Today we will treat a very specific stack and associated needs :
Active Directory for LDAP users directory
LDAPS for the XWiki <-> Active Directory connection
In this guide I assume that the certificate served by your Active Directory for LDAPS connections has been signed by a third certificate authority (documentation).
First, we will review a little BASH script achieving most of the work for this specific use case :
# nano run_xwiki.sh
So basically, we create a new container named
xwiki from the
xwiki:mysql-tomcat official image.
The most important parts are the mounted volumes.
The first one will allow us to tweak the XWiki configuration from our host (and of course will add some persistance for the data files and the extensions), under
The second one is interesting : We actually map the bundle of our CA (present on the host) into the
/usr/local/share/ca-certificates/ directory, which is supposed to store our personal CAs (note the
ro (read only) aspect of the mapping).
After its creation, we execute two commands within our container :
We synchronize the container CA bundles to consider our new added CA
keytoolto add our CA to the JVM’s default keystore
Note : We tried each one of the above procedures separately ; It didn’t work out.
Once the additions has been performed, we restart our container to make the JVM reloading the known certificate authorities list.
Don’t forget to change the database configuration (or the base image if you don’t use MySQL) to fit with your setup !
Now that you noticed where our XWiki configuration is located, I wil show you the required entries to perform LDAP authentication from the application !
# nano /data/xwiki/data/xwiki.cfg
So here we enabled SSL/TLS for LDAP connections and configured some parameters to lean the authentication process against our Active Directory directly.
A precision though : You will have to replace the
PrivilegedUser & its associated password by the credentials of an user with read rights on your dictionnary.
Once you think everything is OK on your own, you may run the previous script :
For verification purposes, you should be able to check that :
The container has been correctly created and started (
d9f51096aed5df650f09431d87be7203734d5c7f3f22db7854923f69fd491645in our case)
Your third CA has been added to the trusted container’s CAs (
1 added, 0 removed; done.)
Your third CA has been also added to the JVM default keystore (
certificate was added to keystore)
The container has been marked to restart (
As a “workaround”, we could also fetch and build the Docker image from source (cc @Xysto), but we opted out for a more straightforward way to achieve this.
About updating (if you were wondering), you actually only have to pull the latest version from the Hub (
# docker pull xwiki:mysql-tomcat), remove your current running container and execute one more time the
To conclude the conclusion, sometimes it could be pretty frightening to browse forums and tutorials about Active Directory and remote third services integration over LDAP ‘cause most of people don’t bother encrypting those connections.
It just means that usually some privileged user credentials move back and forth insecurely over the network.
Friendly reminder : Enabling LDAPS without certificate verification is just useless as a clear-text LDAP connection.
So please, don’t disable it on production servers with real credentials (actually, it looks like you can’t with XWiki, but you may with other services…).