Hey all,

I managed to view the code for this class by a Google search. But I’m noticing a problem with the getGroupMembers logic and I’m experiencing it myself in my 5.4 install of XWiki.

Some background: I am using Apple’s Open Directory as my LDAP server. My LDAP config is as such (using the LDAP application):

    Restrict to group: cn=mygroup
    LDAP base dn: dc=mycompany,dc=com
    LDAP UID Attribute name: memberUid

The symptom: When XWiki tries to locate the members of a group, it finds only one, typically the alphabetically first one, and not all.

The source of the problem:

The entry point is here:

    public Map<String, String> getGroupMembers(String groupDN, XWikiContext context)

which calls, with a new map of <String, String> for members, this line ->

    boolean isGroup = getGroupMembers(groupDN, members, new ArrayList<String>(), context);

That method has this signature ->

    public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, XWikiContext context)

which falls to

    if (searchAttributeList != null) {
        isGroup = getGroupMembers(fixedDN, memberMap, subgroups, searchAttributeList, context);
    }

But of course there are search attributes, so it calls this ->

    public boolean getGroupMembers(String groupDN, Map<String, String> memberMap, List<String> subgroups, List<XWikiLDAPSearchAttribute> searchAttributeList, XWikiContext context)

And this is where the problem is: it for-loops through the search attributes and executes a query. If it gets a response that isn’t a group and the member map doesn’t already contain that key, it will add it:

    if (!memberMap.containsKey(groupDN)) {
        memberMap.put(groupDN.toLowerCase(), id == null ? "" : id.toLowerCase());
    }

But then it RETURNS isGroup, which is now true, and that flows back up the chain, except it never iterates through the rest of the entries.

My logs show:

    2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Looks like [cn=mygroup] is not a DN, lets try filter or id
    2014-02-08 17:45:22,858 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPConnection - LDAP search: baseDN=[dc=mycompany,dc=com] query=[cn=mygroup] attr=[[objectClass, uid, memberuid, memberUid]] ldapScope=[2]
    2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found group [cn=mygroup] members [{cn=mygroup,cn=groups,dc=mycompany,dc=com=member1}]
    2014-02-08 17:45:22,864 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG c.x.x.p.l.XWikiLDAPUtils - Found user dn in user group [null]
    2014-02-08 17:45:22,865 [http://myserver/xwiki/bin/loginsubmit/XWiki/XWikiLogin] DEBUG u.i.L.XWikiLDAPAuthServiceImpl - Local LDAP authentication failed.
    com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user member2 does not belong to LDAP group cn=mygroup.

Am I reading the logs or code wrong? If I am, then what am I doing wrong with my LDAP configuration? I’m clearly part of mygroup but it consistently fails to find me.

Best,
Eric Kyungsuk Kimn 김경석
Senior Back End Developer
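
An added illustration, not part of the original message and not XWiki's own code: a standalone Java model of the guard quoted above, assuming each memberUid value is stored under the group's DN as the "Found group" log line suggests, next to a hypothetical per-member keying. The class name, method names and sample values are constructed.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class GroupMemberMapDemo {
    // Constructed sample data shaped like the post's group entry.
    static final String GROUP_DN = "cn=mygroup,cn=groups,dc=mycompany,dc=com";
    static final List<String> MEMBER_UIDS = Arrays.asList("member1", "member2", "member3");

    // Same guard as quoted in the message. Assumption: every memberUid value
    // is stored under the group's DN, so only the first value is kept.
    static Map<String, String> keyedByGroupDn(String groupDN, List<String> ids) {
        Map<String, String> memberMap = new LinkedHashMap<>();
        for (String id : ids) {
            if (!memberMap.containsKey(groupDN)) {
                memberMap.put(groupDN.toLowerCase(), id == null ? "" : id.toLowerCase());
            }
        }
        return memberMap;
    }

    // Hypothetical alternative: one entry per member id, so no value is shadowed.
    static Map<String, String> keyedByMemberId(List<String> ids) {
        Map<String, String> memberMap = new LinkedHashMap<>();
        for (String id : ids) {
            if (id != null && !id.isEmpty()) {
                memberMap.putIfAbsent(id.toLowerCase(), id.toLowerCase());
            }
        }
        return memberMap;
    }

    // Simple membership test used to compare the two maps.
    static boolean isMember(Map<String, String> memberMap, String uid) {
        return memberMap.containsValue(uid.toLowerCase());
    }

    public static void main(String[] args) {
        Map<String, String> collapsed = keyedByGroupDn(GROUP_DN, MEMBER_UIDS);
        Map<String, String> perMember = keyedByMemberId(MEMBER_UIDS);
        System.out.println(collapsed + " member2? " + isMember(collapsed, "member2"));
        System.out.println(perMember + " member2? " + isMember(perMember, "member2"));
    }
}
```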