Details
- Improvement
- Resolution: Fixed
- Minor
- None
- None
- Unit
- Medium
Description
The needs
***********
For now, the group mapping feature synchronizes the list of users from an LDAP directory to an XWiki group using an LDAP read operation, which means that it concerns only static groups of users.
An improvement to this solution would be to add a "dynamic group" concept: instead of getting the list of users by reading an LDAP DN, we should have an LDAP search based on LDAP attributes.
What to do
**********
For now, we are using the following rules:
xwiki.authentication.ldap.group_mapping=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groupes,dc=aelia,dc=ad|\
XWiki.Organisation=cn=AdminRole,ou=groupes,dc=aelia,dc=ad
This should be extended like this:
xwiki.authentication.ldap.group_mapping.read=XWiki.XWikiAdminGroup=cn=AdminRole,ou=groupes,dc=aelia,dc=ad|\
XWiki.Organisation=cn=AdminRole,ou=groupes,dc=aelia,dc=ad
xwiki.authentication.ldap.group_mapping.search=XWiki.XWikiManagerGroup=(&(objectclass=person)(title=Manager))|\
XWiki.Paris=(&(objectclass=person)(title=Manager)(l=Paris))
Features description & requirements
*************************************
1 - The new group mapping extension should work in both read and search mode, which means that:
- xwiki.authentication.ldap.group_mapping.read is evaluated first to get the list of members of static groups of users
- xwiki.authentication.ldap.group_mapping.search is evaluated afterwards to get the list of members from the LDAP search
It is assumed that xwiki.authentication.ldap.group_mapping.read cannot refer to the same group as xwiki.authentication.ldap.group_mapping.search.
Some questions/issues
********************
1 - To optimize LDAP requests, the following items should be considered:
- Having the base DN defined in the search expression: XWiki.XWikiManagerGroup="ou=groupes,dc=aelia,dc=ad" "(&(objectclass=person)(title=Manager))"
- Defining the list of attributes returned: XWiki.XWikiManagerGroup="(&(objectclass=person)(title=Manager))" "(attrib=member,uniqueMember)"
Can we define the LDAP search expression in the standard form: XWiki.XWikiManagerGroup= base -b "dc=aelia,dc=ad" "(&(objectclass=person)(title=Manager))" member uniquemember
2 - What about the other XWiki.cfg properties?
- xwiki.authentication.ldap.group_classes = group,groupOfNames,groupOfUniqueNames,dynamicGroup,dynamicGroupAux,groupWiseDistributionList
- xwiki.authentication.ldap.group_memberfields=member,uniqueMember
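Added example (not part of the original issue and not XWiki's own code): a Python sketch of how the proposed .read and .search values could be parsed and checked, enforcing the rule that a group may not appear in both properties. It splits entries on "|" only outside parentheses, because an LDAP filter can itself contain the OR operator "|", and a naive split would cut such a filter in two and change who lands in a privileged group. The function names and the OR-filter sample are assumptions, and DNs are assumed to contain no unbalanced literal parentheses.

```python
# Added example, not XWiki code. Function names are hypothetical.
# READ is the value from the issue with the "|\" line continuation already joined.
READ = ("XWiki.XWikiAdminGroup=cn=AdminRole,ou=groupes,dc=aelia,dc=ad|"
        "XWiki.Organisation=cn=AdminRole,ou=groupes,dc=aelia,dc=ad")
# Constructed sample: the second filter uses the LDAP OR operator "|".
SEARCH = ("XWiki.XWikiManagerGroup=(&(objectclass=person)(title=Manager))|"
          "XWiki.Paris=(&(objectclass=person)(|(l=Paris)(l=Lyon)))")


def split_top_level(value, sep="|"):
    """Split on sep only at parenthesis depth 0, so (|(a=1)(b=2)) stays whole."""
    parts, depth, cur = [], 0, []
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in mapping value")
        if ch == sep and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '(' in mapping value")
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_mapping(value):
    """Return {xwiki_group: [dn_or_filter, ...]}, cutting at the first '=' only."""
    mapping = {}
    for entry in split_top_level(value):
        group, eq, target = entry.partition("=")
        if not eq or not group.strip() or not target.strip():
            raise ValueError(f"malformed entry: {entry!r}")
        mapping.setdefault(group.strip(), []).append(target.strip())
    return mapping


def load_group_mappings(read_value, search_value):
    """Parse both properties and reject a group that appears in both."""
    read, search = parse_mapping(read_value), parse_mapping(search_value)
    overlap = sorted(set(read) & set(search))
    if overlap:
        raise ValueError(f"group mapped in both read and search: {overlap}")
    return read, search
```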
Issue Links
- is related to
- XWIKI-6900 Add support for organization units in LDAP group mapping
- Closed