I have performed the following steps:

    * Installed the LDAP Admin Application on the subwiki.
    * Changed the LDAP BASE_DN to point to a different location than the main
      wiki ( OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com ) as
      opposed to ( OU=All Users,DC=mycompanyt,DC=com ) on the main.
    * Created a new group in my AD called "maintenance_wiki" that has a
      membership of users that I wish to authenticate against (as there is the
      odd user that I want to authenticate that will not reside in the
      OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com branch).
    * Changed the "Restricted To Group" setting in the LDAP application to
      point to my new maintenance_wiki group.
    * Restarted the tomcat services.

After turning LDAP logging on and performing some tests it appears that if I
log on with a user that does not exist in the "maintenance_wiki" group it will 
next try to authenticate using the Main Wiki's search DN as opposed to the more 
granular one that I have defined in the Subwiki. So instead of getting an 
"Invalid Credentials" message, which I was hoping for, it instead creates the 
user in the main wiki and lets the user into the subwiki with the message 
"ERROR you are not allowed to view this document or perform this action". 

What I was hoping would happen is that the subwiki would only authenticate 
users from the search DN defined in the subwiki or that belong in the group 
that I defined, and not create accounts for users that exist in the main wiki's 
search DN. Is this possible? 


Kelly Steinke 
Software Developer/System Support 
STEEL-CRAFT DOOR PRODUCTS LTD. 

----- Original Message -----

From: "Thomas Mortagne" <[email protected]> 
To: "XWiki Users" <[email protected]> 
Sent: Tuesday, December 31, 2013 12:27:47 AM 
Subject: Re: [xwiki-users] subwiki ldap authentication 

Yes you have only one xwiki.cfg which contains the default 
configuration for each wiki but "You can also setup the LDAP 
configuration in the XWiki.XWikiPreferences page by going to the 
object editor. Simply replace xwiki.authentication.ldap. with ldap_. 
For example xwiki.authentication.ldap.base_DN becomes ldap_base_DN." 

You can install 
http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP+Application 
which is doing exactly that (modifying XWikiPreferences page) in the 
wikis you want to modify. 

On Tue, Dec 31, 2013 at 12:52 AM, Kelly Steinke <[email protected]> 
wrote: 
> Hi all, 
> 
> I just recently upgraded to 5.3 and have now created a sub wiki for the first 
> time. My main wiki is configured to authenticate using LDAP and has a base 
> search DN set to an OU called "AllUsers". In Active Directory the AllUsers OU 
> contains several sub OU's which separate users according to branch, 
> department etc. Having the LDAP set up to search the AllUsers OU allows for
> anyone in our company to use the main wiki by logging in with their network 
> credentials and works great. 
> 
> When I created the sub wiki, I went through the wizard and selected to only 
> have local users be available in it, as this sub wiki is to be used and 
> administrated by a specific department only. What I would like to achieve now 
> is to have the users of the sub wiki be authenticated using a different 
> search base than that of the main wiki (aka the OU that contains only users 
> for that department). 
> 
> So instead of using the following, which is defined in the xwiki.cfg: 
> 
> xwiki.authentication.ldap.base_DN=OU=All Users,DC=mycompanyt,DC=com 
> 
> The sub wiki would use this for authentication: 
> 
> xwiki.authentication.ldap.base_DN=OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com
> 
> I read in the documentation "Use cases of configuration to authenticate
> users with LDAP" that each wiki in a multiwiki environment can have its own
> LDAP configuration, however I am unable to determine how to do this, as there 
> is only one xwiki.cfg file that contains my LDAP configuration and there is 
> no mention of any LDAP settings in the xwiki.preferences page of the sub 
> wiki. 
> 
> Any help is greatly appreciated!
> 
> _______________________________________________ 
> users mailing list 
> [email protected] 
> http://lists.xwiki.org/mailman/listinfo/users 



-- 
Thomas Mortagne 
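
The scoping discussed in this thread, as an added example (not part of the thread and not XWiki code): it classifies account DNs by whether the subwiki's base DN or the maintenance_wiki group covers them, or only the main wiki's wider base DN does. The user DNs and the group membership are constructed sample data; multi-valued RDNs and quoted values are not handled.

```python
# Added example: which LDAP scope from the thread covers a given account DN?
SUB_BASE = "OU=Accounting,OU=myBranch,OU=All Users,DC=mycompanyt,DC=com"
MAIN_BASE = "OU=All Users,DC=mycompanyt,DC=com"

def parse_dn(dn):
    """Split a DN into normalised (attr, value) RDNs; a backslash escapes a comma."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if ch == "," and not esc:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
        esc = (ch == "\\") and not esc
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def in_scope(user_dn, base_dn):
    """True when user_dn is the base entry or lies in the subtree below it."""
    user, base = parse_dn(user_dn), parse_dn(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base

def classify(user_dn, group_members):
    """Return 'subwiki', 'main-only' or 'none' for one account DN."""
    members = {parse_dn(m) for m in group_members}
    if in_scope(user_dn, SUB_BASE) or parse_dn(user_dn) in members:
        return "subwiki"      # inside the department OU, or in the group
    if in_scope(user_dn, MAIN_BASE):
        return "main-only"    # matched only by the main wiki's wider base DN
    return "none"

# Constructed sample data (hypothetical users, hypothetical group membership).
TAIL = ",OU=All Users,DC=mycompanyt,DC=com"
GROUP = ["CN=Bob Roy,OU=Sales,OU=myBranch" + TAIL]
USERS = [
    "CN=Alice Ng,OU=Accounting,OU=myBranch" + TAIL,
    "cn=bob roy, ou=Sales, ou=myBranch" + TAIL,             # case/space variant
    "CN=Carol Diaz,OU=Sales,OU=otherBranch" + TAIL,
    "CN=Eve Lam,OU=Temps\\,OU=Accounting,OU=myBranch" + TAIL,  # escaped comma
    "CN=svc-backup,OU=Service Accounts,DC=mycompanyt,DC=com",
]

def audit(users=USERS, group=GROUP):
    """Map each DN to its verdict; 'main-only' entries are the ones to review."""
    return {dn: classify(dn, group) for dn in users}

if __name__ == "__main__":
    for dn, verdict in audit().items():
        print(f"{verdict:9}  {dn}")
```

The escaped-comma entry is the case a plain string suffix comparison gets wrong: its DN text ends with the subwiki base DN, but its parent is OU=myBranch, not OU=Accounting.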