[ https://issues.apache.org/jira/browse/OAK-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Davide Giannella closed OAK-3498.
---------------------------------

Bulk close for 1.7.1

> DN can't be used as the group name in the external auth handler
> ---------------------------------------------------------------
>
>                 Key: OAK-3498
>                 URL: https://issues.apache.org/jira/browse/OAK-3498
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: auth-ldap
>    Affects Versions: 1.0.22, 1.2.7, 1.3.7
>            Reporter: Tomek Rękawek
>            Assignee: Tomek Rękawek
>            Priority: Minor
>             Fix For: 1.8, 1.7.1
>
>         Attachments: OAK-3498-1.0.patch, OAK-3498-trunk.patch
>
>
> One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He 
> uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is 
> configured in such a manner that both the principal id and the authorizable 
> name are set to the DN (e.g. {{CN=my-group,OU=abc,...}}).
> After migration to Oak, LDAP users can't log in. The reason is that during the 
> login, the {{DefaultSyncContext}} tries to synchronize all group memberships 
> and create missing groups. By default it uses CN as the group name and tries 
> to find it. It fails, because the migrated group has a name created with its 
> DN. It assumes that the group doesn't exist and then wants to create it - 
> which fails as well, because a group with the given principal name already 
> exists. As a result, the whole login process fails.
> The LDAP attribute to be used as the group name can be configured. However, 
> the DN is not an attribute, so setting {{group.nameAttribute="dn"}} in 
> {{LdapProviderConfig}} results in a {{NullPointerException}}.
> I think one thing can be improved here:
> 1. It should be possible to use DN as the {{group.nameAttribute}}.
> 2. -{{DefaultSyncContext}} should try to find a group using its principal 
> name rather than group id.-



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
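
The failure sequence described in the issue, modelled as an added example that is not Oak code and not part of the original message. The class, the repository map, the `dnAware` switch and the sample DN are all hypothetical; only the idea of a configurable group name attribute comes from the issue.

```java
import java.util.HashMap;
import java.util.Map;

public class GroupNameSyncDemo {
    // Hypothetical repository model: group id -> principal name; both must be unique.
    static final Map<String, String> groups = new HashMap<>();

    // Resolve the group id from the configured name attribute. The DN travels beside
    // the entry's attributes, not inside them, so "dn" needs an explicit branch.
    static String resolveId(String dn, Map<String, String> attrs, String nameAttr, boolean dnAware) {
        if (dnAware && "dn".equalsIgnoreCase(nameAttr)) {
            return dn;
        }
        return attrs.get(nameAttr); // null when the entry has no such attribute
    }

    // Look up the group by id, then create it if missing, as the description outlines.
    static String sync(String dn, Map<String, String> attrs, String nameAttr, boolean dnAware) {
        String id = resolveId(dn, attrs, nameAttr, dnAware);
        if (id == null) {
            return "FAIL: no attribute '" + nameAttr + "' (the issue reports an NPE at this point)";
        }
        if (groups.containsKey(id)) {
            return "OK: found existing group " + id;
        }
        if (groups.containsValue(dn)) {
            return "FAIL: cannot create '" + id + "', principal name already exists";
        }
        groups.put(id, dn);
        return "OK: created group " + id;
    }

    public static void main(String[] args) {
        // Constructed sample entry; the DN and attribute values are not from the issue.
        String dn = "CN=staff,OU=groups,DC=example,DC=org";
        Map<String, String> attrs = Map.of("cn", "staff");
        groups.put(dn, dn); // migrated group: id and principal name are both the DN

        System.out.println(sync(dn, attrs, "cn", false)); // lookup misses, create conflicts
        System.out.println(sync(dn, attrs, "dn", false)); // "dn" read as a plain attribute
        System.out.println(sync(dn, attrs, "dn", true));  // DN used as the group name
    }
}
```

The first two calls fail the whole sync, which in the reported setup means the login is rejected; only the third resolves the migrated group.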
