ACL based on AD group not working

Hello,

We are trying to allow only users from a certain AD group to authenticate to our wiki.
We have configured in xwiki.cfg the following property:

xwiki.authentication.ldap.user_group=CN=GR_WIKIUSERS,OU=FINANCES,DC=mycompany,DC=com

but even after I remove a user from this group, logon is still allowed…

Any ideas or hints on why this is happening, when the expected behavior is that a user not belonging to the group should not be able to log on?

Thank you very much for the help!

Hi @Mamorim,

If you remove a user from an AD group, you need to wait for a refresh which takes, in the default configuration, 6 hours. In order to configure this to happen quicker, look at the following configuration in the same xwiki.cfg file:

#-# Time in s after which the list of members in a group is refreshed from LDAP
#-# The default is 21600 (6 hours)
# xwiki.authentication.ldap.groupcache_expiration=21600

Hope it helps,
Alex


Hi @acotiuga ,

Thank you very much for the reply.
I will wait until tomorrow to check if that works…
We are using an old version of the LDAP extension, as well as an old version of our wiki…

I will post here the results…
thanks!

Hello,
I can confirm the solution by @acotiuga works: after waiting the refresh period, the user is denied or allowed to log on based on AD group membership…

6 hours seems too long if we want to grant access to a new user to use the XWiki; I’ve changed it to 15 minutes. Or is there a good reason to keep 6 hours (overloading the tool with shorter periods, for example)?

Thank you very much for the pointer Alex,

cheers