[jira] [Commented] (OAK-2705) DefaultSyncHandler should use the principalName as a fallback when no externalId is available

2015-04-07 Thread Tobias Bocanegra (JIRA)

[ 
https://issues.apache.org/jira/browse/OAK-2705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483487#comment-14483487
 ] 

Tobias Bocanegra commented on OAK-2705:
---

you wrote in the description: "user nodes lack the property rep:externalId ... 
using the principalName instead would work fine", which is not 100% correct, as 
the externalId also contains the name of the IDP.


> DefaultSyncHandler should use the principalName as a fallback when no 
> externalId is available
> -
>
> Key: OAK-2705
> URL: https://issues.apache.org/jira/browse/OAK-2705
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: oak-auth-external, upgrade
> Reporter: Manfred Baedke
>
> After a crx2oak repository migration, user nodes lack the property 
> rep:externalId, which is needed for the DefaultSyncHandler to work properly. 
> In the majority of cases (when there is only one ExternalIdentityProvider) 
> using the principalName instead would work fine, so we should implement this 
> as a fallback when rep:externalId is missing.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (OAK-2705) DefaultSyncHandler should use the principalName as a fallback when no externalId is available

2015-04-07 Thread Manfred Baedke (JIRA)

[ 
https://issues.apache.org/jira/browse/OAK-2705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14483459#comment-14483459
 ] 

Manfred Baedke commented on OAK-2705:
-

Hi [~tripod],

> not quite. the rep:externalId is a combination of IDP and the domain 
> specific id. in the ldap case, the id part is the DN.

Yes. Not sure what the "not quite" refers to. I just said that in the ldap case 
the principalName is the DN.
Using the principalName as a fallback was your original suggestion in a 
separate discussion and I found it very reasonable.
Still don't see what's wrong with it.
The option to configure a default IDP for missing rep:externalIds can be added 
later and wouldn't collide with the fallback solution.



[jira] [Commented] (OAK-2705) DefaultSyncHandler should use the principalName as a fallback when no externalId is available

2015-03-31 Thread Tobias Bocanegra (JIRA)

[ 
https://issues.apache.org/jira/browse/OAK-2705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14389449#comment-14389449
 ] 

Tobias Bocanegra commented on OAK-2705:
---

not quite. the rep:externalId is a combination of IDP and the domain specific 
id. in the ldap case, the id part is the DN.
So I think all that is needed is to specify some default behaviour if the 
authorizables have no external ID. maybe based on path patterns.

the proper way is probably to extend the logic, so that an IDP can be the 
default IDP for missing external IDs. so for example, the LDAP IDP would then 
be asked if the given authorizable's principal name is a valid DN.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
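
The fallback debated in this thread, sketched as an added example (not Oak's code and not posted by any participant): a missing rep:externalId is derived from the principalName only when exactly one identity provider accepts that name as a valid id, so an account is never silently bound to the wrong IDP. The names `Idp`, `LdapIdp` and `resolve`, and the `id;idpName` layout of the combined value, are assumptions made for illustration.

```java
import java.util.List;
import java.util.Optional;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class ExternalIdFallback {

    /** Hypothetical stand-in for an identity provider; not Oak's own interface. */
    interface Idp {
        String name();
        boolean acceptsAsId(String principalName);
    }

    /** LDAP-style provider: claims a principal name only if it parses as a DN. */
    record LdapIdp(String name) implements Idp {
        public boolean acceptsAsId(String principalName) {
            try {
                return !new LdapName(principalName).isEmpty();
            } catch (InvalidNameException e) {
                return false;
            }
        }
    }

    /**
     * Returns the external id as "id;idpName" (assumed layout, no escaping).
     * A stored value always wins. The principalName fallback applies only
     * when exactly one provider claims it; otherwise the result is empty
     * and the caller should skip the sync instead of guessing an IDP.
     */
    static Optional<String> resolve(String storedExternalId, String principalName, List<Idp> idps) {
        if (storedExternalId != null && !storedExternalId.isEmpty()) {
            return Optional.of(storedExternalId);
        }
        List<Idp> claimants = idps.stream().filter(i -> i.acceptsAsId(principalName)).toList();
        if (claimants.size() != 1) {
            return Optional.empty();
        }
        return Optional.of(principalName + ";" + claimants.get(0).name());
    }

    public static void main(String[] args) {
        // Constructed sample data: a migrated user whose rep:externalId is missing.
        String dn = "uid=jdoe,ou=people,dc=example,dc=org";
        List<Idp> one = List.of(new LdapIdp("ldap"));
        List<Idp> two = List.of(new LdapIdp("ldap"), new LdapIdp("ldap-partner"));
        System.out.println(resolve(null, dn, one));      // single IDP, name is a DN
        System.out.println(resolve(null, "jdoe", one));  // single IDP, name is not a DN
        System.out.println(resolve(null, dn, two));      // two IDPs both accept the DN
        System.out.println(resolve("uid=x,dc=example,dc=org;ldap", dn, two)); // stored id present
    }
}
```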


[jira] [Commented] (OAK-2705) DefaultSyncHandler should use the principalName as a fallback when no externalId is available

2015-03-31 Thread Manfred Baedke (JIRA)

[ 
https://issues.apache.org/jira/browse/OAK-2705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14389286#comment-14389286
 ] 

Manfred Baedke commented on OAK-2705:
-

Yes. In the LDAP case, that would just be the DN, wouldn't it?



[jira] [Commented] (OAK-2705) DefaultSyncHandler should use the principalName as a fallback when no externalId is available

2015-03-31 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/OAK-2705?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14388592#comment-14388592
 ] 

angela commented on OAK-2705:
-

[~baedke], are you sure you really mean principalName?
