Hi Thomas,
Ah, thanks for the responses.
However, I tried the full group dn as you suggested and unfortunately it still only finds
the first memberUid in the list and so it doesn’t think I am a member of the group.
What do you mean exactly by "first memberUid in the list"? Because in
your first mail it was returning the group itself and not at all the
member of the group. If you did not configure groups class and
member field then it's normal since it thinks your group is a user.
Best,
Eric Kyungsuk Kimn
김경석
Senior Back End Developer
ekimn(a)apple.com
On Feb 10, 2014, at 2:39 AM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
> On Mon, Feb 10, 2014 at 11:38 AM, Thomas Mortagne
> <thomas.mortagne(a)xwiki.com> wrote:
>> On Mon, Feb 10, 2014 at 11:26 AM, Eric Kimn <ekimn(a)apple.com> wrote:
>>> Hi Thomas,
>>>
>>> Thanks for the replies~! Really appreciate it.
>>>
>>> To answer your questions:
>>>
>>> For the group DN, I was watching the logs, and while yes, I could have put
>>> the full dn in there, it does a check to see if it can find it with the group dn alone and
>>> if it can’t find it, it then tries to find it with the base dn and then the group dn as a
>>> filter. So that’s why I just put the cn=mygroup in the group name.
>>
>> Yes it's supposed to work (and now it does) but using the full group
>> DN is simply better for performance since it means fewer LDAP requests.
>>
>>>
>>> My group ldif looks like:
>>> This is the query I run, it’s the same query xwiki is executing when trying
>>> to see if I’m a member of the group:
>>> ldapsearch -x -h od.mycompany.com -s sub -b dc=mycompany,dc=com cn=mygroup attributes objectClass uid memberUid
>>>
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <dc=mycompany,dc=com> with scope subtree
>>> # filter: cn=mygroup
>>> # requesting: attributes objectClass uid memberUid
>>> #
>>>
>>> # mygroup, groups, mycompany.com
>>> dn: cn=mygroup,cn=groups,dc=mycompany,dc=com
>>> objectClass: posixGroup
>>> objectClass: mycompany-group
>>> objectClass: extensibleObject
>>> objectClass: top
>>> memberUid: member1
>>> memberUid: member2
>>> memberUid: member3
>>> memberUid: member4
>>> etc….
>>>
>>>
>>> Finally, I read the jira bug and I’m not totally sure (from the description)
>>> if that’s the issue I’m seeing. You said that an LDAP subgroup is listed as UID it’s not
>>> expanded. But the issue I’m running into isn’t related to subgroups, it’s that when there
>>> are multiple memberUid’s in the group, that logic isn’t adding all of them into the member
>>> map object, thus it incorrectly determines that a person isn’t in a group, if they’re not
>>> the first in the list. Please correct me if I’m seeing it wrong.
>>
>> Actually it is :)
>>
>> As I told you in my previous mail "cn=mygroup" does not mean your
>> group, your group is a subgroup of what we call a group in XWiki which
>> means either a group DN, a filter or an organization usint. In your case
>
> s/usint/unit/
>
>> the group "cn=mygroup" has a member called
>> "cn=mygroup,cn=groups,dc=mycompany,dc=com" which was not expanded.
>>
>>>
>>> And doubly finally, if I’m wrong and the issue is fixed (which would be
>>> awesome), when can I get the fix? It’s really holding up using xwiki on a broader scale
>>> because I can’t get it integrated with our LDAP.
>>
>> Again you should be fine with full group DN, did you test with it?
>> 4.5.1 release is planned tomorrow.
>>
>>>
>>>
>>>
>>> Best,
>>>
>>>
>>> Eric Kyungsuk Kimn
>>> 김경석
>>> Senior Back End Developer
>>> ekimn(a)apple.com
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Feb 10, 2014, at 2:04 AM, Thomas Mortagne <thomas.mortagne(a)xwiki.com> wrote:
>>>
>>>> Created and fixed http://jira.xwiki.org/browse/XWIKI-10031. Thanks for
>>>> the report!
>>>>
>>>> On Mon, Feb 10, 2014 at 10:18 AM, Thomas Mortagne
>>>> <thomas.mortagne(a)xwiki.com> wrote:
>>>>> Hmm actually could be something else.
>>>>>
>>>>> How does your group ldif look like? Looks like there is a bug with
>>>>> subgroups containing uids instead of complete DNs.
>>>>>
>>>>> On Mon, Feb 10, 2014 at 9:47 AM, Thomas Mortagne
>>>>> <thomas.mortagne(a)xwiki.com> wrote:
>>>>>> From what I understand from your use case you should not put
>>>>>> "cn=mygroup" but your complete group DN
>>>>>> ("cn=mygroup,cn=groups,dc=mycompany,dc=com=member1"). "cn=mygroup"
>>>>>> does not really mean that group but "everything that matches
>>>>>> "cn=mygroup"" (which is why it lists you the group as found member by
>>>>>> the way). There is still a bug in the fact that it seems to not expand
>>>>>> the found groups to find submembers when using partial DN but if you
>>>>>> use complete DN in the configuration you should be fine.
>>>>>>
>>>>>> I will try to reproduce and debug the partial DN use case. Thanks for
>>>>>> the report.
>>>>>>
>>>>>> On Sun, Feb 9, 2014 at 3:16 AM, Eric Kimn <ekimn(a)apple.com> wrote:
>>>>>>> Hey all,
>>>>>>>
>>>>>>> I managed to view the code for this class by a Google search.
>>>>>>> But I’m noticing a problem with the getGroupMembers logic and I’m experiencing it myself
>>>>>>> in my 5.4 install of xwiki.
>>>>>>> Some background: I am using Apple’s open directory as my ldap server.
>>>>>>> My ldap config is as such (using the LDAP application):
>>>>>>>
>>>>>>> Restrict to group:
>>>>>>> cn=mygroup
>>>>>>>
>>>>>>> LDAP base dn:
>>>>>>> dc=mycompany,dc=com
>>>>>>>
>>>>>>> LDAP UID Attribute name
>>>>>>> memberUid
>>>>>>>
>>>>>>>
>>>>>>> The symptom: When XWiki tries to locate the members of a
>>>>>>> group, it finds only one, typically the alphabetically first one, and not all.
>>>>>>>
>>>>>>> The source of the problem:
>>>>>>> The entry point is here:
>>>>>>> public Map<String, String> getGroupMembers(String groupDN, XWikiContext context)
>>>>>>>
>>>>>>> which calls with a new map of <String, String> for members, this line ->
>>>>>>> boolean isGroup = getGroupMembers(groupDN, members, new ArrayList<String>(), context);
>>>>>>>
>>>>>>> That method has this signature ->
>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, XWikiContext context)
>>>>>>>
>>>>>>> which falls to
>>>>>>> if (searchAttributeList != null) {
>>>>>>>     isGroup = getGroupMembers(fixedDN, memberMap, subgroups, searchAttributeList, context);
>>>>>>> }
>>>>>>>
>>>>>>> But of course there are search attributes, so it calls this->
>>>>>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute> searchAttributeList, XWikiContext context)
>>>>>>>
>>>>>>> And this is where the problem is:
>>>>>>> It for loops through the search attributes and executes a
>>>>>>> query, if it gets a response that isn’t a group and the member map doesn’t already contain
>>>>>>> that key, it will add it:
>>>>>>> if (!memberMap.containsKey(groupDN)) {
>>>>>>>     memberMap.put(groupDN.toLowerCase(), id == null ? "" : id.toLowerCase());
>>>>>>> }
>>>>>>>
>>>>>>> But then it RETURNS isGroup, which is now true,
>>>>>>> And that flows back up the chain, except it never iterates
>>>>>>> through the rest of the entries.
>>>>>>>
>>>>>>> My logs show:
>>>>>>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a DN, lets try filter or id
>>>>>>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=mycompany,dc=com] query=[cn=mygroup] attr=[[objectClass, uid, memberuid, memberUid]] ldapScope=[2]
>>>>>>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
>>>>>>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null]
>>>>>>> 2014-02-08 17:45:22,865 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
>>>>>>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user member2 does not belong to LDAP group cn=mygroup.
>>>>>>>
>>>>>>>
>>>>>>> Am I reading the logs or code wrong? If I am, then what am I
>>>>>>> doing wrong with my ldap configuration? I’m clearly part of mygroup but it consistently
>>>>>>> fails to find me.
>>>>>>>
>>>>>>> Best,
>>>>>>>
>>>>>>>
>>>>>>> Eric Kyungsuk Kimn
>>>>>>> 김경석
>>>>>>> Senior Back End Developer
>>>>>>> ekimn(a)apple.com
>>>>>>> _______________________________________________
>>>>>>> devs mailing list
>>>>>>> devs(a)xwiki.org
>>>>>>> http://lists.xwiki.org/mailman/listinfo/devs
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thomas Mortagne
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thomas Mortagne
>>>>
>>>>
>>>>
>>>> --
>>>> Thomas Mortagne
>>>
>>
>>
>>
>> --
>> Thomas Mortagne
>
>
>
> --
> Thomas Mortagne
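A simplified model of the lookup discussed in this thread, added here as an example; it is not XWiki's code and does not come from either participant. It shows why a "restrict to group" value of `cn=mygroup` (a filter) only admits the first `memberUid` when the matched group is not expanded, while expanding the match or using the complete DN admits every member. The class name, the in-memory directory and the `expandMatches` flag are assumptions made for illustration.

```java
import java.util.*;

// Simplified, hypothetical model of the group lookup; not XWiki's implementation.
public class GroupLookupModel {
    // Constructed directory: one posixGroup entry, attributes keyed by name.
    static final Map<String, Map<String, List<String>>> DIR = Map.of(
        "cn=mygroup,cn=groups,dc=mycompany,dc=com", Map.of(
            "objectClass", List.of("posixGroup", "top"),
            "cn", List.of("mygroup"),
            "memberUid", List.of("member1", "member2", "member3", "member4")));

    // Builds the member map for the configured "restrict to group" setting.
    static Map<String, String> members(String setting, boolean expandMatches) {
        Map<String, String> memberMap = new LinkedHashMap<>();
        Map<String, List<String>> exact = DIR.get(setting.toLowerCase());
        if (exact != null) {                    // setting is a complete group DN
            addUids(exact, memberMap);
            return memberMap;
        }
        String[] kv = setting.split("=", 2);    // otherwise treat it as an attr=value filter
        if (kv.length < 2) return memberMap;
        for (Map.Entry<String, Map<String, List<String>>> e : DIR.entrySet()) {
            Map<String, List<String>> attrs = e.getValue();
            if (!attrs.getOrDefault(kv[0], List.of()).contains(kv[1])) continue;
            if (expandMatches && attrs.get("objectClass").contains("posixGroup")) {
                addUids(attrs, memberMap);      // matched entry is a group: expand it
            } else {
                // matched entry stored as one member keyed by its DN, as in the quoted log
                memberMap.put(e.getKey(), attrs.getOrDefault("memberUid", List.of("")).get(0));
            }
        }
        return memberMap;
    }

    static void addUids(Map<String, List<String>> attrs, Map<String, String> out) {
        for (String uid : attrs.getOrDefault("memberUid", List.of())) {
            out.put(uid.toLowerCase(), uid.toLowerCase());
        }
    }

    static boolean isMember(String uid, String setting, boolean expandMatches) {
        return members(setting, expandMatches).containsValue(uid.toLowerCase());
    }

    public static void main(String[] args) {
        String dn = "cn=mygroup,cn=groups,dc=mycompany,dc=com";
        System.out.println("filter, not expanded: " + isMember("member2", "cn=mygroup", false));
        System.out.println("filter, expanded:     " + isMember("member2", "cn=mygroup", true));
        System.out.println("complete DN:          " + isMember("member2", dn, false));
    }
}
```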