LDAP Multiple Domains

LDAP Multiple Domains

Stefan Woehrer
Hi there,

Is there a way XWiki can handle user logins from different domains?
The users are members of several subdomains, e.g.: sub1.somedomain.dom, sub2.somedomain.dom, sub3.somedomain.dom, ......

The users from all of these domains need to log in. It works perfectly for one domain (if I configure it for example for sub1.somedomain.dom). So how can I configure it for more than one domain?

Or is there a way to import a user list from the Active Directory? I think I have seen in another post that someone else needs such a feature too, but it is not implemented right now - is this correct?

Thank you very much in advance!!
Steve
Re: LDAP Multiple Domains

Thomas Mortagne
Administrator
On Thu, Jun 26, 2008 at 11:53 AM, Stefan Woehrer
<[hidden email]> wrote:
>
> Hi there,
>
> is there a way XWiki can handle userlogins from different domains?
> The users are members of several subdomains, eg: sub1.somedomain.dom,
> sub2.somedomain.dom, sub3.somedomain.dom, ......

This depends on your configuration: if all your users are in the same
LDAP server and just I guess defining base_DN on the entire domain.

If not, then XWiki actually supports only one LDAP server (you should
add an issue for that at http://jira.xwiki.org).

I may be wrong, but isn't it possible in LDAP to define a "root" LDAP
server which transparently asks some other LDAP slave servers?

>
> The users from all of these domains need to log in. It works perfectly for
> one domain (if I configure it for example for sub1.somedomain.dom). So how
> can I configure it for more than one domain?
>
> Or is there a way to import a user list from the Active Directory? I think I
> have seen in another post that someone else needs such a feature too, but it
> is not implemented right now - is this correct?

This would not help, I think, as it would not be possible to get
passwords from the LDAP server, depending on the implementation, and
authentication would always need to be done on the LDAP server. Plus you
would lose the synchronization of user information and membership.

>
> Thank you very much in advance!!
> Steve
> --
> View this message in context: http://www.nabble.com/LDAP-Multiple-Domains-tp18130322p18130322.html
> Sent from the XWiki- Users mailing list archive at Nabble.com.
>
> _______________________________________________
> users mailing list
> [hidden email]
> http://lists.xwiki.org/mailman/listinfo/users
>



--
Thomas Mortagne
Re: LDAP Multiple Domains

Stefan Woehrer
Hi,

the users are stored within the subdomains:

sub1.somedomain.dom   -> contains some users
sub2.somedomain.dom   -> contains some users
sub3.somedomain.dom   -> contains some users
...

When configuring XWiki like: base_DN=dc=somedomain,dc=dom
no users are able to log in.

When configuring XWiki like: base_DN=dc=sub1,dc=somedomain,dc=dom
only users of sub1.somedomain.dom can log in.

Is there any way to make it possible for the users of all three subdomains to log in? For example: if the users would write their subdomains before the login name? (sub1\username) -> I have tried this without success, but maybe I made some mistakes...

I would be grateful for any advice ;)
Steve
LDAP Multiple Domains - Workaround

Stefan Woehrer
In reply to this post by Stefan Woehrer
Found out a nice "workaround" (which isn't a real one of course..)

For all who experience the same problem: Create an AD group that contains all users that have to log into your XWiki. The users can be located in different subdomains / servers. Then set the xwiki.authentication.ldap.user_group parameter to that group (you have to use the fully qualified name of the group, not only the group's name).

XWiki will search in the member fields of that group. If the user is found as a member, XWiki seems to try a bind with that user, which should work, because the member field contains the fully qualified name of that user (including the subdomain).

Take care with the xwiki.authentication.ldap.UID_attr parameter, because most likely you'll have it set to "sAMAccountName". However, it can be that in the group-membership fields the user is represented by "cn", so you may have to use "cn" for the UID_attr and log in with the cn instead of the sAMAccountName.

(Shall I put this "guide" somewhere onto the xwiki homepage? Where would be the best place...)

Steve
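
Added example, not part of the original post and not XWiki's own code: a small Python model of the lookup described above, matching a login name against the leading RDN of each member DN of the group. The group contents and the rule of refusing a name that matches members in more than one place are assumptions made for illustration; they show why sAMAccountName finds nothing in member DNs and why cn, which is unique only within its container, can collide across subdomains.

```python
import re

# Constructed sample: "member" values of a hypothetical AD group whose
# members live in different subdomains (names are invented for illustration).
GROUP_MEMBERS = [
    "CN=Alice Example,OU=Staff,DC=sub1,DC=somedomain,DC=dom",
    "CN=Bob Example,OU=Staff,DC=sub2,DC=somedomain,DC=dom",
    r"CN=Smith\, John,OU=Staff,DC=sub3,DC=somedomain,DC=dom",
    "CN=Alice Example,OU=Contractors,DC=sub3,DC=somedomain,DC=dom",
]

def first_rdn(dn):
    """(attribute, value) of the leftmost RDN. Simplified: handles
    backslash-escaped characters such as '\\,' but not hex escapes."""
    rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())

def domain_of(dn):
    """DNS domain rebuilt from the DC components of a DN."""
    return ".".join(re.findall(r"(?i)(?:^|,)\s*DC=([^,]+)", dn))

def candidates(login, members, uid_attr):
    """Member DNs whose leftmost RDN equals uid_attr=login (case-insensitive)."""
    want = login.strip().lower()
    found = []
    for dn in members:
        attr, value = first_rdn(dn)
        if attr == uid_attr.lower() and value.lower() == want:
            found.append(dn)
    return found

def bind_dn(login, members, uid_attr="cn"):
    """DN to bind with; None if the login is not a group member.
    Refuses (LookupError) when the login matches members in several places."""
    found = candidates(login, members, uid_attr)
    if len(found) > 1:
        where = sorted(domain_of(dn) for dn in found)
        raise LookupError(f"{login!r} is ambiguous across {where}")
    return found[0] if found else None

if __name__ == "__main__":
    for name, attr in [("bob example", "cn"), ("Smith, John", "cn"),
                       ("bexample", "sAMAccountName"), ("Alice Example", "cn")]:
        try:
            print(name, attr, "->", bind_dn(name, GROUP_MEMBERS, attr))
        except LookupError as err:
            print(name, attr, "-> refused:", err)
```
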
Re: LDAP Multiple Domains - Workaround

Thomas Mortagne
Administrator
Hi Steve,

Thanks for the tips!

I just created a "LDAP detailed uses cases" page in the Administration
Guide to describe this kind of thing, as LDAP configuration becomes
more and more complex:
http://platform.xwiki.org/xwiki/bin/view/AdminGuide/LDAPAuthenticationUseCases
It would be great if you added the first one ;)

On Thu, Jul 24, 2008 at 4:59 PM, Stefan Woehrer <[hidden email]> wrote:

>
> Found out a nice "workaround" (which isn't a real one of course..)
>
> For all who experience the same problem: Create an AD group that contains all
> users that have to log into your XWiki. The users can be located in
> different subdomains / servers. Then set the
> xwiki.authentication.ldap.user_group parameter to that group (you have to
> use the fully qualified name of the group, not only the group's name).
>
> XWiki will search in the member fields of that group. If the user is found
> as a member, XWiki seems to try a bind with that user, which should work,
> because the member field contains the fully qualified name of that user
> (including the subdomain).
>
> Take care with the xwiki.authentication.ldap.UID_attr parameter, because most
> likely you'll have it set to "sAMAccountName". However, it can be that in
> the group-membership fields the user is represented by "cn", so you may have
> to use "cn" for the UID_attr and log in with the cn instead of the
> sAMAccountName.
>
> (Shall I put this "guide" somewhere onto the xwiki homepage? Where would be
> the best place...)
>
> Steve
--
Thomas Mortagne
Re: LDAP Multiple Domains

hel-o
In reply to this post by Thomas Mortagne
I'm working on the same problem and I am looking for a workaround if the users are in different LDAP servers.

A possible solution I am thinking of is to use several xwiki instances with different LDAP configurations for each domain (LDAP Server) using the same database.

Is that possible or am I running into big trouble?

Thanks
hel

semantic-web.hel.at
hel@hel.at
Re: LDAP Multiple Domains

Thomas Mortagne
Administrator
Hi,

On Tue, Jul 29, 2008 at 10:02 AM, hel-o <[hidden email]> wrote:
>
> I'm working on the same problem and I am looking for a workaround if the users
> are in different LDAP servers.
>
> A possible solution I am thinking of is to use several xwiki instances with
> different LDAP configurations for each domain (LDAP Server) using the same
> database.
>
> Is that possible or am I running into big trouble?

You can't do that because cache and database will not be synchronized.

You can try the workaround from Stefan Woehrer. See
http://markmail.org/message/kc6yfzhln7kgbxkj

>
> Thanks
> hel
>
--
Thomas Mortagne
FAA time?

xiaoyao1118
In reply to this post by hel-o

xwiki FAQ new problems to show how long?
Re: FAA time?

vmassol
Administrator
Hi,

If you're asking how long is the cache setting for the FAQ page at
http://www.xwiki.org/xwiki/bin/view/FAQ/ then the answer is 10000
seconds (that's about 2.8 hours).

See the bottom of http://www.xwiki.org/xwiki/bin/view/FAQ/?viewer=code,
you'll see a setCacheDuration call. This is how we tell
xwiki to cache a page.

Thanks
-Vincent

On Jul 29, 2008, at 11:55 AM, xiaoyao1118 wrote:

>
> xwiki FAQ   new problems to show how long ?