Wiki source code of Authentication
Version 13.1 by Thomas Mortagne on 2008/03/03
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | 1 User Authentication | ||
| 2 | |||
| 3 | XWiki supports several different authentication mechanisms for authenticating users: | ||
| 4 | #toc("" "" "") | ||
| 5 | |||
| 6 | The form authentication is the default mechanism. | ||
| 7 | |||
| 8 | #info("Note that currently XWiki allows only one method of authentication to be enabled at a time which. This will probably be improved in the future.") | ||
| 9 | |||
| 10 | 1.1 Form Authentication | ||
| 11 | |||
| 12 | TODO | ||
| 13 | |||
| 14 | 1.1 LDAP Authentication | ||
| 15 | #warning("New experimental service since XWiki Platform 1.3M2, see [previous LDAP authentication service documentation>AuthenticationLdapOld]") | ||
| 16 | |||
| 17 | 1.1.1 Generic LDAP configuration | ||
| 18 | |||
| 19 | In order to enable the LDAP support you have to change the authentication method in ~~WEB-INF/xwiki.cfg~~ as follows: | ||
| 20 | {code} | ||
| 21 | ## Turn LDAP authentication on - otherwise only XWiki authentication | ||
| 22 | ## 0 : disable | ||
| 23 | ## 1 : enable | ||
| 24 | xwiki.authentication.ldap=1 | ||
| 25 | |||
| 26 | ## set LDAP as authentication service | ||
| 27 | xwiki.authentication.ldap.authclass=com.xpn.xwiki.ldap.authentication.XWikiLDAPAuthServiceImpl | ||
| 28 | {code} | ||
| 29 | |||
| 30 | You can setup the LDAP configuration in the ~~xwiki.cfg~~ file by filling the following properties: | ||
| 31 | |||
| 32 | {code:none} | ||
| 33 | ## LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.) | ||
| 34 | xwiki.authentication.ldap.server=156.58.101.204 | ||
| 35 | xwiki.authentication.ldap.port=389 | ||
| 36 | |||
| 37 | ## LDAP login, empty = anonymous access, otherwise specify full dn | ||
| 38 | ## {0} is replaced with the username, {1} with the password | ||
| 39 | xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP | ||
| 40 | xwiki.authentication.ldap.bind_pass={1} | ||
| 41 | |||
| 42 | #-# Force to check password after LDAP connection | ||
| 43 | #-# 0: disable | ||
| 44 | #-# 1: enable | ||
| 45 | xwiki.authentication.ldap.validate_password=0 | ||
| 46 | |||
| 47 | ## only members of the following group will be verified in the LDAP | ||
| 48 | ## otherwise only users that are found after searching starting from the base_DN | ||
| 49 | xwiki.authentication.ldap.user_group=cn=developers,ou=groups,o=MegaNova,c=US | ||
| 50 | |||
| 51 | ## base DN for searches | ||
| 52 | xwiki.authentication.ldap.base_DN= | ||
| 53 | department=USER,department=INFORMATIK,department=1230,o=MP | ||
| 54 | |||
| 55 | ## specifies the LDAP attribute containing the identifier to be used as the XWiki name (default=cn) | ||
| 56 | xwiki.authentication.ldap.UID_attr=cn | ||
| 57 | |||
| 58 | ## retrieve the following fields from LDAP and store them in the XWiki user object (xwiki-attribute=ldap-attribute) | ||
| 59 | xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=fullName,email=mail,ldap_dn=dn | ||
| 60 | |||
| 61 | # on every login update the mapped attributes from LDAP to XWiki otherwise this happens only once when the XWiki account is created. | ||
| 62 | xwiki.authentication.ldap.update_user=1 | ||
| 63 | |||
| 64 | ## maps XWiki groups to LDAP groups, separator is "|" | ||
| 65 | xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groups,o=MegaNova,c=US|\ | ||
| 66 | XWiki.Organisation=cn=testers,ou=groups,o=MegaNova,c=US | ||
| 67 | |||
| 68 | ## time in seconds after which the list of members in a group is refreshed from LDAP (default=3600*6) | ||
| 69 | xwiki.authentication.ldap.groupcache_expiration=21800 | ||
| 70 | |||
| 71 | ## - create : synchronize group membership only when the user is first created | ||
| 72 | ## - always: synchronize on every login | ||
| 73 | xwiki.authentication.ldap.mode_group_sync=always | ||
| 74 | |||
| 75 | ## if ldap authentication fails for any reason, try XWiki DB authentication with the same credentials | ||
| 76 | xwiki.authentication.ldap.trylocal=1 | ||
| 77 | |||
| 78 | ## SSL connection to LDAP server | ||
| 79 | ## 0 : normal | ||
| 80 | ## 1 : SSL | ||
| 81 | xwiki.authentication.ldap.ssl=1 | ||
| 82 | |||
| 83 | ## The keystore file to use in SSL connection | ||
| 84 | xwiki.authentication.ldap.ssl.keystore= | ||
| 85 | {code} | ||
| 86 | |||
| 87 | #* | ||
| 88 | #info("You can also setup the LDAP configuration in XWiki.XWikiPreferences page by going to the class editor and adding the following fields: | ||
| 89 | * ldap | ||
| 90 | * ldap_server | ||
| 91 | * ldap_port | ||
| 92 | * ldap_check_level | ||
| 93 | * ldap_base_DN | ||
| 94 | * ldap_bind_DN | ||
| 95 | * ldap_bind_pass | ||
| 96 | * ldap_validate_password | ||
| 97 | * ldap_UID_attr | ||
| 98 | * ldap_fields_mapping | ||
| 99 | * ldap_update_user | ||
| 100 | * ldap_group_mapping | ||
| 101 | * ldap_groupcache_expiration | ||
| 102 | * ldap_mode_group_sync | ||
| 103 | * ldap_trylocal | ||
| 104 | * ldap_ssl | ||
| 105 | * ldap_ssl.keystore") | ||
| 106 | *# | ||
| 107 | |||
| 108 | 1.1.1 LDAP Configuration for Active Directory | ||
| 109 | |||
| 110 | Here are values of the properties you need to set if your LDAP server implementation is Miscrosoft Active Directory: | ||
| 111 | - *ldap_server*: name/IP of AD server machine | ||
| 112 | - *ldap_port*: port ~~(e.g. 389)~~ | ||
| 113 | - *ldap_check_level*: 1 | ||
| 114 | - *ldap_base_DN*: name of root DN ~~(e.g. dc=ad,dc=company,dc=com)~~ | ||
| 115 | - *ldap_bind_DN*: domain\{0\} ~~(e.g. ad\{0\} where \{0\} will be replaced by username during validation)~~ | ||
| 116 | - *ldap_bind_pass*: \{1\} ~~(where \{1\} will be replaced by password during validation)~~ | ||
| 117 | - *ldap_UID_attr*: sAMAccountName | ||
| 118 | - *ldap_fields_mapping*: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn | ||
| 119 | |||
| 120 | Example: | ||
| 121 | {code} | ||
| 122 | xwiki.authentication.ldap=1 | ||
| 123 | xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl | ||
| 124 | xwiki.authentication.ldap.server=adserver | ||
| 125 | xwiki.authentication.ldap.check_level=1 | ||
| 126 | xwiki.authentication.ldap.port=389 | ||
| 127 | xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix | ||
| 128 | xwiki.authentication.ldap.bind_DN=subdomain\\{0} | ||
| 129 | xwiki.authentication.ldap.bind_pass={1} | ||
| 130 | xwiki.authentication.ldap.UID_attr=sAMAccountName | ||
| 131 | xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn | ||
| 132 | {code} | ||
| 133 | |||
| 134 | The bind_DN and bind_pass fields contain the username and password for binding to the LDAP server in order to search, which will not necessarily be the same credentials as the user logging in. | ||
| 135 | |||
| 136 | |||
| 137 | The exact details of this configuration will vary based on your server configuration. It may not be necessary to prefix the username (represented by {0}) with the subdomain. | ||
| 138 | |||
| 139 | For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right. | ||
| 140 | |||
| 141 | This java client, [LDAP Browser/Editor > http://www-unix.mcs.anl.gov/~gawor/ldap/] is a handy tool for checking your configuration. | ||
| 142 | |||
| 143 | |||
| 144 | |||
| 145 | |||
| 146 | 1.1 eXo Authentication | ||
| 147 | |||
| 148 | The eXo authentication is used automatically by adding/editing the ~~xwiki.exo=1~~ property in ~~WEB-INF/xwiki.cfg~~. | ||
| 149 | |||
| 150 | 1.1 Custom Authentication | ||
| 151 | |||
| 152 | This allows plugging to any existing authentication mechanism such as SiteMinder, etc. To configure a custom authentication do the following: | ||
| 153 | # Implement the XWikiAuthService interface. | ||
| 154 | # Edit the ~~WEB-INF/xwiki.cfg~~ file and add a ~~xwiki.authentication.authclass~~ property pointing to your class. For example: | ||
| 155 | |||
| 156 | {code} | ||
| 157 | xwiki.authentication.authclass = com.acme.MyCustomAuthenticationService | ||
| 158 | {code} | ||
| 159 | |||
| 160 | Note, that you also can implement own right management service by implementing XWikiRightService interface: | ||
| 161 | {code} | ||
| 162 | xwiki.authentication.rightsclass = com.acme.MyCustomRightsService | ||
| 163 | {code} | ||
| 164 | |||
| 165 | and group service by implementing XWikiGroupService and setting ~~xwiki.authentication.groupclass~~ property. | ||
| 166 | |||
| 167 | |||
| 168 | |||
| 169 | |||
| 170 | |||
| 171 | 1.1 Authentication parameters | ||
| 172 | |||
| 173 | You can set each of these parameters by setting: | ||
| 174 | |||
| 175 | {code} | ||
| 176 | xwiki.authentication.~~param_name~~=~~param_value~~ | ||
| 177 | {code} | ||
| 178 | |||
| 179 | {table} | ||
| 180 | Name | Optional | Allowed values | Default value | Description | ||
| 181 | encryptionKey | No(1) | ? | n/a | Set the Encryption Key used to create a secret key, the secret key is passed to the Cipher object to be used during encryption and decryption of cookie values. | ||
| 182 | validationKey | No(2) | ? | n/a | Set the Validation Key used to generate hash value; the hash value is stored with the cookie and used to verify that the cookie has not been tampered with. | ||
| 183 | cookiedomains | Yes | String | Server host name | Which host(s) should your cookies be sent to; use only if you want to share cookies across domains, otherwise should be commented out | ||
| 184 | cookielife | Yes | Number | 14 | Number of days cookies take to expire | ||
| 185 | cookiepath | Yes | String | / | The webapp path that XWiki cookies should be sent to; if you have anything else running on your web server, this should be set to ~~/xwiki~~ | ||
| 186 | default_page | Yes | String | /bin/view/ Main/WebHome | Page to redirect to if xredirect parameter is not set | ||
| 187 | encryptionalgorithm | Yes | ? | ? | Set the Encryption Algorithm used to encrypt and decrypt cookies | ||
| 188 | encryptionmode | Yes | ? | ? | Set the Encryption Mode used to encrypt and decrypt cookies | ||
| 189 | encryptionpadding | Yes | ? | ? | Set the Encryption Padding used to encrypt and decrypt cookies | ||
| 190 | errorpage | Yes | String | /bin/loginerror/ XWiki/XWikiLogin | Page to redirect to if there is an error logging in | ||
| 191 | loginpage | Yes | String | /bin/login/ XWiki/XWikiLogin | Page to redirect to when not logged in | ||
| 192 | loginsubmitpage | Yes | String | /loginsubmit/ XWiki/XWikiLogin | ? | ||
| 193 | logoutpage | Yes | String | /bin/logout/ XWiki/XWikiLogout | Page to redirect to after logged out | ||
| 194 | realname | Yes | String | XWiki | Sets the realm name (should be ~~realmname~~???) | ||
| 195 | protection | Yes | all, validation, encryption, none | all | Protection level for the "remember me" cookie functionality | ||
| 196 | unauthorized_code | Yes | ? | ? | ? | ||
| 197 | useip | Yes | true / false | true | Specify to use the IP address when encrypting the cookie data; if IP address changes will need to re-login. | ||
| 198 | {table} | ||
| 199 | # Only required if protection = encryption or all (default) | ||
| 200 | # Only required if protection = validation or all (default) |
