Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3-milestone-1
    • Component/s: Authentication
    • Labels:
      None
    • Tests:
      Unit
    • Difficulty:
      Medium

      Description

      The needs
      ***********
      For now, the group mapping feature synchronizes the list of users from an LDAP directory to an XWiki group using an LDAP read operation, which means that it only concerns static groups of users.
      An improvement of this solution would be to add the "dynamic group" concept: instead of getting the list of users by reading an LDAP DN, we would run an LDAP search based on LDAP attributes.

      What to do
      **********

      For now, we are using the following rules:
      xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groupes,dc=aelia,dc=ad|\
      XWiki.Organisation=cn=AdminRole,ou=groupes,dc=aelia,dc=ad

      This should be extended like this:
      xwiki.authentication.ldap.group_mapping.read=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groupes,dc=aelia,dc=ad|\
      XWiki.Organisation=cn=AdminRole,ou=groupes,dc=aelia,dc=ad

      xwiki.authentication.ldap.group_mapping.search=XWiki.XWikiManagerGroup=(&(objectclass=person)(title=Manager))|\
      XWiki.Paris=(&(objectclass=person)(title=Manager)(l=Paris))

      Features description & requirements
      *************************************

      1 - The new group mapping extension should work in both read and search modes, which means that:

      • xwiki.authentication.ldap.group_mapping.read is evaluated first to get the list of members of the static groups
      • xwiki.authentication.ldap.group_mapping.search is evaluated afterwards to get the list of members from an LDAP search

      It is assumed that xwiki.authentication.ldap.group_mapping.read can't refer to the same group as xwiki.authentication.ldap.group_mapping.search
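      As an added example (not XWiki's code and not part of this issue), the following Python parses the proposed xwiki.authentication.ldap.group_mapping.read and .search values, resolves read mode first and search mode second, and rejects a configuration that names the same XWiki group in both, as assumed above. The in-memory directory (a dict of DN to attributes), the member fields used for read mode and the small RFC 4515 filter subset it evaluates are assumptions made here, not anything the issue specifies. It splits mapping items on "|" only outside parentheses, because a search filter can itself contain the LDAP OR operator "(|...)", which is a collision the proposed syntax needs to settle.

```python
"""Added example (not XWiki code): parse and evaluate the proposed
group_mapping.read / group_mapping.search properties against an
in-memory directory. Assumed here: directory = {dn: {attr: [values]}}
and a filter subset limited to (&...), (|...), (!...), (attr=value)."""
import re

# assumed default of xwiki.authentication.ldap.group_memberfields
MEMBER_FIELDS = ("member", "uniqueMember")


def _join_continuations(value):
    """Java .properties rule: a trailing backslash continues the value on the next line."""
    return re.sub(r"\\\n\s*", "", value)


def _split_top_level(value, sep="|"):
    """Split on `sep` only outside parentheses, so an LDAP OR filter such as
    (|(title=Manager)(title=Director)) is not cut in two by the mapping separator."""
    parts, cur, depth = [], [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_mapping(value):
    """'XWiki.Group=<dn or filter>|XWiki.Other=<...>' -> {xwiki group: expression}.
    Only the first '=' separates the pair: DNs and filters contain '=' themselves."""
    mapping = {}
    for item in _split_top_level(_join_continuations(value)):
        group, _, expr = item.partition("=")
        if not group.strip() or not expr.strip():
            raise ValueError("malformed mapping item: %r" % item)
        mapping[group.strip()] = expr.strip()
    return mapping


def _parse_filter(s, i=0):
    """Return (node, next_index); nodes: ('and'|'or', [..]), ('not', node), ('eq', attr, value)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse_filter(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated filter: %r" % s)
        if op == "!":
            if len(children) != 1:
                raise ValueError("NOT takes exactly one operand: %r" % s)
            return ("not", children[0]), i + 1
        return ("and" if op == "&" else "or", children), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("eq", attr.strip().lower(), value.strip()), end + 1


def _eval(node, entry):
    if node[0] == "and":
        return all(_eval(c, entry) for c in node[1])
    if node[0] == "or":
        return any(_eval(c, entry) for c in node[1])
    if node[0] == "not":
        return not _eval(node[1], entry)
    _, attr, value = node
    # attribute names are case-insensitive in LDAP; values compared case-insensitively here
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)


def matches(filter_str, entry):
    """True if `entry` satisfies the whole filter string (trailing garbage is an error)."""
    node, end = _parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter: %r" % filter_str[end:])
    return _eval(node, entry)


def resolve_groups(read_value, search_value, directory, member_fields=MEMBER_FIELDS):
    """Read mode first (members of a static group entry), then search mode (filter matches).
    Refuses a mapping naming the same XWiki group in both modes, as the issue assumes."""
    read_map, search_map = parse_mapping(read_value), parse_mapping(search_value)
    overlap = sorted(set(read_map) & set(search_map))
    if overlap:
        raise ValueError("XWiki group mapped in both read and search mode: %s" % overlap)
    members = {}
    for group, group_dn in read_map.items():
        entry = directory.get(group_dn, {})  # missing static group -> no members
        members[group] = {m for field in member_fields for m in entry.get(field, [])}
    for group, flt in search_map.items():
        members[group] = {dn for dn, entry in directory.items() if matches(flt, entry)}
    return members


# Constructed sample directory (not real data) and the mapping values proposed in this issue.
DIRECTORY = {
    "cn=AdminRole,ou=groupes,dc=aelia,dc=ad": {"objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=aelia,dc=ad", "uid=bob,ou=people,dc=aelia,dc=ad"]},
    "uid=alice,ou=people,dc=aelia,dc=ad": {"objectClass": ["person"], "title": ["Manager"], "l": ["Paris"]},
    "uid=bob,ou=people,dc=aelia,dc=ad": {"objectClass": ["person"], "title": ["Engineer"], "l": ["Paris"]},
    "uid=carol,ou=people,dc=aelia,dc=ad": {"objectClass": ["person"], "title": ["Manager"], "l": ["Lyon"]},
}
READ = ("XWiki.XWikiAdminGroup=cn=AdminRole,ou=groupes,dc=aelia,dc=ad|\\\n"
        "XWiki.Organisation=cn=AdminRole,ou=groupes,dc=aelia,dc=ad")
SEARCH = ("XWiki.XWikiManagerGroup=(&(objectclass=person)(title=Manager))|\\\n"
          "XWiki.Paris=(&(objectclass=person)(title=Manager)(l=Paris))")

if __name__ == "__main__":
    for group, dns in resolve_groups(READ, SEARCH, DIRECTORY).items():
        print(group, sorted(dns))
```

      Run as a script it prints each mapped XWiki group with the member DNs it resolved to: with the constructed directory, XWiki.Paris resolves to alice only, while XWiki.XWikiManagerGroup also picks up carol, a Manager located in Lyon, and both read-mode groups get the static members of cn=AdminRole.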

      Some question/issues
      ********************

      1 - To optimize LDAP requests, the following items should be considered:

      • Having the base DN defined in the search expression: XWiki.XWikiManagerGroup="ou=groupes,dc=aelia,dc=ad" "(&(objectclass=person)(title=Manager))"
      • Defining the list of attributes returned: XWiki.XWikiManagerGroup="(&(objectclass=person)(title=Manager))" "(attrib=member,uniqueMember)"

      Can we define the LDAP search expression in the standard form: XWiki.XWikiManagerGroup= base -b "dc=aelia,dc=ad" "(&(objectclass=person)(title=Manager))" member uniquemember

      2 - What about the other XWiki.cfg properties?

      • xwiki.authentication.ldap.group_classes = group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
      • xwiki.authentication.ldap.group_memberfields=member,uniqueMember

      People

      • Assignee:
        tmortagne Thomas Mortagne
      • Reporter:
        ccoll Christophe Coll