Wiki source code of Multi LDAP Servers Support
Last modified by Vincent Massol on 2024/11/19 16:12
| line-number | content | author | version |
|---|---|---|---|
| 1 | {{include document="XWiki.DesignClassSheet"/}} | ||
| 2 | |||
| 3 | = Goal = | ||
| 4 | |||
| 5 | Be able to authenticate users against several different LDAP servers from one wiki. | ||
| 6 | |||
| 7 | = Proposal = | ||
| 8 | |||
| 9 | * store the LDAP server descriptors in wiki objects instead of xwiki.cfg | ||
| 10 | * each descriptor can extend another descriptor (child values override the parent's) | ||
| 11 | * LDAP server configuration and authentication configuration should be two separate things | ||
| 12 | |||
| 13 | == descriptor == | ||
| 14 | |||
| 15 | XWiki.LDAPAuthenticationClass | ||
| 16 | |||
| 17 | * enabled | ||
| 18 | * sync users (boolean) | ||
| 19 | * sync groups | ||
| 20 | * try local | ||
| 21 | * check password | ||
| 22 | * scope | ||
| 23 | ** local (the wiki) | ||
| 24 | ** global (the whole farm) | ||
| 25 | |||
| 26 | XWiki.LDAPServerClass | ||
| 27 | |||
| 28 | * pretty name | ||
| 29 | * parent | ||
| 30 | * enabled | ||
| 31 | * host | ||
| 32 | * port | ||
| 33 | * bind user | ||
| 34 | * bind password (a secret: must be stored as a password-type property, not as readable plain text) | ||
| 35 | * base DN | ||
| 36 | * uid field name | ||
| 37 | * password field name | ||
| 38 | * ssl (boolean) | ||
| 39 | * ssl keystore | ||
| 40 | * ssl secure provider | ||
| 41 | |||
| 42 | XWiki.LDAPServerGroupClassClass | ||
| 43 | |||
| 44 | * pretty name | ||
| 45 | * group class name (LDAP objectClass) | ||
| 46 | * group member field name | ||
| 47 | |||
| 48 | XWiki.LDAPServerAllowedGroupsClass | ||
| 49 | |||
| 50 | * pretty name | ||
| 51 | * DN | ||
| 52 | |||
| 53 | XWiki.LDAPServerForbiddenGroupsClass | ||
| 54 | |||
| 55 | * pretty name | ||
| 56 | * DN | ||
| 57 | |||
| 58 | XWiki.LDAPServerUserFieldMappingClass | ||
| 59 | |||
| 60 | * pretty name | ||
| 61 | * LDAP user field name | ||
| 62 | * XWiki profile field name | ||
| 63 | |||
| 64 | XWiki.LDAPServerGroupMappingClass | ||
| 65 | |||
| 66 | * pretty name | ||
| 67 | * LDAP group DN | ||
| 68 | * XWiki group | ||
| 69 | |||
| 70 | == login UI == | ||
| 71 | |||
| 72 | The main issue is which LDAP server to choose for authentication. By default it could of course try them all, but that is bad for performance (every failed login costs one bind attempt per enabled server). | ||
| 73 | |||
| 74 | An authenticator should be able to expose which parameters it needs in order to authenticate. That would allow the LDAP authenticator to ask the login form for the LDAP server to use. |
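The descriptor model above (server descriptors stored as objects, each able to extend a parent, plus allowed and forbidden group lists) is easy to get wrong in two places: the inheritance walk and the precedence between allowed and forbidden groups. The following is an added example, not XWiki code and not part of the proposal; the dictionary keys (`parent`, `host`, `base_dn`, `allowed_groups`, `forbidden_groups`, ...) and the sample descriptors are assumptions standing in for the properties of the proposed XWiki.LDAPServerClass and group classes.

```python
"""Added example (not XWiki code): resolve an LDAP server descriptor that
extends a parent descriptor, then apply the allowed/forbidden group lists.
All field names and sample values below are assumptions modelled on the
proposal, not properties that exist in XWiki."""
from typing import Dict, List

# Constructed sample objects: each dict stands for one XWiki.LDAPServerClass
# object. A missing key means "not set here, inherit from the parent".
SERVERS: Dict[str, dict] = {
    "corp-base": {
        "parent": None, "enabled": True, "host": "ldap.example.org", "port": 636,
        "ssl": True, "base_dn": "dc=example,dc=org", "uid_field": "uid",
        "allowed_groups": ["cn=wiki-users,ou=groups,dc=example,dc=org"],
        "forbidden_groups": ["cn=disabled,ou=groups,dc=example,dc=org"],
    },
    # Disaster-recovery replica: identical settings, only the host differs.
    "corp-dr": {"parent": "corp-base", "host": "ldap-dr.example.org"},
    # Partner directory: different base DN and its own allowed-groups list,
    # but it still inherits the forbidden-groups list from corp-base.
    "partner": {
        "parent": "corp-base", "host": "ldap.partner.example",
        "base_dn": "dc=partner,dc=example",
        "allowed_groups": ["cn=partners,ou=groups,dc=partner,dc=example"],
    },
}

INHERITED_FIELDS = ("enabled", "host", "port", "ssl", "base_dn", "uid_field",
                    "allowed_groups", "forbidden_groups")


def resolve(name: str, servers: Dict[str, dict] = SERVERS, _seen=None) -> dict:
    """Return the effective descriptor: child values override parent values,
    walking up the parent chain. A descriptor cycle raises instead of
    recursing forever."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError(f"descriptor cycle at {name!r}")
    _seen.add(name)
    own = servers[name]
    parent = own.get("parent")
    effective = resolve(parent, servers, _seen) if parent else {}
    for field in INHERITED_FIELDS:
        if field in own:
            effective[field] = own[field]
    effective["name"] = name
    return effective


def group_access(effective: dict, user_groups: List[str]) -> bool:
    """Forbidden groups win over allowed groups, and an empty allowed list
    means "everyone who is not forbidden". DNs are compared case-insensitively
    because LDAP DNs are; full DN normalisation (whitespace, escaping) is
    deliberately left out of this example."""
    groups = {g.lower() for g in user_groups}
    if any(g.lower() in groups for g in effective.get("forbidden_groups", [])):
        return False
    allowed = effective.get("allowed_groups", [])
    return not allowed or any(g.lower() in groups for g in allowed)
```

The cycle check matters once descriptors can extend each other through wiki objects that any administrator can edit: a descriptor that (directly or indirectly) names itself as parent must fail loudly rather than hang the login path.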
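The login UI question (which server to bind against, trying them all only as a fallback, and letting the authenticator declare the extra parameter it needs) can be shown as a small selection routine. This is an added example, not XWiki code: the `MultiLdapAuthenticator` class, its `REQUIRED_PARAMETERS` attribute, the `ldap_server` parameter name, the server list and the in-memory directory that stands in for a real LDAP bind are all assumptions made for the example.

```python
"""Added example (not XWiki code): choosing which LDAP server a login is
checked against. The authenticator declares the extra login-form parameter it
needs ("ldap_server"); if the form supplies it, only that server is tried,
otherwise every enabled server is tried in order until one accepts the bind.
The bind is simulated with a constructed in-memory directory so that the
example runs offline."""
from typing import Callable, Dict, List, Optional

# Constructed effective descriptors (after parent inheritance has been applied).
SERVERS: List[dict] = [
    {"name": "corp",    "enabled": True,  "base_dn": "dc=example,dc=org"},
    {"name": "partner", "enabled": True,  "base_dn": "dc=partner,dc=example"},
    {"name": "legacy",  "enabled": False, "base_dn": "dc=old,dc=example"},
]

# Constructed directory contents: server name -> {uid: password}.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "corp": {"alice": "correct horse"},
    "partner": {"bob": "battery staple"},
    "legacy": {"alice": "old-password"},
}


def simulated_bind(server: dict, uid: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind of uid under the server's base DN."""
    return DIRECTORY.get(server["name"], {}).get(uid) == password


class MultiLdapAuthenticator:
    # Parameters the login form must render in addition to username/password.
    REQUIRED_PARAMETERS = ("ldap_server",)

    def __init__(self, servers: List[dict],
                 bind: Callable[[dict, str, str], bool] = simulated_bind):
        self.servers = servers
        self.bind = bind
        self.bind_attempts = 0  # number of servers contacted by the last call

    def candidates(self, requested: Optional[str]) -> List[dict]:
        """Servers to try, in configured order."""
        enabled = [s for s in self.servers if s["enabled"]]
        if requested is None:
            return enabled  # fallback: try them all (one bind per server)
        # An explicit choice must name an enabled server. A disabled or unknown
        # name yields no candidates rather than silently falling back to
        # "try all", so a disabled server cannot be re-activated from the form.
        return [s for s in enabled if s["name"] == requested]

    def authenticate(self, uid: str, password: str,
                     requested: Optional[str] = None) -> Optional[str]:
        """Return the name of the server that accepted the credentials, or None."""
        self.bind_attempts = 0
        # Refuse empty passwords before contacting any server: an empty-password
        # simple bind is an unauthenticated bind on many LDAP servers and would
        # otherwise look like a successful login.
        if not password:
            return None
        for server in self.candidates(requested):
            self.bind_attempts += 1
            if self.bind(server, uid, password):
                return server["name"]
        return None
```

With the `ldap_server` parameter supplied, a login costs exactly one bind; without it, a failed login costs one bind per enabled server, which is the performance cost the proposal wants to avoid and also the reason a selected-server login should be the default path in the UI.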