New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Not all mapped LDAP groups being updated - LDAP User Import Application #88
Comments
Hello, Mohamed. After some testing and investigating, I have the following observations. The authenticator supports three types of ldap groups and so does the ldap user import app. The second type of groups For example, if we have the following ldap group and users:
It is expected that the daily updater job will create/update both the User1 and the User2. User2 belonging to the TYPE 2 case. And it works as expected. What we could do as an improvement to the application is to also list the organizational units when associating a xwiki group to a ldap entity. I will create an issue in that regard. The third type of groups Now, in the context of the User Import App, I understand that the clients expects that when you associate a XWiki group to a LDAP group i.e. Currently, the User Import App, doesn't give the user the possibility to associate a group with a filter but you can easily do that in the Active Directory administration section, under the advanced configuration. However, if we want to keep the applications separate, it is a good improvement. I will create an issue for this as well. To give a solution to this issue, I added a new configuration property where the admin can specify an attribute (such as memberOf) where the group updating jobs should also look for when resolving user membership to a group. Now, if you associate a xwiki group to a ldap group and specify the memberOf attribute in the configuration, the updater job will look for all the members inside that mappped group but also for all the members that have the value of the attribute equal to the mapped group. |
Thank you for the improvement @trrenty |
We have an issue with the "LDAP User Import" Application (version 1.5.6), the issue is that several mapped LDAP groups are not updated by the "Mapped groups daily updater" Job, the corresponding XWiki groups are empty knowing that the LDAP groups are not empty.
Note that the XWiki LDAP Authenticator supports 3 types of groups :
Based on that I managed to correctly update the empty groups with a workaround, the workaround consists of updating the mapping (on XWiki.XWikiPreferences) of the groups to replace the group DN in the mapping with an LDAP filter (type 3).
Example :
Mapping generated by the LDAP User Import Application
xwiki:XWiki.TestGroup=CN=Employees,OU=Groups,OU=ABC,DC=example,DC=com
Replaced with
xwiki:XWiki.TestGroup=MemberOf=CN=Employees,OU=Groups,OU=ABC,DC=example,DC=com
So, it seems that we are in the situation where the LDAP group do not directly contains its members but it is the users who are associated with the group (via an attribute (ex : memberOf)).
So, for the moment only LDAP static groups (type 1) is supported by the LDAP User Import Application.
The objective of this ticket is to add support for the other group types (2 and 3) on the LDAP User Import application.
The text was updated successfully, but these errors were encountered: