Multi LDAP Servers Support

Last modified by Vincent Massol on 2024/11/19 16:12

 XWiki
 Implementation
 Dormant
 

Description

Goal

Be able to check for authentication on several different LDAP servers.

Proposal

  • store LDAP server descriptors in objects instead of xwiki.cfg
  • each descriptor can extend another
  • LDAP server configuration and authentication configuration should be two different things

descriptor

XWiki.LDAPAuthenticationClass

  • enabled
  • sync users (boolean)
  • sync groups
  • try local
  • check password
  • scope
    • local (the wiki)
    • global (the whole farm)

XWiki.LDAPServerClass

  • pretty name
  • parent
  • enabled
  • host
  • port
  • bind user
  • bind password
  • base DN
  • uid field name
  • password field name
  • ssl (boolean)
  • ssl keystore
  • ssl secure provider

XWiki.LDAPServerGroupClassClass

  • pretty name
  • group class name
  • group member field name

XWiki.LDAPServerAllowedGroupsClass

  • pretty name
  • DN

XWiki.LDAPServerForbiddenGroupsClass

  • pretty name
  • DN

XWiki.LDAPServerUserFieldMappingClass

  • pretty name
  • LDAP user field name
  • XWiki profile field name

XWiki.LDAPServerGroupMappingClass

  • pretty name
  • LDAP group DN
  • XWiki group

login UI

The main issue is which LDAP server to use for authentication. By default it could of course try them all, but that is not great for performance, and it is also ambiguous when the same uid exists on more than one server: the first server that accepts the password wins.

An authenticator should be able to expose which parameters it needs to authenticate. That would allow the LDAP authenticator to ask for the LDAP server to use.
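The following is an added example, not code from XWiki or from this proposal. It sketches the login flow described above: the authenticator declares the extra parameter it needs (an assumed name, ldap_server), the handler accepts that parameter only if it names a configured, enabled server, and otherwise falls back to trying the enabled servers in order. The server names, the directory contents and the bind() stand-in are constructed for the example; a real implementation would perform an LDAP bind.

```python
# Added example (not XWiki code): choosing the LDAP server at login time when
# several descriptors are enabled. Server names, users and passwords are constructed.

from typing import Optional

# Constructed: enabled servers in the order the administrator listed them.
# "corp-old" is deliberately absent, i.e. disabled.
SERVERS = ["corp-eu", "corp-us"]

# Constructed directory: server -> {uid: password}. "jdoe" exists on both servers
# with different passwords, which is the case that makes "try them all" ambiguous.
DIRECTORY = {
    "corp-eu": {"alice": "pw-alice", "jdoe": "pw-eu"},
    "corp-us": {"bob": "pw-bob", "jdoe": "pw-us"},
}


class LdapAuthenticator:
    # Parameters the login UI should ask for in addition to user and password
    # (an assumed mechanism for "expose which parameters it needs").
    extra_parameters = ("ldap_server",)

    def __init__(self, servers, bind):
        self.servers = list(servers)
        self.bind = bind   # bind(server, uid, password) -> bool

    def authenticate(self, uid: str, password: str, params: dict) -> Optional[str]:
        """Returns the name of the server that accepted the credentials, else None."""
        requested = params.get("ldap_server")
        if requested is not None:
            # Only a configured, enabled server may be named by the client; an
            # unknown or disabled name is a failed login, not a fallback.
            if requested not in self.servers:
                return None
            candidates = [requested]
        else:
            candidates = self.servers   # fallback: try them all, in order
        for server in candidates:
            if self.bind(server, uid, password):
                return server
        return None


def fake_bind(server: str, uid: str, password: str) -> bool:
    """Constructed stand-in for an LDAP simple bind against the given server."""
    return DIRECTORY.get(server, {}).get(uid) == password
```

With no server parameter, "jdoe" logging in with the US password is accepted by corp-us after corp-eu has rejected it, so which identity ends up mapped to the XWiki user depends on server order; with the parameter, the lookup is unambiguous. The fallback also sends every failed login to every server, which matters where the directories enforce lockout policies.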
