Seeking help with setting up SSO with Kerberos/LDAP

Hello,

I read a lot of threads and things all around the documentation and forum, but every explanation is a bit misleading. Currently I'm running an XWiki installation on Unix with nginx as reverse proxy, Tomcat and the LDAP authenticator (which is working). The LDAP connects to an Active Directory. Now we want to make the next step and do automatic authentication through LDAP when we enter the page.

The guide here is a bit short and not very detailed: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Authentication/#HKerberosSSOAuthentication

So I'm looking for someone to guide me through it. I would even gift them a coffee :smiley: since everyone likes coffee.

I am running XWiki on a Windows-Server and here is how I did it:

  1. Get LDAP Authentication to work

  2. Your Wiki-Server needs to be allowed to use http-authentication (via Browser-GPO)

  3. Your service user (which runs the webserver) has to have an HTTP entry in its servicePrincipalName attribute (in AD)

  4. Edit your wiki.cfg:
    Under the following line add the following configuration (and adapt it):
    xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl

    #XWiki Integrated Windows Authentication (IWA) support
    xwiki.authentication.ldap.remoteUserParser=(.+)\\(.+)
    xwiki.authentication.ldap.remoteUserMapping.1=domain
    xwiki.authentication.ldap.remoteUserMapping.2=uid
    xwiki.authentication.ldap=1
    xwiki.authentication.ldap.server=domaincontroller.mydomain.dom
    xwiki.authentication.ldap.port=389
    xwiki.authentication.ldap.base_DN=dc=mydomain,dc=dom
    xwiki.authentication.ldap.bind_DN=mydomain\service-user
    xwiki.authentication.ldap.bind_pass=service-user-password
    xwiki.authentication.ldap.UID_attr=sAMAccountName
    xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName,fullname=displayName,email=mail
    xwiki.authentication.ldap.group_mapping=YourXWikiAdminGroup=CN=YourADXWikiAdminGroup,OU=Groups,OU=mySystem,DC=mydomain,DC=dom

  5. Edit your web.xml (this is specifically for the Windows-Server, I think (waffle libraries and such)):
    Under the following lines add the following configuration (and adapt it):
    [screenshots of the web.xml entries; images not included]

  6. Restart your webserver
  7. Done.
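To see what the remoteUserParser/remoteUserMapping pair in step 4 actually does with the value the container passes in, here is an added Python illustration (not XWiki's code and not from the post): it parses the cfg excerpt, applies the regex to two constructed REMOTE_USER values, and builds the escaped LDAP lookup filter from UID_attr. The regex is evaluated with Python's re rather than Java's, and Java properties-file unescaping is not modelled.

```python
import re
from typing import Dict, Optional

# Constructed excerpt of the xwiki.cfg lines from the post above (placeholder values).
XWIKI_CFG = r"""
#XWiki Integrated Windows Authentication (IWA) support
xwiki.authentication.ldap.remoteUserParser=(.+)\\(.+)
xwiki.authentication.ldap.remoteUserMapping.1=domain
xwiki.authentication.ldap.remoteUserMapping.2=uid
xwiki.authentication.ldap.UID_attr=sAMAccountName
"""

def parse_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments.
    Only the first '=' splits key from value, so values may contain '='."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def parse_remote_user(cfg: Dict[str, str], remote_user: str) -> Optional[Dict[str, str]]:
    """Apply remoteUserParser to the REMOTE_USER value and name each capture
    group via remoteUserMapping.N (N is 1-based). Returns None when the value
    does not match, e.g. a UPN 'user@realm' against a 'DOMAIN\\user' parser."""
    pattern = cfg["xwiki.authentication.ldap.remoteUserParser"]
    match = re.fullmatch(pattern, remote_user)
    if match is None:
        return None
    mapped: Dict[str, str] = {}
    for index in range(1, len(match.groups()) + 1):
        field = cfg.get(f"xwiki.authentication.ldap.remoteUserMapping.{index}")
        if field:
            mapped[field] = match.group(index)
    return mapped

def uid_filter(cfg: Dict[str, str], uid: str) -> str:
    """Build the LDAP search filter for the extracted uid from UID_attr, escaping
    filter metacharacters per RFC 4515 so the uid cannot alter the filter."""
    escaped = "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in uid)
    return f"({cfg['xwiki.authentication.ldap.UID_attr']}={escaped})"

if __name__ == "__main__":
    cfg = parse_cfg(XWIKI_CFG)
    for value in (r"MYDOMAIN\jdoe", "jdoe@mydomain.dom"):
        print(value, "->", parse_remote_user(cfg, value))
```

A None result is the case to check first when SSO silently falls back to the login form: the container authenticated the user, but the parser did not recognise the name format it was given.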

If you want automatic logon through Active Directory, one way (an easy way, I think) is to run your Tomcat instance on a Windows server (as noted in the previous reply). If you are able to go this route, I created some video tutorials that may be helpful:


Hey guys! Thanks a lot for your replies!!! I'm currently waiting to get my VM and then gonna do the steps you mentioned above. Probably we should extend the guide with this information. :slight_smile: