Wiki source code of Authentication
Version 11.2 by kjain9 on 2008/02/27
Hide last authors
| author | version | line-number | content |
|---|---|---|---|
 |
1.1 | 1 | 1 User Authentication |
| 2 | |||
 |
1.18 | 3 | XWiki supports several different authentication mechanisms for authenticating users: |
| |
1.1 | 4 | #toc("" "" "") |
| 5 | |||
| 6 | The form authentication is the default mechanism. | ||
| 7 | |||
 |
11.1 | 8 | #info("Note that currently XWiki allows only one method of authentication to be enabled at a time which. This will probably be improved in the future.") |
| |
1.1 | 9 | |
| 10 | 1.1 Form Authentication | ||
| 11 | |||
| 12 | TODO | ||
| 13 | |||
| 14 | 1.1 LDAP Authentication | ||
| |
6.1 | 15 | #warning("New experimental service since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]") |
| |
1.1 | 16 | |
| |
1.2 | 17 | 1.1.1 Generic LDAP configuration |
| |
1.1 | 18 | |
| |
1.2 | 19 | In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows: |
| 20 | {code} | ||
| |
7.1 | 21 | ## Turn LDAP authentication on - otherwise only XWiki authentication |
| 22 | ## 0 : disable | ||
| 23 | ## 1 : enable | ||
| |
1.2 | 24 | xwiki.authentication.ldap=1 |
| |
7.1 | 25 | |
| 26 | ## set LDAP as authentication service | ||
| |
11.2 | 27 | xwiki.authentication.ldap.authclass=com.xpn.xwiki.ldap.authentication.XWikiLDAPAuthServiceImpl |
| |
1.2 | 28 | {code} |
| 29 | |||
| |
2.1 | 30 | You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties: |
| |
1.2 | 31 | |
| |
6.1 | 32 | {code:none} |
| 33 | ## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.) | ||
| 34 | xwiki.authentication.ldap.server=156.58.101.204 | ||
| |
1.1 | 35 | xwiki.authentication.ldap.port=389 |
| |
6.1 | 36 | |
| 37 | ## LDAP login, empty = anonymous access, otherwise specify full dn | ||
| 38 | ## {0} is replaced with the username, {1} with the password | ||
| |
1.1 | 39 | xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP |
| 40 | xwiki.authentication.ldap.bind_pass={1} | ||
| |
6.1 | 41 | |
| 42 | ## only members of the following group will be verified in the LDAP | ||
| 43 | ## otherwise only users that are found after searching starting from the base_DN | ||
| 44 | xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US | ||
| 45 | |||
| 46 | ## base DN for searches | ||
| 47 | xwiki.authentication.ldap.base_DN= | ||
| 48 | department=USER,department=INFORMATIK,department=1230,o=MP | ||
| 49 | |||
| 50 | ## specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn) | ||
| 51 | xwiki.authentication.ldap.UID_attr=cn | ||
| 52 | |||
| 53 | ## retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute) | ||
| 54 | xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn | ||
| 55 | |||
| 56 | # on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created. | ||
| 57 | xwiki.authentication.ldap.update_user=1 | ||
| 58 | |||
| 59 | ## maps XWiki groups to LDAP groups, separator is "|" | ||
| 60 | xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\ | ||
| 61 | XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US | ||
| 62 | |||
| 63 | ## time in seconds after which the list of members in a group is refreshed from LDAP (default=3600*6) | ||
| 64 | xwiki.authentication.ldap.groupcache_expiration=21800 | ||
| 65 | |||
| 66 | ## - create : synchronize group membership only when the user is first created | ||
| 67 | ## - always: synchronize on every login | ||
| 68 | xwiki.authentication.ldap.mode_group_sync=always | ||
| 69 | |||
| 70 | ## if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials | ||
| 71 | xwiki.authentication.ldap.trylocal=1 | ||
| |
8.1 | 72 | |
| 73 | ## SSL connection to LDAP server | ||
| 74 | ## 0 : normal | ||
| 75 | ## 1 : SSL | ||
| 76 | xwiki.authentication.ldap.ssl=1 | ||
| 77 | |||
| 78 | ## The keystore file to use in SSL connection | ||
| 79 | xwiki.authentication.ldap.ssl.keystore= | ||
| |
1.1 | 80 | {code} |
| |
3.1 | 81 | |
| |
9.1 | 82 | #* |
| |
3.1 | 83 | #info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the class editor and adding the following fields: |
| |
6.1 | 84 | * ldap |
| |
3.1 | 85 | * ldap_server |
| 86 | * ldap_port | ||
| 87 | * ldap_check_level | ||
| 88 | * ldap_base_DN | ||
| 89 | * ldap_bind_DN | ||
| 90 | * ldap_bind_pass | ||
| 91 | * ldap_UID_attr | ||
| |
6.1 | 92 | * ldap_fields_mapping |
| 93 | * ldap_update_user | ||
| 94 | * ldap_group_mapping | ||
| 95 | * ldap_groupcache_expiration | ||
| 96 | * ldap_mode_group_sync | ||
| |
8.1 | 97 | * ldap_trylocal |
| 98 | * ldap_ssl | ||
| 99 | * ldap_ssl.keystore") | ||
| |
9.1 | 100 | *# |
| 101 | |||
| |
1.3 | 102 | 1.1.1 LDAP Configuration for Active Directory |
| |
1.1 | 103 | |
| |
1.3 | 104 | Here are values of the properties you need to set if your LDAP server implementation is Miscrosoft Active Directory: |
| 105 | - *ldap_server*: name/IP of AD server machine | ||
| 106 | - *ldap_port*: port ~~(e.g. 389)~~ | ||
| 107 | - *ldap_check_level*: 1 | ||
| 108 | - *ldap_base_DN*: name of root DN ~~(e.g. dc=ad,dc=company,dc=com)~~ | ||
| 109 | - *ldap_bind_DN*: domain\{0\} ~~(e.g. ad\{0\} where \{0\} will be replaced by username during validation)~~ | ||
| 110 | - *ldap_bind_pass*: \{1\} ~~(where \{1\} will be replaced by password during validation)~~ | ||
| 111 | - *ldap_UID_attr*: sAMAccountName | ||
| 112 | - *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn | ||
| 113 | |||
| |
1.19 | 114 | Example: |
| 115 | {code} | ||
| 116 | xwiki.authentication.ldap=1 | ||
| 117 | xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl | ||
| 118 | xwiki.authentication.ldap.server=adserver | ||
| 119 | xwiki.authentication.ldap.check_level=1 | ||
| 120 | xwiki.authentication.ldap.port=389 | ||
| 121 | xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix | ||
| 122 | xwiki.authentication.ldap.bind_DN=subdomain\\{0} | ||
| 123 | xwiki.authentication.ldap.bind_pass={1} | ||
| 124 | xwiki.authentication.ldap.UID_attr=sAMAccountName | ||
| 125 | xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn | ||
| 126 | {code} | ||
| |
1.3 | 127 | |
| |
1.19 | 128 | The bind_DN and bind_pass fields contain the username and password for binding to the LDAP server in order to search, which will not necessarily be the same credentials as the user logging in. |
| 129 | |||
| 130 | |||
| 131 | The exact details of this configuration will vary based on your server configuration. It may not be necessary to prefix the username (represented by {0}) with the subdomain. | ||
| 132 | |||
| 133 | For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right. | ||
| 134 | |||
| 135 | This java client, [LDAP Browser/Editor > http://www-unix.mcs.anl.gov/~gawor/ldap/] is a handy tool for checking your configuration. | ||
| 136 | |||
| 137 | |||
| |
1.1 | 138 | 1.1 eXo Authentication |
| 139 | |||
| 140 | The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~. | ||
| 141 | |||
| 142 | 1.1 Custom Authentication | ||
| 143 | |||
| 144 | This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following: | ||
| 145 | # Implement the XWikiAuthService interface. | ||
| 146 | # Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example: | ||
| 147 | |||
| 148 | {code} | ||
| 149 | xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService | ||
| 150 | {code} | ||
| 151 | |||
| |
4.1 | 152 | Note, that you also can implement own right management service by implementing XWikiRightService interface: |
| 153 | {code} | ||
| |
5.1 | 154 | xwiki.authentication.rightsclass = com.acme.MyCustomRightsService |
| |
4.1 | 155 | {code} |
| 156 | |||
| |
5.1 | 157 | and group service by implementing XWikiGroupService and setting ~~xwiki.authentication.groupclass~~ property. |
| |
4.1 | 158 | |
| 159 | |||
| 160 | |||
| 161 | |||
| |
5.1 | 162 | |
| |
1.14 | 163 | 1.1 Authentication parameters |
| 164 | |||
| 165 | You can set each of these parameters by setting: | ||
| 166 | |||
| 167 | {code} | ||
| 168 | xwiki.authentication.~~param_name~~=~~param_value~~ | ||
| 169 | {code} | ||
| 170 | |||
| 171 | {table} | ||
| 172 | Name | Optional | Allowed values | Default value | Description | ||
| |
1.15 | 173 | encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values. |
| 174 | validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with. | ||
| |
1.14 | 175 | cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out |
| 176 | cookielife | Yes | Number | 14 | Number of days cookies take to expire | ||
| 177 | cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~ | ||
| |
1.17 | 178 | default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set |
| |
1.15 | 179 | encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies |
| 180 | encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies | ||
| 181 | encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies | ||
| |
1.17 | 182 | errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in |
| 183 | loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in | ||
| 184 | loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ? | ||
| 185 | logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out | ||
| |
1.15 | 186 | realname | Yes | String | XWiki | Sets the realm name (should be ~~realmname~~???) |
| |
1.16 | 187 | protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality |
| |
1.15 | 188 | unauthorized_code | Yes | ? | ? | ? |
| |
1.14 | 189 | useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login. |
| 190 | {table} | ||
| |
1.15 | 191 | # Only required if protection = encryption or all (default) |
| 192 | # Only required if protection = validation or all (default) | ||
| |
1.16 | 193 | |
| |
1.17 | 194 | |
| |
1.18 | 195 | |
| |
10.1 | 196 | |
| |
11.1 | 197 |
