Filtering LDAP

Last modified by Vincent Massol on 2024/11/19 16:12

XWiki
Implementation
Completed

Description

Filtering LDAP-Authenticated Users

The need

A means of discriminating more finely among LDAP-authenticated users when deciding who is admitted to the wiki.

  1. Lift some limitations of the existing LDAPAuthServiceImpl class:
    1. Users from multiple LDAP containers should be able to log in.
    2. Not all users from an LDAP container should be allowed to log in.

  Initially, XWiki administrators expressed a desire to modify the behavior of LDAPAuthServiceImpl:
  • to refuse entry to users whose DN does not contain an Organization (o) attribute matching a particular pattern or list of values;
  • to use an attribute other than CommonName (cn) from the DN as the wiki user name.

Implementation ideas

To implement the first, it was proposed that a subclass of LDAPAuthServiceImpl would override only the authenticate method, leaving it unchanged except for one further qualification in the else block of the check that the String returned from getLDAP_DN() is neither null nor empty, before the password is tested: the returned DN would be checked against a regular expression or a list of values. That check should compare the DN by attribute, after splitting it into its RDNs, rather than by plain substring or loose regular-expression matching: a value can contain an escaped comma (for example a cn of "evil\,o=Example"), so a substring test for "o=Example" can match a user who actually sits in a different container.
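The two requested policies (an organisation check on the DN, and a naming attribute other than cn), as an added example that is not part of this page or of LDAPAuthServiceImpl: a small RFC 4514 DN parser with the filter and naming helpers built on it. The names parse_dn, rdn_values, is_login_allowed, wiki_name, the _SAFE_NAME page-name rule and the DNs used in the usage note are assumptions of this example, not XWiki's.

```python
"""DN-based login filtering for LDAP-authenticated users.

Added example, not XWiki's LDAPAuthServiceImpl: parses a bind DN per RFC 4514
and applies the two requested policies (organisation check, configurable naming
attribute). Function names, _SAFE_NAME and the sample DNs are assumptions.
"""
import re

_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn):
    """Split an RFC 4514 DN into RDNs, leaf first; each RDN is a list of
    (type, value) pairs. Escapes (backslash-char and \\XX hex pairs) are decoded,
    so a ',' or '=' inside a value is never taken for a separator."""
    rdns, rdn, attr, buf = [], [], [], bytearray()
    in_type, pending, i = True, 0, 0   # pending: unescaped spaces inside a value

    def finish():
        if in_type or not attr:
            raise ValueError("malformed RDN in %r" % dn)
        rdn.append(("".join(attr).strip().lower(), buf.decode("utf-8")))
        attr.clear()
        buf.clear()

    while i < len(dn):
        c = dn[i]
        if in_type:                                    # reading the attribute type
            if c == "=":
                in_type = False
            elif c in ",+":
                raise ValueError("RDN without '=' in %r" % dn)
            else:
                attr.append(c)
            i += 1
        elif c == "\\":                                # escape sequence in a value
            buf.extend(b" " * pending)
            pending = 0
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in _HEX for h in pair):
                buf.append(int(pair, 16))              # one UTF-8 byte
                i += 3
            elif i + 1 < len(dn):
                buf.extend(dn[i + 1].encode("utf-8"))  # escaped special character
                i += 2
            else:
                raise ValueError("dangling escape in %r" % dn)
        elif c in ",+":                                # end of this (type, value)
            pending = 0                                # trailing unescaped spaces dropped
            finish()
            in_type = True
            if c == ",":
                rdns.append(rdn)
                rdn = []
            i += 1
        elif c == " ":
            if buf:                                    # leading spaces dropped, inner kept
                pending += 1
            i += 1
        else:
            buf.extend(b" " * pending)
            pending = 0
            buf.extend(c.encode("utf-8"))
            i += 1
    finish()
    rdns.append(rdn)
    return rdns


def rdn_values(rdns, attr_type):
    """All values of attr_type anywhere in the DN, leaf RDN first."""
    return [v for rdn in rdns for t, v in rdn if t == attr_type.lower()]


def is_login_allowed(dn, allowed_orgs=None, org_pattern=None):
    """Admit the user only if some 'o' RDN of the DN is in allowed_orgs or fully
    matches org_pattern; re.search would accept 'Example Corp Evil' for a
    pattern meant for 'Example Corp'. Unparseable DN or no policy: deny."""
    try:
        orgs = rdn_values(parse_dn(dn), "o")
    except ValueError:
        return False
    if allowed_orgs is not None:
        return any(o in allowed_orgs for o in orgs)
    if org_pattern is not None:
        return any(re.fullmatch(org_pattern, o) for o in orgs)
    return False


_SAFE_NAME = re.compile(r"[A-Za-z0-9 ._-]{1,64}")      # assumed page-name policy


def wiki_name(dn, attr="cn"):
    """Wiki user name from attribute `attr` of the leaf RDN (the entry's own
    name, e.g. uid instead of cn); container RDN values are never used."""
    for t, v in parse_dn(dn)[0]:
        if t == attr.lower() and _SAFE_NAME.fullmatch(v):
            return v
    raise ValueError("no usable %r in leaf RDN of %r" % (attr, dn))
```

With allowed_orgs={"Example Corp"}, is_login_allowed returns True for "cn=jdoe,ou=people,o=Example Corp" and False for r"cn=evil\,o=Example Corp,ou=people,o=Partner", even though the second string contains the substring "o=Example Corp"; wiki_name(r"cn=John Doe+uid=jdoe,ou=people,o=Example Corp", "uid") returns "jdoe". The parser deliberately rejects malformed input (a DN with no "=", a dangling escape, bytes that are not valid UTF-8) by raising ValueError, and the filter treats every such case as a denial.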

The current plan is to rewrite the LDAPAuthServiceImpl module with the following behavior:

  1. check for superadmin
  2. if LDAP authentication is off, authenticate against the database
  3. bind to LDAP; if the bind fails, try the database
  4. if a group parameter is set, verify group membership (and obtain the DN)
  5. if no group is set, locate the dn_ldap attribute on the user
  6. if there is still no DN, search for the user
  7. compare the password
  8. if the flag is set, check whether the user exists and create the user if not
  9. if the flag is set, update the user's attributes
  10. if the flag is set, update XWiki group membership
  11. on error, try local database login

Additionally, the LDAP groups should be cached. I also intend to load LDAP groups recursively, handling groups nested in groups.
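Step 4 of the plan (verifying group membership) together with the cached, recursive group loading just described, as an added example in Python that is not XWiki's code: the directory is a constructed in-memory map of group DN to member DNs standing in for LDAP searches of a group's member attribute, and GroupResolver, norm, the TTL and the sample DNs are assumptions of this example. It shows the two things that go wrong without care: an infinite loop on a membership cycle, and a cache that never expires.

```python
"""Recursive LDAP group membership with cycle protection and a TTL cache.

Added example, not XWiki code. DIRECTORY is a constructed in-memory map
(group DN -> member DNs) standing in for LDAP searches of the group's member
attribute; only _lookup would change when talking to a real server.
"""
import time

# Constructed sample data: 'platform' is nested in 'engineering', which is
# nested in 'wiki-users', and 'platform' also lists 'engineering' (a cycle).
DIRECTORY = {
    "cn=wiki-users,ou=groups,o=Example Corp": [
        "cn=alice,ou=people,o=Example Corp",
        "cn=engineering,ou=groups,o=Example Corp",
    ],
    "cn=engineering,ou=groups,o=Example Corp": [
        "cn=bob,ou=people,o=Example Corp",
        "cn=platform,ou=groups,o=Example Corp",
    ],
    "cn=platform,ou=groups,o=Example Corp": [
        "cn=carol,ou=people,o=Example Corp",
        "cn=engineering,ou=groups,o=Example Corp",
    ],
}


def norm(dn):
    """Comparison key for DNs. Lower-casing is a simplification: a full
    implementation compares parsed RDNs, because attribute types and most
    values are case-insensitive while escaping may differ between strings."""
    return dn.strip().lower()


class GroupResolver:
    def __init__(self, directory, ttl_seconds=300, clock=time.monotonic):
        self._dir = {norm(g): [norm(m) for m in ms] for g, ms in directory.items()}
        self._ttl, self._clock = ttl_seconds, clock
        self._cache = {}       # group key -> (expires_at, frozenset of user keys)
        self.lookups = 0       # directory searches performed, to show the cache working

    def _lookup(self, group):
        """Stand-in for an LDAP search returning the group's member DNs."""
        self.lookups += 1
        return self._dir.get(group, [])

    def members(self, group_dn):
        """Every user reachable from group_dn through nested groups. The visited
        set makes each group searched at most once, so a membership cycle or a
        group reachable by two paths cannot cause an infinite loop."""
        g, now = norm(group_dn), self._clock()
        hit = self._cache.get(g)
        if hit is not None and hit[0] > now:
            return hit[1]
        users, visited, stack = set(), set(), [g]
        while stack:
            cur = stack.pop()
            if cur in visited:
                continue
            visited.add(cur)
            for m in self._lookup(cur):
                # A member that is itself a known group is expanded; anything
                # else is a user. Against a real server this is an objectClass check.
                if m in self._dir:
                    stack.append(m)
                else:
                    users.add(m)
        result = frozenset(users)
        self._cache[g] = (now + self._ttl, result)
        return result

    def is_member(self, user_dn, group_dn):
        return norm(user_dn) in self.members(group_dn)


if __name__ == "__main__":
    r = GroupResolver(DIRECTORY)
    group = "cn=wiki-users,ou=groups,o=Example Corp"
    for user in ("cn=Carol,ou=people,o=Example Corp", "cn=mallory,ou=people,o=Example Corp"):
        print(user, "->", r.is_member(user, group))
    print("directory searches:", r.lookups)
```

Resolving wiki-users costs three directory searches (one per group), after which carol, reached only through two levels of nesting and a cycle, is a member and mallory is not; repeated checks within the TTL cost no further searches. The cache also sets the revocation delay: a user removed from a group in LDAP stays authorized until the cached entry expires, so the TTL should be chosen with that in mind.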

Additional features include SSL access to the eDirectory.

Code for this proposed functionality has already been submitted in JIRA-1079.
