Thomas,

Yes, thank you but I understood what LDAP UID attribute name is referring to. In my xwiki.cfg, I set it to uid, just like the page you sent had suggested. I also set the member fields to be as that page, along with the group_classes. So, actually, my setup isn’t too different from what that page is suggesting.
I’ve removed posixGroup from the group_classes list as I don’t think that’s the solution I’m looking for. mycompany-group seems like that should have worked.

Best,

Eric Kyungsuk Kimn
김경석
Senior Back End Developer
[email protected]

On Feb 10, 2014, at 3:00 AM, Thomas Mortagne <[email protected]> wrote:

> I'm surprised that your ldif does not fully look like what
> http://platform.xwiki.org/xwiki/bin/view/AdminGuide/LDAPAuthenticationUseCases;jsessionid=620528B27745C914E631257DCF4DDD3A#HAppleOpenDirectoryServer
> suggest.
>
> On Mon, Feb 10, 2014 at 11:59 AM, Thomas Mortagne
> <[email protected]> wrote:
>> Something else:
>>
>> "LDAP UID Attribute name" is not related to the member field in a
>> group, it's the name of the field in a user that contains the uid.
>>
>> On Mon, Feb 10, 2014 at 11:56 AM, Thomas Mortagne
>> <[email protected]> wrote:
>>> Just added built in support for these group class and member field id
>>> (http://jira.xwiki.org/browse/XWIKI-10032). Will be part of 5.4.1 too.
>>>
>>> On Mon, Feb 10, 2014 at 11:49 AM, Thomas Mortagne
>>> <[email protected]> wrote:
>>>> On Mon, Feb 10, 2014 at 11:44 AM, Eric Kimn <[email protected]> wrote:
>>>>> Hi Thomas,
>>>>>
>>>>> Ah, thanks for the responses.
>>>>>
>>>>> However, I tried the full group dn as you suggested and unfortunately it
>>>>> still only finds the first memberUid in the list and so it doesn’t think
>>>>> I am a member of the group.
>>>>
>>>> What do you mean exactly by "first memberUid in the list" ? Because in
>>>> your first mail it was returning the group itself and not at all
>>>> the member of the group. If you did not configured groups class and
>>>> member field then it's normal since it think your group is a user.
>>>>
>>>>>
>>>>> Best,
>>>>>
>>>>> Eric Kyungsuk Kimn
>>>>> 김경석
>>>>> Senior Back End Developer
>>>>> [email protected]
>>>>>
>>>>> On Feb 10, 2014, at 2:39 AM, Thomas Mortagne <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> On Mon, Feb 10, 2014 at 11:38 AM, Thomas Mortagne
>>>>>> <[email protected]> wrote:
>>>>>>> On Mon, Feb 10, 2014 at 11:26 AM, Eric Kimn <[email protected]> wrote:
>>>>>>>> Hi Thomas,
>>>>>>>>
>>>>>>>> Thanks for the replies~! Really appreciate it.
>>>>>>>>
>>>>>>>> To answer your questions:
>>>>>>>>
>>>>>>>> For the group DN, I was watching the logs, and while yes, I could have
>>>>>>>> put the full dn in there, it does a check to see if it can find it
>>>>>>>> with the group dn alone and if it can’t find it, it then tries to find
>>>>>>>> it with the base dn and then the group dn as a filter. So that’s
>>>>>>>> why I just put the cn=mygroup in the group name.
>>>>>>>
>>>>>>> Yes it's supposed to work (and now it does) but using the full group
>>>>>>> DN is simply better for performance since it less LDAP requests.
>>>>>>>
>>>>>>>>
>>>>>>>> My group ldif looks like:
>>>>>>>> This is the query i run, it’s the same query xwiki is executing when
>>>>>>>> trying to if I’m a member of the group:
>>>>>>>> ldapsearch -x -h od.mycompany.com -s sub -b dc=mycompany,dc=com
>>>>>>>> cn=mygroup attributes objectClass uid memberUid
>>>>>>>>
>>>>>>>> # extended LDIF
>>>>>>>> #
>>>>>>>> # LDAPv3
>>>>>>>> # base <dc=mycompany,dc=com> with scope subtree
>>>>>>>> # filter: cn=mygroup
>>>>>>>> # requesting: attributes objectClass uid memberUid
>>>>>>>> #
>>>>>>>>
>>>>>>>> # mygroup, groups, mycompany.com
>>>>>>>> dn: cn=mygroup,cn=groups,dc=mycompany,dc=com
>>>>>>>> objectClass: posixGroup
>>>>>>>> objectClass: mycompany-group
>>>>>>>> objectClass: extensibleObject
>>>>>>>> objectClass: top
>>>>>>>> memberUid: member1
>>>>>>>> memberUid: member2
>>>>>>>> memberUid: member3
>>>>>>>> memberUid: member4
>>>>>>>> etc….
>>>>>>>>
>>>>>>>> Finally, I read the jira bug and I’m not totally sure (from the
>>>>>>>> description) if that’s the issue I’m seeing. You said that an LDAP
>>>>>>>> subgroup is listed as UID it’s not expanded. But the issue I’m running
>>>>>>>> into isn’t related to subgroups, it’s that when there are multiple
>>>>>>>> memberUid’s in the group, that logic isn’t adding all of them into the
>>>>>>>> member map object, thus it incorrectly determines that a person isn’t
>>>>>>>> in a group, if they’re not the first in the list. Please correct me
>>>>>>>> if I’m seeing it wrong.
>>>>>>>
>>>>>>> Actually it is :)
>>>>>>>
>>>>>>> As I told you in my previous mail "cn=mygroup" does not means your
>>>>>>> group, your group is a subgroup of what we call a group in XWiki which
>>>>>>> mean either a group DN, a filter or an organization usint. In your case
>>>>>>
>>>>>> s/usint/unit/
>>>>>>
>>>>>>> the group "cn=mygroup" has a member called
>>>>>>> "cn=mygroup,cn=groups,dc=mycompany,dc=com" which was not expanded.
>>>>>>>
>>>>>>>>
>>>>>>>> And doubly finally, if I’m wrong and the issue is fixed (which would
>>>>>>>> be awesome), when can I get the fix? It’s really holding up using xwiki
>>>>>>>> on a broader scale because I can’t get it integrated with our LDAP.
>>>>>>>
>>>>>>> Again you should be fine with full group DN, did you tested with it ?
>>>>>>> 4.5.1 release is planned tomorrow.
>>>>>>>
>>>>>>>>
>>>>>>>> Best,
>>>>>>>>
>>>>>>>> Eric Kyungsuk Kimn
>>>>>>>> 김경석
>>>>>>>> Senior Back End Developer
>>>>>>>> [email protected]
>>>>>>>>
>>>>>>>> On Feb 10, 2014, at 2:04 AM, Thomas Mortagne
>>>>>>>> <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Created and fixed http://jira.xwiki.org/browse/XWIKI-10031. Thanks for
>>>>>>>>> the report !
>>>>>>>>>
>>>>>>>>> On Mon, Feb 10, 2014 at 10:18 AM, Thomas Mortagne
>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>> Hmm actually could be something else.
>>>>>>>>>>
>>>>>>>>>> How does your group ldif looks like ? Looks like there is a bug with
>>>>>>>>>> subgroups containing uids instead of complete DNs.
>>>>>>>>>>
>>>>>>>>>> On Mon, Feb 10, 2014 at 9:47 AM, Thomas Mortagne
>>>>>>>>>> <[email protected]> wrote:
>>>>>>>>>>> From what I understand from your use case you should not put
>>>>>>>>>>> "cn=mygroup" but your complete group DN
>>>>>>>>>>> ("cn=mygroup,cn=groups,dc=mycompany,dc=com=member1"). "cn=mygroup"
>>>>>>>>>>> does not really mean that group but "everything that matches
>>>>>>>>>>> "cn=mygroup"" (which is why it list you the group as found member by
>>>>>>>>>>> the way). There is still a bug in the fact that it seems to not
>>>>>>>>>>> expand the found groups to find submembers when using partial DN but
>>>>>>>>>>> if you use complete DN in the configuration you should be fine.
>>>>>>>>>>>
>>>>>>>>>>> I will try to reproduce and debug the partial DN use case. Thanks
>>>>>>>>>>> for the report.
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Feb 9, 2014 at 3:16 AM, Eric Kimn <[email protected]> wrote:
>>>>>>>>>>>> Hey all,
>>>>>>>>>>>>
>>>>>>>>>>>> I managed to view the code for this class by a google search. But
>>>>>>>>>>>> i’m noticing a problem with the getGroupMembers logic and I’m
>>>>>>>>>>>> experiencing it myself in my 5.4 install of xwiki.
>>>>>>>>>>>> Some background: I am using Apple’s open directory as my ldap
>>>>>>>>>>>> server.
>>>>>>>>>>>> My ldap config is as such (using the LDAP application):
>>>>>>>>>>>>
>>>>>>>>>>>> Restrict to group:
>>>>>>>>>>>> cn=mygroup
>>>>>>>>>>>>
>>>>>>>>>>>> LDAP base dn:
>>>>>>>>>>>> dc=mycompany,dc=com
>>>>>>>>>>>>
>>>>>>>>>>>> LDAP UID Attribute name
>>>>>>>>>>>> memberUid
>>>>>>>>>>>>
>>>>>>>>>>>> The symptom: When XWiki tries to locate the members of a group, it
>>>>>>>>>>>> finds only one, typically the alphabetically first one, and not
>>>>>>>>>>>> all.
>>>>>>>>>>>>
>>>>>>>>>>>> The source of the problem:
>>>>>>>>>>>> The entry point is here:
>>>>>>>>>>>> public Map<String, String> getGroupMembers(String groupDN, XWikiContext context)
>>>>>>>>>>>>
>>>>>>>>>>>> which calls with a new map of <String, String> for members, this
>>>>>>>>>>>> line ->
>>>>>>>>>>>> boolean isGroup = getGroupMembers(groupDN, members, new ArrayList<String>(), context);
>>>>>>>>>>>>
>>>>>>>>>>>> That method has this signature ->
>>>>>>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, XWikiContext context)
>>>>>>>>>>>>
>>>>>>>>>>>> which falls to
>>>>>>>>>>>> if (searchAttributeList != null) {
>>>>>>>>>>>>     isGroup = getGroupMembers(fixedDN, memberMap, subgroups, searchAttributeList, context);
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> But of course there are search attributes, so it calls this->
>>>>>>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute> searchAttributeList, XWikiContext context)
>>>>>>>>>>>>
>>>>>>>>>>>> And this is where the problem is:
>>>>>>>>>>>> It for loops through the search attributes and executes a query,
>>>>>>>>>>>> if it gets a response that isn’t a group and the member map
>>>>>>>>>>>> doesn’t already contain that key, it will add it:
>>>>>>>>>>>> if (!memberMap.containsKey(groupDN)) {
>>>>>>>>>>>>     memberMap.put(groupDN.toLowerCase(), id == null ? "" : id.toLowerCase());
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> But then it RETURNS isGroup, which is now true,
>>>>>>>>>>>> And that flows back up the chain, except it never iterates through
>>>>>>>>>>>> the rest of the entries.
>>>>>>>>>>>>
>>>>>>>>>>>> My logs show:
>>>>>>>>>>>> 2014-02-08 17:45:22,858
>>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>>> c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a
>>>>>>>>>>>> DN, lets try filter or id
>>>>>>>>>>>> 2014-02-08 17:45:22,858
>>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>>> c.x.x.p.l.XWikiLDAPConnection - LDAP search:
>>>>>>>>>>>> baseDN=[dc=mycompany,dc=com] query=[cn=mygroup]
>>>>>>>>>>>> attr=[[objectClass, uid, memberuid, memberUid]] ldapScope=[2]
>>>>>>>>>>>> 2014-02-08 17:45:22,864
>>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>>> c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members
>>>>>>>>>>>> [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
>>>>>>>>>>>> 2014-02-08 17:45:22,864
>>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>>> c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null]
>>>>>>>>>>>> 2014-02-08 17:45:22,865
>>>>>>>>>>>> [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG
>>>>>>>>>>>> u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
>>>>>>>>>>>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user
>>>>>>>>>>>> member2 does not belong to LDAP group cn=mygroup.
>>>>>>>>>>>>
>>>>>>>>>>>> Am I reading the logs or code wrong? If I am, then what am I
>>>>>>>>>>>> doing wrong with my ldap configuration? I’m clearly part of
>>>>>>>>>>>> mygroup but it consistently fails to find me.
>>>>>>>>>>>>
>>>>>>>>>>>> Best,
>>>>>>>>>>>>
>>>>>>>>>>>> Eric Kyungsuk Kimn
>>>>>>>>>>>> 김경석
>>>>>>>>>>>> Senior Back End Developer
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> devs mailing list
>>>>>>>>>>>> [email protected]
>>>>>>>>>>>> http://lists.xwiki.org/mailman/listinfo/devs
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Thomas Mortagne
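
The group-restriction behaviour discussed in this thread, as an added example that is not part of the original messages and is not XWiki's code: a simplified model of how one LDAP entry is read either as a user or as a group depending on the configured group classes and member fields. The class and method names (`GroupMemberModel`, `resolve`, `isMember`) and the stand-in values `groupofnames` and `member` for a configuration that does not list the entry's classes are assumptions; the entry itself is constructed from the ldapsearch output quoted above.

```java
import java.util.*;

public class GroupMemberModel {
    // Constructed sample entry mirroring the ldapsearch output in the thread.
    static final String GROUP_DN = "cn=mygroup,cn=groups,dc=mycompany,dc=com";
    static final Map<String, List<String>> ENTRY = Map.of(
        "objectclass", List.of("posixGroup", "mycompany-group", "extensibleObject", "top"),
        "memberuid", List.of("member1", "member2", "member3", "member4"));

    // Builds the member map a resolver would produce under the given configuration.
    static Map<String, String> resolve(Set<String> groupClasses, Set<String> memberFields, String uidAttr) {
        Map<String, String> members = new LinkedHashMap<>();
        boolean isGroup = ENTRY.get("objectclass").stream()
            .anyMatch(c -> groupClasses.contains(c.toLowerCase(Locale.ROOT)));
        if (!isGroup) {
            // No configured group class matches: the entry is handled as one user,
            // keyed by its DN, with the first value of the uid attribute as its id.
            List<String> ids = ENTRY.getOrDefault(uidAttr.toLowerCase(Locale.ROOT), List.of());
            members.put(GROUP_DN, ids.isEmpty() ? "" : ids.get(0).toLowerCase(Locale.ROOT));
            return members;
        }
        // A group: every value of every configured member field is a member.
        for (String field : memberFields) {
            for (String m : ENTRY.getOrDefault(field.toLowerCase(Locale.ROOT), List.of())) {
                members.putIfAbsent(m.toLowerCase(Locale.ROOT), m.toLowerCase(Locale.ROOT));
            }
        }
        return members;
    }

    // The "restrict to group" decision: is this uid among the resolved members?
    static boolean isMember(Map<String, String> members, String uid) {
        return members.containsValue(uid.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Configuration that does not know the entry's classes, UID attribute set to memberUid.
        Map<String, String> before = resolve(Set.of("groupofnames"), Set.of("member"), "memberUid");
        // Group classes and member field configured for this directory, UID attribute set to uid.
        Map<String, String> after = resolve(Set.of("posixgroup", "mycompany-group"), Set.of("memberuid"), "uid");
        System.out.println("unconfigured: " + before + " member2 allowed=" + isMember(before, "member2"));
        System.out.println("configured:   " + after + " member2 allowed=" + isMember(after, "member2"));
    }
}
```

In the first case the map holds a single entry keyed by the group DN, the same shape as the `Found group [cn=mygroup] members` log line, so the check for `member2` is denied even though the directory lists that user.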

