Re: [xwiki-devs] Problem with XWikiLDAPUtils class

Hi Thomas, Thanks for the replies~! Really appreciate it. To answer your questions: For the group DN, I was watching the logs, and while yes, I could have put the full dn in there, it does a check to see if it can find it with the group dn alone and if it can’t find it, it then tries to find it with the base dn and then the group dn as a filter. So that’s why I just put the cn=mygroup in the group name.

My group ldif looks like: This is the query i run, it’s the same query xwiki is executing when trying to if I’m a member of the group: ldapsearch -x -h od.mycompany.com -s sub -b dc=mycompany,dc=com cn=mygroup attributes objectClass uid memberUid # extended LDIF # # LDAPv3 # base <dc=mycompany,dc=com> with scope subtree # filter: cn=mygroup # requesting: attributes objectClass uid memberUid # # mygroup, groups, mycompany.com dn: cn=mygroup,cn=groups,dc=mycompany,dc=com objectClass: posixGroup objectClass: mycompany-group objectClass: extensibleObject objectClass: top memberUid: member1 memberUid: member2 memberUid: member3 memberUid: member4 etc…. Finally, I read the jira bug and I’m not totally sure (from the description) if that’s the issue I’m seeing. You said that an LDAP subgroup is listed as UID it’s not expanded. But the issue I’m running into isn’t related to subgroups, it’s that when there are multiple memberUid’s in the group, that logic isn’t adding all of them into the member map object, thus it incorrectly determines that a person isn’t in a group, if they’re not the first in the list. Please correct me if I’m seeing it wrong.

And doubly finally, if I’m wrong and the issue is fixed (which would awesome), when can I get the fix? It’s really holding up using xwiki on a broader scale because I can’t get it integrated with our LDAP.

Best, Eric Kyungsuk Kimn 김경석 Senior Back End Developer ekimn(a)apple.com On Feb 10, 2014, at 2:04 AM, Thomas Mortagne &lt;thomas.mortagne(a)xwiki.com&gt; wrote: > Created and fixed http://jira.xwiki.org/browse/XWIKI-10031. Thanks for > the report ! > > On Mon, Feb 10, 2014 at 10:18 AM, Thomas Mortagne > &lt;thomas.mortagne(a)xwiki.com&gt; wrote: >> Hmm actually could be something else. >> >> How does your group ldiff looks like ? Looks like there is a bug with >> subgroups containing uids instead of complete DNs. >> >> On Mon, Feb 10, 2014 at 9:47 AM, Thomas Mortagne >> &lt;thomas.mortagne(a)xwiki.com&gt; wrote: >>> From what I understand from you use case you should not put >>> "cn=mygroup" but your complete group DN >>> ("cn=mygroup,cn=groups,dc=mycompany,dc=com=member1"). "cn=mygroup" >>> does not really mean that group but "everything that matches >>> "cn=mygroup"" (which is why it list you the group as found member by >>> the way). There is still a bug in the fact that it seems to not expand >>> the found groups to find submembers when using partial DN but if you >>> use complete DN in the configuration you should be fine. >>> >>> I will try to reproduce and debug the partial DN use case. Thanks for >>> the report. >>> >>> On Sun, Feb 9, 2014 at 3:16 AM, Eric Kimn &lt;ekimn(a)apple.com&gt; wrote: >>>> Hey all, >>>> >>>> I managed to view the code for this class by a google search. But i’m noticing a problem with the getGroupMembers logic and I’m experiencing it myself in my 5.4 install of xwiki. >>>> Some background: I am using Apple’s open directory as my ldap server. >>>> My ldap config is as such (using the LDAP application): >>>> >>>> Restrict to group: >>>> cn=mygroup >>>> >>>> LDAP base dn: >>>> dc=mycompany,dc=com >>>> >>>> LDAP UID Attribute name >>>> memberUid >>>> >>>> >>>> The symptom: When XWiki tries to locate the members of a group, it finds only one, typically the alphabetically first one, and not all. >>>> >>>> The source of the problem: >>>> The entry point is here: >>>> public Map<String, String> getGroupMembers(String groupDN, XWikiContext context) >>>> >>>> which calls with a new map of <String, String> for members, this line -> >>>> boolean isGroup = getGroupMembers(groupDN, members, new ArrayList<String>(), context); >>>> >>>> That method has this signature -> >>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, XWikiContext context) >>>> >>>> which falls to >>>> if (searchAttributeList != null) { >>>> isGroup = getGroupMembers(fixedDN, memberMap, subgroups, searchAttributeList, context); >>>> } >>>> >>>> But of course there are search attributes, so it calls this-> >>>> public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute> searchAttributeList, XWikiContext context) >>>> >>>> And this is where the problem is: >>>> It for loops through the search attributes and executes a query, if it gets a response that isn’t a group and the member map doesn’t already contain that key, it will add it: >>>> if (!memberMap.containsKey(groupDN)) { >>>> memberMap.put(groupDN.toLowerCase(), id == null ? "" : id.toLowerCase()); >>>> } >>>> >>>> But then it RETURNS isGroup, which is now true, >>>> And that flows back up the chain, except it never iterates through the rest of the entries. >>>> >>>> My logs show: >>>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a DN, lets try filter or id >>>> 2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=mycompany,dc=com] query=[cn=mygroup] attr=[[objectClass, uid, memberuid, memberUid]] ldapScope=[2] >>>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}] >>>> 2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null] >>>> 2014-02-08 17:45:22,865 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed. >>>> com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user member2 does not belong to LDAP group cn=mygroup. >>>> >>>> >>>> Am I reading the logs or code wrong? If I am, then what am I doing wrong with my ldap configuration? I’m clearly part of mygroup but it consistently fails to find me. >>>> >>>> Best, >>>> >>>> >>>> Eric Kyungsuk Kimn >>>> 김경석 >>>> Senior Back End Developer >>>> ekimn(a)apple.com >>>> _______________________________________________ >>>> devs mailing list >>>> devs(a)xwiki.org >>>> http://lists.xwiki.org/mailman/listinfo/devs >>> >>> >>> >>> -- >>> Thomas Mortagne >> >> >> >> -- >> Thomas Mortagne > > > > -- > Thomas Mortagne > _______________________________________________ > devs mailing list > devs(a)xwiki.org > http://lists.xwiki.org/mailman/listinfo/devs _______________________________________________ devs mailing list devs(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/devs