On Fri, Aug 1, 2008 at 7:54 PM, Vincent Massol <[email protected]> wrote:
On Aug 1, 2008, at 7:46 PM, Thomas Mortagne wrote:
On Fri, Aug 1, 2008 at 6:22 PM, Vincent Massol <[email protected]> wrote:
On Aug 1, 2008, at 6:17 PM, Thomas Mortagne wrote:
[snip]
I found what the problem is: it's not your configuration. By default XWiki stores the DN in the user's profile (with the "ldap_dn=dn" in the xwiki.authentication.ldap.fields_mapping property) to speed up the DN search. The problem is that it will always use the first DN used for a user, even if the user has moved in the LDAP server.
So what you can do to fix it:
- for existing users in XWiki: edit the user's profile page using the object editor and change the value of the property ldap_dn (LDAP DN). Set the new DN or just blank it to let XWiki update it.
- if you plan to move LDAP users regularly: remove the "ldap_dn=dn" from the xwiki.authentication.ldap.fields_mapping property to avoid LDAP user DN storage.
This looks like an important XWiki limitation, doesn't it?
I guess moving users in LDAP is a pretty common thing and we should probably not request admins to edit related XWiki users objects. That doesn't sound right.
It's not a limitation, just configuration. As I said, if you don't have "ldap_dn=dn" in xwiki.authentication.ldap.fields_mapping, the DN is never stored, so you don't have the problem. But maybe the default value of xwiki.authentication.ldap.fields_mapping has to be changed.
I understand, but can't we do better? It looks a bit like magic, and the parameter name doesn't reflect the behavior and the dangerousness associated with it.
It has worked like that since the first old LDAP authenticator, and it's the first time someone has reported that it's an issue AFAIK... Anyway, maybe a new parameter "userDN_constant=true/false" or something like that would be better. Or we completely remove this way to get the DN.
Also I don't see the use cases where this parameter could be used? (unless your LDAP is read only which is probably pretty rare).
You are maybe right, I really don't know as I pretty much never used LDAP for personal needs.
Thanks
-Vincent
-- Thomas Mortagne
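
Added example, not part of the original thread or of XWiki's code: a small Python helper that applies the second fix discussed above by dropping the `ldap_dn` entry from active `xwiki.authentication.ldap.fields_mapping` lines in a configuration file's text. The sample configuration and the other mapping entries in it are constructed for illustration; only `ldap_dn=dn` and the property name come from the thread.

```python
PROP = "xwiki.authentication.ldap.fields_mapping"

# Constructed sample; only the ldap_dn=dn entry comes from the thread.
SAMPLE_CFG = (
    "# LDAP settings (constructed sample)\n"
    "#xwiki.authentication.ldap.fields_mapping=ldap_dn=dn\n"
    "xwiki.authentication.ldap.fields_mapping=last_name=sn, ldap_dn=dn ,email=mail\n"
)


def drop_dn_mapping(cfg_text):
    """Remove the ldap_dn entry from every active fields_mapping line.

    Returns (new_text, changed_line_numbers). Commented-out lines and
    other properties are left untouched, so the result can be diffed.
    """
    out, changed = [], []
    for number, line in enumerate(cfg_text.splitlines(keepends=True), 1):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve the original line ending
        key, sep, value = body.partition("=")
        if not sep or key.strip() != PROP:
            out.append(line)            # comment, blank line, or another property
            continue
        pairs = [p.strip() for p in value.split(",") if p.strip()]
        kept = [p for p in pairs if p.split("=", 1)[0].strip() != "ldap_dn"]
        if len(kept) != len(pairs):
            changed.append(number)
            line = key + sep + ",".join(kept) + eol
        out.append(line)
    return "".join(out), changed


if __name__ == "__main__":
    fixed, lines = drop_dn_mapping(SAMPLE_CFG)
    print("changed lines:", lines)
    print(fixed, end="")
```

This only stops new DNs from being stored; as described in the thread, profiles of existing users still hold the old `ldap_dn` value until it is updated or blanked.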