Hello,
In an XWiki 15.10 LTS install, is there a way to sync users and groups with LDAP?
Up to now user integration has worked OK: users who were registered in our test install were able to log in with their LDAP credentials. When it comes to creating a group in LDAP and trying to make such a group appear in XWiki, it has not worked.
Is it supposed to be possible, and if so, how? And if not, would it be considered in the near future?
I am looking into the documentation in several LDAP-related pages.
After quite some reading and research I realize I need to mention more context:
The LDAP groups and users we want to import to our XWiki test install are managed in a UCS / Univention AD server.
I have read again these two links related to the topic:
https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/OpenID%20Authentication%20with%20UCS/ This one, I’m unsure if relevant, it looks like it's meant for XWiki cloud installs, am I wrong?
All in all, when the configuration is done right and complete:
The groups (existing in AD) that you map in the XWiki configuration are supposed to appear in XWiki, with all the users belonging to the given group. Is that right?
@jmarkoll, in general I’d say that’s right. The /groups/ portion of the AD import application appears not to paginate its requests (yet). (See this issue in GH.) So that means the number of imported groups is limited to the query size of your LDAP directory server config. IIRC, some LDAP implementations (AD being one, I think) will allow you to override their query limits with a query parameter, as a workaround.
Do make sure you keep the authentication and authorization bits separate in your mind–and potentially in your installation. For instance, we installed the AD authentication application in order to install the most recent LDAP import bits. But then we had to uninstall the authentication module (keeping the LDAP import dependencies) in order to allow our OIDC authentication application to work properly.
@lanedsmu thank you very much!
We have configured manually in xwiki.cfg, so no extension involved.
When you say "in general that's right", well we don’t have that many spaces, and my question is more about how XWiki will replicate what comes from the UCS AD after mappings are done?
If I create a test group XYZ in AD with a few test users, and then configure a mapping for this test group XYZ in xwiki.cfg:
→ will the XYZ test group have to be created manually in XWiki, and then its users will appear?
→ or, once the configuration is done (if done the right way) and after the servers are restarted, would the XYZ test group created in the AD appear by itself in XWiki, along with the users belonging to it?