It would probably be a lot easier on IRC :) See http://dev.xwiki.org/xwiki/bin/view/Community/IRC (my id is tmortagne).

On Mon, Feb 10, 2014 at 12:01 PM, Eric Kimn <[email protected]> wrote:
> Well
> I had actually configured a groups class for mycompany-group in xwiki.cfg. I
> also tried adding posixGroup to that list and xwiki wasn’t able to find me in
> the group.
>
> What I mean by first memberUid in the list is:
> The group contains n-number of memberUid attributes, one for each member.
> The code as I saw in LdapUtils seems to not iterate over the list of all
> memberUid entries. Instead it seemed to put only one entry into the member
> map.
>
> Best,
>
> Eric Kyungsuk Kimn
> 김경석
> Senior Back End Developer
> [email protected]
>
> On Feb 10, 2014, at 2:49 AM, Thomas Mortagne <[email protected]>
> wrote:
>
>> On Mon, Feb 10, 2014 at 11:44 AM, Eric Kimn <[email protected]> wrote:
>>> Hi Thomas,
>>>
>>> Ah, thanks for the responses.
>>>
>>> However, I tried the full group dn as you suggested and unfortunately it
>>> still only finds the first memberUid in the list and so it doesn’t think I
>>> am a member of the group.
>>
>> What do you mean exactly by "first memberUid in the list" ? Because in
>> your first mail it was returning the group itself and not at all
>> the member of the group. If you did not configure groups class and
>> member field then it's normal since it thinks your group is a user.
>>
>>>
>>> Best,
>>>
>>> Eric Kyungsuk Kimn
>>> 김경석
>>> Senior Back End Developer
>>> [email protected]
>>>
>>> On Feb 10, 2014, at 2:39 AM, Thomas Mortagne <[email protected]>
>>> wrote:
>>>
>>>> On Mon, Feb 10, 2014 at 11:38 AM, Thomas Mortagne
>>>> <[email protected]> wrote:
>>>>> On Mon, Feb 10, 2014 at 11:26 AM, Eric Kimn <[email protected]> wrote:
>>>>>> Hi Thomas,
>>>>>>
>>>>>> Thanks for the replies~! Really appreciate it.
>>>>>>
>>>>>> To answer your questions:
>>>>>>
>>>>>> For the group DN, I was watching the logs, and while yes, I could have
>>>>>> put the full dn in there, it does a check to see if it can find it with
>>>>>> the group dn alone and if it can’t find it, it then tries to find it
>>>>>> with the base dn and then the group dn as a filter. So that’s why I
>>>>>> just put the cn=mygroup in the group name.
>>>>>
>>>>> Yes it's supposed to work (and now it does) but using the full group
>>>>> DN is simply better for performance since it means fewer LDAP requests.
>>>>>
>>>>>>
>>>>>> My group ldif looks like:
>>>>>> This is the query I run, it’s the same query xwiki is executing when
>>>>>> trying to see if I’m a member of the group:
>>>>>> ldapsearch -x -h od.mycompany.com -s sub -b dc=mycompany,dc=com
>>>>>> cn=mygroup attributes objectClass uid memberUid
>>>>>>
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <dc=mycompany,dc=com> with scope subtree
>>>>>> # filter: cn=mygroup
>>>>>> # requesting: attributes objectClass uid memberUid
>>>>>> #
>>>>>>
>>>>>> # mygroup, groups, mycompany.com
>>>>>> dn: cn=mygroup,cn=groups,dc=mycompany,dc=com
>>>>>> objectClass: posixGroup
>>>>>> objectClass: mycompany-group
>>>>>> objectClass: extensibleObject
>>>>>> objectClass: top
>>>>>> memberUid: member1
>>>>>> memberUid: member2
>>>>>> memberUid: member3
>>>>>> memberUid: member4
>>>>>> etc….
>>>>>>
>>>>>> Finally, I read the jira bug and I’m not totally sure (from the
>>>>>> description) if that’s the issue I’m seeing. You said that an LDAP
>>>>>> subgroup is listed as UID it’s not expanded. But the issue I’m running
>>>>>> into isn’t related to subgroups, it’s that when there are multiple
>>>>>> memberUid’s in the group, that logic isn’t adding all of them into the
>>>>>> member map object, thus it incorrectly determines that a person isn’t in
>>>>>> a group, if they’re not the first in the list. Please correct me if I’m
>>>>>> seeing it wrong.
>>>>>
>>>>> Actually it is :)
>>>>>
>>>>> As I told you in my previous mail "cn=mygroup" does not mean your
>>>>> group, your group is a subgroup of what we call a group in XWiki which
>>>>> means either a group DN, a filter or an organization usint. In your case
>>>>
>>>> s/usint/unit/
>>>>
>>>>> the group "cn=mygroup" has a member called
>>>>> "cn=mygroup,cn=groups,dc=mycompany,dc=com" which was not expanded.
>>>>>
>>>>>>
>>>>>> And doubly finally, if I’m wrong and the issue is fixed (which would be
>>>>>> awesome), when can I get the fix? It’s really holding up using xwiki on
>>>>>> a broader scale because I can’t get it integrated with our LDAP.
>>>>>
>>>>> Again you should be fine with full group DN, did you test with it ?
>>>>> 4.5.1 release is planned tomorrow.
>>>>>
>>>>>>
>>>>>> Best,
>>>>>>
>>>>>> Eric Kyungsuk Kimn
>>>>>> 김경석
>>>>>> Senior Back End Developer
>>>>>> [email protected]
>>>>>>
>>>>>> On Feb 10, 2014, at 2:04 AM, Thomas Mortagne <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Created and fixed http://jira.xwiki.org/browse/XWIKI-10031. Thanks for
>>>>>>> the report !
>>>>>>>
>>>>>>> On Mon, Feb 10, 2014 at 10:18 AM, Thomas Mortagne
>>>>>>> <[email protected]> wrote:
>>>>>>>> Hmm actually could be something else.
>>>>>>>>
>>>>>>>> How does your group ldif look like ? Looks like there is a bug with
>>>>>>>> subgroups containing uids instead of complete DNs.
>>>>>>>>
>>>>>>>> On Mon, Feb 10, 2014 at 9:47 AM, Thomas Mortagne
>>>>>>>> <[email protected]> wrote:
>>>>>>>>> From what I understand from your use case you should not put
>>>>>>>>> "cn=mygroup" but your complete group DN
>>>>>>>>> ("cn=mygroup,cn=groups,dc=mycompany,dc=com=member1"). "cn=mygroup"
>>>>>>>>> does not really mean that group but "everything that matches
>>>>>>>>> "cn=mygroup"" (which is why it lists you the group as found member by
>>>>>>>>> the way).
>>>>>>>>> There is still a bug in the fact that it seems to not expand
>>>>>>>>> the found groups to find submembers when using partial DN but if you
>>>>>>>>> use complete DN in the configuration you should be fine.
>>>>>>>>>
>>>>>>>>> I will try to reproduce and debug the partial DN use case. Thanks for
>>>>>>>>> the report.
>>>>>>>>>
>>>>>>>>> On Sun, Feb 9, 2014 at 3:16 AM, Eric Kimn <[email protected]> wrote:
>>>>>>>>>> Hey all,
>>>>>>>>>>
>>>>>>>>>> I managed to view the code for this class by a google search. But
>>>>>>>>>> I’m noticing a problem with the getGroupMembers logic and I’m
>>>>>>>>>> experiencing it myself in my 5.4 install of xwiki.
>>>>>>>>>> Some background: I am using Apple’s open directory as my ldap server.
>>>>>>>>>> My ldap config is as such (using the LDAP application):
>>>>>>>>>>
>>>>>>>>>> Restrict to group:
>>>>>>>>>> cn=mygroup
>>>>>>>>>>
>>>>>>>>>> LDAP base dn:
>>>>>>>>>> dc=mycompany,dc=com
>>>>>>>>>>
>>>>>>>>>> LDAP UID Attribute name
>>>>>>>>>> memberUid
>>>>>>>>>>
>>>>>>>>>> The symptom: When XWiki tries to locate the members of a group, it
>>>>>>>>>> finds only one, typically the alphabetically first one, and not all.
>>>>>>>>>>
>>>>>>>>>> The source of the problem:
>>>>>>>>>> The entry point is here:
>>>>>>>>>> public Map<String, String> getGroupMembers(String groupDN, XWikiContext context)
>>>>>>>>>>
>>>>>>>>>> which calls with a new map of <String, String> for members, this
>>>>>>>>>> line ->
>>>>>>>>>> boolean isGroup = getGroupMembers(groupDN, members, new ArrayList<String>(), context);
>>>>>>>>>>
>>>>>>>>>> That method has this signature ->
>>>>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, XWikiContext context)
>>>>>>>>>>
>>>>>>>>>> which falls to
>>>>>>>>>> if (searchAttributeList != null) {
>>>>>>>>>>     isGroup = getGroupMembers(fixedDN, memberMap, subgroups, searchAttributeList, context);
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> But of course there are search attributes, so it calls this->
>>>>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute> searchAttributeList, XWikiContext context)
>>>>>>>>>>
>>>>>>>>>> And this is where the problem is:
>>>>>>>>>> It for loops through the search attributes and executes a query, if
>>>>>>>>>> it gets a response that isn’t a group and the member map doesn’t
>>>>>>>>>> already contain that key, it will add it:
>>>>>>>>>> if (!memberMap.containsKey(groupDN)) {
>>>>>>>>>>     memberMap.put(groupDN.toLowerCase(), id == null ? "" : id.toLowerCase());
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> But then it RETURNS isGroup, which is now true,
>>>>>>>>>> And that flows back up the chain, except it never iterates through
>>>>>>>>>> the rest of the entries.
>>>>>>>>>>
>>>>>>>>>> My logs show:
>>>>>>>>>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a DN, lets try filter or id
>>>>>>>>>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=mycompany,dc=com] query=[cn=mygroup] attr=[[objectClass, uid, memberuid, memberUid]] ldapScope=[2]
>>>>>>>>>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
>>>>>>>>>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null]
>>>>>>>>>> 2014-02-08 17:45:22,865 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
>>>>>>>>>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user member2 does not belong to LDAP group cn=mygroup.
>>>>>>>>>>
>>>>>>>>>> Am I reading the logs or code wrong? If I am, then what am I doing
>>>>>>>>>> wrong with my ldap configuration? I’m clearly part of mygroup but
>>>>>>>>>> it consistently fails to find me.
>>>>>>>>>>
>>>>>>>>>> Best,
>>>>>>>>>>
>>>>>>>>>> Eric Kyungsuk Kimn
>>>>>>>>>> 김경석
>>>>>>>>>> Senior Back End Developer
>>>>>>>>>> [email protected]
>>>>>>>>>> _______________________________________________
>>>>>>>>>> devs mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> http://lists.xwiki.org/mailman/listinfo/devs
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Thomas Mortagne
>>>>>>>>
>>>>>>>> --
>>>>>>>> Thomas Mortagne
>>>>>>>
>>>>>>> --
>>>>>>> Thomas Mortagne
>>>>>
>>>>> --
>>>>> Thomas Mortagne
>>>>
>>>> --
>>>> Thomas Mortagne
>>
>> --
>> Thomas Mortagne

--
Thomas Mortagne
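
An added illustration, not XWiki's code and not part of the thread, of the multi-valued `memberUid` question discussed above: a member map keyed by the group entry's own DN can hold one value per entry, while collecting every attribute value lets a restrict-to-group check see `member2`. The class and method names are hypothetical, and the LDIF is a constructed sample modelled on the entry posted in the thread.

```java
import java.util.*;

public class MemberUidCheck {
    // Constructed sample, modelled on the group entry posted in the thread.
    static final String LDIF = String.join("\n",
        "dn: cn=mygroup,cn=groups,dc=mycompany,dc=com",
        "objectClass: posixGroup",
        "memberUid: member1",
        "memberUid: member2",
        "memberUid: member3");

    // Parse one LDIF entry into attribute name (lower-cased) -> every value, in order.
    static Map<String, List<String>> parseEntry(String ldif) {
        Map<String, List<String>> attrs = new LinkedHashMap<>();
        for (String line : ldif.split("\n")) {
            int sep = line.indexOf(": ");
            if (line.startsWith("#") || sep < 0) continue; // skip comments and blank lines
            attrs.computeIfAbsent(line.substring(0, sep).toLowerCase(), k -> new ArrayList<>())
                 .add(line.substring(sep + 2).trim());
        }
        return attrs;
    }

    // Keyed by the entry's own DN (the shape seen in the quoted log line):
    // one slot per entry, so only the first attribute value is kept.
    static Map<String, String> keyedByEntryDn(Map<String, List<String>> entry, String attr) {
        Map<String, String> members = new LinkedHashMap<>();
        String dn = entry.get("dn").get(0).toLowerCase();
        for (String value : entry.getOrDefault(attr.toLowerCase(), Collections.emptyList())) {
            if (!members.containsKey(dn)) members.put(dn, value.toLowerCase());
        }
        return members;
    }

    // One element per attribute value, so every listed member is visible to the check.
    static Set<String> allValues(Map<String, List<String>> entry, String attr) {
        Set<String> members = new LinkedHashSet<>();
        for (String value : entry.getOrDefault(attr.toLowerCase(), Collections.emptyList())) {
            members.add(value.toLowerCase());
        }
        return members;
    }

    public static void main(String[] args) {
        Map<String, List<String>> group = parseEntry(LDIF);
        Map<String, String> single = keyedByEntryDn(group, "memberUid");
        Set<String> all = allValues(group, "memberUid");
        System.out.println(single + " -> member2 found: " + single.containsValue("member2"));
        System.out.println(all + " -> member2 found: " + all.contains("member2"));
    }
}
```

When a group restriction rejects a user who is listed in the directory, comparing the number of `memberUid` values returned by `ldapsearch` with the size of the member collection in the debug log shows which of the two shapes is in play.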

