Two Questions about LDAP Authenticator

Hi,

I hope some LDAP Authenticator (free) programmer or expert can help me. Currently we authenticate our users via LDAP on port 389 (without encryption). This works wonderfully. Our XWiki version is 11.10.10.

Now we must reconfigure our LDAP Authenticator so that it encrypts the LDAP communication.

There are two ways this can be achieved:

1.) Use LDAP via port 389 with SASL and LDAP encryption, or (the better way):
2.) Use LDAPS via port 636

Now my questions:
Regarding point 1, I couldn't find anything on the info site https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/ about how to activate this. Is that maybe activated by default?

Regarding point 2 (use LDAPS via port 636), I tried to reconfigure xwiki.cfg with these parameters:
changed: xwiki.authentication.ldap.port=636 (from 389)
and added the line: xwiki.authentication.ldap.ssl=1

But unfortunately, with these parameters LDAPS didn't work (no login possible).

I reconfigured other applications, and they work fine.

Maybe a hint:
On this site (https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/) it is explained that I must additionally add a keystore file (truststore). But is that really necessary? Other Linux applications don't need that. And for my colleagues I want to implement it as easily as possible. Not that someone exchanges the certificate on the domain controllers and doesn't think about changing it on the XWiki server.

Thank you very much for your help.

With best regards

Knight01

Hi @Knight01

LDAPs is the way to go.

I think you have to adapt the settings below in xwiki.cfg to your needs and add your LDAP certificate, which is bound to port 636 on the LDAP server, to the Java keystore like this: https://docs.oracle.com/cd/E19509-01/820-3399/ggfrj/index.html

#-# [Since 1.3M2]
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
# xwiki.authentication.ldap.ssl=0

#-# [Since 1.3M2]
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=

#-# [Since 1.5M1]
#-# The java secure provider used in SSL connection
#-# The default is com.sun.net.ssl.internal.ssl.Provider
# xwiki.authentication.ldap.ssl.secure_provider=com.sun.net.ssl.internal.ssl.Provider

Remember to change your LDAP connection from port 389 to 636 afterwards.

#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
#-# The default host is localhost
xwiki.authentication.ldap.server=localhost
#-# The default port is 389 (636 if xwiki.authentication.ldap.ssl is enabled)
xwiki.authentication.ldap.port=636
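
The two configuration states discussed in this thread (port 636 with ssl=1 but no keystore, which left Knight01 with "no login possible", and the plaintext port 389 default) can be checked mechanically. The following is an added example, not XWiki project code: it parses the xwiki.cfg property style quoted above (`#-#` documentation comments, `#`-commented defaults, `key=value` lines) and reports the mismatches a defender would want flagged. The sample configuration and the hostname `dc01.example.test` are constructed; the statement that an unset `ssl.keystore` falls back to the JVM's default truststore is an assumption about the authenticator's behaviour, not something the thread confirms.

```python
"""Sanity-check the LDAP/LDAPS settings in an xwiki.cfg fragment.

Added example, not part of the XWiki LDAP Authenticator. It resolves the
documented defaults (port 389, or 636 when ssl=1) and reports the
misconfigurations discussed in the thread.
"""
import re

# Constructed sample in xwiki.cfg style; the values mirror the thread
# (port switched to 636, ssl=1 added, keystore still commented out).
SAMPLE_CFG = """\
#-# LDAP Server (Active Directory, eDirectory, OpenLDAP, etc.)
#-# The default host is localhost
xwiki.authentication.ldap.server=dc01.example.test
#-# The default port is 389 (636 if xwiki.authentication.ldap.ssl is enabled)
xwiki.authentication.ldap.port=636
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
xwiki.authentication.ldap.ssl=1
#-# The keystore file to use in SSL connection
# xwiki.authentication.ldap.ssl.keystore=
"""

PREFIX = "xwiki.authentication.ldap."
KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_cfg(text):
    """Return only the active key/value pairs.

    Every line starting with '#' is skipped: '#-#' is documentation, and a
    plain '#' before a key means the default is still in force, not that the
    value written after it is set.
    """
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = KEY_VALUE.match(stripped)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def ldap_settings(settings):
    """Resolve the connection settings using xwiki.cfg's documented defaults."""
    ssl = settings.get(PREFIX + "ssl", "0") == "1"
    port_raw = settings.get(PREFIX + "port")
    port = int(port_raw) if port_raw else (636 if ssl else 389)
    return {
        "server": settings.get(PREFIX + "server", "localhost"),
        "port": port,
        "ssl": ssl,
        "keystore": settings.get(PREFIX + "ssl.keystore", ""),
    }


def check_ldap(cfg):
    """Return a list of (code, message) findings for the resolved settings."""
    findings = []
    if not cfg["ssl"]:
        findings.append(("PLAINTEXT",
                         "ssl=0: bind credentials cross the network unencrypted"))
        if cfg["port"] == 636:
            findings.append(("PORT_MISMATCH",
                             "port 636 is the LDAPS port but ssl=0: plain LDAP to a "
                             "TLS-only port cannot connect"))
    else:
        if cfg["port"] == 389:
            findings.append(("PORT_MISMATCH",
                             "ssl=1 but port 389: LDAPS normally listens on 636"))
        if not cfg["keystore"]:
            # Assumption: with no keystore configured, trust falls back to the
            # JVM default truststore, so the LDAP server's issuing CA must be
            # trusted there or the TLS handshake fails (symptom: no login).
            findings.append(("NO_KEYSTORE",
                             "ssl=1 without ssl.keystore: the server certificate must "
                             "chain to a CA in the JVM default truststore"))
        else:
            # Trusting the issuing CA rather than the leaf certificate survives
            # a certificate rotation on the domain controllers.
            findings.append(("KEYSTORE_HINT",
                             "import the issuing CA certificate into the keystore, "
                             "not the server's leaf certificate"))
    return findings


if __name__ == "__main__":
    resolved = ldap_settings(parse_cfg(SAMPLE_CFG))
    print("resolved:", resolved)
    for code, message in check_ldap(resolved):
        print(f"{code}: {message}")
```

Run it against a copy of the live xwiki.cfg by replacing `SAMPLE_CFG` with the file's contents; the `KEYSTORE_HINT` finding is the practical answer to the rotation worry raised in the first post, since a truststore that holds the domain's issuing CA does not need touching when the domain controllers' own certificates are renewed.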

Hi Jwielsch,

Thank you for your quick response.

As written in my post, I don't understand why, and we will not use fixed certificates on the client side for something like that. Especially in other applications like Snipe-IT etc., LDAPS is working without keystore files and fixed domain controller certificates.

It would be great if that worked so easily in XWiki too. Does anyone have a clue whether this is possible, or how to do it with LDAP via port 389 with SASL and LDAP encryption?

With best regards

Knight01

I can’t answer that. Sorry.

SASL is, IMHO, not the right way. At least Microsoft set new requirements for connecting to Active Directory, and they are going the TLS/SSL way.