Active Directory Application

Authenticate users against an Active Directory server (LDAP). Note that this is a paying application.

administration.png
CategoryApplication
Active Installs66
Rating
7 Votes
LicenseGNU Lesser General Public License 2.1
SourcesIssues

Active Directory application represents one of the many User Authentication mechanisms available in XWiki and it uses the information from an Active Directory server.

A connection needs to be set between XWiki and Active Directory in order to synchronize their users and groups. Active Directory users will be able to authenticate in XWiki and a dedicated XWiki user will be created at the first login.

In order to use this application, follow the Installation guide and then configure it from the Wiki Administration

The following image is an overview of the Active Directory application. To find out more about how to use and configure the application please read the Documentation.

administration.png

Before starting this configuration guide, make sure that you already have an Active Directory server configured and you understand how it works.

Connection settings

The Check connection button helps to check in real time that the authentication credentials are correct.

connectionSettings.png

FieldDescriptionDefault 
Active Directory server addressThe address (IP or domain name) of the server to connect to. For example, 127.0.0.1 would be used for a server that is located on the same machine where XWiki is installed.127.0.0.1
Active Directory server portThe port to connect to. For example, 389 would be used if the server is running on the standard LDAP port.389
Active Directory user dnThe bind login (user distinguish name) to connect to the server with. This can be left empty for anonymous access to the server. If the server is not configured to accept anonymous access, then the full DN of a user with proper access rights must be provided. For example, cn=admin,dc=example,dc=com is how a user DN should look.N/A
Active Directory passwordThis can be left empty for anonymous access to the server. This is the password for the previous defined Active Directory User DN and should be used together.N/A

Configuration

The Active Directory application comes with a set of default values configured, so the user only needs to specify the Base DN and the setup is done.

configuration.png

FieldDescriptionDefault 
Active Directory Base DNThe Base DN is the root of the tree containing the users and where the server performs the search. E.g. dc=example,dc=com.N/A

Advanced

In order to provide a custom configuration to the application, click on Show Advanced Configuration and start exploring all the available options.

advanced.png

advanced1.png

FieldDescriptionDefault
Enable the Active Directory authenticationEnable the Active Directory authentication for this wiki, otherwise only XWiki authentication will work. If enabled and configured properly, an XWiki user will be created whenever an Active Directory user visits the wiki for the first time.Yes
Enable the XWiki authenticationEnable the XWiki authentication for this wiki, as a fallback solution. Without this setting you will be unable to log into XWiki with local accounts. Also, if Active Directory authentication fails for any reason, the XWiki DB authentication will be tried with the same credentials.Yes
Active Directory UID attribute nameSpecifies the Active Directory attribute containing the identifier to be used as the XWiki user name.sAMAccountName
Active Directory user fields mappingSet a link between an XWiki user property that needs to store the data from an Active Directory user field. For example, first_name->givenName (first_name belongs to XWiki.XWikiUsers class and givenName to Active Directory user profile) last_name=sn,first_name=givenName,
email=mail,company=company,
comment=comment,phone=mobile
Active Directory groups mappingSet a link between an XWiki group that needs to store, as members, ther users belonging to an Active Directory group. For example, XWiki.XWikiAdminGroup->cn=marketing,ou=groups,dc=example. By default, all the users are added into XWiki.XWikiAllGroup.N/A

advanced2.png

FieldDescriptionDefault
Allow Active Directory authentication only to certain groupThis field can be used to provide authentication rights only to the members of an Active Directory group. If this is empty, no restriction will be applied and all the users from the Base DN will be able to authenticate. To configure use the full DN of the group: cn=developers,ou=groups,o=XWiki,c=FR.N/A
 Forbid Active Directory  authentication to certain groupThis field can be used to deny authentication rights to the members of an Active Directory group. The users that are members of the following group can't authenticate. To configure use the full DN of the group: cn=designers,ou=groups,o=XWiki,c=FR./N/A
Update user from Active Directory after loginIf this property is enabled, the XWiki user data will be updated from Active Directory on every login of the user, otherwise the mapping will be done only once, when the user is created.Yes
Update user photo from Active DirectoryIf this property is enabled, the XWiki avatar will be updated from Active Directory on every login of the user, otherwise the photo will not be updated.No
Active Directory groups cache expirationTime in seconds after which the list of members in a group is refreshed from Active Directory.21600 (6 hours)
When to synchronize the Active Directory groupsThe groups will be synchronized by default on every authentication of a user. For example, if an Active Directory user is moved to a different group, at the next login it will be moved in XWiki in the right group.At each authentication
of a user

FAQ

What attribute from AD will be used as login name in XWiki?

By default the sAMAccountName will be used to login in XWiki. This value can be updated on the Active Directory UID attribute name  configuration.

ActiveDirectory-sAMAccountName.png

On the Active Directory server side the sAMAccountName value can be retrieved using the Attribute tab.
ActiveDirectory-edit-sAMAccountName.png

How can the AD groups be mapped to the XWiki groups?

The mapping can be configured from the Administration section Show Advanced Configuration > Active Directory Group Mapping. The users are added to the groups upon login, the groups are not synchronized automatically.

AD-mapping.png

How to retrieve the DN of a group from Active Directory?

The DN can be retrieved from Active Directory using the Attribute Editor under the group properties.

AD-group.png

Is the user information from AD updated instantly on the XWiki profile?

The user information is not synchronized automatically, the user needs to logout and login to have his profile updated.

Is the Active Directory Application compatible with SSO?

The application is not compatible with an SSO configuration that contains a Trusted authentication framework.

Does the application support LDAPS?

Yes, to use the Active Directory app with LDAPS you need to:

  • go to the Active Directory application and change the Active Directory Server Port value from 389 to 636.
  • go to the xwiki.cfg file and change the value for the SSL connection to LDAP server from 0 to 1:
#-# SSL connection to LDAP server
#-# - 0: normal
#-# - 1: SSL
#-# The default is 0
xwiki.authentication.ldap.ssl=1

How to display more logs for the application?

When working on the configuration of the Active Directory application it could help to display more logs on the server side:

  • Open the "Global Administration: Logging" section
  • Search for "ldap"
  • Set the log level to DEBUG 

LDAP-logging.png

Installation Steps

This paid extensions requires XWiki 8.4 or above. In order to install the extension, follow the next steps inside your XWiki instance (on cloud or on premise).

Navigate to the Extension Manager

In the Applications Panel click on "More Applications..." and then "Install new applications...". Alternatively navigate directly to the Administration and select the "Extensions" section.

step1.png

Install the Extension

Search for the extension you wish to install and use the Install button to install it.

step2.png

Get a License

Navigate to the "Licenses" section of the Administration, fill your details, look for the extension you just installed in the live table and click the buttons to get a trial license or to buy a license.

step3.png

Install the License

If you have selected a trial license then you're good and there's nothing else to do. Your trial license is automatically installed.

However if you've selected to buy a license you'll be redirected to a page to perform the payment. At the end you need to come back to the "Licenses" administration section and click on the "Check for Updates" button. This will download and apply the license you bought.

Use the Extension

Start using the Extension! Refer to the extension's documentation to know how to use it.

Installing in subwikis

Each (sub)wiki can have its own UI for configuring LDAP and thus it's possible to have different settings per wiki. The only restriction is that the Active Directory application must be installed first in the main wiki before it can be installed in other subwikis.

Options

The price is per year and varies depending on the support level and the number of users.

Support / Users 10 25 50 100 250 500 1000 2500 5000 10000 20000
Silver
Active Directory Application is part of the XWiki Pro package. Purchasing this package you will benefit from more extensions at a better price. Check the full offer in XWiki Pro!

Benefits

What do you get when you purchase an XWiki extension?

1 year license

By purchasing an XWiki extension license, you'll benefit from it during one year.

Free updates

You benefit from all the extension updates during one year. You are always up to date.

Support included

If you are facing an issue, you can reach the XWiki support. Our team is always available to help.

How to Buy

To buy, install this extension from inside your XWiki instance and follow the instructions.

Release notes

v1.6.5

Update the Licensing dependency to version 1.14.4

v1.6.4

Update the Licensing dependency to version 1.14.3.

v1.6.3

Update the Licensing dependency to version 1.14.1.

v1.6.2

Update the Licensing dependency to version 1.13.9.
Update the LDAP Application dependency to version 9.4.

v1.6.1

Update the LDAP Application dependency to version 9.3.7.

v1.6

Bugs fixed:
#6 Success message misspelled.
#7 Connection error is not expandable.
#12 The resetGroupCache() method is never called.

Improvements:
#8 Use the full content to display the configuration.
#9 Store the default configuration values when the configuration document is created.
#10 Improve documentation in the administration section.
#11 Remove the '- - -' value from the Boolean properties.

v1.5.9

Update the Licensing dependency to version 1.13.8.
Update the LDAP Application dependency to version 9.3.6.

v1.5.8

Update the Licensing dependency to version 1.13.4.

v1.5.7

Update the Licensing dependency to version 1.13.3.
Update the LDAP Application dependency to version 9.3.5.

v1.5.6

Update the Licensing dependency to version 1.13.2.
Update the LDAP Application dependency to version 9.3.2.

v1.5.5

Bugs fixed:
#4 Password field can't be filled in.

Update the Licensing dependency to version 1.13.1.
Update the LDAP Application dependency to version 9.2.6.

v1.5.4

Update the Licensing dependency to version 1.13.

v1.5.3

Update the Licensing dependency to version 1.12.2.

v1.5.2

Update the Licensing dependency to version 1.12.1.

v1.5.1

Update the Licensing dependency to version 1.11.

v1.5

Bug fixed: Active Directory's connection parameters are not properly escaped.
Update the Licensing dependency to version 1.8.
Improve the way the message about no valid license is displayed.

v1.4

Update the Licensing dependency to version 1.7.

v1.3

Update the Licensing dependency to version 1.6.

v1.2.6

Update the Licensing dependency to version 1.5.4.
Update the parent version to 8.5.
Update the LDAP Application dependency to version 9.2.5.

v1.2.5

Update the Licensing dependency to version 1.4.4.

v1.2.4

Update the Licensing dependency to version 1.4.3.

v1.2.3

Update the Licensing dependency to version 1.4.2.

v1.2.2

Update the Licensing dependency to version 1.4.1.
Update the LDAP Application dependency to version 9.2.4.

v1.2.1

Update the Licensing dependency to version 1.4.

v1.2

Update the LDAP Application dependency to version 9.2.
Update the Licensing dependency to version 1.2.
Provide default values for existing properties.
Mark in the UI the default values that will be used.
Set the sAMAccountName as default uid attribute name.
Map by default all the AD attributes that are matching an XWiki user property.
Simplify the UI by splitting the Configuration into simple and advanced.
The following translations have been updated:

  • English
  • French

v1.1

Initial paid version.
Introduced the Check connection button for live validation of authentication credentials.
Enable the AD Authenticator automatically and without editing xwiki.cfg.
Enable local users by default when AD is active.

Extension details

This information is only displayed to Administrators. Your users can't see this tab.

License

  • GNU Lesser General Public License 2.1

Sources

Issues

Type

  • xar

Developed by

Compatibility

  • Requires XWiki 8.4 or above.
Installable with the Extension Manager

Dependencies

  • org.xwiki.rendering:xwiki-rendering-macro-message 8.4
  • org.xwiki.platform:xwiki-platform-rendering-macro-include 8.4
  • org.xwiki.platform:xwiki-platform-rendering-macro-velocity 8.4
  • org.xwiki.contrib.ldap:ldap-api 9.4
  • com.xwiki.activedirectory:application-activedirectory-api 1.6.5
  • com.xwiki.licensing:application-licensing-licensor-api 1.14.4
  • org.xwiki.rendering:xwiki-rendering-macro-html 8.4
Tags:
Created by Administrator on 2016/09/28 15:11
XWiki SAS Copyright © 2019