10 Feb
2014
10 Feb
'14
11:39 a.m.
On Mon, Feb 10, 2014 at 11:38 AM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
On Mon, Feb 10, 2014 at 11:26 AM, Eric Kimn
<ekimn(a)apple.com> wrote:
s/usint/unit/
Hi Thomas,
Thanks for the replies~! Really appreciate it.
To answer your questions:
For the group DN, I was watching the logs, and while yes, I could have put the full dn in
there, it does a check to see if it can find it with the group dn alone and if it can’t
find it, it then tries to find it with the base dn and then the group dn as a filter.
So that’s why I just put the cn=mygroup in the group name.
Yes it's supposed to work (and now it does) but using the full group
DN is simply better for performance since it less LDAP requests.
My group ldif looks like:
This is the query i run, it’s the same query xwiki is executing when trying to if I’m a
member of the group:
ldapsearch -x -h od.mycompany.com -s sub -b dc=mycompany,dc=com cn=mygroup attributes
objectClass uid memberUid
# extended LDIF
#
# LDAPv3
# base <dc=mycompany,dc=com> with scope subtree
# filter: cn=mygroup
# requesting: attributes objectClass uid memberUid
#
# mygroup, groups, mycompany.com
dn: cn=mygroup,cn=groups,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: mycompany-group
objectClass: extensibleObject
objectClass: top
memberUid: member1
memberUid: member2
memberUid: member3
memberUid: member4
etc….
Finally, I read the jira bug and I’m not totally sure (from the description) if that’s
the issue I’m seeing. You said that an LDAP subgroup is listed as UID it’s not expanded.
But the issue I’m running into isn’t related to subgroups, it’s that when there are
multiple memberUid’s in the group, that logic isn’t adding all of them into the member map
object, thus it incorrectly determines that a person isn’t in a group, if they’re not the
first in the list. Please correct me if I’m seeing it wrong.
Actually it is :)
As I told you in my previous mail "cn=mygroup" does not means your
group, your group is a subgroup of what we call a group in XWiki which
mean either a group DN, a filter or an organization usint. In you case the group "cn=mygroup" has a member called
"cn=mygroup,cn=groups,dc=mycompany,dc=com" which was not expanded.
--
Thomas Mortagne
And doubly finally, if I’m wrong and the issue is fixed (which would awesome), when can I
get the fix? It’s really holding up using xwiki on a broader scale because I can’t get it
integrated with our LDAP.
Again you should be fine with full group DN, did you tested with it ?
4.5.1 release is planned tomorrow.
Best,
Eric Kyungsuk Kimn
김경석
Senior Back End Developer
ekimn(a)apple.com
On Feb 10, 2014, at 2:04 AM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
--
Thomas Mortagne Created and fixed
http://jira.xwiki.org/browse/XWIKI-10031. Thanks for
the report !
On Mon, Feb 10, 2014 at 10:18 AM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs Hmm actually could be something else.
How does your group ldiff looks like ? Looks like there is a bug with
subgroups containing uids instead of complete DNs.
On Mon, Feb 10, 2014 at 9:47 AM, Thomas Mortagne
<thomas.mortagne(a)xwiki.com> wrote:
> From what I understand from you use case you should not put
> "cn=mygroup" but your complete group DN
> ("cn=mygroup,cn=groups,dc=mycompany,dc=com=member1").
"cn=mygroup"
> does not really mean that group but "everything that matches
> "cn=mygroup"" (which is why it list you the group as found member by
> the way). There is still a bug in the fact that it seems to not expand
> the found groups to find submembers when using partial DN but if you
> use complete DN in the configuration you should be fine.
>
> I will try to reproduce and debug the partial DN use case. Thanks for
> the report.
>
> On Sun, Feb 9, 2014 at 3:16 AM, Eric Kimn <ekimn(a)apple.com> wrote:
>> Hey all,
>>
>> I managed to view the code for this class by a google search. But i’m noticing a
problem with the getGroupMembers logic and I’m experiencing it myself in my 5.4 install of
xwiki.
>> Some background: I am using Apple’s open directory as my ldap server.
>> My ldap config is as such (using the LDAP application):
>>
>> Restrict to group:
>> cn=mygroup
>>
>> LDAP base dn:
>> dc=mycompany,dc=com
>>
>> LDAP UID Attribute name
>> memberUid
>>
>>
>> The symptom: When XWiki tries to locate the members of a group, it finds only
one, typically the alphabetically first one, and not all.
>>
>> The source of the problem:
>> The entry point is here:
>> public Map<String, String> getGroupMembers(String groupDN, XWikiContext
context)
>>
>> which calls with a new map of <String, String> for members, this line
->
>> boolean isGroup = getGroupMembers(groupDN, members, new
ArrayList<String>(), context);
>>
>> That method has this signature ->
>> public boolean getGroupMembers(String groupDN, Map<String, String>
memberMap, List<String> subgroups, XWikiContext context)
>>
>> which falls to
>> if (searchAttributeList != null) {
>> isGroup = getGroupMembers(fixedDN, memberMap, subgroups,
searchAttributeList, context);
>> }
>>
>> But of course there are search attributes, so it calls this->
>> public boolean getGroupMembers(String groupDN, Map<String, String>
memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute>
searchAttributeList, XWikiContext context)
>>
>> And this is where the problem is:
>> It for loops through the search attributes and executes a query, if it gets a
response that isn’t a group and the member map doesn’t already contain that key, it will
add it:
>> if (!memberMap.containsKey(groupDN)) {
>> memberMap.put(groupDN.toLowerCase(), id == null ? "" :
id.toLowerCase());
>> }
>>
>> But then it RETURNS isGroup, which is now true,
>> And that flows back up the chain, except it never iterates through the rest of
the entries.
>>
>> My logs show:
>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin]
DEBUG c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a DN, lets try
filter or id
>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin]
DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=mycompany,dc=com]
query=[cn=mygroup] attr=[[objectClass, uid, memberuid, memberUid]] ldapScope=[2]
>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin]
DEBUG c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members
[{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin]
DEBUG c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null]
>> 2014-02-08 17:45:22,865 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin]
DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user member2 does not
belong to LDAP group cn=mygroup.
>>
>>
>> Am I reading the logs or code wrong? If I am, then what am I doing wrong with my
ldap configuration? I’m clearly part of mygroup but it consistently fails to find me.
>>
>> Best,
>>
>>
>> Eric Kyungsuk Kimn
>> 김경석
>> Senior Back End Developer
>> ekimn(a)apple.com
>> _______________________________________________
>> devs mailing list
>> devs(a)xwiki.org
>> http://lists.xwiki.org/mailman/listinfo/devs
>
>
>
> --
> Thomas Mortagne
--
Thomas Mortagne
--
Thomas Mortagne
_______________________________________________
devs mailing list
devs(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/devs