Details
- Type: Bug
- Resolution: Cannot Reproduce
- Priority: Major
- Affects Version/s: 1.8.3, 1.9
- Environment: Mac OS X Server 10.5.6
- ldap, access, rights, privileges
Description
I have set up XWiki to use LDAP for the user source, and can successfully login with my LDAP users.
However, it seems that LDAP users are not given the access that is given to the groups they are members of. The LDAP groups seem to map correctly to the XWiki groups, and the users are shown as members of those groups, but they cannot do anything unless they are mapped to an XWiki default group (such as XWiki.XWikiAdmin or XWiki.XWikiAllGroup).
The LDAP part of my configuration is here:
```properties
#-# new LDAP authentication service
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl

#-# Turn LDAP authentication on - otherwise only XWiki authentication
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap=1

#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
xwiki.authentication.ldap.server=127.0.0.1
xwiki.authentication.ldap.port=389

#-# LDAP login, empty = anonymous access, otherwise specify full dn
#-# {0} is replaced with the username, {1} with the password
xwiki.authentication.ldap.bind_DN=uid={0},cn=users,dc=subdomain,dc=domain,dc=tld
xwiki.authentication.ldap.bind_pass={1}

#-# Force to check password after LDAP connection
#-# 0: disable
#-# 1: enable
xwiki.authentication.ldap.validate_password=0

#-# only members of the following group will be verified in the LDAP
#-# otherwise only users that are found after searching starting from the base_DN
# xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US

#-# [Since 1.5RC1, XWikiLDAPAuthServiceImpl]
#-# only users not member of the following group can authenticate
# xwiki.authentication.ldap.exclude_group=cn=admin,ou=groups,o=MegaNova,c=US

#-# base DN for searches
xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=tld

#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn)
xwiki.authentication.ldap.UID_attr=uid

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# Specifies the LDAP attribute containing the password to be used when xwiki.authentication.ldap.validate_password is set to 1
# xwiki.authentication.ldap.password_field=userPassword

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential LDAP groups classes. Separated by commas.
xwiki.authentication.ldap.group_classes=apple-group

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The potential names of the LDAP groups fields containing the members. Separated by commas.
xwiki.authentication.ldap.group_memberfields=memberUid

#-# retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute)
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# on every login update the mapped attributes from LDAP to XWiki, otherwise this happens only once when the XWiki account is created.
xwiki.authentication.ldap.update_user=1

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# maps XWiki groups to LDAP groups, separator is "|"
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=admin,cn=groups,dc=subdomain,dc=domain,dc=tld|\
  XWiki.group_2=cn=group2,cn=groups,dc=subdomain,dc=domain,dc=tld|\
  XWiki.group1=cn=group1,cn=groups,dc=subdomain,dc=domain,dc=tld

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# time in s after which the list of members in a group is refreshed from LDAP (default=3600*6)
xwiki.authentication.ldap.groupcache_expiration=60

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# - create : synchronize group membership only when the user is first created
#-# - always: synchronize on every login
xwiki.authentication.ldap.mode_group_sync=always

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials
xwiki.authentication.ldap.trylocal=1

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# SSL connection to LDAP server
#-# 0: normal
#-# 1: SSL
# xwiki.authentication.ldap.ssl=0

#-# [Since 1.3M2, XWikiLDAPAuthServiceImpl]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=

#-# [Since 1.5M1, XWikiLDAPAuthServiceImpl]
#-# The java secure provider used in SSL connection
# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider
```
My LDAP directory looks like this:
```text
dc=tld
 └─ dc=domain
     └─ dc=subdomain
         ├─ cn=users
         │   ├─ uid=user1
         │   └─ uid=user2
         └─ cn=groups
             ├─ cn=group1
             └─ cn=group2
```
A typical user entry has the following attributes:
```text
# dignan, users, subdomain.domain.tld
dn: uid=dignan,cn=users,dc=subdomain,dc=domain,dc=tld
objectClass:
uidNumber:
apple-generateduid:
apple-mcxflags:
loginShell:
userPassword:
uid:
cn:
authAuthority:
gidNumber:
givenName:
sn:
apple-user-homeurl:
homeDirectory:
mail:
```
A typical group entry has the following attributes:
```text
# group2, groups, subdomain.domain.tld
dn: cn=group2,cn=groups,dc=subdomain,dc=domain,dc=tld
objectClass:
gidNumber:
apple-generateduid:
apple-ownerguid:
apple-group-services:
apple-serviceslocator:
apple-group-realname:
cn:
description:
apple-group-memberguid:
memberUid:
```
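As an added example (not XWiki's code and not part of the report), the following Python check parses the report's `group_mapping` value, including its `|\` line continuations, and resolves which XWiki groups a given `uid` would be synced into from group entries whose `memberUid` attribute holds bare uids, as the `apple-group` entries above do. The group entries and their members are constructed here; the check separates a membership/mapping problem from a rights problem on the mapped XWiki groups.

```python
# Added example: simulate XWiki's LDAP group mapping lookup for one uid.
# Constructed data; not XWiki's implementation.

# Value of xwiki.authentication.ldap.group_mapping exactly as in the report,
# with the "|\" continuations that xwiki.cfg allows.
GROUP_MAPPING = (
    "XWiki.XWikiAdminGroup=cn=admin,cn=groups,dc=subdomain,dc=domain,dc=tld|\\\n"
    "  XWiki.group_2=cn=group2,cn=groups,dc=subdomain,dc=domain,dc=tld|\\\n"
    "  XWiki.group1=cn=group1,cn=groups,dc=subdomain,dc=domain,dc=tld"
)

# Constructed LDAP group entries shaped like the report's apple-group objects:
# memberUid carries uid values (matching UID_attr=uid), not full DNs.
LDAP_GROUPS = {
    "cn=admin,cn=groups,dc=subdomain,dc=domain,dc=tld": {"memberUid": ["dignan"]},
    "cn=group1,cn=groups,dc=subdomain,dc=domain,dc=tld": {"memberUid": ["user1", "dignan"]},
    "cn=group2,cn=groups,dc=subdomain,dc=domain,dc=tld": {"memberUid": ["user2"]},
}


def parse_group_mapping(raw):
    """Return {ldap_group_dn (lowercased): xwiki_group} from a group_mapping value.

    Backslash-newline continuations are joined, entries are split on "|", and
    the XWiki group name is everything before the first "=" of each entry.
    """
    joined = raw.replace("\\\n", "")
    mapping = {}
    for entry in joined.split("|"):
        entry = entry.strip()
        if not entry:
            continue
        xwiki_group, ldap_dn = entry.split("=", 1)
        # DNs compare case-insensitively, so normalise the lookup key.
        mapping[ldap_dn.strip().lower()] = xwiki_group.strip()
    return mapping


def resolve_xwiki_groups(uid, mapping, ldap_groups, memberfields=("memberUid",)):
    """XWiki groups the user with this uid should land in after group sync."""
    result = set()
    for dn, attrs in ldap_groups.items():
        members = {m.lower() for field in memberfields for m in attrs.get(field, [])}
        if uid.lower() in members and dn.lower() in mapping:
            result.add(mapping[dn.lower()])
    return sorted(result)


if __name__ == "__main__":
    mapping = parse_group_mapping(GROUP_MAPPING)
    for user in ("dignan", "user1", "user2", "nobody"):
        print(user, "->", resolve_xwiki_groups(user, mapping, LDAP_GROUPS))
```

If a uid resolves to the expected XWiki groups here but still has no rights in the wiki, the membership sync is not the problem and the rights granted to those XWiki groups are what to inspect.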