Page last modified 23:46, 10 Jul 2008 by peterf
Permalink: http://tinyurl.com/5cq5km
MindTouch Developer Center > MindTouch Deki > Authentication > LdapAuthentication
LdapAuthentication
Table of contents
- 1. Overview
- 1.1.1.1. Configuration
- 1.1.1.2. Features
- 2. Implementation Notes
- 3. Known issues
- 4. Development log for official service
- 5. Development log for beta service
- 6. Current Beta Release
- 6.1.1.1. Installing the Beta Release
- 6.1.1.2. Testing the Beta Release
Overview
Assembly: mindtouch.deki.services
Class: MindTouch.Deki.Services.LdapAuthenticationService
SID: sid://mindtouch.com/2007/05/ldap-authentication
Configuration
| Name | Type | Description |
| bindingdn | string | The DN to use for binding to LDAP. Use $1 to substitute with user name. Enter a DN of a specific user if also providing a bindingpw. ActiveDirectory example: $1@sd.mindtouch.com OpenLdap example: CN=$1,DC=sd,DC=mindtouch,DC=com |
| bindingpw | string | Optional password for binding. Combined with a valid bindingdn account, queries to this service can be done without requiring credentials. |
| displayname-pattern | string? | Returns a friendlier name that can be customized by ldap attributes. Example: {sn}, {givenname} |
| ssl | bool? | Use LDAPS mode. This requires your LDAP server to be running with SSL and for the certificate to be recognized on the machine running this LDAP service. (default: false) |
| ssl-ignore-cert-errors | bool? | Allows you to use self signed or expired certificates. This should only be used for testing. (default: false) |
| hostname | string | Hostname or ip of domain controller or ldap server |
| searchbase | string | The distinguished name (DN) of the domain. For example: 'DC=sd,DC=mindtouch,DC=com' |
| timeout | int? | Timeout for directory operations in milliseconds |
| userquery | string | The search query to use for looking up users. Use $1 to substitute with user name. ActiveDirectory example: samAccountName=$1 OpenLdap example: cn=$1 |
| groupquery | string? | LDAP query for group lookup by name. $1 is replaced by username. Default: (&(objectCategory=group)(cn=$1)) |
| groupmembershipquery | string? | Use a custom query to return the groups a user belongs to where $1 is the username. Only use this if you're having issues returning groups that a user belongs to. OpenLDAP example: (&(uniqueMember=$1)(objectClass=groupOfUniqueNames)) |
| groupqueryall | string? | LDAP query for looking up all groups. Default: (objectCategory=group) |
| groupmembersattribute | string? | LDAP attribute for looking up members of a group. Default: memberof (works for AD). Use groupmembership for eDirectory |
| usernameattribute | string? | LDAP attribute for retrieving a users account name. Provide an attribute to always use rather then trying a series of common attributes. Default: attempts to use sAMAccountName -> uid -> name -> cn. |
| groupnameattribute | string? | LDAP attribute for retrieving a group name. Provide an attribute to always use rather then trying a series of common attributes. Default: attempts to use sAMAccountName -> uid -> name -> cn. |
| verboselogging | bool? | Will output more details to the log as TRACE level. Warning: usernames+passwords are included as well. Default: false |
Features
| Name | Description |
| DELETE: | Stop service |
| GET:authenticate | Authenticate a user with the directory. |
| GET:groups/{group} | Retrieve verbose information about a given group. |
| GET:groups | Retrieve all groups found in the directory. |
| GET:users/{user} | Retrieve information about a given user. |
Implementation Notes
Use this service to authenticate with a corporate directory server using LDAP (e.g. Windows Active Directory, Novell eDirectory, OpenLDAP, etc.).
Refer to the howto for instructions
Known issues
LDAPS (encrypted LDAP) is not yet supported- Nested groups not supported. Only groups that a user is immediately a member of are recognized.
OpenLDAP are not resolving group memberships since there is typically no memberOf or groupMembership attribute.- Multi domain / forests are not supported
Anonymous/Proxy binding not supported.
| Bug# | Summary | Status | Opened By | Assigned To | Severity |
|---|---|---|---|---|---|
| #3038 | Security hole: each user from Active Directory can login to system (user’s group is not imported) | assigned | DmitryA | AaronF | major |
| #2736 | LDAP Authentication Unexpected username | new | mahavishnu | major |
Development log for official service
Source code: https://svn.mindtouch.com/source/pub...Authentication LdapClient.cs LdapService.cs
| Revision | Date | Author | Message |
|---|---|---|---|
| r9263 | 7/1/2008 8:49:19 PM | maximm | Merged beta ldap service changes up to r9206 into stable * Including Mono.Security.dll for LDAPS |
| r8820 | 5/31/2008 4:07:18 PM | steveb | Deki Wiki (trunk): * redist: updated redistributable files * misc: * updated all occurrences of 'MindTouch Deki Wiki' to 'MindTouch Deki' * extended all copyright notices to 2008 |
| r8763 | 5/29/2008 6:06:42 PM | steveb | Deki Wiki (trunk): * misc: removed an extra space from the default copyright notice Tools: * DekiExt.php: added 'protocol' attribute to <uri> element * GoogleAppEngine: added sample application |
| r7249 | 2/11/2008 5:10:46 AM | steveb | Deki Wiki (trunk): * updated Dream binaries (culture invariant fixes) * Misc: InvariantCulture clean-up for Regex, String.Compare, String.StartsWith, String.EndsWith, String.IndexOf * DekiWiki-Nav.cs: uses DreamContext.Culture to sort entries in a culture-specific way |
| r7137 | 1/30/2008 8:21:08 PM | maximm | Deki-Api LDAP services * Added two new settings to act as overrides for the default behavior of searching common attributes (sAMAccountName -> uid -> name -> cn) to determine a name: usernameattribute: LDAP attribute for retrieving a users account name groupnameattribute: LDAP attribute for retrieving a group name |
Development log for beta service
Source code: https://svn.mindtouch.com/source/pub...ouch.deki.ldap
| Revision | Date | Author | Message |
|---|---|---|---|
| r9206 | 6/30/2008 11:02:33 PM | maximm | Deki LDAP service * Removed the connection attempt upon service startup * Added support for SSL binds new settings: "ssl", "bool?", "Use LDAPS mode. This requires your LDAP server to be running with SSL and for the certificate to be recognized on the machine running this LDAP service. (default: false)" "ssl-ignore-cert-errors", "bool?", "Allows you to use self signed or expired certificates. This should only be used for testing. (default: false)" |
| r8685 | 5/23/2008 12:28:10 AM | maximm | Deki LDAP beta BUGFIX 3964: Groups with '#' symbol don't function properly for AD |
| r8666 | 5/22/2008 12:51:31 AM | maximm | Deki LDAP service * Refactored authentication and binding to fix lookups when a bindingdn+bindingpw is configured. * Better error handling and more verbose output for failures |
| r8513 | 5/12/2008 9:04:35 PM | maximm | Merged LDAP changes from SSO branch into trunk's beta LDAP service * Added proxy bind support (ldap lookup queries can use configured credentials rather than running under user-provided credentials) * Added config setting "bindingpw": Optional password for binding. Combined with a valid bindingdn account, anonymous queries to this service can be done without credentials This allows login via mod_ntlm/mod_sspi to perform ldap lookups without having a password in order to sync groups. GET: users/{username} and GET: groups can now be queried anonymously if the wiki admin configures a valid bindingdn and bindingpw for the LDAP service * more verbose logging on binding * Deki now relies on using GET: authenticate for all external auth providers in order to authenticate a user and return user details instead of GET: users/{username} NOTE: This may be a BREAKING CHANGE for your custom written auth provider. |
| r8483 | 5/8/2008 10:33:54 PM | maximm | Deki LDAP service (beta) * removed live SIDs from service |
| r8467 | 5/7/2008 9:01:55 PM | maximm | Deki LDAP service * Changed SID (temporarily) to sid://mindtouch.com/2007/05/BETA/ldap-authentication * Added service setting: groupmembershipquery. If defined, the query will be used to get the groups that a given user belongs to rather than relying on the memberOf or other attribute of the user. |
| r8466 | 5/7/2008 8:57:53 PM | maximm | LDAP Service * Moved the ldap service out into its own assembly |
Current Beta Release
Note for current beta ldap users: All changes introduced by the beta are included in the official ldap service included in 8.05.2. It's recommended that if you're setup to use the beta that you simply change the SID to the stable service after upgrading to 8.05.2: sid://mindtouch.com/2007/05/ldap-authentication
A big thanks to all of you brave and patient beta users providing feedback in the LDAP forum making this possible!
(following instructions and notes kept for posterity sakes (or until 8.05.2 is officially released))
- Discuss here: http://forums.opengarden.org/showthread.php?t=2681
- Use SID: sid://mindtouch.com/2007/05/BETA/ldap-authentication
- New config setting: groupmembershipquery
- Use a custom query to return the groups a user belongs to where $1 is the username. For example: (&(uniqueMember=$1)(objectClass=groupOfUniqueNames))
- New config setting: bindingpw
- Combined with a configured username in bindingdn, allows anonymous user+group queries to be performed on the LDAP service. This will be handy for future NTLM support, periodic group sync, and ldap setup where the full DN of a user has to be looked up before authentication can be performed since the bindingdn cannot be a simple template.
Installing the Beta Release
- Make sure you're running the latest version of Deki (8.05) or from latest in SVN trunk.
- Download the attached extension and place it into your Deki's bin/services directory ( /var/www/dekiwiki/bin/services ).
- Restart dekiwiki (/etc/init.d/dekiwiki restart)
- Update the SID of your current LDAP service to the above. Alternatively, you can add this beta service and run them side by side but your user names will conflict and new users will have a 1 appended and your current groups will not work for the beta service. Replacing the SID of the existing service is the simplest way to go.
Testing the Beta Release
Determine the URI to your ldap service from service management screen. Then append the above functions to lookup user and group info.
- OpenLDAP/eDirectory group membership issue:
- Make sure you defined a query for the groupmembershipquery setting such as the one above.
- Ensure that when going to http://hostname/@api/deki/services/x/users/username that the correct groups are listed within <groups>
- Anonymous LDAP queries
- Configure a bindingdn and bindingpw of a known user and ensure that user and group lookups do not require credentials from the client. Ensure that authenticate still works as before.
- Tag page
-
- What links here
Files 1
| File | Size | Date | Attached by | |||
|---|---|---|---|---|---|---|
 | | mindtouch.deki.ldap.dll Compiled by smunaut. Info here: http://forums.opengarden.org/showpost.php?p=15584&postcount=17 | 27.5 kB | 17:42, 10 Jun 2008 | MaxM | Actions |
Images 0
Viewing 1 of 1 comments: view all
#1
pc1oad1etter says:
Restart dekiwiki (/etc/init.d/dekiwiki restart) --> dekihost restart
Posted 21:13, 8 May 2008
Viewing 1 of 1 comments: view all
You must login to post a comment.
Powered by MindTouch Deki Enterprise Edition v.8.08 RC2