
Key: XWIKI-2414
Type: Improvement
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Thomas Mortagne
Reporter: Michael Jeanson
Votes: 0
Watchers: 0
XWiki Core

Support for LDAP groups where the member attributes do not contain the full dn

Created: 29/May/08 21:00   Updated: 14/Aug/08 10:30
Component/s: Auth Service - LDAP
Affects Version/s: 1.3.2, 1.4
Fix Version/s: 1.6 M1

File Attachments:
1. ldap.patch (24 kB)
2. xwiki-posixgroup-membership.patch (4 kB)


keywords: ldap authentication group openldap posixGroup
Date of First Response: 07/Aug/08 22:16
Resolution Date: 14/Aug/08 10:30
Tests: Integration


Description
Another problem I ran into with posixGroup is that the members are listed only by their userid and not their full dn. For example the ldif of my xwiki group:

1. xwiki, Group, example.com
dn: cn=xwiki,ou=Group,dc=example,dc=com
cn: xwiki
description: Utilisateurs de XWiki
gidNumber: 2005
memberUid: mjeanson
memberUid: jmdault
memberUid: julien
memberUid: luiggi
objectClass: top
objectClass: posixGroup

Xwiki expects to have the full dn for each member attribute and so is not able to map group membership. Here is the debug output I get:

For each member of the xwiki group:
14:22:19,735 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] ERROR ldap.XWikiLDAPUtils - Could not find attribute uid for LDAP dn frobichaud
14:22:19,735 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPConnection - LDAP Search failed

LDAPException: Invalid DN Syntax (34) Invalid DN Syntax
LDAPException: Server Message: invalid DN
LDAPException: Matched DN:
at com.novell.ldap.LDAPResponse.getResultException(Unknown Source)
at com.novell.ldap.LDAPResponse.chkResultCode(Unknown Source)
at com.novell.ldap.LDAPSearchResults.next(Unknown Source)
at com.xpn.xwiki.plugin.ldap.XWikiLDAPConnection.searchLDAP(XWikiLDAPConnection.java:274)
at com.xpn.xwiki.plugin.ldap.XWikiLDAPUtils.searchGroupsMembers(XWikiLDAPUtils.java:211)
...

And finally:
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] ERROR ldap.XWikiLDAPUtils - Could not find attribute uid for LDAP dn mjeanson
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPUtils - Found user dn in user group:null
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG ldap.XWikiLDAPUtils - LDAP authentication failed: user not in LDAP user group
14:22:19,738 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] DEBUG LDAP.XWikiLDAPAuthServiceImpl - Trying authentication against XWiki DB
14:22:19,739 http://xwiki.revolutionlinux.com/xwiki-1.5/bin/loginsubmit/XWiki/XWikiLogin [http-8080-1] WARN LDAP.XWikiLDAPAuthServiceImpl - LDAP authentication failed.
com.xpn.xwiki.XWikiException: Error number 8001 in 8: LDAP user mjeanson does not belong to LDAP group cn=xwiki,ou=Group,dc=example,dc=com.
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.ldapAuthenticate(XWikiLDAPAuthServiceImpl.java:216)
at com.xpn.xwiki.user.impl.LDAP.XWikiLDAPAuthServiceImpl.authenticate(XWikiLDAPAuthServiceImpl.java:107)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.authenticate(MyFormAuthenticator.java:195)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:128)
at com.xpn.xwiki.user.impl.xwiki.MyFormAuthenticator.processLogin(MyFormAuthenticator.java:113)
at com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl.checkAuth(XWikiAuthServiceImpl.java:205)
...

I wrote a patch that does an ldap request for each group member to find their full dn. It's clearly a hack; please understand that I am by no means a java programmer nor a programmer at all, but I needed the ldap authentication to work.

I think the proper solution, correct me if I'm wrong, would be to add a configuration option allowing to match ldap group membership with the userid instead of the full dn.
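The membership check the report describes, as an added example in Python that is not XWiki's code: a posixGroup lists members as bare uids in memberUid, a groupOfNames-style group lists full DNs in member, and the resolver handles both. The group LDIF, the user entries (a dict standing in for an LDAP search) and the user_base value are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data (not a live directory): the posixGroup from the
# report, trimmed, plus a few user entries keyed by DN standing in for LDAP.
GROUP_LDIF = """\
dn: cn=xwiki,ou=Group,dc=example,dc=com
cn: xwiki
gidNumber: 2005
memberUid: mjeanson
memberUid: jmdault
memberUid: julien
objectClass: top
objectClass: posixGroup
"""
USERS = {
    "uid=mjeanson,ou=People,dc=example,dc=com": {"uid": "mjeanson"},
    "uid=jmdault,ou=People,dc=example,dc=com": {"uid": "jmdault"},
    "uid=julien,ou=Other,dc=example,dc=com": {"uid": "julien"},  # outside user base
}
DN_RE = re.compile(r"^[A-Za-z][\w-]*=")  # a DN starts with 'attr='; a bare uid does not

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF parser for one entry (plain 'attr: value' lines only)."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def is_dn(value: str) -> bool:
    return bool(DN_RE.match(value.strip()))

def resolve_member(value: str, user_base: str, uid_attr: str = "uid") -> Optional[str]:
    """Full DNs are accepted if they exist; bare values are matched on uid_attr,
    but only below user_base, so the same uid elsewhere in the tree does not count."""
    if is_dn(value):
        return value if value in USERS else None
    suffix = "," + user_base.lower()
    hits = [dn for dn, attrs in USERS.items()
            if dn.lower().endswith(suffix) and attrs.get(uid_attr) == value]
    return hits[0] if len(hits) == 1 else None  # ambiguous uid -> no match

def group_member_dns(ldif: str, user_base: str) -> List[str]:
    """Resolve all members whether the group uses 'member' (full DN) or 'memberUid' (uid)."""
    entry = parse_ldif_entry(ldif)
    values = entry.get("member") or entry.get("memberuid", [])
    return [dn for dn in (resolve_member(v, user_base) for v in values) if dn]
```

Restricting the uid lookup to the configured user base is what keeps a uid-based match as strict as the DN-based one: a memberUid that only resolves outside that base is ignored rather than granting membership.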



Comments
Michael Jeanson added a comment - 29/May/08 21:02
The patch mentioned earlier.

Stephen Reindl added a comment - 07/Aug/08 22:16
The patch provided here is against version 1.5.

As I had a lot of trouble with the Novell LDAP implementation (several errors in the OpenLDAP server), I additionally switched to the javax.naming LDAP implementation from Java (sorry for the inconvenience).


Thomas Mortagne added a comment - 13/Aug/08 17:07
In this kind of group, if the member is a group, is it a full DN? And if not, which field of the ldap group object is targeted by the value?

Michael Jeanson added a comment - 13/Aug/08 22:57
To the best of my knowledge a posixgroup will contain only user accounts since it's mapped to the linux user/group permission mechanism.

Michael Jeanson added a comment - 13/Aug/08 23:02

Thomas Mortagne added a comment - 14/Aug/08 10:15
Ok, thanks. Then I'm committing a fix supporting members as users' UID in the 1.6 branch; it will be part of 1.6M1.