[
https://issues.apache.org/jira/browse/OAK-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14950046#comment-14950046
]
Tomek Rękawek commented on OAK-3498:
------------------------------------
Hi [~anchela], thanks for your feedback. I was thinking about it and I think
you are right. I was happy that I'd found the cause of the annoying issue and
maybe was too eager to fix it.
Anyway, perhaps the changes in the {{DefaultSyncContext}} are indeed a little
hacky. We can remove them from the patch. What about the {{LdapIdentityProvider}}
improvement? It isn't too invasive and requires explicitly setting the
{{group.nameAttribute}} or {{user.idAttribute}} to {{dn}}. It provides a
feature which was present in Jackrabbit 2 and apparently was used by
clients. This change alone would allow us to fix the described issue. WDYT?
> DN can't be used as the group name in the external auth handler
> ---------------------------------------------------------------
>
> Key: OAK-3498
> URL: https://issues.apache.org/jira/browse/OAK-3498
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: auth-external
> Affects Versions: 1.3.7, 1.2.7, 1.0.22
> Reporter: Tomek Rękawek
> Attachments: OAK-3498-1.0.patch, OAK-3498-trunk.patch
>
>
> One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He
> uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is
> configured in such a manner that both the principal id and the authorizable
> name are set to the DN (e.g. {{CN=my-group,OU=abc,...}}).
> After migration to Oak, LDAP users can't log in. The reason is that during the
> login, the {{DefaultSyncContext}} tries to synchronize all group memberships
> and create missing groups. By default it uses the CN as the group name and tries
> to find it. It fails, because the migrated group has a name created from its
> DN. It assumes that the group doesn't exist and then wants to create it -
> which fails as well, because a group with the given principal name already
> exists. As a result, the whole login process fails.
> The LDAP attribute to be used as the group name can be configured. However,
> the DN is not an attribute, so setting {{group.nameAttribute="dn"}} in
> {{LdapProviderConfig}} results in a {{NullPointerException}}.
> I think two things can be improved here:
> 1. {{DefaultSyncContext}} should try to find a group using its principal name
> rather than group id.
> 2. It should be possible to use DN as the {{group.nameAttribute}}.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
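The login failure described in the issue, and the two proposed improvements (lookup by principal name, and accepting "dn" as the name attribute), as a runnable model added here. This is a constructed Python stand-in, not Jackrabbit Oak code: `LdapEntry`, `Repository`, `resolve_name` and `sync_group` are hypothetical replacements for `LdapIdentityProvider` / `DefaultSyncContext`, the sample DN is made up, and the model assumes (as the issue's Jackrabbit 2 configuration implies) that a group's principal name is its DN.

```python
"""Model of the OAK-3498 failure mode and the two proposed fixes.

Constructed example: the classes and functions below are hypothetical
stand-ins for Oak's LdapIdentityProvider and DefaultSyncContext so that
the behaviour reported in the issue can be reproduced offline.
"""
from dataclasses import dataclass

# Constructed sample group entry (only the CN=my-group,OU=abc shape is from the issue).
GROUP_DN = "CN=my-group,OU=abc,DC=example,DC=org"


@dataclass
class LdapEntry:
    dn: str
    attributes: dict


def resolve_name(entry, attr, treat_dn_specially=True):
    """Resolve the configured name attribute for an LDAP entry.

    With treat_dn_specially=True the pseudo-attribute "dn" yields the entry's
    DN (proposed improvement 2). Without it, "dn" is looked up like any other
    attribute, is absent, and the missing value surfaces as an error, which
    plays the role of the NullPointerException the issue reports.
    """
    if treat_dn_specially and attr.lower() == "dn":
        return entry.dn
    value = entry.attributes.get(attr)
    if value is None:
        raise LookupError(f"entry {entry.dn} has no attribute {attr!r}")
    return value


@dataclass
class Group:
    group_id: str
    principal_name: str


class Repository:
    """Minimal user manager: groups indexed by id and by principal name."""

    def __init__(self):
        self._by_id = {}
        self._by_principal = {}

    def find_by_id(self, group_id):
        return self._by_id.get(group_id)

    def find_by_principal(self, principal_name):
        return self._by_principal.get(principal_name)

    def create_group(self, group_id, principal_name):
        # Principal names are unique; creating a duplicate fails, as in the issue.
        if principal_name in self._by_principal:
            raise ValueError(f"principal {principal_name!r} already exists")
        group = Group(group_id, principal_name)
        self._by_id[group_id] = group
        self._by_principal[principal_name] = group
        return group


def migrated_repository():
    """Repository as left by the Jackrabbit 2 migration: id and principal are both the DN."""
    repo = Repository()
    repo.create_group(GROUP_DN, GROUP_DN)
    return repo


def sync_group(repo, entry, name_attr="cn", lookup_by_principal=False, treat_dn_specially=False):
    """Simulate the sync context resolving a group membership during login.

    lookup_by_principal=True is proposed improvement 1 (find the group by its
    principal name instead of by the id derived from name_attr).
    """
    name = resolve_name(entry, name_attr, treat_dn_specially)
    principal = entry.dn  # assumption: the group's principal name is its DN
    if lookup_by_principal:
        existing = repo.find_by_principal(principal)
    else:
        existing = repo.find_by_id(name)
    if existing is not None:
        return existing
    return repo.create_group(name, principal)


def login_outcome(**sync_opts):
    """Return 'ok' when the group sync succeeds, else the error class name."""
    repo = migrated_repository()
    entry = LdapEntry(GROUP_DN, {"cn": "my-group"})
    try:
        sync_group(repo, entry, **sync_opts)
        return "ok"
    except (ValueError, LookupError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print("default (cn, lookup by id):      ", login_outcome())
    print("dn without special-casing:       ", login_outcome(name_attr="dn"))
    print("fix 1, lookup by principal name: ", login_outcome(lookup_by_principal=True))
    print("fix 2, dn as name attribute:     ", login_outcome(name_attr="dn", treat_dn_specially=True))
```

Run as written, the default configuration reproduces the report: the CN-derived id is not found, the create attempt collides with the existing principal, and login fails. Requesting "dn" as an ordinary attribute fails earlier in name resolution, while either of the two improvements lets the migrated group be found without creating a duplicate.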