I'm surprised that your ldif does not fully look like what http://platform.xwiki.org/xwiki/bin/view/AdminGuide/LDAPAuthenticationUseCases#HAppleOpenDirectoryServer suggests.

On Mon, Feb 10, 2014 at 11:59 AM, Thomas Mortagne <[email protected]> wrote:
> Something else:
>
> "LDAP UID Attribute name" is not related to the member field in a
> group, it's the name of the field in a user that contains the uid.
>
> On Mon, Feb 10, 2014 at 11:56 AM, Thomas Mortagne
> <[email protected]> wrote:
>> Just added built-in support for these group class and member field id
>> (http://jira.xwiki.org/browse/XWIKI-10032). Will be part of 5.4.1 too.
>>
>> On Mon, Feb 10, 2014 at 11:49 AM, Thomas Mortagne
>> <[email protected]> wrote:
>>> On Mon, Feb 10, 2014 at 11:44 AM, Eric Kimn <[email protected]> wrote:
>>>> Hi Thomas,
>>>>
>>>> Ah, thanks for the responses.
>>>>
>>>> However, I tried the full group dn as you suggested and unfortunately it
>>>> still only finds the first memberUid in the list and so it doesn't think I
>>>> am a member of the group.
>>>
>>> What do you mean exactly by "first memberUid in the list"? Because in
>>> your first mail it was returning the group itself and not at all the
>>> member of the group. If you did not configure groups class and
>>> member field then it's normal since it thinks your group is a user.
>>>
>>>>
>>>> Best,
>>>>
>>>>
>>>> Eric Kyungsuk Kimn
>>>> 김경석
>>>> Senior Back End Developer
>>>> [email protected]
>>>>
>>>> On Feb 10, 2014, at 2:39 AM, Thomas Mortagne <[email protected]>
>>>> wrote:
>>>>
>>>>> On Mon, Feb 10, 2014 at 11:38 AM, Thomas Mortagne
>>>>> <[email protected]> wrote:
>>>>>> On Mon, Feb 10, 2014 at 11:26 AM, Eric Kimn <[email protected]> wrote:
>>>>>>> Hi Thomas,
>>>>>>>
>>>>>>> Thanks for the replies~! Really appreciate it.
>>>>>>>
>>>>>>> To answer your questions:
>>>>>>>
>>>>>>> For the group DN, I was watching the logs, and while yes, I could have
>>>>>>> put the full dn in there, it does a check to see if it can find it with
>>>>>>> the group dn alone and if it can't find it, it then tries to find it
>>>>>>> with the base dn and then the group dn as a filter. So that's why I
>>>>>>> just put the cn=mygroup in the group name.
>>>>>>
>>>>>> Yes it's supposed to work (and now it does) but using the full group
>>>>>> DN is simply better for performance since it means fewer LDAP requests.
>>>>>>
>>>>>>>
>>>>>>> My group ldif looks like:
>>>>>>> This is the query I run, it's the same query xwiki is executing when
>>>>>>> trying to see if I'm a member of the group:
>>>>>>> ldapsearch -x -h od.mycompany.com -s sub -b dc=mycompany,dc=com
>>>>>>> cn=mygroup attributes objectClass uid memberUid
>>>>>>>
>>>>>>> # extended LDIF
>>>>>>> #
>>>>>>> # LDAPv3
>>>>>>> # base <dc=mycompany,dc=com> with scope subtree
>>>>>>> # filter: cn=mygroup
>>>>>>> # requesting: attributes objectClass uid memberUid
>>>>>>> #
>>>>>>>
>>>>>>> # mygroup, groups, mycompany.com
>>>>>>> dn: cn=mygroup,cn=groups,dc=mycompany,dc=com
>>>>>>> objectClass: posixGroup
>>>>>>> objectClass: mycompany-group
>>>>>>> objectClass: extensibleObject
>>>>>>> objectClass: top
>>>>>>> memberUid: member1
>>>>>>> memberUid: member2
>>>>>>> memberUid: member3
>>>>>>> memberUid: member4
>>>>>>> etc….
>>>>>>>
>>>>>>>
>>>>>>> Finally, I read the jira bug and I'm not totally sure (from the
>>>>>>> description) if that's the issue I'm seeing. You said that when an LDAP
>>>>>>> subgroup is listed as UID it's not expanded. But the issue I'm running
>>>>>>> into isn't related to subgroups, it's that when there are multiple
>>>>>>> memberUid's in the group, that logic isn't adding all of them into the
>>>>>>> member map object, thus it incorrectly determines that a person isn't
>>>>>>> in a group, if they're not the first in the list. Please correct me if
>>>>>>> I'm seeing it wrong.
>>>>>>
>>>>>> Actually it is :)
>>>>>>
>>>>>> As I told you in my previous mail "cn=mygroup" does not mean your
>>>>>> group, your group is a subgroup of what we call a group in XWiki which
>>>>>> means either a group DN, a filter or an organization usint. In your case
>>>>>
>>>>> s/usint/unit/
>>>>>
>>>>>> the group "cn=mygroup" has a member called
>>>>>> "cn=mygroup,cn=groups,dc=mycompany,dc=com" which was not expanded.
>>>>>>
>>>>>>>
>>>>>>> And doubly finally, if I'm wrong and the issue is fixed (which would be
>>>>>>> awesome), when can I get the fix? It's really holding up using xwiki
>>>>>>> on a broader scale because I can't get it integrated with our LDAP.
>>>>>>
>>>>>> Again you should be fine with full group DN, did you test with it?
>>>>>> 4.5.1 release is planned tomorrow.
>>>>>>
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>> Eric Kyungsuk Kimn
>>>>>>>
>>>>>>> On Feb 10, 2014, at 2:04 AM, Thomas Mortagne
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>> Created and fixed http://jira.xwiki.org/browse/XWIKI-10031. Thanks for
>>>>>>>> the report!
>>>>>>>>
>>>>>>>> On Mon, Feb 10, 2014 at 10:18 AM, Thomas Mortagne
>>>>>>>> <[email protected]> wrote:
>>>>>>>>> Hmm actually could be something else.
>>>>>>>>>
>>>>>>>>> What does your group ldif look like? Looks like there is a bug with
>>>>>>>>> subgroups containing uids instead of complete DNs.
>>>>>>>>>
>>>>>>>>> On Mon, Feb 10, 2014 at 9:47 AM, Thomas Mortagne
>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>> From what I understand from your use case you should not put
>>>>>>>>>> "cn=mygroup" but your complete group DN
>>>>>>>>>> ("cn=mygroup,cn=groups,dc=mycompany,dc=com=member1"). "cn=mygroup"
>>>>>>>>>> does not really mean that group but "everything that matches
>>>>>>>>>> "cn=mygroup"" (which is why it lists you the group as found member by
>>>>>>>>>> the way). There is still a bug in the fact that it seems to not expand
>>>>>>>>>> the found groups to find submembers when using partial DN but if you
>>>>>>>>>> use complete DN in the configuration you should be fine.
>>>>>>>>>>
>>>>>>>>>> I will try to reproduce and debug the partial DN use case. Thanks for
>>>>>>>>>> the report.
>>>>>>>>>>
>>>>>>>>>> On Sun, Feb 9, 2014 at 3:16 AM, Eric Kimn <[email protected]> wrote:
>>>>>>>>>>> Hey all,
>>>>>>>>>>>
>>>>>>>>>>> I managed to view the code for this class by a google search. But
>>>>>>>>>>> I'm noticing a problem with the getGroupMembers logic and I'm
>>>>>>>>>>> experiencing it myself in my 5.4 install of xwiki.
>>>>>>>>>>> Some background: I am using Apple's open directory as my ldap
>>>>>>>>>>> server.
>>>>>>>>>>> My ldap config is as such (using the LDAP application):
>>>>>>>>>>>
>>>>>>>>>>> Restrict to group:
>>>>>>>>>>> cn=mygroup
>>>>>>>>>>>
>>>>>>>>>>> LDAP base dn:
>>>>>>>>>>> dc=mycompany,dc=com
>>>>>>>>>>>
>>>>>>>>>>> LDAP UID Attribute name
>>>>>>>>>>> memberUid
>>>>>>>>>>>
>>>>>>>>>>> The symptom: When XWiki tries to locate the members of a group, it
>>>>>>>>>>> finds only one, typically the alphabetically first one, and not all.
>>>>>>>>>>>
>>>>>>>>>>> The source of the problem:
>>>>>>>>>>> The entry point is here:
>>>>>>>>>>> public Map<String, String> getGroupMembers(String groupDN,
>>>>>>>>>>> XWikiContext context)
>>>>>>>>>>>
>>>>>>>>>>> which calls with a new map of <String, String> for members, this
>>>>>>>>>>> line ->
>>>>>>>>>>> boolean isGroup = getGroupMembers(groupDN, members, new
>>>>>>>>>>> ArrayList<String>(), context);
>>>>>>>>>>>
>>>>>>>>>>> That method has this signature ->
>>>>>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String>
>>>>>>>>>>> memberMap, List<String> subgroups, XWikiContext context)
>>>>>>>>>>>
>>>>>>>>>>> which falls to
>>>>>>>>>>> if (searchAttributeList != null) {
>>>>>>>>>>>     isGroup = getGroupMembers(fixedDN, memberMap, subgroups,
>>>>>>>>>>>         searchAttributeList, context);
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> But of course there are search attributes, so it calls this ->
>>>>>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String>
>>>>>>>>>>> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute>
>>>>>>>>>>> searchAttributeList, XWikiContext context)
>>>>>>>>>>>
>>>>>>>>>>> And this is where the problem is:
>>>>>>>>>>> It for-loops through the search attributes and executes a query; if
>>>>>>>>>>> it gets a response that isn't a group and the member map doesn't
>>>>>>>>>>> already contain that key, it will add it:
>>>>>>>>>>> if (!memberMap.containsKey(groupDN)) {
>>>>>>>>>>>     memberMap.put(groupDN.toLowerCase(), id == null ? ""
>>>>>>>>>>>         : id.toLowerCase());
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> But then it RETURNS isGroup, which is now true,
>>>>>>>>>>> And that flows back up the chain, except it never iterates through
>>>>>>>>>>> the rest of the entries.
>>>>>>>>>>>
>>>>>>>>>>> My logs show:
>>>>>>>>>>> 2014-02-08 17:45:22,858
>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>> c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a
>>>>>>>>>>> DN, lets try filter or id
>>>>>>>>>>> 2014-02-08 17:45:22,858
>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>> c.x.x.p.l.XWikiLDAPConnection - LDAP search:
>>>>>>>>>>> baseDN=[dc=mycompany,dc=com] query=[cn=mygroup] attr=[[objectClass,
>>>>>>>>>>> uid, memberuid, memberUid]] ldapScope=[2]
>>>>>>>>>>> 2014-02-08 17:45:22,864
>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>> c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members
>>>>>>>>>>> [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
>>>>>>>>>>> 2014-02-08 17:45:22,864
>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>> c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null]
>>>>>>>>>>> 2014-02-08 17:45:22,865
>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>> u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
>>>>>>>>>>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user
>>>>>>>>>>> member2 does not belong to LDAP group cn=mygroup.
>>>>>>>>>>>
>>>>>>>>>>> Am I reading the logs or code wrong? If I am, then what am I doing
>>>>>>>>>>> wrong with my ldap configuration? I'm clearly part of mygroup but
>>>>>>>>>>> it consistently fails to find me.
>>>>>>>>>>>
>>>>>>>>>>> Best,
>>>>>>>>>>>
>>>>>>>>>>> Eric Kyungsuk Kimn
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> devs mailing list
>>>>>>>>>>> [email protected]
>>>>>>>>>>> http://lists.xwiki.org/mailman/listinfo/devs
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Thomas Mortagne

--
Thomas Mortagne
_______________________________________________
devs mailing list
[email protected]
http://lists.xwiki.org/mailman/listinfo/devs
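The thread's diagnosis is that "cn=mygroup" is run as a filter under the base DN, that the posixGroup entry it returns is then treated as a user because no group object class or member attribute was configured, and that its "uid" becomes the first memberUid value (the `cn=mygroup,...=member1` entry in the log). The following added example, which is not XWiki's code and not code from anyone in this thread, models that resolution in Python against an in-memory directory constructed from the LDIF quoted above (the `cn=parent` group and the `member5` user are invented to show DN-valued nesting). It also goes beyond the thread by handling groups whose members are full DNs and guarding against group cycles; `DIRECTORY`, `search`, `resolve_group_entries`, `get_group_members` and `is_member` are all names assumed for the example.

```python
# Added example (not XWiki code): how a "Restrict to group" value resolves to
# a member map, and why the thread's configuration sees a single member.
BASE_DN = "dc=mycompany,dc=com"

# Constructed directory: DN -> attributes. Attribute names are lower-cased and
# every attribute holds a list of values, as it would in LDIF.
DIRECTORY = {
    "cn=mygroup,cn=groups,dc=mycompany,dc=com": {
        "cn": ["mygroup"],
        "objectclass": ["posixGroup", "extensibleObject", "top"],
        "memberuid": ["member1", "member2", "member3", "member4"],
    },
    # Hypothetical parent group nesting mygroup by DN (groupOfNames style).
    "cn=parent,cn=groups,dc=mycompany,dc=com": {
        "cn": ["parent"],
        "objectclass": ["groupOfNames", "top"],
        "member": ["cn=mygroup,cn=groups,dc=mycompany,dc=com",
                   "uid=member5,cn=users,dc=mycompany,dc=com"],
    },
    "uid=member5,cn=users,dc=mycompany,dc=com": {
        "uid": ["member5"], "objectclass": ["posixAccount", "top"],
    },
}


def search(base_dn, filter_expr, directory=DIRECTORY):
    """Subtree search; only a simple 'attr=value' equality filter is supported."""
    attr, _, value = filter_expr.partition("=")
    attr, value = attr.strip().lower(), value.strip().lower()
    return [(dn, attrs) for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower())
            and any(v.lower() == value for v in attrs.get(attr, []))]


def resolve_group_entries(setting, base_dn, directory=DIRECTORY):
    """An existing DN is read directly; anything else is run as a filter
    under base_dn, which is the fallback the thread's log shows."""
    if setting in directory:
        return [(setting, directory[setting])]
    return search(base_dn, setting, directory)


def get_group_members(setting, base_dn, group_classes, member_attrs, uid_attr,
                      directory=DIRECTORY, members=None, seen=None):
    """Return {member key: login id}. The key is the member DN when one is
    known, otherwise the uid itself (posixGroup members are uids, not DNs).
    group_classes: objectClass values that mark an entry as a group
    member_attrs:  attributes listing a group's members (member, memberUid)
    uid_attr:      attribute holding the login id on a *user* entry"""
    members = {} if members is None else members
    seen = set() if seen is None else seen
    classes = {c.lower() for c in group_classes}
    for dn, attrs in resolve_group_entries(setting, base_dn, directory):
        if dn.lower() in seen:          # guards against group cycles
            continue
        seen.add(dn.lower())
        entry_classes = {c.lower() for c in attrs.get("objectclass", [])}
        if entry_classes & classes:
            # A group: walk every value of every member attribute, never
            # returning after the first one.
            for attr in member_attrs:
                for value in attrs.get(attr.lower(), []):
                    if value in directory:   # member given as a DN: expand it
                        get_group_members(value, base_dn, group_classes, member_attrs,
                                          uid_attr, directory, members, seen)
                    else:                    # member given as a plain uid
                        members.setdefault(value.lower(), value.lower())
        else:
            # Not recognised as a group, so recorded as a user whose id is the
            # first uid_attr value; with uid_attr=memberUid this is how the
            # group DN ends up mapped to its first memberUid.
            ids = attrs.get(uid_attr.lower(), [])
            members.setdefault(dn.lower(), ids[0].lower() if ids else "")
    return members


def is_member(uid, members):
    """Case-insensitive check of a login id against the resolved member map."""
    return uid.lower() in members.values()


def members_with_thread_config():
    """The configuration quoted in the thread: no group classes, uid attribute
    set to memberUid, group given as the partial value cn=mygroup."""
    return get_group_members("cn=mygroup", BASE_DN, group_classes=(),
                             member_attrs=("memberUid",), uid_attr="memberUid")


def members_with_group_config():
    """Group classes and member attributes configured, full group DN given."""
    return get_group_members("cn=mygroup,cn=groups,dc=mycompany,dc=com", BASE_DN,
                             group_classes=("posixGroup", "groupOfNames"),
                             member_attrs=("member", "memberUid"), uid_attr="uid")


if __name__ == "__main__":
    print("thread config:", members_with_thread_config())   # one entry, id member1
    print("group config :", members_with_group_config())    # member1..member4
```

With the thread's settings the map holds a single entry keyed by the group DN with id `member1`, so `is_member("member2", ...)` is false, which is the log's "member2 does not belong to LDAP group cn=mygroup" outcome. Once the group object class and member attribute are configured, both the full DN and the `cn=mygroup` filter yield all four uids, and the nested `cn=parent` group expands its DN-valued members as well.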

