Multiple domains AD/LDAP Auth?

Hi there!

Trying to set up XWiki to use LDAP authentication in multiple domains (parent->child in the same forest).

I have two Active Directory domains:
“domain.local” (parent) and “branch.domain.local” (child)

If I use sAMAccountName as “LDAP UID” and set the DN to “CN=users,DC=domain,DC=local” I can log in to “domain.local”, but can’t log in using “branch.domain.local”.
If I use UserPrincipalName as “LDAP UID” I can log in to any AD domain, but I get garbage user names (like user@branchdomainlocal, which is not what I want).

How can I set up XWiki in such a way that I can log in to any domain, and get sAMAccountName as UID?

If your users are in different organization units the solution is usually to use a specific user for the bindDN/bindPassword (like some admin user). With such a setup the authenticator will use the bind user and then search for the current user using its uid (doing an LDAP request like (sAMAccountName=whateveristhecurrentuseruid)) and then validate the password with the found user’s DN.

See http://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/#HMyusersarenotlocatedinthesameorganizationunit for more details.

I’m already using a bind user, but it doesn’t work this way.

Any other ideas?
Can I have some map (e.g. search LDAP by UserPrincipalName but use sAMAccountName as UID)?
Or maybe bind to different servers, depending on user@domain?

Will need a bit more details 🙂

Are you sure all the users are stored on the same LDAP server? What base DN are you using? You should make sure it’s common to all users’ DNs.

You should enable the debug log and see what happens exactly for users that can’t be found by the LDAP search.

Hi,

This is possible, especially with AD. I use the following setup:

  1. Connect to the Global Catalog (GC), i.e. a special server among your DCs that knows some basic information about all users in all domains. It is reachable via port 3268 (clear) or 3269 (TLS). You may need to ask your AD guys which server is the GC.
  2. Use a base DN like “DC=domain,DC=local” because LDAP is a tree, that means you can’t go “up” or “side-ways” from your base DN. So you can’t reach “CN=users,DC=branch,DC=domain,DC=local” if you start at “CN=users,DC=domain,DC=local”.

Best regards

rbr

Hi @rbr,
We’re trying to do something similar.
Could you share a screenshot of your xwiki.cfg or ldap settings where you configured the gc map and possibly how you map to an LDAP group in another domain?

Thanks!

Hi @mity-dave,

Sorry, I will provide the info tomorrow, but maybe the following is already enough:
This works only if all your domains are in one forest. All domains in a forest share a global catalog (GC) where parts of the information of every object of every domain are replicated read-only. So the GC is part of Active Directory.

If you have multiple forests you will need to query all GCs of the required forests, but that’s an entirely different question and will not be answered here.

To contact your GC you need to know which server has this role (ask your AD guys!), let’s assume it’s gc.mydom.local.
The GC uses a special port, which is 3268 for clear text or startTLS, and 3269 for SSL/TLS.

So in XWiki your config should look like this (for clear text):

xwiki.authentication.ldap.server=gc.mydomain.local
xwiki.authentication.ldap.port=3268

# If all your domains end in .local, DC=local should work; even an empty value may work.
xwiki.authentication.ldap.base_DN=DC=local

# You have to use a proxy user as bind DN; AD does not allow anonymous bind!
xwiki.authentication.ldap.bind_DN=cn=ldapreader,ou=serviceusers,ou=users,dc=mydomain,dc=local
xwiki.authentication.ldap.bind_pass=secret123!

# I allow searching by username (e.g. jdoe) or userPrincipalName (e.g. jdoe@subdom.mydomain.local) to find the user DN.
xwiki.authentication.ldap.user_search_fmt=(|(sAMAccountName={0})(userPrincipalName={0}))

All other options are either default or according to your needs, but with this bare minimum setup you should succeed.

Hope that helps.
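As an added illustration (this is example code written for this thread, not XWiki's authenticator code), the script below makes two points from rbr's posts checkable offline: first, that an LDAP subtree search only finds entries whose DN ends with the base DN, which is why a child-domain user under DC=branch,DC=domain,DC=local is invisible from CN=users,DC=domain,DC=local but visible from DC=domain,DC=local; second, how the `{0}` placeholder in user_search_fmt is filled in, escaping the login per RFC 4515 so that characters like `(`, `)` and `*` in a login name stay literal. The DNs and logins used are constructed sample values, and the DN parser is deliberately simple (single-valued RDNs, backslash-escaped commas only).

```python
"""Checks for the GC / base DN advice above.

Added example, not part of XWiki. Assumes simple DNs (one attribute per
RDN) and the XWiki-style "{0}" placeholder in user_search_fmt.
"""
import re

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_dn(dn):
    """Split a DN into a list of (attribute, value) RDNs, leaf first, root last.

    Attribute names and values are lower-cased because DN comparison in
    AD is case-insensitive. Commas escaped with a backslash are kept.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base_dn(entry_dn, base_dn):
    """True if a subtree search rooted at base_dn could return entry_dn.

    LDAP is a tree: the search can only go down from the base, never up
    or sideways, so the entry's DN must end with the base DN's RDNs.
    """
    entry = parse_dn(entry_dn)
    base = parse_dn(base_dn)
    if not base:
        return True  # empty base DN imposes no restriction on the suffix
    if len(base) > len(entry):
        return False
    return entry[-len(base):] == base


def escape_filter_value(value):
    """Escape a user-supplied value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(fmt, login):
    """Fill the {0} placeholder of a user_search_fmt string with an escaped login."""
    return fmt.replace("{0}", escape_filter_value(login))


if __name__ == "__main__":
    # Constructed sample DNs mirroring the parent/child domains in this thread.
    child_user = "CN=jdoe,CN=users,DC=branch,DC=domain,DC=local"
    parent_users_ou = "CN=users,DC=domain,DC=local"
    forest_root = "DC=domain,DC=local"

    print(is_under_base_dn(child_user, parent_users_ou))  # False: sideways in the tree
    print(is_under_base_dn(child_user, forest_root))      # True: below the forest root

    fmt = "(|(sAMAccountName={0})(userPrincipalName={0}))"
    print(build_user_search_filter(fmt, "jdoe@branch.domain.local"))
    print(build_user_search_filter(fmt, "jo(h)n*"))  # metacharacters stay literal
```

Running it shows the same lookup failing from the parent domain's users container and succeeding from the forest-root base DN, which is the practical reason for rbr's point 2; the GC port choice (3268 vs 3269) is a transport setting and is not modelled here.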

Note: I updated https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/#HMyusersarenotlocatedonthesameserver (without much detail yet, but there is kind of an example in https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/) since what was indicated is not fully true anymore.