Hmm, actually it could be something else. What does your group LDIF look like? Looks like there is a bug with subgroups containing uids instead of complete DNs.

On Mon, Feb 10, 2014 at 9:47 AM, Thomas Mortagne <[email protected]> wrote:
> From what I understand from your use case you should not put
> "cn=mygroup" but your complete group DN
> ("cn=mygroup,cn=groups,dc=mycompany,dc=com=member1"). "cn=mygroup"
> does not really mean that group but "everything that matches
> "cn=mygroup"" (which is why it lists you the group as found member by
> the way). There is still a bug in the fact that it seems to not expand
> the found groups to find submembers when using partial DN but if you
> use complete DN in the configuration you should be fine.
>
> I will try to reproduce and debug the partial DN use case. Thanks for
> the report.
>
> On Sun, Feb 9, 2014 at 3:16 AM, Eric Kimn <[email protected]> wrote:
>> Hey all,
>>
>> I managed to view the code for this class by a google search. But I’m
>> noticing a problem with the getGroupMembers logic and I’m experiencing it
>> myself in my 5.4 install of xwiki.
>> Some background: I am using Apple’s open directory as my ldap server.
>> My ldap config is as such (using the LDAP application):
>>
>> Restrict to group:
>> cn=mygroup
>>
>> LDAP base dn:
>> dc=mycompany,dc=com
>>
>> LDAP UID Attribute name
>> memberUid
>>
>>
>> The symptom: When XWiki tries to locate the members of a group, it finds
>> only one, typically the alphabetically first one, and not all.
>>
>> The source of the problem:
>> The entry point is here:
>> public Map<String, String> getGroupMembers(String groupDN, XWikiContext
>> context)
>>
>> which calls with a new map of <String, String> for members, this line ->
>> boolean isGroup = getGroupMembers(groupDN, members, new ArrayList<String>(),
>> context);
>>
>> That method has this signature ->
>> public boolean getGroupMembers(String groupDN, Map<String, String>
>> memberMap, List<String> subgroups, XWikiContext context)
>>
>> which falls to
>> if (searchAttributeList != null) {
>> isGroup = getGroupMembers(fixedDN, memberMap, subgroups,
>> searchAttributeList, context);
>> }
>>
>> But of course there are search attributes, so it calls this->
>> public boolean getGroupMembers(String groupDN, Map<String, String>
>> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute>
>> searchAttributeList, XWikiContext context)
>>
>> And this is where the problem is:
>> It for loops through the search attributes and executes a query, if it gets
>> a response that isn’t a group and the member map doesn’t already contain
>> that key, it will add it:
>> if (!memberMap.containsKey(groupDN)) {
>> memberMap.put(groupDN.toLowerCase(), id == null ? "" :
>> id.toLowerCase());
>> }
>>
>> But then it RETURNS isGroup, which is now true,
>> And that flows back up the chain, except it never iterates through the rest
>> of the entries.
>>
>> My logs show:
>> 2014-02-08 17:45:22,858
>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>> c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a DN, lets
>> try filter or id
>> 2014-02-08 17:45:22,858
>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>> c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=mycompany,dc=com]
>> query=[cn=mygroup] attr=[[objectClass, uid, memberuid, memberUid]]
>> ldapScope=[2]
>> 2014-02-08 17:45:22,864
>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>> c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members
>> [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
>> 2014-02-08 17:45:22,864
>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>> c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null]
>> 2014-02-08 17:45:22,865
>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>> u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user member2 does
>> not belong to LDAP group cn=mygroup.
>>
>>
>> Am I reading the logs or code wrong? If I am, then what am I doing wrong
>> with my ldap configuration? I’m clearly part of mygroup but it consistently
>> fails to find me.
>>
>> Best,
>>
>>
>> Eric Kyungsuk Kimn
>> 김경석
>> Senior Back End Developer
>> [email protected]
>> _______________________________________________
>> devs mailing list
>> [email protected]
>> http://lists.xwiki.org/mailman/listinfo/devs
>
>
>
> --
> Thomas Mortagne

--
Thomas Mortagne
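
The following is an added example, not part of the original thread and not XWiki's XWikiLDAPUtils code: one way to expand a group restriction when group entries carry uid-valued `memberUid` members alongside DN-valued subgroup references, keeping every value of the multi-valued attribute and guarding against group cycles. The `member` attribute, the in-memory `DIRECTORY`, and the class and method names are assumptions for illustration, and the sample entries are constructed.

```java
import java.util.*;

public class GroupMembershipDemo {
    // Constructed sample directory (not real data): entry DN -> attribute -> values.
    // Assumption: "member" holds DNs of nested groups, "memberUid" holds bare uids.
    static final Map<String, Map<String, List<String>>> DIRECTORY = Map.of(
        "cn=mygroup,cn=groups,dc=mycompany,dc=com",
            Map.of("memberUid", List.of("member1", "member2"),
                   "member", List.of("cn=subgroup,cn=groups,dc=mycompany,dc=com")),
        "cn=subgroup,cn=groups,dc=mycompany,dc=com",
            Map.of("memberUid", List.of("Member3"),
                   "member", List.of("cn=mygroup,cn=groups,dc=mycompany,dc=com")));

    // Hypothetical helper: collects every uid reachable from groupDn.
    static Set<String> resolveMemberUids(String groupDn, Set<String> visited) {
        Set<String> uids = new TreeSet<>();
        String key = groupDn.toLowerCase(Locale.ROOT);
        if (!visited.add(key)) {
            return uids; // already expanded: guards against group cycles
        }
        Map<String, List<String>> entry = DIRECTORY.get(key);
        if (entry == null) {
            return uids; // unknown DN contributes no members
        }
        // uid-valued attribute: every value is a member, so keep all of them
        for (String uid : entry.getOrDefault("memberUid", List.of())) {
            uids.add(uid.toLowerCase(Locale.ROOT));
        }
        // DN-valued attribute: each value is a nested group to expand
        for (String dn : entry.getOrDefault("member", List.of())) {
            uids.addAll(resolveMemberUids(dn, visited));
        }
        return uids;
    }

    // Authorization check: compare normalized uids, never map size or first hit.
    static boolean isMember(String uid, String groupDn) {
        return resolveMemberUids(groupDn, new HashSet<>())
            .contains(uid.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String group = "cn=mygroup,cn=groups,dc=mycompany,dc=com";
        System.out.println(resolveMemberUids(group, new HashSet<>()));
        System.out.println(isMember("member2", group));
        System.out.println(isMember("outsider", group));
    }
}
```

The members are keyed by their own uid rather than by the DN of the entry that listed them, so several members found in the same group entry cannot collapse into a single map entry.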

