OAK-3498

DN can't be used as the group name in the external auth handler


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 1.0.22, 1.2.7, 1.3.7
    • Fix Version/s: 1.7.1, 1.8.0
    • Component/s: auth-ldap
    • Labels: None

    Description

      One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is configured in such a manner that both the principal id and the authorizable name are set to the DN (e.g. CN=my-group,OU=abc,...).

      After migration to Oak, LDAP users can't log in. The reason is that during login, the DefaultSyncContext tries to synchronize all group memberships and create any missing groups. By default it uses the CN as the group name and tries to find a group by that name. The lookup fails, because the migrated group's name was created from its DN. The sync context therefore assumes the group doesn't exist and tries to create it, which fails as well, because a group with the given principal name already exists. As a result, the whole login process fails.

      The LDAP attribute to be used as the group name can be configured. However, the DN is not an attribute, so setting group.nameAttribute="dn" in LdapProviderConfig results in a NullPointerException.

      I think one thing can be improved here:

      1. It should be possible to use DN as the group.nameAttribute.
      2. DefaultSyncContext should try to find a group using its principal name rather than group id.
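      The failure described above and the two proposed changes, as an added model written for this page (not Oak's code): the Repository, Group, sync_group and group_name names are hypothetical, and the migrated group and LDAP entry are constructed sample data.

```python
# Added example, not Oak's code: a minimal model of the group sync described
# in OAK-3498. A Jackrabbit 2 migration left the group with BOTH its
# authorizable id and its principal name set to the DN.
from dataclasses import dataclass, field


@dataclass
class Group:
    authorizable_id: str
    principal_name: str


@dataclass
class Repository:
    groups: dict = field(default_factory=dict)  # keyed by authorizable id

    def get_by_id(self, aid):
        return self.groups.get(aid)

    def get_by_principal(self, pname):
        return next((g for g in self.groups.values() if g.principal_name == pname), None)

    def create(self, aid, pname):
        # Mirrors the second failure: the principal name is already taken.
        if self.get_by_principal(pname) is not None:
            raise ValueError(f"principal {pname!r} already exists")
        self.groups[aid] = Group(aid, pname)
        return self.groups[aid]


def group_name(entry, name_attribute):
    """Proposed change 1: 'dn' is not an LDAP attribute, so resolve it
    explicitly instead of looking it up among the entry's attributes."""
    if name_attribute.lower() == "dn":
        return entry["dn"]
    return entry["attributes"][name_attribute]  # KeyError models the NPE


def sync_group(repo, entry, name_attribute="cn", lookup_by_principal=False):
    """Return the existing group or create it; the DN is the principal name."""
    name, dn = group_name(entry, name_attribute), entry["dn"]
    # Proposed change 2: look the group up by principal name, not by id.
    existing = repo.get_by_principal(dn) if lookup_by_principal else repo.get_by_id(name)
    return existing if existing is not None else repo.create(name, dn)


def login_attempt(repo, entry, **kw):
    """'ok' if the membership sync succeeds, else the message that fails the login."""
    try:
        sync_group(repo, entry, **kw)
        return "ok"
    except ValueError as e:
        return f"login failed: {e}"


# Constructed sample data: the migrated group and the matching LDAP entry.
DN = "CN=my-group,OU=abc,DC=example,DC=org"
LDAP_GROUP = {"dn": DN, "attributes": {"cn": "my-group"}}


def migrated_repo():
    return Repository({DN: Group(DN, DN)})
```

      With the default settings the sync raises, while either proposed change alone lets the lookup find the migrated group.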

      Attachments

        1. OAK-3498-1.0.patch
          3 kB
          Tomek Rękawek
        2. OAK-3498-trunk.patch
          3 kB
          Tomek Rękawek


          People

            Assignee: Tomek Rękawek (tomek.rekawek)
            Reporter: Tomek Rękawek (tomek.rekawek)
            Votes: 0
            Watchers: 4
