Tomek Rękawek created OAK-3498:
----------------------------------

             Summary: DN can't be used as the group name in the external auth handler
                 Key: OAK-3498
                 URL: https://issues.apache.org/jira/browse/OAK-3498
             Project: Jackrabbit Oak
          Issue Type: Bug
          Components: auth-external
    Affects Versions: 1.0.22, 1.3.7, 1.2.7
            Reporter: Tomek Rękawek
            Priority: Critical


One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He 
uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is 
configured in such a manner that both the principal id and the authorizable name 
are set to the DN (e.g. {{CN=my-group,OU=abc,...}}).

After migration to Oak, LDAP users can't log in. The reason is that during the 
login, the {{DefaultSyncContext}} tries to synchronize all group memberships 
and create missing groups. By default it uses the CN as the group name and tries 
to find it. It fails, because the migrated group has a name created from its DN. 
It assumes that the group doesn't exist and then wants to create it, which 
fails as well, because a group with the given principal name already exists. As a 
result, the whole login process fails.

The LDAP attribute to be used as the group name can be configured. However, the 
DN is not an attribute, so setting {{group.nameAttribute="dn"}} in 
{{LdapProviderConfig}} results in a {{NullPointerException}}.

I think two things can be improved here:

1. {{DefaultSyncContext}} should try to find a group using its principal name 
rather than its group id.
2. It should be possible to use DN as the {{group.nameAttribute}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

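The failure sequence the report describes, reproduced as an added simulation. This is not Oak code: the in-memory user manager, the LDAP entry and the DN are constructed stand-ins, and it assumes (as the report's collision implies) that the group created during sync is given the entry's DN as its principal name. It runs the default path (lookup by CN as the group id) against a repository migrated with DN-based ids, then each of the two proposed improvements.

```python
"""Simulation of the OAK-3498 group-sync collision (added example, not Oak code).

The UserManager below stands in for Oak's: groups are indexed by authorizable
id and, separately, by principal name, and both must be unique. Sample data
(the LDAP entry and the migrated group) is constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


class AuthorizableExistsError(Exception):
    """Raised when a group id or principal name is already taken."""


@dataclass(frozen=True)
class Group:
    authorizable_id: str
    principal_name: str


class UserManager:
    def __init__(self) -> None:
        self._by_id: dict[str, Group] = {}
        self._by_principal: dict[str, Group] = {}

    def get_authorizable(self, authorizable_id: str) -> Optional[Group]:
        return self._by_id.get(authorizable_id)

    def get_authorizable_by_principal(self, principal_name: str) -> Optional[Group]:
        return self._by_principal.get(principal_name)

    def create_group(self, authorizable_id: str, principal_name: str) -> Group:
        if authorizable_id in self._by_id:
            raise AuthorizableExistsError(f"group id already exists: {authorizable_id}")
        if principal_name in self._by_principal:
            raise AuthorizableExistsError(f"principal already exists: {principal_name}")
        group = Group(authorizable_id, principal_name)
        self._by_id[authorizable_id] = group
        self._by_principal[principal_name] = group
        return group


@dataclass(frozen=True)
class LdapGroup:
    dn: str
    attributes: dict  # attribute name -> list of values (LDAP attributes are multi-valued)

    def name(self, name_attribute: str) -> str:
        # Assumption: proposed improvement 2 treats "dn" as a pseudo-attribute.
        # The DN is not a real attribute, which is why the current code ends in an NPE.
        if name_attribute.lower() == "dn":
            return self.dn
        values = self.attributes.get(name_attribute)
        if not values:
            raise KeyError(f"attribute {name_attribute!r} missing on {self.dn}")
        return values[0]


def sync_group(um: UserManager, ldap_group: LdapGroup,
               name_attribute: str = "cn", lookup_by_principal: bool = False) -> Group:
    """Mirror the sync step from the report: find the group for the LDAP entry,
    create it if absent. Assumption of this simulation: the group's principal
    name is its DN, which is what makes creation collide with the migrated group."""
    name = ldap_group.name(name_attribute)
    group = um.get_authorizable(name)           # current behaviour: lookup by authorizable id
    if group is None and lookup_by_principal:   # proposed improvement 1: fall back to principal
        group = um.get_authorizable_by_principal(ldap_group.dn)
    if group is None:
        group = um.create_group(name, ldap_group.dn)  # raises if the principal is taken
    return group


def login_succeeds(name_attribute: str = "cn", lookup_by_principal: bool = False) -> bool:
    """Run the sync against a repository migrated from Jackrabbit 2, where the
    group's id and principal name are both the DN. True if login gets past group sync."""
    um = UserManager()
    migrated_dn = "CN=my-group,OU=abc,DC=example,DC=com"   # constructed sample DN
    um.create_group(migrated_dn, migrated_dn)
    entry = LdapGroup(dn=migrated_dn, attributes={"cn": ["my-group"]})
    try:
        sync_group(um, entry, name_attribute, lookup_by_principal)
    except AuthorizableExistsError:
        return False
    return True


if __name__ == "__main__":
    print("default (cn, lookup by id):", login_succeeds())                          # False
    print("fix 1 (lookup by principal):", login_succeeds(lookup_by_principal=True))  # True
    print("fix 2 (nameAttribute=dn):   ", login_succeeds(name_attribute="dn"))       # True
```

With the default settings the lookup by id "my-group" misses the migrated group, and the subsequent create collides on the DN-valued principal name, so login fails; either improvement resolves the same migrated group instead of trying to create a duplicate.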