jackrabbit-oak-issues mailing list archives

From Tomek Rękawek (JIRA) <j...@apache.org>
Subject [jira] [Updated] (OAK-3498) DN can't be used as the group name in the external auth handler
Date Tue, 22 Mar 2016 09:25:25 GMT

     [ https://issues.apache.org/jira/browse/OAK-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tomek Rękawek updated OAK-3498:
    Priority: Minor  (was: Major)

> DN can't be used as the group name in the external auth handler
> ---------------------------------------------------------------
>                 Key: OAK-3498
>                 URL: https://issues.apache.org/jira/browse/OAK-3498
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>    Affects Versions: 1.3.7, 1.2.7, 1.0.22
>            Reporter: Tomek Rękawek
>            Priority: Minor
>         Attachments: OAK-3498-1.0.patch, OAK-3498-trunk.patch
> One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is configured in such a manner that both the principal id and the authorizable name are set to the DN (e.g. {{CN=my-group,OU=abc,...}}).
> After migration to Oak, LDAP users can't log in. The reason is that during the login, the {{DefaultSyncContext}} tries to synchronize all group memberships and create missing groups. By default it uses CN as the group name and tries to find it. It fails, because the migrated group has a name created with its DN. It assumes that the group doesn't exist and then wants to create it - which fails as well, because a group with the given principal name already exists. As a result, the whole login process fails.
> The LDAP attribute to be used as the group name can be configured. However, the DN is not an attribute, so setting {{group.nameAttribute="dn"}} in {{LdapProviderConfig}} results in a {{NullPointerException}}.
> I think one thing can be improved here:
> 1. It should be possible to use DN as the {{group.nameAttribute}}.
> 2. -{{DefaultSyncContext}} should try to find a group using its principal name rather than group id.-
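
The failure described in the issue, as an added example that is not part of the original message and is not Oak's code: a simplified Python model in which group ids and principal names are tracked separately. The class and function names, the sample DN, and the assumption that a synced group's principal name is its DN are constructed for illustration.

```python
# Simplified model of the group sync described above. All names are
# hypothetical; this is not Jackrabbit Oak code.

class PrincipalExists(Exception):
    """Raised when a group with the same principal name already exists."""

class Repo:
    def __init__(self):
        self.by_id = {}          # authorizable id -> principal name
        self.principals = set()  # principal names must be unique

    def create_group(self, group_id, principal):
        if principal in self.principals:
            raise PrincipalExists(principal)
        self.by_id[group_id] = principal
        self.principals.add(principal)

def group_name(entry, name_attribute):
    # The DN identifies the entry; it is not stored among its attributes,
    # so it needs its own branch instead of an attribute lookup.
    if name_attribute.lower() == "dn":
        return entry["dn"]
    value = entry["attrs"].get(name_attribute)
    if value is None:
        raise ValueError(f"entry {entry['dn']} has no attribute {name_attribute!r}")
    return value

def sync_group(repo, entry, name_attribute):
    """Return 'found' or 'created'; raise PrincipalExists on a collision."""
    gid = group_name(entry, name_attribute)
    if gid in repo.by_id:
        return "found"
    repo.create_group(gid, entry["dn"])  # assumption: principal name is the DN
    return "created"

def migrated_repo(dn):
    # Constructed state after migration: id and principal name are both the DN.
    repo = Repo()
    repo.create_group(dn, dn)
    return repo

# Constructed sample entry.
ENTRY = {"dn": "CN=my-group,OU=abc,DC=example,DC=org", "attrs": {"cn": "my-group"}}

def demo():
    results = {}
    for attr in ("cn", "dn"):
        try:
            results[attr] = sync_group(migrated_repo(ENTRY["dn"]), ENTRY, attr)
        except PrincipalExists:
            results[attr] = "collision"
    return results
```

With `cn` as the name attribute the lookup by id misses the migrated group and the create step collides on the principal name; with `dn` handled as a special case the existing group is found.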
