}
215 215  <Location /xwiki/>
216 216   AuthType Kerberos
217 217   AuthName "Kerberos Login"
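Review bot: the info box at `You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace` is truncated; the old text continued with `\"xwiki.authentication.ldap.\" by \"ldap_\"` and the `base_DN` example, and that part was lost in the conversion (most likely because of the escaped quotes inside the old `#info(...)` call), so the sentence should be restored as `Simply replace "xwiki.authentication.ldap." by "ldap_". For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##`. Two smaller losses in the same hunk: the LDAP Browser/Editor link dropped the tilde from `http://www-unix.mcs.anl.gov/~gawor/ldap/` (in xwiki/2.0 it has to be escaped as `~~gawor`), and `xwiki.authentication.~~param_name~~=~~param_value~~` still carries the 1.0 italic markers, which now render literally inside `{{code}}`. In the Kerberos steps, the `chown www-data:www-data` and `chmod 400` step is right for a keytab and deserves one sentence of why: the file holds the service's long-term key, so its read permission is the boundary of who can act as `HTTP/wiki.example.com`.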
... ... @@ -222,33 +222,29 @@
222 222   KrbSaveCredentials on
223 223   require valid-user
224 224  </Location>
225 -{code}
241 +{{/code}}
226 226  
227 227  Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
228 -{code}
244 +
245 +{{code}}
229 229  <Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
230 -{code}
247 +{{/code}}
231 231  
232 232  Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
233 233  
234 234  Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
235 -{code}
252 +
253 +{{code}}
236 236  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
237 -{code}
255 +{{/code}}
238 238  
239 -If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
257 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https:~/~/" for all secured connections or "example.com" for all example.com subdomains.
240 240  
259 +2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
241 241  
242 -
243 -2 JBoss SPNEGO (Kerberos in combination with LDAP)
244 -I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
245 -The authenication already happend by using the SPNEGO module (JAAS).
246 -After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
247 -The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
248 -I hope you can adopt this code or that you can use it for your own projects.
249 -
250 250  The configuration of ldap;
251 -{code}
262 +
263 +{{code}}
252 252  xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
253 253  xwiki.authentication.ldap=1
254 254  xwiki.authentication.ldap.server=<ad-server>
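Review bot: the conversion collapsed the `2 JBoss SPNEGO (Kerberos in combination with LDAP)` heading and the five sentences that followed it into a single paragraph starting `2 JBoss SPNEGO ...`, so the contributed section now has no heading and a stray `2` leads the text; it should become `== JBoss SPNEGO (Kerberos in combination with LDAP) ==` with the description as its own paragraph. The path `WEB-INF/lib/xwiki.cfg` in the authclass step contradicts the `WEB-INF/xwiki.cfg` used everywhere else on the page and should be fixed while the line is being touched. The AJP connector line with `tomcatAuthentication="false"` makes Tomcat accept the user name forwarded by Apache HTTPD, so the `address="127.0.0.1"` binding shown there is load-bearing rather than cosmetic: without it, anything that can reach port 8009 could present itself as an already authenticated user, and the text should say so. `https:~/~/` in the Firefox paragraph is the correct 2.0 escape for a literal `//`; only the `propperty` typo remains.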
... ... @@ -265,10 +265,11 @@
265 265  #LDAP group mapping
266 266  xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
267 267   XWiki.XWikiAllGroup=CN=WIKI_User,...........
280 +{{/code}}
268 268  
269 -{code}
270 270  The java code
271 -{code}
283 +
284 +{{code}}
272 272  package com.wiki.sso;
273 273  
274 274  
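Review bot: `The java code` is now followed by a bare `{{code}}`; since the block holds a Java source file (it opens with `package com.wiki.sso;`), `{{code language="java"}}` would give it highlighting in the same way `language="none"` was added for the properties block earlier. The `{{/code}}` is correctly placed before `The java code` now, where the old `{code}` came after a blank line. The mapping line `xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\` relies on a backslash continuation and elided DNs; a short note that the dots stand for the full group DN and that `|` separates one mapping from the next would save readers a silently failing mapping.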
... ... @@ -391,5 +391,4 @@
391 391   return principal;
392 392   }
393 393  }
394 -{code}
395 -
407 +{{/code}}
XWiki.XWikiComments[0]
Comment
... ... @@ -1,3 +1,4 @@
1 1  Can anyone explain, how to build user's wikiname from LDAP fields? I suppose ldap_UID_attr or ldap_fields_mapping should do the job.
2 2  
3 -I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES\\morism in the upper-right conner, but I beleive it should be MorisMoss.
3 +I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES
4 +morism in the upper-right conner, but I beleive it should be MorisMoss.
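Review bot: the converted text splits `DENHOLM_INDUSTRIES\\morism` into two lines (`DENHOLM_INDUSTRIES` and `morism`) because `\\` is a forced line break in xwiki/2.0 syntax, whereas in the old 1.0 text it was an escaped backslash in a `DOMAIN\user` name; the comment now reads as if the domain and the user were separate items. The backslash should be written with the 2.0 escape character, `DENHOLM_INDUSTRIES~\morism`, so the original name is shown on one line.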
XWiki.XWikiComments[1]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
1 +I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
XWiki.XWikiComments[2]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[3]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[4]
Comment
... ... @@ -1,4 +1,1 @@
1 -Is the example AD configuration above the right way to do things?
2 -My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form.
3 -If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously.
4 -I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
1 +Is the example AD configuration above the right way to do things? My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form. If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously. I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
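Review bot: the four separate lines of the comment were joined into one paragraph; if the breaks were meant to separate the four points, blank lines in the 2.0 text would keep them, and the same flattening occurs in the two comments that follow. The behaviour the commenter reports, that XWiki "seems to 'authenticate OK' whatever username/password I enter" once bind_DN and bind_pass are hard-coded, is precisely the failure mode a bind-then-search setup must rule out (a successful service bind must never stand in for the user's own bind), so the LDAP section of the page should spell out which credentials are used for which step.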
XWiki.XWikiComments[5]
Comment
... ... @@ -1,3 +1,1 @@
1 -I need to use Sun Access Manager to authenticate users against global web SSO.
2 -I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ...
3 -Isn't this public or should i retrieve whole sources and build the doc by myself ?
1 +I need to use Sun Access Manager to authenticate users against global web SSO. I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ... Isn't this public or should i retrieve whole sources and build the doc by myself ?
XWiki.XWikiComments[6]
Comment
... ... @@ -1,2 +1,1 @@
1 -I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..."
2 -I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
1 +I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..." I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
