Getting started with xwiki

Hello There,

I am pretty new to the UCS so I am a bit lost with that one. I just installed the controller on one host (VM) and on another (VM) I installed a managed node and on that one I added the xwiki app.

In order to make the SSO work I needed to install the OpenID Connect Provider on the main controller, and now the login is possible.

But now I am facing the issue that I am searching for the place / a manual / some hint about how to make the xwiki aware of some sort of permissions I can set in the UCS.

For instance: right now, every user - no matter which group - can log in to the xwiki, but none gets administrator privileges.

So I need some way to tell the xwiki about that. Is that something I can do on the UCS? If so, how is that supposed to work? If not, I guess I have to tweak some configuration on the xwiki host, but all I found on this topic is here: https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/OpenID%20Authentication%20with%20UCS/#HXWikiConfiguration But that is for UCS 4.4 and I am unsure if that applies to 5 as well?

Thanks for directions!

After some trial and error we were able to log in somehow.

As it turned out, I failed to record the login and password that should have appeared during the install of the app. So I needed to tweak /var/lib/univention-appcenter/apps/xwiki/data/xwiki-data/data/xwiki.cfg to include the hardcoded admin account as described here: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Configuration/#HEnablesuperadminaccount

After restarting the app we could finally log in.

BUT there is still some weird stuff going on, and I do not know whether to look for it on the UCS or the XWiki side.

As described here: https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/OpenID%20Authentication%20with%20UCS/ , at the bottom where the UCS LDAP setup is explained, one is asked to create a new item in the LDAP Directory at <root>/univention/oicd. As shown, the type is:
Screenshot from 2023-04-05 10-05-14

But when creating a new item there, I simply cannot select such a type, nor anything that looks like OpenID Connect - no items in the list. What can I do about it?

Right now, everybody can log in to xwiki, no matter if admin or not, and in case a user clicks the Logout item on the xwiki's menu, no logout happens; the user is redirected to the page itself. Here is the relevant section in xwiki.properties:

oidc.endpoint.authorization=https://ucs-sso.werkbank.intranet/signin/v1/identifier/_/authorize
oidc.endpoint.token=https://ucs-sso.werkbank.intranet/konnect/v1/token
oidc.endpoint.userinfo=https://ucs-sso.werkbank.intranet/konnect/v1/userinfo
oidc.endpoint.logout=https://ucs-sso.werkbank.intranet/signin/v1/identifier/_/endsession
oidc.scope=openid,profile,email
oidc.idtokenclaims=id_token
oidc.user.nameFormater=${oidc.user.preferredUsername._clean}
oidc.userinfoclaims=
oidc.clientid=xwiki
oidc.secret=xxxxxxxxxxx