Old LDAP Authentication (before XWiki Platform 1.3M2)
Generic LDAP configuration
In order to enable the LDAP support you have to change the authentication method in WEB-INF/xwiki.cfg as follows:
You can setup the LDAP configuration in the xwiki.cfg file by filling the following properties:
- xwiki.authentication.ldap.server
  - LDAP server, either an IP address or a host name (for example: localhost)
- xwiki.authentication.ldap.port
  - LDAP server port number. Typical value is 389.
- xwiki.authentication.ldap.check_level
  - The default value is 2 if this property is not defined. Here are the possible values:
    - checklevel 0: LDAP connection login to LDAP is sufficient
    - checklevel 1: Login & username located, attributes loaded
    - checklevel 2: Compare password for user (e.g. necessary if the LDAP bind didn't use the user's credentials)
- xwiki.authentication.ldap.base_DN
- xwiki.authentication.ldap.bind_DN
- xwiki.authentication.ldap.bind_pass
- xwiki.authentication.ldap.UID_attr
- xwiki.authentication.ldap.fields_mapping
Example:
xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
xwiki.authentication.ldap.server=dsmaster
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=department=USER,department=INFORMATIK,department=1230,o=MP
xwiki.authentication.ldap.bind_DN=cn={0},department=USER,department=INFORMATIK,department=1230,o=MP
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=uid
LDAP Configuration for Active Directory
Here are the values of the properties you need to set if your LDAP server implementation is Microsoft Active Directory:
- ldap_server: name/IP of AD server machine
- ldap_port: port (e.g. 389)
- ldap_check_level: 1
- ldap_base_DN: name of root DN (e.g. dc=ad,dc=company,dc=com)
- ldap_bind_DN: domain\{0} (e.g. ad\{0}, where {0} will be replaced by the username during validation)
- ldap_bind_pass: {1} (where {1} will be replaced by password during validation)
- ldap_UID_attr: sAMAccountName
- ldap_fields_mapping: name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
Example:
xwiki.authentication.ldap.authclass=com.xpn.xwiki.user.impl.LDAP.LDAPAuthServiceImpl
xwiki.authentication.ldap.server=adserver
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.base_DN=dc=subdomain,dc=domain,dc=suffix
xwiki.authentication.ldap.bind_DN=subdomain\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.authentication.ldap.fields_mapping=name=sAMAccountName,last_name=sn,first_name=givenName,fullname=displayName,mail=mail,ldap_dn=dn
The bind_DN and bind_pass fields contain the username and password for binding to the LDAP server in order to search, which will not necessarily be the same credentials as the user logging in.
The exact details of this configuration will vary based on your server configuration. It may not be necessary to prefix the username (represented by {0}) with the subdomain.
For testing purposes, you may wish to omit the "ldap.fields_mapping" field, to test the authentication first, and then add it later to get the mappings right.
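The following is an added example, not XWiki's own code: it simulates how the three check_level values and the {0}/{1} placeholders in bind_DN/bind_pass interact, using an in-memory stand-in for the LDAP server so it runs without one. The configuration strings, the directory entries, and the helper names (parse_cfg, authenticate, escape_dn_value) are all constructed for this example. It shows the situation described above: when bind_DN is a fixed service account rather than {0}, a wrong user password still produces a successful bind, so check_level 1 accepts the login and only check_level 2 rejects it. The username is escaped per RFC 4514 before being substituted into the DN; the page does not say whether the original authenticator did this, so treat it as a defensive addition.

```python
"""Simulation of the old XWiki LDAP check levels (added example, not XWiki code)."""

PREFIX = "xwiki.authentication.ldap."

# Constructed sample: the bind uses the logging-in user's own credentials.
USER_BIND_CFG = """
xwiki.authentication.ldap.server=ldap.example.test
xwiki.authentication.ldap.port=389
xwiki.authentication.ldap.check_level=1
xwiki.authentication.ldap.base_DN=dc=example,dc=test
xwiki.authentication.ldap.bind_DN=cn={0},dc=example,dc=test
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.UID_attr=uid
xwiki.authentication.ldap.fields_mapping=name=uid,last_name=sn,first_name=givenName,mail=mail,ldap_dn=dn
"""

# Constructed sample: the bind uses a fixed service account (not the user's credentials).
SERVICE_BIND_CFG = USER_BIND_CFG.replace(
    "bind_DN=cn={0},dc=example,dc=test", "bind_DN=cn=svc-xwiki,dc=example,dc=test"
).replace("bind_pass={1}", "bind_pass=svc-pass")

# Constructed in-memory directory standing in for the LDAP server.
FAKE_DIRECTORY = {
    "cn=alice,dc=example,dc=test": {
        "uid": "alice", "sn": "Smith", "givenName": "Alice",
        "mail": "alice@example.test", "userPassword": "s3cret",
    },
    "cn=svc-xwiki,dc=example,dc=test": {"userPassword": "svc-pass"},
}


def parse_cfg(text):
    """Read the xwiki.authentication.ldap.* keys out of xwiki.cfg-style text."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.startswith(PREFIX):
            cfg[key[len(PREFIX):]] = value
    return cfg


def parse_fields_mapping(spec):
    """'name=uid,mail=mail' -> {'name': 'uid', 'mail': 'mail'}."""
    mapping = {}
    for item in spec.split(","):
        if item.strip():
            field, _, attr = item.partition("=")
            mapping[field.strip()] = attr.strip()
    return mapping


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped[:1] in (" ", "#"):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def fake_bind(dn, password):
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry.get("userPassword") == password


def fake_search(base_dn, attr, value):
    for dn, entry in FAKE_DIRECTORY.items():
        if dn.endswith(base_dn) and entry.get(attr) == value:
            return dn, entry
    return None


def authenticate(cfg, username, password):
    """Return the mapped user profile on success, or None on failure."""
    level = int(cfg.get("check_level", "2"))
    bind_dn = cfg["bind_DN"].replace("{0}", escape_dn_value(username))
    bind_pass = cfg["bind_pass"].replace("{1}", password)
    if not fake_bind(bind_dn, bind_pass):
        return None                      # every level requires a successful bind
    if level == 0:
        return {"name": username}        # level 0: the bind alone is sufficient
    found = fake_search(cfg["base_DN"], cfg["UID_attr"], username)
    if found is None:
        return None                      # level 1+: the user entry must be located
    dn, entry = found
    if level >= 2 and entry.get("userPassword") != password:
        return None                      # level 2: compare the user's own password
    profile = {}
    for field, attr in parse_fields_mapping(cfg.get("fields_mapping", "")).items():
        if attr == "dn":
            profile[field] = dn
        elif attr in entry:
            profile[field] = entry[attr]
    return profile
```

Running authenticate(parse_cfg(SERVICE_BIND_CFG), "alice", "wrong") returns a full profile, because the service account bind succeeds and level 1 only checks that the entry exists; the same call with check_level set to 2 returns None. With USER_BIND_CFG the wrong password fails at the bind step regardless of level.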