[ https://issues.apache.org/jira/browse/OAK-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14948806#comment-14948806 ]

angela commented on OAK-3498:
-----------------------------

Not sure about the patch... according to your description this seems to be a 
migration issue... I would rather not make the regular code complicated for 
something that should be fixed during upgrade (assuming that it was a conscious 
decision to no longer allow using the DN as the group id). Also, the patch 
looks a bit hacky to me...
So, I would suggest that we first clarify whether the limitation mentioned in the 
subject really needs to be addressed, and clearly understand the consequences of 
doing this, before considering how to address it.

BTW: 'groupname' is a bit confusing, as the underlying API doesn't know anything 
about the name. You are probably referring to the id, right?

> DN can't be used as the group name in the external auth handler
> ---------------------------------------------------------------
>
>                 Key: OAK-3498
>                 URL: https://issues.apache.org/jira/browse/OAK-3498
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>    Affects Versions: 1.3.7, 1.2.7, 1.0.22
>            Reporter: Tomek Rękawek
>            Priority: Critical
>         Attachments: OAK-3498-1.0.patch, OAK-3498-trunk.patch
>
>
> One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He 
> uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is 
> configured in such a manner that both the principal id and the authorizable 
> name are set to the DN (e.g. {{CN=my-group,OU=abc,...}}).
> After migration to Oak, LDAP users can't log in. The reason is that during the 
> login, the {{DefaultSyncContext}} tries to synchronize all group memberships 
> and create missing groups. By default it uses the CN as the group name and tries 
> to find it. It fails, because the migrated group has a name created from its 
> DN. It assumes that the group doesn't exist and then wants to create it, 
> which fails as well, because a group with the given principal name already 
> exists. As a result, the whole login process fails.
> The LDAP attribute to be used as the group name can be configured. However, 
> the DN is not an attribute, so setting {{group.nameAttribute="dn"}} in 
> {{LdapProviderConfig}} results in a {{NullPointerException}}.
> I think two things can be improved here:
> 1. {{DefaultSyncContext}} should try to find a group using its principal name 
> rather than the group id.
> 2. It should be possible to use the DN as the {{group.nameAttribute}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
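The failure mode in the report (lookup by an id derived from the CN misses a group migrated under its DN, the create step then collides on the principal name, and `group.nameAttribute="dn"` dereferences a missing attribute) is modelled below, together with the two proposals from the description. This is an added example, not Jackrabbit Oak code: `Repository`, `SyncConfig`, `sync_group` and `login` are hypothetical stand-ins for Oak's `UserManager`, `LdapProviderConfig` and `DefaultSyncContext`, the LDAP entry is constructed, and the model assumes the external group's principal name is its DN, which is what makes the create step collide exactly as the report describes. The scenarios in `run_scenarios` go one step beyond the report by also running the default configuration against a fresh, non-migrated repository, where it works.

```python
"""Model of the login-time group sync failure described in OAK-3498.

Added example, not Oak code. Assumption: the principal name of an external
group is its DN (this is what makes the create step collide as reported).
"""
from dataclasses import dataclass


class SyncError(Exception):
    """Repository refused to create the group (id or principal name taken)."""


class LoginFailed(Exception):
    """Membership sync did not complete, so the login is rejected."""


@dataclass
class LdapEntry:
    """Constructed search result: DN plus attributes. The DN is deliberately
    *not* among the attributes, mirroring the real directory API."""
    dn: str
    attributes: dict

    def get(self, name):
        """Case-insensitive attribute lookup; None when absent (Java: null)."""
        return {k.lower(): v for k, v in self.attributes.items()}.get(name.lower())


@dataclass
class Group:
    id: str
    principal_name: str


class Repository:
    """Minimal user manager: groups keyed by id plus a unique principal-name index."""

    def __init__(self):
        self._by_id, self._by_principal = {}, {}

    def get_by_id(self, gid):
        return self._by_id.get(gid)

    def get_by_principal(self, name):
        return self._by_principal.get(name)

    def create_group(self, gid, principal_name):
        if gid in self._by_id:
            raise SyncError(f"group id already exists: {gid}")
        if principal_name in self._by_principal:
            raise SyncError(f"principal name already exists: {principal_name}")
        group = Group(gid, principal_name)
        self._by_id[gid] = self._by_principal[principal_name] = group
        return group


@dataclass
class SyncConfig:
    group_name_attribute: str = "cn"    # group.nameAttribute; CN by default
    lookup_by_principal: bool = False   # proposal 1 from the report
    dn_as_name_attribute: bool = False  # proposal 2 from the report


def external_group_id(entry, cfg):
    """Derive the group id from the entry according to group.nameAttribute."""
    if cfg.dn_as_name_attribute and cfg.group_name_attribute.lower() == "dn":
        return entry.dn  # proposal 2: the DN is not an attribute, so special-case it
    value = entry.get(cfg.group_name_attribute)
    # Without proposal 2, "dn" is looked up like any attribute, finds nothing, and
    # the unchecked dereference fails: AttributeError stands in for the reported NPE.
    return value.strip()


def sync_group(repo, entry, cfg):
    """Resolve one external group to a repository group, creating it if missing."""
    gid, principal_name = external_group_id(entry, cfg), entry.dn  # see assumption above
    existing = repo.get_by_id(gid)
    if existing is None and cfg.lookup_by_principal:
        existing = repo.get_by_principal(principal_name)  # proposal 1
    return existing if existing is not None else repo.create_group(gid, principal_name)


def login(repo, member_of, cfg):
    """Sync every group the user belongs to; any failure fails the whole login."""
    try:
        return [sync_group(entry_repo := repo, e, cfg).id for e in member_of]
    except (SyncError, AttributeError) as err:
        raise LoginFailed(f"{type(err).__name__}: {err}") from err


GROUP_DN = "CN=my-group,OU=abc,DC=example,DC=org"
GROUP_ENTRY = LdapEntry(GROUP_DN, {"cn": "my-group", "objectClass": "group"})  # constructed


def migrated_repository():
    """Repository as left by the Jackrabbit 2 migration: id and principal name are the DN."""
    repo = Repository()
    repo.create_group(GROUP_DN, GROUP_DN)
    return repo


def run_scenarios():
    """Return {scenario: ("ok", group ids) | ("login failed", reason)}."""
    configs = {
        "default": SyncConfig(),
        "dn-attribute": SyncConfig(group_name_attribute="dn"),
        "proposal-1": SyncConfig(lookup_by_principal=True),
        "proposal-2": SyncConfig(group_name_attribute="dn", dn_as_name_attribute=True),
    }
    results = {}
    for name, cfg in configs.items():
        try:
            results[name] = ("ok", login(migrated_repository(), [GROUP_ENTRY], cfg))
        except LoginFailed as err:
            results[name] = ("login failed", str(err))
    results["fresh-default"] = ("ok", login(Repository(), [GROUP_ENTRY], SyncConfig()))
    return results


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:14} {outcome}")
```

Running the module prints one line per scenario: the default configuration and the bare `group.nameAttribute="dn"` setting both fail the login against the migrated repository (the first with the principal-name collision, the second with the missing-attribute dereference), while either proposal resolves the migrated group under its DN, and the default configuration succeeds on a fresh repository.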