This question about Authentication or Authorisation: Asked
Permit only a subset of users to authenticate with LDAP
Please forgive what may be an obvious question.
Is there a way to limit which LDAP users can access the foswiki? I would like to consider using my university's LDAP server for authentication, but that doesn't mean I want everyone with a valid LDAP entry at the university to have access to my foswiki!
I understand that I can control how the fields returned by the LDAP server are mapped into a WikiName. Are any resulting WikiNames not found in the WikiUsers topic simply denied access? Or would I need to use increased AccessControl within foswiki itself, assuming every authenticated LDAP user makes it in?
If you don't want foswiki to have access to use all of your LDAP users and groups I believe the {Ldap}{UserBase} and LoginFilter in configure-Extensions-LdapContrib can narrow it down so that Foswiki doesn't see all of your LDAP database. Base could be something like OU=!Wikiusers,DC=company,DC=net
You can limit who has access to each web from the corresponding "Web"/WebPreferences topic. Unless you set WEB or TOPIC access controls any authenticated LDAP user has access by default. LDAP can also be used for lookup for other information if you use it, e.g. contact info with email and phone numbers by using the Extensions::LdapNgPlugin.
I would suggest the IRC channel if you have questions during config.
-- LarsEik - 28 Oct 2011
Thanks, I was beginning to suspect I would need admin access to the LDAP server in order to create a group to control access. Unfortunately, I don't have such access and was hoping to use the LDAP for authentication only.
I understand how to limit users with access controls after they've been authenticated, but at this point the number of users I'd have to control if I used my institution's LDAP would far outnumber my little group.
I might suggest a note in the documentation that the instructions for LDAP assume admin access to the LDAP server when access control is desired with a warning that adopting LDAP without group controls will let all valid LDAP users log in.
Thanks for your help!
-- JohnRoberts - 29 Oct 2011
This unanswered question was asked over 5 years ago; however, I could not find more recent information about how to limit access to our Foswiki installation. Currently, I use LDAP for authentication only and therefore every LDAP user is "auto registered".
Where can I find more information / documentation about how to use {Ldap}{UserBase} or {Ldap}{LoginFilter} or Group settings to restrict user access to a certain set of LDAP users? A binary choice, e.g., login enabled/disabled per user id would suffice. Thanks!
-- Daniel, 21.2.2017
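
An added example, not part of the thread and not Foswiki or LdapContrib code: one way to get a per-user allowlist without admin rights on the directory is to generate the search filter string for {Ldap}{LoginFilter} from a list of permitted user ids. It assumes accounts carry `uid` and `objectClass=posixAccount` (adjust to the directory's schema) and that the setting takes a standard LDAP filter; the user names and sample entries are constructed.

```python
import re

# RFC 4515: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter(allowed_uids, object_class="posixAccount"):
    """Filter that matches only account entries whose uid is on the allowlist."""
    if not allowed_uids:
        raise ValueError("an empty allowlist would yield the invalid filter (|)")
    terms = "".join(f"(uid={escape_filter_value(u)})"
                    for u in sorted(set(allowed_uids)))
    return f"(&(objectClass={object_class})(|{terms}))"

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(filt, entry):
    """Evaluate the filter subset generated above: &, | and equality tests."""
    def parse(i):
        if filt[i + 1] in "&|":
            op, i, results = filt[i + 1], i + 2, []
            while filt[i] == "(":
                ok, i = parse(i)
                results.append(ok)
            return (all(results) if op == "&" else any(results)), i + 1
        end = filt.index(")", i)
        attr, _, val = filt[i + 1:end].partition("=")
        have = [v.lower() for v in entry.get(attr, [])]  # uid matching ignores case
        return _unescape(val).lower() in have, end + 1
    return parse(0)[0]

# Constructed sample directory entries (not from any real server).
SAMPLE_ENTRIES = [
    {"uid": ["alice"], "objectClass": ["posixAccount"]},
    {"uid": ["bob"], "objectClass": ["posixAccount"]},
    {"uid": ["mallory"], "objectClass": ["posixAccount"]},
]

def allowed_logins(filt, entries=SAMPLE_ENTRIES):
    """uids of the sample entries that the filter would let through."""
    return [e["uid"][0] for e in entries if matches(filt, e)]

if __name__ == "__main__":
    f = build_login_filter(["alice", "bob"])
    print(f, allowed_logins(f))
```

The escaping step matters when the allowlist is edited by hand: an unescaped `*` in one entry would turn `(uid=*)` into a presence test that matches every account.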