Short description
Authentication on more than one LDAP server. One usergroup per LDAP server for better ACL management (something like usergroup Trusted).
We do have a summer of code project about Extending moin's groups to LDAP and other external sources.
I set up an internal wiki. As it is internal it is only accessible by users logged in. Authentication works fine using an LDAP server. Now I need to involve two more LDAP servers to get other users in.
So this is basically 2 feature requests:
- be able to use multiple ldap servers with different configuration - is implemented in 1.7 branch (comes naturally by using auth object init params, not config values). It is completely untested and still needs some volunteers for testing the code in an environment with ldap server(s). If you like to help, try a current 1.7 checkout and report your findings below (or meet me on #moin-dev irc channel). -- ThomasWaldmann 2008-04-05 20:50:19
I have not tried exactly this, but ldap and moin_auth. It looks like if ldap is not available, current 1.7 rc1 does not request moin_auth.
- be able to query ldap for user groups (using filters)
First of all enabling users on the other LDAP servers to work with the wiki. But not everyone should have the same rights. I would use different LDAP trees and/or filters to manage that. So in the end there would be much more than three LDAP servers in the list. It would be nice to have one group per LDAP server because this way there don't have to be manual usergroups (the list of users is very large).
To all users using more than one LDAP server. Especially larger organizations.
Hi, I would like to help about this. I work on a Microsoft Active Directory environment and we have several Domain Controllers (aka LDAP servers) available. I'm ok to test some things but I need more precision about what and how. I just installed 1.7dev (from hg repository).
- I don't understand the "be able to use multiple ldap servers with different configuration". Here, all my LDAP servers are replicated so each one has the same (LDAP) configuration, or do you speak about something different?
- well, I am no ldap user, but I can think of two reasons one might want to use multiple ldap authenticators:
- redundancy: if first ldap server fails, moin will ask the second one and continue to work
- different data: if you run a wiki for multiple departments and every department has its own ldap server, moin can poll both to accept users of both departments
- to the user groups, I'm really interested in testing this feature because I'm interested in using it :) Just today, presenting the new ldap auth with login possible only for users in a specific LDAP group, and talking about ACL management, someone asked me about using LDAP groups for managing security!
-- EricVeirasGalisson 2008-04-09 15:42:31
Usage of multiple (different content) ldap servers has the problem of duplicate user names:
user JoeSmith on server1
user JoeSmith on server2
- they don't need to be the same person
- we need to have different names for different persons due to ACLs using the names
So we need a good plan first about how to handle this. Just appending some "domain" would be a bit ugly as we usually have home page name == user name. And who wants to have a homepage like "JoeSmith@ldap1"?
Usage of multiple (same content) ldap servers for redundancy could be implemented first.
multiple ldap servers could be used since 1.8 (?)
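The two uses discussed above (same-content servers for redundancy, and different-content servers where one login name can belong to two people) can be modelled without a live directory. This is an added Python example, not MoinMoin code: `Directory`, `authenticate` and `colliding_logins` are hypothetical names, all entries are constructed, and the password comparison stands in for an LDAP bind.

```python
import hmac
from dataclasses import dataclass

class ServerUnavailable(Exception):
    """Raised by a simulated directory that cannot be reached."""

@dataclass
class Directory:
    # Hypothetical stand-in for one LDAP authenticator object; each
    # instance carries its own settings instead of sharing global config.
    name: str
    users: dict      # login -> (password, DN); constructed sample data
    up: bool = True

    def check(self, login, password):
        if not self.up:
            raise ServerUnavailable(self.name)
        entry = self.users.get(login)
        if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
            return entry[1]
        return None

def authenticate(directories, login, password):
    """Try each directory in order; an unreachable one is skipped."""
    for d in directories:
        try:
            dn = d.check(login, password)
        except ServerUnavailable:
            continue          # redundancy: fall through to the next server
        if dn is not None:
            return d.name, dn
    return None

def colliding_logins(directories):
    """Logins that map to different DNs, i.e. possibly different persons."""
    seen, clashes = {}, set()
    for d in directories:
        for login, (_, dn) in d.users.items():
            if seen.setdefault(login, dn) != dn:
                clashes.add(login)
    return sorted(clashes)

# Constructed entries: server1 has a replica, server2 holds different data.
DN1 = "cn=Joe Smith,ou=sales,dc=example,dc=org"
DN2 = "cn=Joe Smith,ou=eng,dc=example,dc=net"
SERVER1_DOWN = Directory("server1", {"JoeSmith": ("pw-sales", DN1)}, up=False)
SERVER1_REPLICA = Directory("server1-replica", {"JoeSmith": ("pw-sales", DN1)})
SERVER2 = Directory("server2", {"JoeSmith": ("pw-eng", DN2)})
```

With different-content servers, both people log in as `JoeSmith`, so an ACL entry written for one of them also matches the other; running a check like `colliding_logins` before enabling a second directory shows how many names are affected.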