XWiki: LDAP/OIDC admin mapping, config mounts, and REST installs

- LDAP: move settings to xwiki.cfg; enable trylocal (1/0), group_mapping to XWiki.XWikiAdminGroup,
  and mode_group_sync=always.
- OIDC: add groups claim request (oidc.userinfoclaims), map provider group to XWiki.XWikiAdminGroup,
  and use space-separated scopes.
- Compose: mount xwiki.cfg and xwiki.properties into /usr/local/xwiki.
- Extensions: wait for REST readiness; pre-check OIDC/LDAP extensions (URL-encoded IDs);
  install via REST job only if missing.
- Vars: strict mappings to LDAP.* and OIDC.* (no defaults), add XWIKI_ADMIN_GROUP and derived DNs.
- Config: expose ldap.local_enabled; tidy meta tags; README grammar update.

Conversation: https://chatgpt.com/share/68c2b8ad-4814-800f-b377-065f967998db

roles/web-app-xwiki/templates/docker-compose.yml.j2

@@ -7,8 +7,10 @@
     container_name: "{{ XWIKI_CONTAINER }}"
     hostname: '{{ XWIKI_HOSTNAME}}'
     ports:
-      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
+      - "127.0.0.1:{{ XWIKI_HOST_PORT }}:{{ container_port }}"
     volumes:
+      - "{{ XWIKI_HOST_CONF_PATH }}:/usr/local/xwiki/xwiki.cfg"
+      - "{{ XWIKI_HOST_PROPERTIES_PATH }}:/usr/local/xwiki/xwiki.properties"
       - 'data:/usr/local/xwiki'
 {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %}
 {% include 'roles/docker-container/templates/base.yml.j2' %}

roles/web-app-xwiki/templates/env.j2

@@ -3,27 +3,3 @@ DB_PASSWORD="{{ database_password }}"
 DB_HOST="{{ database_host }}"
 DB_PORT="{{ database_port }}"
 DB_DATABASE="{{ database_name }}"
-
-### Pretix core
-#XWIKI_XWIKI_INSTANCE_NAME="{{ PRIMARY_DOMAIN | upper }} Tickets"
-#XWIKI_XWIKI_ALLOWED_HOSTS="{{ XWIKI_HOSTNAME }},127.0.0.1,localhost"
-#XWIKI_XWIKI_URL="{{ XWIKI_URL }}"
-#XWIKI_XWIKI_AUTH_BACKENDS="xwiki.base.auth.NativeAuthBackend{% if XWIKI_OIDC_ENABLED %},xwiki_oidc.auth.OIDCAuthBackend{% endif %}"
-#
-### Locale
-#XWIKI_LOCALE_TIMEZONE="{{ HOST_TIMEZONE }}"
-#
-#{% if XWIKI_OIDC_ENABLED %}
-### OIDC (plugin)
-#XWIKI_OIDC_TITLE="{{ XWIKI_OIDC_LABEL | replace('\"','\\\"') }}"
-#XWIKI_OIDC_ISSUER="{{ XWIKI_OIDC_ISSUER }}"
-#XWIKI_OIDC_AUTHORIZATION_ENDPOINT="{{ XWIKI_OIDC_AUTH_URL }}"
-#XWIKI_OIDC_TOKEN_ENDPOINT="{{ XWIKI_OIDC_TOKEN_URL }}"
-#XWIKI_OIDC_USERINFO_ENDPOINT="{{ XWIKI_OIDC_USERINFO_URL }}"
-#XWIKI_OIDC_END_SESSION_ENDPOINT="{{ XWIKI_OIDC_LOGOUT_URL }}"
-#XWIKI_OIDC_JWKS_URI="{{ XWIKI_OIDC_JWKS_URL }}"
-#XWIKI_OIDC_CLIENT_ID="{{ XWIKI_OIDC_CLIENT_ID }}"
-#XWIKI_OIDC_CLIENT_SECRET="{{ XWIKI_OIDC_CLIENT_SECRET }}"
-#XWIKI_OIDC_SCOPES="{{ XWIKI_OIDC_SCOPES }}"
-#XWIKI_OIDC_UNIQUE_ATTRIBUTE="{{ XWIKI_OIDC_UNIQUE_ATTRIBUTE }}"
-#{% endif %}

roles/web-app-xwiki/templates/installjobrequest.xml.j2

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<jobRequest xmlns="http://www.xwiki.org">
+  <id>install-extensions</id>
+  <jobType>install</jobType>
+  <request>
+    <namespace>wiki:xwiki</namespace>
+    <interactive>false</interactive>
+    <verbose>true</verbose>
+    <installDependencies>true</installDependencies>
+    <extensions>
+      {% if XWIKI_LDAP_ENABLED | bool %}
+      <extension>
+        <id>{{ XWIKI_EXT_LDAP_ID }}</id>
+        <version>{{ XWIKI_EXT_LDAP_VERSION }}</version>
+        <namespace>wiki:xwiki</namespace>
+      </extension>
+      {% endif %}
+      {% if XWIKI_OIDC_ENABLED | bool %}
+      <extension>
+        <id>{{ XWIKI_EXT_OIDC_ID }}</id>
+        <version>{{ XWIKI_EXT_OIDC_VERSION }}</version>
+        <namespace>wiki:xwiki</namespace>
+      </extension>
+      {% endif %}
+    </extensions>
+  </request>
+</jobRequest>

roles/web-app-xwiki/templates/xwiki.cfg.j2

@@ -0,0 +1,20 @@
+# ---- Authentication selection
+{% if XWIKI_OIDC_ENABLED | bool %}
+xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
+{% elif XWIKI_LDAP_ENABLED | bool %}
+xwiki.authentication.authclass=org.xwiki.contrib.ldap.XWikiLDAPAuthServiceImpl
+xwiki.authentication.ldap=1
+xwiki.authentication.ldap.trylocal={{ (XWIKI_LDAP_TRYLOCAL | bool) | ternary(1, 0) }}
+xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup={{ XWIKI_LDAP_ADMIN_GROUP_DN }}
+xwiki.authentication.ldap.mode_group_sync=always
+xwiki.authentication.ldap.server={{ XWIKI_LDAP_SERVER }}
+xwiki.authentication.ldap.port={{ XWIKI_LDAP_PORT }}
+xwiki.authentication.ldap.base_DN={{ XWIKI_LDAP_BASE_DN }}
+xwiki.authentication.ldap.bind_DN={{ XWIKI_LDAP_BIND_DN }}
+xwiki.authentication.ldap.bind_pass={{ XWIKI_LDAP_BIND_PASS }}
+xwiki.authentication.ldap.fields_mapping={{ XWIKI_LDAP_FIELDS_MAPPING }}
+xwiki.authentication.ldap.update_user=1
+{% else %}
+# Fallback: Native XWiki Auth
+# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
+{% endif %}

roles/web-app-xwiki/templates/xwiki.properties.j2

@@ -0,0 +1,16 @@
+############################################
+# OIDC
+{% if XWIKI_OIDC_ENABLED | bool %}
+oidc.provider={{ XWIKI_OIDC_PROVIDER }}
+oidc.endpoint.authorization={{ XWIKI_OIDC_AUTHORIZATION }}
+oidc.endpoint.token={{ XWIKI_OIDC_TOKEN }}
+oidc.endpoint.userinfo={{ XWIKI_OIDC_USERINFO }}
+oidc.endpoint.logout={{ XWIKI_OIDC_LOGOUT }}
+oidc.clientid={{ XWIKI_OIDC_CLIENT_ID }}
+oidc.secret={{ XWIKI_OIDC_CLIENT_SECRET }}
+oidc.scope={{ XWIKI_OIDC_SCOPES }}
+oidc.enableUser=true
+oidc.userinfoclaims={{ XWIKI_OIDC_GROUPS_CLAIM }}
+oidc.groups.claim={{ XWIKI_OIDC_GROUPS_CLAIM }}
+oidc.groups.mapping=XWiki.XWikiAdminGroup={{ XWIKI_OIDC_ADMIN_PROVIDER_GROUP }}
+{% endif %}