Gunter Leeb added a comment - 12/Apr/07 16:04
Contains the sources as well as the compiled jars to be tested easily by placing the entire classes directory into the WEB_INF. There is also an extensively documented xwiki.cfg with example settings for the LDAP Authenticator.
I have now added support for SSL.
Now there are 2 additional parameters:
xwiki.authentication.ldap.groupcache_expiration

Hi,
I've tested it with 1.0 rc3 and fixed a few things:
The property is:
And now it works for Active Directory too. Anyway, good work, Gunter! You added authorization synchronization to the LDAP login module, I mean it should be included in the main distribution.

In this upload, I merged some bug fixes, the ssl code and Jiri's changes together.

Found a bug, that a partial user name is accepted. This update fixes this issue as well as implementing a cleaner handling if an LDAP query returns more than one result.

Hi,
Currently, I am testing to integrate xwiki (1.0 or 1.1 milestones 2) with the LDAP authentication (Lotus Domino). To do that, I add the files in the zip (from this site) with the last authenticater.java (compiled to have the authenticater.class). But I have a problem, the "CN" field is composed like this: "firstname lastname" (with a space). To fix it, I created a variable "origin_user" that contains the good format used for queries with the LDAP server. Now, the LDAP authentication seems to be good (the capture of the ldap request proves it) but I have this error in my xwiki.log (or my catalina.out) and I can't access the xwiki (I always come back to the identification form) without being authenticated:

Wrapped Exception: java.lang.NullPointerException

Is it a bug? Or is there something wrong in my conf:

I don't know what I can do now. It would be great if you could help me. Thank you very much for taking time on my problem.
PS: sorry for my English, it's a little normal, I am French.

Good morning,
I come back to give some information about the LDAPAuthenticater class. To debug, I activated the debug mode (in the log4j.properties). Because of that, I could have more elements to understand why it didn't work. In the class LDAPAuthenticater, I have called the function "runtimeTest" with the context of the authentication form and I have got this message in the log:

I work on a xwiki-1.0 (I do my test in a xwiki-1.1-milestones2 too). When I test to authenticate myself (without the call of runtime), the error is the same as in my first post (problem with the XWiki.CreateUser). I am not a java killer so I don't know if I would manage to fix it. Perhaps there is no bug and I don't use the class properly?

Hi "simple user",
Great that you use my LDAPAuthenticater! First of all, I am nowhere near an expert in XWiki. I'd like to give you some information on this strange runtimeTest method: At one time during my experiments with XWiki, I found that the XWiki original createuser method (pre-1.0R) returned an exception, for me inexplicable. What I found is that if I call this method in the beginning and let it fail with an exception there, later on, the second time, when the code really wants to create a user, it will work. Some time later and with 1.0R, it worked for me, I just added a switch and left the code in. (I never figured out the real issue because of an old state of XWiki source code – and it finally worked.)
What the "Testcode failed - ignore exception" means is that a very simple createUser call to XWiki failed the first time. This exception can be ignored, expecting the call to createUser later on to succeed. Does it create the XWiki user that you intend to create? The logs should be sufficiently detailed if it fails somewhere in the LDAPAuthenticator. To the best of my knowledge the LDAPAuthenticater calls XWiki.createUser with correct parameters (and that they should be correct is fairly obvious). We would need someone of the XWiki gurus to have a look at this issue.
Gunter

One more thing, about your original issue. You may not need to use the cn attribute at all. If your Domino LDAP contains some other attribute which contains the user name as you want it, you can also have LDAPAuthenticater locate a user based on this attribute.

Good afternoon,
Sorry for not putting my real name or first name, I thought that my pseudo would be used to sign the posts. You can call me "Simply" (pseudo) or Matthieu (my first name). I come back again to report a bug about the authentication with the attribute mail (yes, I must use it, unfortunately). This is the log that I have collected:

As you can see, my user has been truncated at the first '.', the original user was "simple.test@testdomain", this code is the guilty one:

For the moment, it's not very important because the user creation doesn't work any more. For this problem, I put some new information (LOG):

For these results, I use the xwiki.cfg, here:

I give you all this, one for the bug with the mail and for another reason: if you can see a problem in the log display or in my configuration, it will be fantastic because it's not normal if it works for you and not for me. Thanks.
PS: bouarf, it's very difficult to speak / write in English.

Yo,
To conclude my experience, I have recoded the class Authenticate (in fact, I have adapted what you do to my case). There are some problems in the original code (your class), for example:
Thanks a lot for your work, it was interesting for me to code in java (but I prefer my beloved Python).

Hi!
I'm trying to get my xWiki configured so it could be possible to use login credentials from external AD (I do not have access to LDAP configuration files, I can only edit my xWiki). I changed some code in xwiki.cfg, and now I can login to xWiki, but the only thing I see is my surname in the upper corner and an error: "You are not allowed to view this page...".

Mike, that's what this extension does: use ldap groups instead of xwiki groups...

Hi Gunter,
Thanks a lot for this. What's the state of this extension? I'd like to commit it in xwiki core but I'm no LDAP expert. Is it finished? From the comments it seems there are some open issues?
Thanks

Updated LDAPAuthenticater.class, as per June the 18th, 2007, compiled with the original Cache.jar included in ldap.zip and libraries from XWiki 1.2.
../xwiki/WEB-INF/lib/xwiki-core-1.2.jar

Hi Vincent
I tried to email Gunter some time ago to ask about this patch, but I couldn't get a hold of him. It looks like he has left the company under whose employment he coded this stuff, and he also moved to another country. No idea whether he is still interested in XWiki or not.
Thanks,

Hi Tobias,
Thanks for the heads up. Then I guess we need to finish this without him. Anyone tried Ricardo's last modification? Also, Ricardo and all, do you know if the patch is complete and can be applied as is or are there still some missing things before it can be applied to xwiki's source code?
Thanks

Vincent, all,
On my side, there are still a number of issues I've not checked yet. I don't know if they are misconfigurations of my xwiki.cfg or "real" issues with the code. I'm still trying to understand how the extension works (I'm new to Java, new to Maven, new to Eclipse,...) even though I think the work flow is clear in the original code posted by Gunter. I think you cannot rely on me at this moment to decide if the patch can be applied to xwiki's source code. I keep working and posting my results here. BTW, I can only test against eDirectory installations here, but if somebody can offer a connection to another LDAP enabled directory I am ready to try with it. Thanks.
Cheers,
Ricardo

All,
Has there been any update on this issue? I am currently evaluating several FOSS wikis, and being able to set permissions based on LDAP groups is a crucial requirement. Has this functionality been included in the 1.3 Milestone release that went out recently? I would be happy to test against my LDAP configuration if necessary.
Thanks,

Hi Jimmy,
I've got some good news for you. Thomas Mortagne is working on implementing LDAP groups for XWiki and on applying this patch. It should be ready for version 1.3M2 (i.e. for the 15th of February). I'm pretty sure Thomas would love to get your help for testing what he's coding right now and as soon as he's got something working. We're all pretty new to LDAP here so the more testers the better. Thanks for the offer.

Hi,
As Vincent said, I'm looking at adding groups support to XWiki LDAP and for now I'm fixing some problems in this patch about XWiki api use, documentation etc. As soon as I finish the cleaning I will repost it as a real patch in this issue, then continue work and testing based on it. I'm not an LDAP expert so it takes some time (in fact it's the first time I'm using it), sorry.
Thanks,

new_ldap_auth.patch: here is a first cleaned patch of previous implementations
It's here mainly for review as I have not tested it yet and I'm pretty sure I broke things, but feel free to test anyway. Next step is to finish checkstyle fixes to be fully XWiki Checkstyle compliant and create some unit tests to test it.

20080207-new_ldap_auth.patch:

Thomas,
Thanks for the update. I will attempt to add the patch and test it out against my LDAP configuration. Unfortunately, I'm not an LDAP expert either.
I had another question that I will post here, but probably belongs elsewhere. Why won't XWiki allow usernames to contain a period (i.e. firstname.lastname)? My client uses a naming convention similar to this for their usernames, so it is important that we carry over support for this in the Wiki product we choose. Browsing through the source code I have noticed that you check to see if the username begins with "XWiki.". Instead of checking to see if there is a period in the username, could the code be modified to be more specific? For example, instead of:
userName.indexOf(".");
could this code be modified to something like:
if(userName.startsWith("XWiki.")) { ... }
Obviously, I am new to XWiki so there is probably a good reason for this restriction on usernames, but I was just hoping to get some clarification and possibly a workaround so we can support our client's needs. Thanks again for all of your help.
Jimmy

About names with dots, the problem is that the username will be used as a document name. And for the moment, a document name cannot include dots, as dots are used as the separator between the space name and the document name. And for the moment there is no working escape strategy possible, as the escapes/unescapes in XWiki are pretty messed up.
(A solution would be to accept dots in the displayed name, but use an escape when working with the name inside the code, but as I said, the escapes don't work well in XWiki)

You are right that it's a problem but as Sergiu said it's still difficult to manage user names containing a point in a general way because in XWiki everything is a wiki page and "." is a separator.
Now in the LDAP particular case, as the login entered by the user is not directly used as a wiki page but is used to access LDAP, I could look at this and see if something can be done. But for now the target is to clean and correctly test this patch to replace the actual LDAP authentication service, thanks to Gunter.

20080208-new_ldap_auth.patch: let's call it morning build
Starting now to test and write some unit tests. It seems that this implementation never creates groups in the XWiki database and reads a xwiki.cfg parameter listing the group names mapping between ldap and XWiki (unless I did not understand something).
Can the people who already tested it confirm this? In that case do you think it is enough or do we really need to dynamically get users' groups and sync them in the XWiki database like we do for users? Anyway this will have to be done sooner or later but as I don't use LDAP a lot I'm asking if the way it's working currently is totally useless or can be correct for a first LDAP groups support implementation.

20080211-new_ldap_auth.patch:

Hi
This is a very critical feature for us to use XWiki in our organization. I am willing to test the patches against our corporate Microsoft Active Directory. However, not being a Java developer myself, it would be very useful to have a compiled jar to help me do this. Any help would be great.

20080212-new_ldap_auth.zip: contains
I'm not sure I was clear in the previous comment: when I say patched xwiki-core I mean the xwiki-core jar containing this patch's modifications.

Hi Thomas,
I copied the xwiki-core.jar over the existing xwiki-core-1.2.1.jar in WEB-INF/lib and restarted Tomcat. However, the same issue still persists. Looks like the users are not being created locally even now. Let me know if I need to do anything differently.

Hi,
Do you have anything in the xwiki.log file? The XWiki.zip file attached by Gunter contains more details on possible configuration (except for LDAPAuthenticater which I renamed to XWikiLDAPAuthServiceImpl).
I just committed the new experimental LDAP authentication service in xwiki trunk (1.3-SNAPSHOT) for more people to be able to test it. You will find the last build in http://maven.xwiki.org/snapshots/com/xpn/xwiki/platform/xwiki-core/1.3-SNAPSHOT/
I have a problem with apacheds+maven to launch integration tests so I'm working on it now to be able to add more tests and commit them.