External database authentication

I have a database which is used for authentication against our webapp. I am using the XWikiJDBCAuthenticator plugin I found on github. After some customization I have gotten it to work with bcrypt. My question is I have 2 groups of users each which need a specific set of permissions to wiki pages that they are permitted to see. I was wondering what the best approach to achieve this would be? As of right now users go t a default group called “Users” but that’s not going to work. I would need a User group 1 and a User group 2.

Thanks

After some customization I have gotten it to work with bcrypt.

Was that before Petr add support for password hashing ? See documentaion for authentication.jdbc.password_hasher property in GitHub - xwiki-contrib/xwiki-authenticator-jdbc: XWiki authenticator based on custom database trough JDBC API.

If by “customization” you mean writing a PasswordHasher component then it would be nice to contribute it in xwiki-authenticator-jdbc/src/main/java/org/xwiki/contrib/authentication/jdbc/internal at master · xwiki-contrib/xwiki-authenticator-jdbc · GitHub :wink:

Back to your issue now.

If the information to separate user can be found in your database then I would say a good approach could be to do like the LDAP authenticator and automatically update user membership when he logs in based on some configuration: if column group equals 1 then put the user in XWiki.Group1 otherwise put him in group XWiki.Group2 and cleanup if the user is in a XWiki group it’s not supposed to anymore. The group might no be fully accurate if one of the users don’t come for a long time (and so does not update the group) but if it’s only about rights checking then it’s not much of an issue.

yes, I used that password hasher and wrote a component for bcrypt which I will share. I was also looking into the LDAP method for the groups which seems like the way to go, I am new to xwiki so figuring out how to put it all together proves to be another task in its self.

Thank you

Still stuck on this, would I need to enable the LDAP plugin to use the group mapping options? The user database I authenticate to has the appropriate group stored in it that I plan on mapping directly to xwiki.

Thanks

LDAP is just here for inspiration and you can only have one authenticator at a time anyway. Also the code in the LDAP authenticator is not really designed to be reused for other use case so it would not help you much.

ok, so it will require some manual intervention on my behalf, probably with in the XwikijdbcAuthentication script I imagine.

Yes you will have to actually implement this feature in the JDBC authenticator itself, there is not really any generic code you would reuse right now.

alright, I will look at LDAP and try to figure out how it was implemented there and then try to implement it in the XwikiJDBCAuthticator.

Thank you

In the meantime: https://forum.xwiki.org/t/jdbc-authenticator-1-1-released :wink:

1 Like

excellent, one more question, with in the xwiki.cfg there is an option for

xwiki.authentication.ldap.group_mapping

which I am sure is specific to the ldap plugin but what about the group_mapping part of it? Is that a native option that is recognized by xwiki?

The syntax which is used for the values of xwiki.authentication.ldap.group_mapping is specific to the LDAP plugin.

However xwiki.cfg is an old thing and LDAP had to do its own syntax but xwiki.properties support much more types of properties among which java.util.Propertie which is pretty much a Map (except that it’s possible to have several entries with the same key). See velocity.tools for an example of the syntax.

ok, thanks again. I’ll take a look.

so using velocity.tools it looks like you can add a member to a group based on some condition. I am thinking maybe adding a custom field to the XWikiUsers as an xobject which gets added by the authentication select query, might be easier than trying to write a new custom field.