On Fri, Aug 1, 2008 at 6:22 PM, Vincent Massol <vincent(a)massol.net> wrote:
On Aug 1, 2008, at 6:17 PM, Thomas Mortagne wrote:
[snip]
I found what the problem is: it's not your configuration. By default XWiki stores the DN in the user's profile (with the "ldap_dn=dn" in the xwiki.authentication.ldap.fields_mapping property) to speed up the DN search. The problem is that it will always use the first DN used for a user, even if the user moved in the LDAP server.
So what you can do to fix it:
- for existing users in XWiki: edit the user's profile page using the object editor and change the value of the property ldap_dn (LDAP DN). Set the new DN or just blank it to let XWiki update it.
- if you plan to move LDAP users regularly: remove the "ldap_dn=dn" from the xwiki.authentication.ldap.fields_mapping property to avoid LDAP user DN storage.
This looks like an important XWiki limitation, isn't it? I guess moving users in LDAP is a pretty common thing and we should probably not request admins to edit related XWiki user objects. That doesn't sound right.
It's not a limitation, just configuration. As I said, if you don't have "ldap_dn=dn" in xwiki.authentication.ldap.fields_mapping, the DN is never stored so you don't have the problem. But maybe the default value of xwiki.authentication.ldap.fields_mapping has to be changed.
I understand, but can't we do better? It looks a bit like magic and the parameter name doesn't reflect the behavior and the dangerousness associated with it.
Also, I don't see the use cases where this parameter could be used? (unless your LDAP is read only, which is probably pretty rare).
Thanks
-Vincent