LDAP authentication - attribute mapping

Hi there

Happy new year and good health to all.

Personally, I like the idea of logging in via the email address instead of an arbitrary user name. And yes, I’m aware that the mail address of a user might change … but this also applies to names (like marriage). This all depends on who is using the wiki (internal, public, …).

As it is not possible to create a user with an @ in the username with xwiki, I thought maybe it is possible to emulate this via LDAP?


As the authentication using the email address will probably work out, I’m not sure how this will then be mapped to an xwiki user?

There are two scenarios at first sight:
(1) User already exists in xwiki
(2) User does not exist in xwiki upon first login

For the first case, one will probably need to manually populate the UID for that user in the Wiki.LDAPProfileClass UID if this is still used that way … and if this accepts an email address …

Just didn’t see how this will then be translated to an xwiki object in case the user does not already exist in xwiki but only in LDAP. Does someone have some insight on this? Thomas :wink:

Although depending on the LDAP server in use, as of
some cases suggest using the “cn” or “uid”. From what I know, some directories do NOT enforce uniqueness on those attributes - how is this handled? Is the DN compared in this case, or what is the DN used for?

Further, uid and cn might contain characters that are not supported as username in xwiki either - what happens then?

IMHO, one approach might be to replace the @ with a supported character like “_” for the users created (maybe something like that already happens for other non-supported characters)?

Best regards


You mean with the standard user creation UI? AFAIK @ should work well in a user profile page name and the LDAP authenticator does not remove it right now.

By default the email will be used stripped of the following characters: ' ' (space), '.' and '/'.

You can decide to use something else for the page name if you want, using the xwiki.authentication.ldap.userPageName property.

The authenticator does not care about the actual user profile page name; it just generates one similar to the uid by default, but it could be anything since the authenticator only cares about what the LDAPProfileClass object contains to find already existing users.

The authenticator assumes the uid is unique and won’t change. If you still want to change it, update the one located in the XWiki user profile (in the LDAPProfileClass object) and it should be fine.


Thank you for your swift reply!

Yes, as of the warning message if the username contains anything

Invalid username provided. Please use only letters from the latin alphabet, numbers, and the underscore character ‘_’.

Thanks for the hint about the userPageName setting, which can be handy … as of the example in the documentation, where is the domain variable filled (${domain}-${uid})? uid is obvious, domain not so. Is this related to “remoteUserParser” and/or remoteUserMapping? Didn’t really understand that mapping part yet … I’ll hopefully find some time in February to set up xwiki 9 and an ldap to play around …

Best regards

Yes, this part is not the most basic one :slight_smile: This is actually a multi-LDAP-server setup (like users coming from different AD domains) and yes, by default domain is not set (unless you start setting this up).

I see … if a single LDAP contains eMail addresses from various domains, would it be possible to handle that correctly? Like the same LDAP directory will return user1@domain1.com, user1@domain2.com, user1@domain3.com … e.g. is the mapping of the “domain” variable done based on the multi-LDAP setup, or could the domain be set dynamically based on the email address of the user in question (for example using the “remoteUserParser”)?

If the authenticator is accessing only one LDAP server then it usually does not make much sense to set up remoteUserParser (at least that’s what it was designed for). That being said, you could use this to parse the input login (the email in your case) and have a different LDAP setup depending on the email domain (even if all the setups happen to access an LDAP server which has the same IP and port :slight_smile: ).

Okay, my concern is more in the direction of user page creation … given the sample from the previous posts, this would read:


But here, the domain part will be empty as per your previous post. Assuming the single directory contains users with different email domains (as from above user1@domain1.com, user1@domain2.com, user1@domain3.com), it would be cool to have the email domain as part of page name …

This would require splitting the supplied uid (which in this case would be the email) into the user and domain parts … or would the uid = userdomain1com by default, which would be OK for me too …

As I said, you can cut the login using remoteUserParser (you even have a mail-based example). You just need to configure it so that it always accesses the same LDAP server if you have only one (even if the authenticator thinks it’s several servers).

Not sure if I fully understand, but if the number of @domains is large / unpredictable, this appears not to be feasible … maybe I make it more complex than it has to be … :wink:

If I only configure 1 LDAP server that handles all email address domains, will this work? Or would I be forced to add a filter for every domain?

Actually you need to know the domain if you want to associate it with some specific configuration, but if you don’t then the authentication will use the default one.

For example, something like the following should be quite close to your use case (did not test it):

## Cut each mail in two groups
## Indicate which group is associated to what
## Re-define the user page name
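To make the earlier replies concrete (the default page name being the uid with space, dot and slash stripped, and the remoteUserParser / remoteUserMapping / userPageName chain sketched in the last post), here is an added Python emulation of that mapping. It is not XWiki's code and not the thread's own configuration: the xwiki.authentication.ldap.userPageName key is the only one quoted in the thread, while the remoteUserParser and remoteUserMapping.<group> key shapes, and the assumption that stripping also applies to a customised template, are taken from my reading of the XWiki LDAP documentation. The sample logins are the three constructed addresses from the thread. The collision check at the end is the practical point: the authenticator assumes the stored uid is unique, so when one directory serves several mail domains the page name (and the key kept in LDAPProfileClass) must include the domain, otherwise user1 from three domains would all land on the same profile.

```python
import re

# Constructed config fragment in xwiki.cfg style (not the thread's own config).
# Only xwiki.authentication.ldap.userPageName is quoted in the thread; the
# remoteUserParser and remoteUserMapping.<group> key shapes are an assumption
# based on the XWiki LDAP authenticator documentation.
CONFIG = """
## Cut each mail in two groups
xwiki.authentication.ldap.remoteUserParser=(.+)@(.+)
## Indicate which group is associated to what
xwiki.authentication.ldap.remoteUserMapping.1=uid
xwiki.authentication.ldap.remoteUserMapping.2=domain
## Re-define the user page name
xwiki.authentication.ldap.userPageName=${uid}-${domain}
"""

# Same setup, but the page name is built from the local part alone.
CONFIG_UID_ONLY = CONFIG.replace("${uid}-${domain}", "${uid}")

PREFIX = "xwiki.authentication.ldap."

# Characters the thread says are stripped from the generated page name by
# default (space, dot, slash). '@' is deliberately kept, as stated above.
STRIPPED = " ./"

# Constructed sample logins from the thread: same local part, three domains.
SAMPLE_LOGINS = ["user1@domain1.com", "user1@domain2.com", "user1@domain3.com"]


def load_config(text):
    """Read 'key=value' lines, skip '#' comments, drop the common key prefix."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith(PREFIX):
            key = key[len(PREFIX):]
        cfg[key] = value.strip()
    return cfg


def parse_login(cfg, login):
    """Apply remoteUserParser, then name its regex groups via remoteUserMapping.<n>.

    Without a parser the whole login is the uid (the default the thread
    describes). Returns None when the login does not match the parser.
    """
    parser = cfg.get("remoteUserParser")
    if not parser:
        return {"uid": login}
    match = re.fullmatch(parser, login)
    if match is None:
        return None
    fields = {}
    for key, name in cfg.items():
        head, _, index = key.partition(".")
        if head == "remoteUserMapping" and index.isdigit():
            fields[name] = match.group(int(index))
    return fields


def page_name(cfg, fields):
    """Expand ${var} in userPageName (default ${uid}) and drop stripped characters.

    Assumption: the default stripping also applies to a customised template.
    """
    if fields is None:
        return None
    template = cfg.get("userPageName", "${uid}")
    expanded = re.sub(r"\$\{(\w+)\}", lambda m: fields.get(m.group(1), ""), template)
    return "".join(ch for ch in expanded if ch not in STRIPPED)


def page_names(cfg, logins):
    """Map every login to the profile page it would get."""
    return {login: page_name(cfg, parse_login(cfg, login)) for login in logins}


def has_collisions(names):
    """True if two different logins would land on the same profile page."""
    values = [v for v in names.values() if v is not None]
    return len(set(values)) < len(values)


if __name__ == "__main__":
    variants = (("default, no parser", ""), ("uid only", CONFIG_UID_ONLY), ("uid-domain", CONFIG))
    for label, text in variants:
        cfg = load_config(text)
        names = page_names(cfg, SAMPLE_LOGINS)
        print(f"{label}: {names} collisions={has_collisions(names)}")
```

Run as a script it prints the three variants side by side: with no parser the pages are `user1@domain1com` and so on (distinct, because '@' survives), with a parser and `${uid}` alone all three collapse to `user1`, and with `${uid}-${domain}` they become `user1-domain1com`, `user1-domain2com`, `user1-domain3com`.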