User page name wrongly named after LDAP attributes

I have XWiki 14.6 with LDAP Authenticator 9.7.6.

I’m facing a strange situation, where:

  1. two user pages have been correctly named using the LDAP user username;
  2. two others have instead been named with the user's last name and first name;
  3. for the last one (the most recently created), it seems the LDAP props have not been decoded, and it has a wrong name.

I’m fairly sure (1) & (2) were created when my XWiki was at 14.2.1 (and LDAP Auth maybe at 9.7.5), while (3) is of these days (XWiki 14.6).

These are the parts of the config that should be relevant:

xwiki.cfg:xwiki.authentication.ldap.bind_DN=<LDAP user with admin rights>
xwiki.cfg:xwiki.authentication.ldap.user_search_fmt=(sAMAccountName={1})
xwiki.cfg:xwiki.authentication.ldap.UID_attr=cn
xwiki.cfg:xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName
xwiki.cfg:xwiki.authentication.ldap.userPageName=${ldap.sAMAccountName}

The sAMAccountName field is where usernames are stored, and for me is like ra…ma… (all lowercase letters), and it worked.

For the last config option, this is what the comment says:

#-# [Since 9.0]
#-# The XWiki page name pattern.
#-# The supported syntax is org.apache.commons.lang3.text.StrSubstitutor one,
#-# see http://commons.apache.org/proper/commons-lang/javadocs/api-3.0/org/apache/commons/lang3/text/StrSubstitutor.html for more details.
#-# Can use:
#-# * the LDAP fields listed in xwiki.authentication.ldap.fields_mapping by prefixing it with "ldap." as in ${ldap.givenName}
#-# The default is "${uid}".
#-# * xwiki.authentication.ldap.remoteUserParser regex groups
#-# * a properties defined in xwiki.authentication.ldap.remoteUserMapping
#-# 
#-# [Since 9.5.5]
#-# The following suffixes can be added:
#-# * "._lowerCase": the lower case version of the string
#-# * "._upperCase": the upper case version of the string 
#-# * "._clean": a version of the string stripped from ".", ":", ",", "@", "^", "/" characters and "\s" (all forms of white spaces).
#-#             It can itself be suffixed with "._lowerCase" and "._upperCase".
#-#
#-# In this example the XWiki user profile page name will be of the form MYDOMAIN-myuid
# xwiki.authentication.ldap.userPageName=${domain}-${uid}

But I’m not sure what that means, I do not want to use the sAMAccountName value in any of the profile fields.

Here’s how the user pages are shown:

[image]

(for case (2) you can see the two capital letters corresponding to the person's last name and first name)

Then why do you indicate in the configuration that it’s cn?

You might want to look at the example for ActiveDirectory which is documented in Use cases of configuration to authenticate users with LDAP (XWiki.org). If you indicate that the uid is sAMAccountName then that’s what is expected to be typed by users in the login screen and what will be used by default as page name.

There is no such variable as ${ldap.sAMAccountName} so that’s literally what you end up with as page name as you can see in your screenshot.

Motivations are a bit hard to recall, since I set them up more than six months ago, but I’ll try.

I found my previous thread asking for support: LDAP authenticator and user names / user pages

I see in the above-mentioned thread that the page name http://.../view/XWiki/<Lastname><Firstname> is what I wanted*, so I guess the two in (1) were created before that thread and the reconfigurations involved.

*: but maybe I’ll change my mind here, I’m thinking about it.

Well… this is the comment about userPageName (from LDAP Authenticator (XWiki.org))

#-# The XWiki page name pattern.
#-# The supported syntax is org.apache.commons.lang3.text.StrSubstitutor one,
#-# see http://commons.apache.org/proper/commons-lang/javadocs/api-3.0/org/apache/commons/lang3/text/StrSubstitutor.html for more details.
#-# Can use:
#-# * the LDAP fields listed in xwiki.authentication.ldap.fields_mapping by prefixing it with "ldap." as in ${ldap.givenName}
#-# * xwiki.authentication.ldap.remoteUserParser regex groups
#-# * a properties defined in xwiki.authentication.ldap.remoteUserMapping
#-# 
#-# The following suffixes can be added:
#-# * "._lowerCase": the lower case version of the string
#-# * "._upperCase": the upper case version of the string 
#-# * "._clean": a version of the string stripped from ".", ":", ",", "@", "^", "/" characters and "\s" (all forms of white spaces).
#-#             It can itself be suffixed with "._lowerCase" and "._upperCase".
#-#
#-# In this example the XWiki user profile page name will be of the form MYDOMAIN-myuid
# xwiki.authentication.ldap.userPageName=${domain}-${uid}
#-#
#-# The default is; "${uid}".
# xwiki.authentication.ldap.userPageName=${uid}

It says I can use

the LDAP fields listed in xwiki.authentication.ldap.fields_mapping by prefixing it with “ldap.” as in ${ldap.givenName}

although I have to admit that the passage:

[…] listed in xwiki.authentication.ldap.fields_mapping […]

is not so clear to me, since I have no idea to what user property I could map that.

However, sAMAccountName is an attribute present in our LDAP where the (local domain) username is stored (and I guess it was fine up to a point, since the first user pages are named after its value); but, as in my last post, I see I left the configuration unfinished.

Can I ask for a clarification about:

#-# Specifies the LDAP attribute containing the identifier to be used as the XWiki name
#-# The default is:
# xwiki.authentication.ldap.UID_attr=cn

What exactly is that XWiki name? That’s probably where my doubts started.

That comment predates the introduction of xwiki.authentication.ldap.userPageName, and the “XWiki name” here is the user id to be used on the XWiki side (so the page name), as the uid used to be used for the page name as well as the field to search for in LDAP. I updated it a bit, hope it’s more clear now.

Thank you.

Nice, I saw it in the extension page and yes it is :slight_smile:

So, to be sure before I mess up my users in our production installation :grin:, if I set:

xwiki.cfg:xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.cfg:xwiki.authentication.ldap.userPageName=

User page names (i.e. in URLs) will be like /xwiki/bin/view/XWiki/<sAMAccountName>

While with:

xwiki.cfg:xwiki.authentication.ldap.UID_attr=sAMAccountName
xwiki.cfg:xwiki.authentication.ldap.userPageName=cn

User page names (i.e. in URLs) will be like /xwiki/bin/view/XWiki/<cn> (e.g. /xwiki/bin/view/XWiki/JohnDoe), right?

After I change the configured value of UID_attr, may I run into any issues like pages with no owner / editor, and such?

Let me ask for a clarification about this: are you saying that I should drop the ${ldap.} part and only leave it as ${sAMAccountName}?

No, here you are telling the authenticator that you want an empty page name. You should not set userPageName at all (just comment it).

This makes the page name be literally cn. As indicated in the documentation, if you want to use a variable value you need to use the corresponding syntax (${}) but you can only use the uid or a variable declared in the mapping right now and I don’t think you have the cn in the mapping.

No. Let me repeat the documentation here:

#-# Can use:
#-# * the LDAP fields listed in xwiki.authentication.ldap.fields_mapping by prefixing it with "ldap." as in ${ldap.givenName}
#-# * xwiki.authentication.ldap.remoteUserParser regex groups
#-# * a properties defined in xwiki.authentication.ldap.remoteUserMapping

sAMAccountName is none of those in your initial configuration, so you cannot use it whatever syntax you try. Anyway, you don’t need that if you use the sAMAccountName as uid.

Oops, yes of course. Thanks for the notice.

Sure, that was just written too quickly.

About the other paragraphs, thank you, I’m gonna try them ASAP.
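
The three userPageName mistakes discussed in this thread (a placeholder that is not an available variable, an empty value, and a bare attribute name) can be caught with a small check before a production xwiki.cfg is changed. This is an added example, not part of the thread and not the LDAP Authenticator's code: it models only the rules in the configuration comment quoted above, the function names are hypothetical, and variable names that come from remoteUserParser or remoteUserMapping have to be passed in through the assumed `extra` parameter.

```python
import re

PREFIX = "xwiki.authentication.ldap."
SUFFIXES = ("._lowerCase", "._upperCase", "._clean")
PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")
# Constructed sample: the settings posted at the top of the thread.
THREAD_CFG = """\
xwiki.authentication.ldap.UID_attr=cn
xwiki.authentication.ldap.fields_mapping=last_name=sn,first_name=givenName
xwiki.authentication.ldap.userPageName=${ldap.sAMAccountName}
"""

def parse_cfg(text):
    """Collect active xwiki.authentication.ldap.* keys ('#' lines are comments)."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().startswith(PREFIX):
                cfg[key.strip()[len(PREFIX):]] = value.strip()
    return cfg

def allowed_variables(cfg, extra=()):
    """uid, plus ldap.<attr> for every LDAP attribute named in fields_mapping."""
    names = {"uid", *extra}
    for pair in cfg.get("fields_mapping", "").split(","):
        if "=" in pair:
            names.add("ldap." + pair.split("=", 1)[1].strip())
    return names

def base_name(var):
    """Strip trailing ._clean / ._lowerCase / ._upperCase suffixes."""
    while var.endswith(SUFFIXES):
        var = var[:var.rfind("._")]
    return var

def check_user_page_name(text, extra=()):
    """Return a list of problems with userPageName; an empty list means none."""
    cfg = parse_cfg(text)
    if "userPageName" not in cfg:
        return []  # unset or commented out: the default ${uid} is used
    pattern = cfg["userPageName"]
    if not pattern:
        return ["userPageName is set but empty"]
    used = PLACEHOLDER.findall(pattern)
    if not used:
        return [f"userPageName is the literal text {pattern!r}"]
    ok = allowed_variables(cfg, extra)
    return [f"${{{v}}} is not an available variable"
            for v in used if base_name(v) not in ok]
```

Calling `check_user_page_name(THREAD_CFG)` reports the `${ldap.sAMAccountName}` placeholder, because only `sn` and `givenName` appear in fields_mapping.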