I am asked to set up a multi-domain AD login with the LDAPAuthenticator, and the users want to log in as domain\username to be able to distinguish between the two domains.
The LDAP Configuration section contains an example for the user@domain
notation, which after mixing in the AD specific configuration looks like:
xwiki.authentication.ldap.bind_DN=DEFAULTDOMAIN\\{0}
xwiki.authentication.ldap.bind_pass={1}
xwiki.authentication.ldap.remoteUserParser=(.+)@(.+)
xwiki.authentication.ldap.remoteUserMapping.1=uid
xwiki.authentication.ldap.remoteUserMapping.2=domain,ldap_server,ldap_base_DN,ldap_bind_DN
xwiki.authentication.ldap.remoteUserMapping.ldap_server=MYDOMAIN=my.domain.com|MYDOMAIN2=my.domain2.com
xwiki.authentication.ldap.remoteUserMapping.ldap_base_DN=MYDOMAIN=dc=my,dc=domain,dc=com|MYDOMAIN2=dc=my,dc=domain2,dc=com
xwiki.authentication.ldap.remoteUserMapping.ldap_bind_DN=MYDOMAIN={0}|MYDOMAIN2={0}
Now I changed the user pattern to:
xwiki.authentication.ldap.remoteUserParser=(.+)\\\\(.+)
(so the first part matches the domain and the second one the user name)
and then swapped the other remoteUser configuration settings:
xwiki.authentication.ldap.remoteUserMapping.2=uid
xwiki.authentication.ldap.remoteUserMapping.1=domain,ldap_server,ldap_base_DN,ldap_bind_DN
I thought that should work, but it does not; every time a user tries to log in with "domain\login", the authentication is passed through to the AD as domain\\login.
I think the doubling of the backslash has something to do with LDAP-escaping of the login expression, but the AD then refuses to accept the login with the double backslash.
Has anyone gotten a similar setup running? Or is the user@domain format the way to go, and should domain\user be avoided?
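To make the moving parts of this configuration visible, here is an added example (not the poster's code and not XWiki's own implementation) that walks a "domain\user" login through the same three steps the properties above describe: the remoteUserParser regex, the numbered group-to-field mapping, and the per-domain lookup of ldap_server, ldap_base_DN and ldap_bind_DN. It also includes an RFC 4514 DN-value escaper, purely to illustrate how a backslash in a login becomes a doubled backslash once the value is escaped for a DN. Assumptions, labelled in the comments: the properties loader unescapes `\\\\` to `\\` the way java.util.Properties does, and `{0}` in the bind DN is substituted with the captured uid. The sample values are constructed from the shape of the post's snippet.

```python
import re

# Constructed sample values mirroring the property names used in the post.
# Assumption: java.util.Properties-style unescaping, so the literal "\\\\" in
# the file reaches the regex engine as "\\" (a regex for one backslash).
PARSER_IN_FILE = r"(.+)\\\\(.+)"
# remoteUserMapping.1 / remoteUserMapping.2 after the swap described in the post
GROUP_MAPPING = {
    1: ["domain", "ldap_server", "ldap_base_DN", "ldap_bind_DN"],
    2: ["uid"],
}
LDAP_SERVER = "MYDOMAIN=my.domain.com|MYDOMAIN2=my.domain2.com"
LDAP_BASE_DN = "MYDOMAIN=dc=my,dc=domain,dc=com|MYDOMAIN2=dc=my,dc=domain2,dc=com"
LDAP_BIND_DN = "MYDOMAIN={0}|MYDOMAIN2={0}"


def properties_unescape(raw: str) -> str:
    """Minimal java.util.Properties value unescape: a backslash makes the next char literal."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def parse_domain_map(value: str) -> dict:
    """'MYDOMAIN=x|MYDOMAIN2=y' -> {'MYDOMAIN': 'x', 'MYDOMAIN2': 'y'}.
    Split on the first '=' only, because base DNs themselves contain '='."""
    result = {}
    for entry in value.split("|"):
        key, _, val = entry.partition("=")
        result[key] = val
    return result


def parse_remote_user(login: str) -> dict:
    """Apply the remoteUserParser regex and copy each capture group to its mapped fields."""
    regex = properties_unescape(PARSER_IN_FILE)  # becomes r"(.+)\\(.+)"
    match = re.fullmatch(regex, login)
    if not match:
        raise ValueError("login does not match remoteUserParser")
    fields = {}
    for group_no, names in GROUP_MAPPING.items():
        for name in names:
            fields[name] = match.group(group_no)
    return fields


def resolve(login: str) -> dict:
    """Pick server, base DN and bind DN for the domain captured from the login."""
    fields = parse_remote_user(login)
    domain = fields["domain"]
    servers = parse_domain_map(LDAP_SERVER)
    bases = parse_domain_map(LDAP_BASE_DN)
    binds = parse_domain_map(LDAP_BIND_DN)
    if domain not in servers:
        raise ValueError(f"unknown domain {domain!r}")
    return {
        "uid": fields["uid"],
        "ldap_server": servers[domain],
        "ldap_base_DN": bases[domain],
        # Assumption: {0} is replaced with the uid captured by the parser.
        "ldap_bind_DN": binds[domain].replace("{0}", fields["uid"]),
    }


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of an attribute value inside a DN. A backslash becomes "\\\\",
    which is how a login containing a backslash shows up doubled if the whole
    login, rather than only the uid, is placed into a DN."""
    specials = set(',+"\\<>;')
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in specials or leading_hash or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    for login in ("MYDOMAIN\\jdoe", "MYDOMAIN2\\jdoe"):
        print(login, "->", resolve(login))
    print("escaped whole login:", escape_dn_value("MYDOMAIN\\jdoe"))
```

Running it shows that the regex, once unescaped, does split "MYDOMAIN\jdoe" into domain and uid and that only the uid reaches the bind DN; the escaper shows the doubled backslash appearing exactly when the unsplit login is treated as a DN value, which is the symptom to look for when comparing the two remoteUserMapping orders.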