LDAP groups for XWiki-permission without static mapping

Help / Discuss
,
#1

Hi. Is it in fact possible to use LDAP groups (listed below /xwiki/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=Groups) without having a static mapping like in xwiki.authentication.ldap.group_mapping? Regularly new groups get created in our LDAP sever and updating the mapping in the XWiki config file by hand to reflect those changes seems a tedious work :slight_smile: .
I’ve tried with LDAP Authenticator without success. Or would I need to use the paid Active Directory Application for that?

Our groups are all below ou=groups,dc=example,dc=com.

An example group entry looks like:

uid=mygroup,ou=groups,dc=example,dc=com
uid: mygroup
gidNumber: 2148
mail: mygroup@example.com
objectClass: top
objectClass: uidObject
objectClass: posixGroup
objectClass: groupOfNames
objectClass: extensibleObject
cn: mygroup
description: My description for group mygroup
memberUid: tom
memberUid: harry

Warm regards and thanks for the good ,

Tom

#2

The LDAP authenticator does not support a dynamic list of groups right now.

#3

Thanks for the swift reply. Do you know if this is planned for the near future or if the Active Directory Application offers this option?

#4

It’s not part of the roadmap currently, no.

I don’t think so, no, as the Active Directory is internally using the LDAP authenticator for the actual authentication.

If you have some Java knowledge and might want to try to work on that, I guess the place to start would be to implement a version of XWikiLDAPUtils#syncGroupsMembership that takes a list of groups instead of a mapping and call the right method depending on the configuration from XWikiLDAPAuthServiceImpl#syncGroupsMembership.

Of course one of the company offering services on XWiki would also be happy to add this feature for you.