Hey all,

I managed to view the code for this class through a Google search, but I’m 
noticing a problem with the getGroupMembers logic, and I’m experiencing it 
myself in my 5.4 install of XWiki.
Some background: I am using Apple’s Open Directory as my LDAP server.
My LDAP config is as follows (using the LDAP application):

Restrict to group:
cn=mygroup

LDAP base dn:
dc=mycompany,dc=com

LDAP UID Attribute name
memberUid


The symptom: When XWiki tries to locate the members of a group, it finds only 
one, typically the alphabetically first one, and not all.

The source of the problem:
The entry point is here:
public Map<String, String> getGroupMembers(String groupDN, XWikiContext context)

which calls with a new map of <String, String> for members, this line ->
boolean isGroup = getGroupMembers(groupDN, members, new ArrayList<String>(), context);

That method has this signature ->
public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, XWikiContext context)

which falls to 
        if (searchAttributeList != null) {
            isGroup = getGroupMembers(fixedDN, memberMap, subgroups, searchAttributeList, context);
        }

But of course there are search attributes, so it calls this->
public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute> searchAttributeList, XWikiContext context)

And this is where the problem is:
It for-loops through the search attributes and executes a query. If it gets a 
response that isn’t a group and the member map doesn’t already contain that 
key, it will add it:
            if (!memberMap.containsKey(groupDN)) {
                memberMap.put(groupDN.toLowerCase(), id == null ? "" : id.toLowerCase());
            }

But then it RETURNS isGroup, which is now true, and that flows back up the 
chain, except it never iterates through the rest of the entries.

My logs show:
2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils       - Looks like [cn=mygroup] is not a DN, lets try filter or id
2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection  - LDAP search: baseDN=[dc=mycompany,dc=com] query=[cn=mygroup] attr=[[objectClass, uid, memberuid, memberUid]] ldapScope=[2]
2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils       - Found group [cn=mygroup] members [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils       - Found user dn in user group [null]
2014-02-08 17:45:22,865 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user member2 does not belong to LDAP group cn=mygroup.


Am I reading the logs or code wrong? If I am, then what am I doing wrong with 
my LDAP configuration? I’m clearly part of mygroup but it consistently fails 
to find me.

Best,


Eric Kyungsuk Kimn
김경석
Senior Back End Developer
[email protected]
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
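
Added example, not part of the original post and not XWiki's code: a simplified Java model of the symptom in the log above, where the member map ends up with one entry keyed by the group DN, so a "restrict to group" check rejects every user except the first listed. It assumes the group stores its members as several values of one memberUid attribute; the class, method names and sample values are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model of the behaviour reported in the post; not XWiki's XWikiLDAPUtils code.
public class GroupMembersDemo {
    // Constructed sample entry: one group whose memberUid attribute holds several values.
    static final String GROUP_DN = "cn=mygroup,cn=groups,dc=mycompany,dc=com";
    static final List<String> MEMBER_UID_VALUES = List.of("member1", "member2", "member3");

    // Reported behaviour: the entry is stored once, keyed by its own DN, with a single id,
    // and the method returns before any further value is looked at.
    static Map<String, String> firstValueOnly(String entryDN, List<String> uidValues) {
        Map<String, String> memberMap = new LinkedHashMap<>();
        String id = uidValues.isEmpty() ? null : uidValues.get(0);
        memberMap.put(entryDN.toLowerCase(), id == null ? "" : id.toLowerCase());
        return memberMap;
    }

    // Collecting variant (hypothetical): one map entry per attribute value, keyed by the
    // value itself because memberUid carries bare user ids rather than DNs.
    static Map<String, String> allValues(List<String> uidValues) {
        Map<String, String> memberMap = new LinkedHashMap<>();
        for (String uid : uidValues) {
            memberMap.putIfAbsent(uid.toLowerCase(), uid.toLowerCase());
        }
        return memberMap;
    }

    // Membership test standing in for the "restrict to group" decision in this model.
    static boolean isMember(Map<String, String> memberMap, String uid) {
        return memberMap.containsValue(uid.toLowerCase());
    }

    public static void main(String[] args) {
        Map<String, String> partial = firstValueOnly(GROUP_DN, MEMBER_UID_VALUES);
        Map<String, String> full = allValues(MEMBER_UID_VALUES);
        System.out.println("first value only: " + partial);
        System.out.println("  member1 allowed: " + isMember(partial, "member1"));
        System.out.println("  member2 allowed: " + isMember(partial, "member2"));
        System.out.println("all values:       " + full);
        System.out.println("  member2 allowed: " + isMember(full, "member2"));
    }
}
```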
