[ https://issues.apache.org/jira/browse/OAK-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Davide Giannella closed OAK-3498.
---------------------------------

Bulk close for 1.7.1

> DN can't be used as the group name in the external auth handler
> ---------------------------------------------------------------
>
> Key: OAK-3498
> URL: https://issues.apache.org/jira/browse/OAK-3498
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-ldap
> Affects Versions: 1.0.22, 1.2.7, 1.3.7
> Reporter: Tomek Rękawek
> Assignee: Tomek Rękawek
> Priority: Minor
> Fix For: 1.8, 1.7.1
>
> Attachments: OAK-3498-1.0.patch, OAK-3498-trunk.patch
>
>
> One of the users wants to migrate his repository from Jackrabbit 2 to Oak. He
> uses LDAP for authentication. The LDAP synchronization in Jackrabbit 2 is
> configured in such a manner that both the principal id and the authorizable
> name are set to the DN (e.g. {{CN=my-group,OU=abc,...}}).
> After migration to Oak, LDAP users can't log in. The reason is that during the
> login, the {{DefaultSyncContext}} tries to synchronize all group memberships
> and create missing groups. By default it uses CN as the group name and tries
> to find it. It fails, because the migrated group has a name created with its
> DN. It assumes that the group doesn't exist and then wants to create it -
> which fails as well, because a group with the given principal name already
> exists. As a result, the whole login process fails.
> The LDAP attribute to be used as the group name can be configured. However,
> the DN is not an attribute, so setting {{group.nameAttribute="dn"}} in
> {{LdapProviderConfig}} results in a {{NullPointerException}}.
> I think one thing can be improved here:
> 1. It should be possible to use DN as the {{group.nameAttribute}}.
> 2. -{{DefaultSyncContext}} should try to find a group using its principal
> name rather than group id.-

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
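
The failure chain from the issue description, modelled as an added Java example (it is not Oak code and not taken from the attached patches). `Entry`, `naiveName`, `safeName` and `sync` are hypothetical names, the DN is constructed sample data, and treating `dn` as a pseudo-attribute is an assumption about one way to meet point 1.

```java
import java.util.*;

// Simplified model of the behaviour described in OAK-3498. Not Oak code:
// Entry, naiveName, safeName and sync are hypothetical names.
public class GroupNameResolution {
    // The DN belongs to the entry itself; it is not in the attribute map.
    record Entry(String dn, Map<String, String> attrs) {}

    // Treats every configured name as an ordinary attribute.
    static String naiveName(Entry e, String nameAttribute) {
        return e.attrs().get(nameAttribute).trim(); // "dn" -> null -> NPE
    }

    // Answers "dn" from the entry and reports a missing attribute clearly.
    static String safeName(Entry e, String nameAttribute) {
        if ("dn".equalsIgnoreCase(nameAttribute)) return e.dn();
        String v = e.attrs().get(nameAttribute);
        if (v == null) throw new IllegalStateException(
                "no attribute '" + nameAttribute + "' on " + e.dn());
        return v.trim();
    }

    // Sync step: look the group up by name, otherwise try to create it.
    static String sync(Entry e, String name, Map<String, String> idToPrincipal) {
        if (idToPrincipal.containsKey(name)) return "found";
        if (idToPrincipal.containsValue(e.dn())) return "conflict: principal exists";
        idToPrincipal.put(name, e.dn());
        return "created";
    }

    public static void main(String[] args) {
        // Constructed sample data: a migrated group whose id and principal are its DN.
        Entry g = new Entry("CN=staff,OU=groups,DC=example,DC=org", Map.of("cn", "staff"));
        Map<String, String> repo = new HashMap<>(Map.of(g.dn(), g.dn()));

        // Default behaviour: name by CN, lookup misses, creation collides.
        System.out.println(sync(g, safeName(g, "cn"), repo));
        // Naming by DN with the naive lookup throws before sync even runs.
        try {
            naiveName(g, "dn");
        } catch (NullPointerException ex) {
            System.out.println("NullPointerException for nameAttribute=dn");
        }
        // Naming by DN with the pseudo-attribute finds the migrated group.
        System.out.println(sync(g, safeName(g, "dn"), repo));
    }
}
```

In this model a failed sync surfaces as a returned status; in the situation the issue describes, the same collision aborts the whole login, so a group-provisioning error becomes an authentication outage for every affected LDAP user.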