Changes for page User Authentication

Last modified by Simon Urli on 2023/12/11

From version 34.2
edited by Silvia Macovei
on 2010/03/04
Change comment: Fixed Title; Fixed TOC
To version 33.1
edited by Thomas Mortagne
on 2010/01/20
Change comment: There is no comment for this version

Summary

Details

Page properties
Title
... ... @@ -1,1 +1,0 @@
1 -User Authentication
Author
... ... @@ -1,1 +1,1 @@
1 -XWiki.SilviaRusu
1 +XWiki.ThomasMortagne
Syntax
... ... @@ -1,1 +1,1 @@
1 -XWiki 2.0
1 +XWiki 1.0
Content
... ... @@ -1,28 +1,24 @@
1 +1 User Authentication
2 +
1 1  XWiki supports several different authentication mechanisms for authenticating users:
4 +#toc("" "" "")
2 2  
3 -{{toc/}}
4 -
5 5  The form authentication is the default mechanism.
6 6  
7 -{{info}}
8 -Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.
9 -{{/info}}
8 +#info("Note that currently XWiki allows only one method of authentication to be enabled at a time. This will probably be improved in the future.")
10 10  
11 -= Form Authentication =
10 +1.1 Form Authentication
12 12  
13 13  TODO
14 14  
15 -= LDAP Authentication =
14 +1.1 LDAP Authentication
16 16  
17 -{{warning}}
18 -New LDAP implementation since XWiki Platform 1.3M2, see [[previous LDAP authentication service documentation>>AuthenticationLdapOld]]
19 -{{/warning}}
16 +#warning("New LDAP implementation since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]")
20 20  
21 -== Generic LDAP configuration ==
18 +1.1.1 Generic LDAP configuration
22 22  
23 -In order to enable the LDAP support you have to change the authentication method in //WEB-INF/xwiki.cfg// as follows:
24 -
25 -{{code}}
20 +In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows:
21 +{code}
26 26  ## Turn LDAP authentication on - otherwise only XWiki authentication
27 27  ## 0 : disable
28 28  ## 1 : enable
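Review bot: the Form Authentication section (context line 13) is still only `TODO` on both sides, although context line 5 says form authentication is the default mechanism. A syntax conversion pass is a good moment to fill it in or open a tracking issue, so that the default login path is not the one mechanism on the page without documentation.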
... ... @@ -30,11 +30,12 @@
30 30  
31 31  ## set LDAP as authentication service
32 32  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl
33 -{{/code}}
34 34  
35 -You can setup the LDAP configuration in the //xwiki.cfg// file by filling the following properties:
30 +{code}
36 36  
37 -{{code language="none"}}
32 +You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties:
33 +
34 +{code:none}
38 38  ## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
39 39  xwiki.authentication.ldap.server=156.58.101.204
40 40  xwiki.authentication.ldap.port=389
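Review bot: the sample at context lines 39-40 uses a literal address, `xwiki.authentication.ldap.server=156.58.101.204`, together with `xwiki.authentication.ldap.port=389`. Suggest a placeholder host such as `ldap.example.com`, in line with the `wiki.example.com` used in the Kerberos section, and a comment next to the port pointing at the SSL settings (the `xwiki.authentication.ldap.ssl.keystore` property appears further down), since 389 is the standard non-SSL LDAP port and this block configures password authentication.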
... ... @@ -90,142 +90,131 @@
90 90  
91 91  ## The keystore file to use in SSL connection
92 92  xwiki.authentication.ldap.ssl.keystore=
93 -{{/code}}
90 +{code}
94 94  
95 -{{info}}
96 -You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace "xwiki.authentication.ldap." by "ldap_". For example ##xwiki.authentication.ldap.base_DN## becomes ##ldap_base_DN##
97 -{{/info}}
92 +#info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the object editor. Simply replace \"xwiki.authentication.ldap.\" by \"ldap_\". For example <tt>xwiki.authentication.ldap.base_DN</tt> become <tt>ldap_base_DN</tt>")
98 98  
99 99  For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
100 100  
101 101  Here are some LDAP client for checking your configuration:
97 +* [Apache Directory Studio>http://directory.apache.org/studio/]
98 +* [LDAP Browser/Editor>http://www-unix.mcs.anl.gov/~gawor/ldap/]
102 102  
103 -* [[Apache Directory Studio>>http://directory.apache.org/studio/]]
104 -* [[LDAP Browser/Editor>>http://www-unix.mcs.anl.gov/gawor/ldap/]]
100 +1.1.1 Detailed use cases
105 105  
106 -== Detailed use cases ==
102 +See [LDAP configuration uses cases>LDAPAuthenticationUseCases] for some detailed use cases.
107 107  
108 -See [[LDAP configuration uses cases>>LDAPAuthenticationUseCases]] for some detailed use cases.
104 +1.1.1 Enable LDAP debug log
109 109  
110 -== Enable LDAP debug log ==
111 -
112 -See [[AdminGuide.Logging]]. The specific targets for LDAP authentication are:
113 -
114 -{{code}}
106 +See [AdminGuide.Logging]. The specific targets for LDAP authentication are:
107 +{code}
115 115  log4j.logger.com.xpn.xwiki.plugin.ldap=debug
116 116  log4j.logger.com.xpn.xwiki.user.impl.LDAP=debug
117 -{{/code}}
110 +{code}
118 118  
119 -= eXo Authentication =
120 120  
121 -The eXo authentication is used automatically by adding/editing the //xwiki.exo=1// property in //WEB-INF/xwiki.cfg//.
113 +1.1 eXo Authentication
122 122  
123 -= Custom Authentication =
115 +The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~.
124 124  
117 +1.1 Custom Authentication
118 +
125 125  This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following:
120 +# Implement the [XWikiAuthService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java] interface.
121 +# Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example:
126 126  
127 -1. Implement the [[XWikiAuthService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiAuthService.java]] interface.
128 -1. Edit the //WEB-INF/xwiki.cfg// file and add a //xwiki.authentication.authclass// property pointing to your class. For example:
129 -
130 -{{code}}
123 +{code}
131 131  xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService
132 -{{/code}}
125 +{code}
133 133  
134 -Here's a [[tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/]].
127 +Here's a [tutorial on implementing a custom authentication class for authenticating against Oracle's SSO>http://bodez.wordpress.com/2008/10/15/xwiki-user-authentication-with-oracle-sso/].
135 135  
136 -Note, that you also can implement own right management service by implementing [[XWikiRightService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java]] interface:
137 -
138 -{{code}}
129 +Note, that you also can implement own right management service by implementing [XWikiRightService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiRightService.java] interface:
130 +{code}
139 139  xwiki.authentication.rightsclass = com.acme.MyCustomRightsService
140 -{{/code}}
132 +{code}
141 141  
142 -and Group Service by implementing [[XWikiGroupService>>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]]:
134 +and Group Service by implementing [XWikiGroupService>http://svn.xwiki.org/svnroot/xwiki/platform/core/trunk/xwiki-core/src/main/java/com/xpn/xwiki/user/api/XWikiGroupService.java]:
143 143  
144 -{{code}}
136 +{code}
145 145  xwiki.authentication.groupclass = com.acme.MyCustomGroupService
146 -{{/code}}
138 +{code}
147 147  
148 -== Custom Authentication using a Groovy script in a wiki page ==
140 +1.1.1 Custom Authentication using a Groovy script in a wiki page
149 149  
150 150  Start by specifying you want to use the Groovy Authenticator:
151 151  
152 -{{code}}
144 +{code}
153 153  xwiki.authentication.authclass = com.xpn.xwiki.user.impl.xwiki.GroovyAuthServiceImpl
154 -{{/code}}
146 +{code}
155 155  
156 156  Then add another configuration parameter to specify in which wiki page the authenticator is:
157 157  
158 -{{code}}
150 +{code}
159 159  xwiki.authentication.groovy.pagename = MySpace.MyPage
160 -{{/code}}
152 +{code}
161 161  
162 162  Then in a wiki page put some Groovy code that returns a XWikiAuthService object.
163 163  
164 -= Authentication parameters ===
156 +1.1 Authentication parameters
165 165  
166 166  You can set each of these parameters by setting:
167 167  
168 -{{code}}
160 +{code}
169 169  xwiki.authentication.~~param_name~~=~~param_value~~
170 -{{/code}}
162 +{code}
171 171  
172 -|=Name|=Optional|=Allowed values|=Default value|=Description
173 -|encryptionKey|No(1)|?|n/a|Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
174 -|validationKey|No(2)|?|n/a|Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
175 -|cookiedomains|Yes|String|Server host name|Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
176 -|cookielife|Yes|Number|14|Number of days cookies take to expire
177 -|cookiepath|Yes|String|/|The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ///xwiki//
178 -|default_page|Yes|String|/bin/view/ Main/WebHome|Page to redirect to if xredirect parameter is not set
179 -|encryptionalgorithm|Yes|?|?|Set the Encryption Algorithm used to encrypt and decrypt cookies
180 -|encryptionmode|Yes|?|?|Set the Encryption Mode used to encrypt and decrypt cookies
181 -|encryptionpadding|Yes|?|?|Set the Encryption Padding used to encrypt and decrypt cookies
182 -|errorpage|Yes|String|/bin/loginerror/ XWiki/XWikiLogin|Page to redirect to if there is an error logging in
183 -|loginpage|Yes|String|/bin/login/ XWiki/XWikiLogin|Page to redirect to when not logged in
184 -|loginsubmitpage|Yes|String|/loginsubmit/ XWiki/XWikiLogin|?
185 -|logoutpage|Yes|String|/bin/logout/ XWiki/XWikiLogout|Page to redirect to after logged out
186 -|realmname|Yes|String|XWiki|Sets the realm name
187 -|protection|Yes|all, validation, encryption, none|all|Protection level for the "remember me" cookie functionality
188 -|unauthorized_code|Yes|?|?|?
189 -|useip|Yes|true / false|true|Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
164 +{table}
165 +Name | Optional | Allowed values | Default value | Description
166 +encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values.
167 +validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with.
168 +cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out
169 +cookielife | Yes | Number | 14 | Number of days cookies take to expire
170 +cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~
171 +default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set
172 +encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies
173 +encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies
174 +encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies
175 +errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in
176 +loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in
177 +loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ?
178 +logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out
179 +realmname | Yes | String | XWiki | Sets the realm name
180 +protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality
181 +unauthorized_code | Yes | ? | ? | ?
182 +useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login.
183 +{table}
184 +# Only required if protection = encryption or all (default)
185 +# Only required if protection = validation or all (default)
190 190  
191 -1. Only required if protection = encryption or all (default)
192 -1. Only required if protection = validation or all (default)
187 +1.1 Kerberos SSO Authentication
193 193  
194 -= Kerberos SSO Authentication =
189 +#warning("This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!")
195 195  
196 -{{warning}}
197 -This implementation of SSO is currently under review see: http://jira.xwiki.org/jira/browse/XWIKI-2496 . The class which is described in this segment of documentation, AppServerTrustedKerberosAuthServiceImpl, is not part of the default XWiki distribution!
198 -{{/warning}}
199 -
200 200  The following is an example of mod_auth_kerb for Apache being used to easily implement Xwiki authentication of users via by HTTP Negotiate on a linux server. This example assumes you already have a working Apache2 HTTPD and Apache Tomcat setup with mod_jk.
201 201  
202 202  First of all you need to create a principal and keytab for the webserver:
203 -
204 -{{code}}
194 +{code}
205 205  # kadmin
206 206  kadmin> addprinc -randkey HTTP/wiki.example.com
207 207  kadmin> ktadd -k /etc/apache2/ssl/wiki.keytab HTTP/wiki.example.com
208 208  kadmin> quit
209 -{{/code}}
199 +{code}
210 210  
211 211  Make sure the keytab has the right permissions and ownership:
212 -
213 -{{code}}
202 +{code}
214 214  chown www-data:www-data /etc/apache2/ssl/wiki.keytab
215 215  chmod 400 /etc/apache2/ssl/wiki.keytab
216 -{{/code}}
205 +{code}
217 217  
218 218  Install mod_auth_kerb in your linux installation. On Debian or Ubuntu this would be achieved by running:
219 -
220 -{{code}}
208 +{code}
221 221  aptitude install libapache2-mod-auth-kerb
222 -{{/code}}
223 -
210 +{code}
224 224  Of course the installation procedure varies per Linux distribution.
225 225  
226 226  If your xwiki installation is mounted in Apache HTTPD under /xwiki, add the following to the virtual host configuration:
227 -
228 -{{code}}
214 +{code}
229 229  <Location /xwiki/>
230 230   AuthType Kerberos
231 231   AuthName "Kerberos Login"
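Review bot: the LDAP Browser/Editor link differs between the two sides: the `-` (XWiki 2.0) line 104 has `http://www-unix.mcs.anl.gov/gawor/ldap/` while the `+` (XWiki 1.0) line 98 has `http://www-unix.mcs.anl.gov/~gawor/ldap/`. The 2.0 text elsewhere on this page uses `~` as an escape (`https:~/~/`), so the tilde in the URL has to be written `~~gawor` there or the link target changes. Also in the 2.0 text, line 164 reads `= Authentication parameters ===`; the closing marker should be a single `=` to match the other top-level headings.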
... ... @@ -236,29 +236,33 @@
236 236   KrbSaveCredentials on
237 237   require valid-user
238 238  </Location>
239 -{{/code}}
225 +{code}
240 240  
241 241  Make sure Apache Tomcat uses the authentication performed by Apache HTTPD with the "tomcatAuthentication" property in the connector description (which is in the server.xml file of Apache Tomcat):
242 -
243 -{{code}}
228 +{code}
244 244  <Connector port="8009" address="127.0.0.1" enableLookups="false" tomcatAuthentication="false" redirectPort="8443" protocol="AJP/1.3" />
245 -{{/code}}
230 +{code}
246 246  
247 247  Place the authkerb.jar jar in the WEB-INF/lib directory of Xwiki in Apache Tomcat.
248 248  
249 249  Have Xwiki use the authentication module by changing the "xwiki.authentication.authclass" property in WEB-INF/lib/xwiki.cfg file.
250 -
251 -{{code}}
235 +{code}
252 252  xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.AppServerTrustedKerberosAuthServiceImpl
253 -{{/code}}
237 +{code}
254 254  
255 -If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https:~/~/" for all secured connections or "example.com" for all example.com subdomains.
239 +If you use Firefox, do not forget to whitelist the xwiki URL for HTTP Negotiate in about:config with the "network.negotiate-auth.trusted-uris" property. possible values for this propperty include (without the quotes): "https://" for all secured connections or "example.com" for all example.com subdomains.
256 256  
257 -2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user. The authenication already happend by using the SPNEGO module (JAAS). After that I'm using the ldap synchronisation feature to make sure that the user is up to date. The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server. I hope you can adopt this code or that you can use it for your own projects.
258 258  
259 -The configuration of ldap:
260 260  
261 -{{code}}
243 +2 JBoss SPNEGO (Kerberos in combination with LDAP)
244 +I changed the code of the XWikiLDAPAuthServiceImpl to be able to detect the sso user.
245 +The authenication already happend by using the SPNEGO module (JAAS).
246 +After that I'm using the ldap synchronisation feature to make sure that the user is up to date.
247 +The combination leads to an automatic login in the xwiki and the user rights are controlled in the Active Directory server.
248 +I hope you can adopt this code or that you can use it for your own projects.
249 +
250 +The configuration of ldap;
251 +{code}
262 262  xwiki.authentication.authclass=com.wiki.sso.SSOLdapAuthenicationImpl
263 263  xwiki.authentication.ldap=1
264 264  xwiki.authentication.ldap.server=<ad-server>
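Review bot: on the `-` (XWiki 2.0) side, line 257 runs the section title into the paragraph (`2 JBoss SPNEGO (Kerberos in combination with LDAP) I changed the code ...`), so it is no longer a heading; it should be marked up like the other subsections, for example `== JBoss SPNEGO (Kerberos in combination with LDAP) ==`. Context line 249 also says `WEB-INF/lib/xwiki.cfg`, while the other references on the page are to `WEB-INF/xwiki.cfg`; an administrator following it would look in the wrong directory for the `xwiki.authentication.authclass` setting.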
... ... @@ -275,11 +275,10 @@
275 275  #LDAP group mapping
276 276  xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=CN=WIKI_Admin,............|\
277 277   XWiki.XWikiAllGroup=CN=WIKI_User,...........
278 -{{/code}}
279 279  
269 +{code}
280 280  The java code
281 -
282 -{{code}}
271 +{code}
283 283  package com.wiki.sso;
284 284  
285 285  
... ... @@ -402,4 +402,5 @@
402 402   return principal;
403 403   }
404 404  }
405 -{{/code}}
394 +{code}
395 +
XWiki.XWikiComments[0]
Comment
... ... @@ -1,4 +1,3 @@
1 1  Can anyone explain, how to build user's wikiname from LDAP fields? I suppose ldap_UID_attr or ldap_fields_mapping should do the job.
2 2  
3 -I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES
4 -morism in the upper-right conner, but I beleive it should be MorisMoss.
3 +I managed to login with AD credentials, and now I have DENHOLM_INDUSTRIES\\morism in the upper-right conner, but I beleive it should be MorisMoss.
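Review bot: the account name is the subject of this comment and the two sides carry it differently: the `+` line 3 has `DENHOLM_INDUSTRIES\\morism`, while the `-` lines 3-4 break it into `DENHOLM_INDUSTRIES` and `morism` with no backslash. If the intended text is the `DOMAIN\user` login name, the separator should be escaped or the name placed in a verbatim span so it reads the same in both syntaxes.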
XWiki.XWikiComments[1]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
1 +I had a similar experience. I configured the LDAP authentication to go against Active Directory. While the authentication uses Active Directory, all of the other data that XWiki uses doesn't leverage the values from Active Directory. For example, the name displayed in the top-right corner is that from the XWiki user account, not the displayName from activeDirectory.
XWiki.XWikiComments[2]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[3]
Comment
... ... @@ -1,1 +1,1 @@
1 -I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
1 +I had hoped setting up XWiki 1.0RC3 with LDAP/ActiveDirectory authentication meant that users present in my directory would automatically be able to log into XWiki; however, this is not the case. Users from LDAP/AD can't log in until I first register reate an XWiki User for them under the same name.
XWiki.XWikiComments[4]
Comment
... ... @@ -1,1 +1,4 @@
1 -Is the example AD configuration above the right way to do things? My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form. If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously. I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
1 +Is the example AD configuration above the right way to do things?
2 +My understanding is that the bind_DN and bind_pass are for setting the username and password XWiki will use to connect to the LDAP server in order to do a search, then the UID_attr field is searched for the username entered on the form.
3 +If that is correct then the bind_dn and bind_pass should either be hardcoded to a special AD user with restricted privileges, or left blank to bind anonymously.
4 +I have tried the first of these: XWiki then seems to 'authenticate OK' whatever username/password I enter on the form even if the user does not exist in AD at all.
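Review bot: the report in line 4, that XWiki seems to authenticate any username/password once `bind_DN` and `bind_pass` are set to a fixed account, is a security-relevant question that is left unanswered in a page comment. The LDAP section should state what these two properties are used for and how the password entered on the form is verified, and the report belongs in the issue tracker so it is not lost among comment edits.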
XWiki.XWikiComments[5]
Comment
... ... @@ -1,1 +1,3 @@
1 -I need to use Sun Access Manager to authenticate users against global web SSO. I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ... Isn't this public or should i retrieve whole sources and build the doc by myself ?
1 +I need to use Sun Access Manager to authenticate users against global web SSO.
2 +I'm trying to build a new authentication module, but I can't find XWikiAuthService Javadoc ...
3 +Isn't this public or should i retrieve whole sources and build the doc by myself ?
XWiki.XWikiComments[6]
Comment
... ... @@ -1,1 +1,2 @@
1 -I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..." I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
1 +I can login using AD credentials, but the only thing I see in my xWiki is an error: "You are not allowed to view this page..."
2 +I can't register the LDAP user in xWiki too, because in our AD our login format is name.surname!
