Details
- Task
- Resolution: Unresolved
- Major
Description
Currently, the authenticator supports only one method for mapping users to LDAP groups:
- The authenticator will look into every group mapping registered in XWiki
- For each group mapping, the authenticator will query the LDAP server to fetch the available users for this group
- The results of this query are then stored in the Groups Cache, which is used to check, for each user connecting to the wiki, whether this user is part of one of the mapped groups.
This approach may not work well for some deployments. When XWiki is connected to a very large LDAP directory, creating the groups cache takes a very long time because the authenticator needs to go through every mapped group.
The goal of this issue is therefore to introduce the notion of "group mapping strategies". We can distinguish two types of strategies to start with:
- "Group first" strategies: the authenticator starts by resolving the group members from the group mappings
- "User first" strategies: the authenticator computes the groups of which the user is a member based on the LDAP user entry
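The two strategy types can be compared side by side in a small model. This is an added illustration, not code from the XWiki LDAP authenticator. The in-memory directory, the DNs and the XWiki group names are constructed, and it assumes the user entry exposes the user's group memberships.

```python
# Added illustration; FakeDirectory is a constructed in-memory stand-in for LDAP.
class FakeDirectory:
    """Counts how many entries each strategy has to read from the server."""
    def __init__(self, groups):
        self.groups = groups              # group DN -> set of member DNs
        self.entries_read = 0

    def members_of(self, group_dn):       # resolve every member of one group
        members = self.groups.get(group_dn, set())
        self.entries_read += len(members)
        return set(members)

    def member_of(self, user_dn):         # assumption: user entry lists its groups
        self.entries_read += 1
        return {g for g, m in self.groups.items() if user_dn in m}

def build_groups_cache(directory, mappings):
    """Group first: resolve the members of every mapped LDAP group up front."""
    return {dn: directory.members_of(dn)
            for ldap_groups in mappings.values() for dn in ldap_groups}

def groups_from_cache(cache, mappings, user_dn):
    """Group first, login time: look the user up in the prebuilt cache."""
    return {xwiki for xwiki, ldap_groups in mappings.items()
            if any(user_dn in cache.get(dn, ()) for dn in ldap_groups)}

def groups_user_first(directory, mappings, user_dn):
    """User first: start from the user's entry, keep only the mapped groups."""
    user_groups = directory.member_of(user_dn)
    return {xwiki for xwiki, ldap_groups in mappings.items()
            if user_groups & set(ldap_groups)}

def demo():
    staff = {f"uid=u{i},ou=people,dc=example,dc=org" for i in range(5000)}
    alice = "uid=u42,ou=people,dc=example,dc=org"
    groups = {"cn=staff,ou=groups,dc=example,dc=org": staff,
              "cn=admins,ou=groups,dc=example,dc=org": {alice},
              "cn=unmapped,ou=groups,dc=example,dc=org": {alice}}
    mappings = {"XWiki.Staff": ["cn=staff,ou=groups,dc=example,dc=org"],
                "XWiki.Admins": ["cn=admins,ou=groups,dc=example,dc=org"]}
    d1, d2 = FakeDirectory(groups), FakeDirectory(groups)
    first = groups_from_cache(build_groups_cache(d1, mappings), mappings, alice)
    second = groups_user_first(d2, mappings, alice)
    return first, second, d1.entries_read, d2.entries_read

if __name__ == "__main__":
    print(demo())
```

Both strategies must return the same XWiki groups for a given user, since group membership drives access rights; only the number of directory entries read differs.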