SubWiki: Global users getting registered als local users with LDAP

OezDur · November 14, 2019, 11:49am

Hi All,

we have set up 1 global MainWiki and have set up several SubWikis. We use LDAP Authentification and all works fine on the MainWiki.

What we want:

Have local SubWiki users that can self register on the SubWiki with their LDAP-credentials (and then have no access to the MainWiki, only SubWiki)
Have global users with access to the MainWiki
- have some of these global users have access to a few SubWikis

Users can self register with their LDAP credentials on all Wikis (otherwise no login/reg possible).

Problem Case:

User A is a registered global user on the MainWiki.
An admin adds User A to a SubWiki and in the respective groups.
User A is not logged into the MainWiki currently on his browser (important!)
User A clicks on a link to the SubWiki and gets a login-prompt. Enters LDAP credentials
User A gets registered as a new local user on the SubWiki.

What we want to happen here is:

User A is not logged in any Wiki.
Clicks on a link to a SubWiki.
Enters login-credentials and gets logged in as the global user he is (and was added to the SubWiki).

Are we doing something wrong or is this the intended behavior?

Kind regards

tmortagne · November 14, 2019, 11:57am

You might want to take a look at https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/#HI27minamultiwikienvironmentandIwantmyLDAPuserstoregisteronlyonthemainwiki.

OezDur · November 14, 2019, 12:02pm

Thx, that would be the fallback-solution if nothing else works.

But we would really like to have the ability to have users register themselfes on SubWikis, while already invited global users not beeing registered twice (like I described on my top post)

tmortagne · November 14, 2019, 12:15pm

If you look at the logic in https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/#HI27minamultiwikienvironmentandIwantmyLDAPuserstoregisteronlyonthemainwiki you will see that the way it works is that users are not allowed to authenticate on subwiki so they fallback on main wiki. Instead of completely forbid auth on subwiki you could play with user_group and exclude_group properties to filter who can be registered on subwikis and who have to be registered in main wiki.

Now if your users can access several wikis it does not make much sense to me to ever register on subwikis. That would mean they get completely different profiles and have to reconfigure things like the preferences and personal info on each wiki.

OezDur · November 14, 2019, 12:41pm

Thx for your replies,

I will probably reconsider how we handle it now and change to:

Enable LDAP registration only on the main wiki
Have LDAP disabled on subwikis
Distribute the users to the subwikis via adding them there
Auth. users at login against the main-wiki users profiles (= their LDAP credentials)