[ https://issues.apache.org/jira/browse/OAK-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16024438#comment-16024438 ]
Tomek Rękawek commented on OAK-3498:
------------------------------------
I worked on this a bit, but it's more complex than I thought. In particular,
it's not enough to change the code responsible for writing the LDAP groups in
the repo using their DN as the node name (that's the easy part); we also
need to use the stored DN when fetching a group from LDAP (code around the
getEntryIterator method). In order to do this, we need to parse the DN and
transform it into a filter string, remember proper escaping, etc.
Because of that I think it's easier, after all, to update the customer
repository rather than introducing this improvement. [~anchela], if you don't
object I'll resolve this as "won't fix". Thanks for your time.
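The DN-to-filter step the comment describes, as an added example in Python (not Oak's code; the function names are my own): it parses a group name stored as an RFC 4514 DN into RDNs, then derives the search base and an RFC 4515 filter, escaping the value so characters in a group name cannot change the filter's structure.

```python
# Added example (not Oak's code): from a group whose stored name is its LDAP DN,
# derive the search base plus RFC 4515 filter that fetch exactly that entry.
HEX = "0123456789abcdefABCDEF"

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 4514 DN into (type, value) RDNs, decoding \\x and \\XX
    escapes. Multi-valued RDNs joined with '+' are not handled here."""
    rdns, attr, buf, in_value, i = [], "", bytearray(), False, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and in_value:
            pair = dn[i + 1:i + 3]
            is_hex = len(pair) == 2 and all(h in HEX for h in pair)
            buf += bytes([int(pair, 16)]) if is_hex else pair[:1].encode()
            i += 3 if is_hex else 2                       # \XX or \<char>
            continue
        if not in_value and c == "=":                     # end of type
            attr, buf, in_value = bytes(buf).decode().strip(), bytearray(), True
        elif in_value and c == ",":                       # end of RDN
            rdns.append((attr, bytes(buf).decode()))
            buf, in_value = bytearray(), False
        else:
            buf += c.encode()
        i += 1
    if in_value:                                          # last RDN
        rdns.append((attr, bytes(buf).decode()))
    return rdns

def escape_dn_value(value: str) -> str:
    """Escape an RDN value for re-use inside a DN (RFC 4514 section 2.4)."""
    last = len(value) - 1
    return "".join("\\" + ch if ch in '"+,;<>\\' or (ch == "#" and i == 0)
                   or (ch == " " and i in (0, last)) else ch
                   for i, ch in enumerate(value))

def escape_filter_value(value: str) -> str:
    """Escape a value for an RFC 4515 filter so '*', '(', ')' or '\\' in a
    group name cannot alter the filter's structure (filter injection)."""
    return "".join(f"\\{b:02x}" if b > 0x7F or chr(b) in "*()\\\x00" else chr(b)
                   for b in value.encode("utf-8"))

def dn_to_search(dn: str) -> tuple[str, str]:
    """Return (search base, filter) selecting exactly the entry named by dn."""
    rdns = parse_dn(dn)
    attr, value = rdns[0]
    base = ",".join(f"{a}={escape_dn_value(v)}" for a, v in rdns[1:])
    return base, f"({attr}={escape_filter_value(value)})"
```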
> DN can't be used as the group name in the external auth handler
> ---------------------------------------------------------------
>
> Key: OAK-3498
> URL: https://issues.apache.org/jira/browse/OAK-3498
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-ldap
> Affects Versions: 1.0.22, 1.2.7, 1.3.7
> Reporter: Tomek Rękawek
> Assignee: Tomek Rękawek
> Priority: Minor
> Fix For: 1.8, 1.7.1
>
> Attachments: OAK-3498-1.0.patch, OAK-3498-trunk.patch
>
> One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He
> uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is
> configured in such a manner that both the principal id and the authorizable
> name are set to the DN (e.g. {{CN=my-group,OU=abc,...}}).
> After migration to Oak, LDAP users can't log in. The reason is that during the
> login, the {{DefaultSyncContext}} tries to synchronize all group memberships
> and create missing groups. By default it uses CN as the group name and tries
> to find it. It fails, because the migrated group has a name created from its
> DN. It assumes that the group doesn't exist and then wants to create it -
> which fails as well, because a group with the given principal name already
> exists. As a result, the whole login process fails.
> The LDAP attribute to be used as the group name can be configured. However,
> the DN is not an attribute, so setting {{group.nameAttribute="dn"}} in
> {{LdapProviderConfig}} results in a {{NullPointerException}}.
> I think one thing can be improved here:
> 1. It should be possible to use the DN as the {{group.nameAttribute}}.
> 2. -{{DefaultSyncContext}} should try to find a group using its principal
> name rather than group id.-
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)