Tomek Rękawek created OAK-3498: ---------------------------------- Summary: DN can't be used as the group name in the external auth handler Key: OAK-3498 URL: https://issues.apache.org/jira/browse/OAK-3498 Project: Jackrabbit Oak Issue Type: Bug Components: auth-external Affects Versions: 1.0.22, 1.3.7, 1.2.7 Reporter: Tomek Rękawek Priority: Critical
One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is configured in such manner, that both principal id and authorizable name is set to the DN (eg. {{CN=my-group,OU=abc,...}}). After migration to Oak LDAP users can't login. The reason is that during the login, the {{DefaultSyncContext}} tries to synchronize all groups memberships and create missing groups. By default it uses CN as the group name and tries to find it. It fails, because the migrated group has a name created with its DN. It assumes that the group doesn't exist and then wants to create it - which fails as well, because group with the given principal name already exists. As a result, the whole login process fails. The LDAP attribute to be used as the group name can be configured. However, the DN is not an attribute, so setting {{group.nameAttribute="dn"}} in {{LdapProviderConfig}} results in a {{NullPointerException}}. I think two things can be improved here: 1. {{DefaultSyncContext}} should try to find a group using its principal name rather than group id. 2. It should be possible to use DN as the {{group.nameAttribute}}. -- This message was sent by Atlassian JIRA (v6.3.4#6332)