posixgroup and staticattributeisId

Hi,

I followed this doc: http://newjoyzzz.blogspot.fr/2011/04/using-posix-directory-schema-with-nuxeo.html

and so put staticAttributeIsId to true in my conf.

But when I log LDAP queries I get: "Filter: (&(uniqueMember=uid=mylogin,o=people,dc=exemple,dc=fr)(&(objectClass=posixGroup)(cn=*)))"

and I think it should be: uniqueMember=mylogin

Thank you

0 votes

1 answers

871 views

ANSWER



Hi,

Looking at the issue NXP-6430 and the LDAPDirectoryFactory component documentation, the attribute is "staticAttributeIdIsDn" (not "staticAttributeIsId").

The TestLDAPPOSIXSession unit tests are fine, so I'm pretty confident that it's still working. Your issue likely comes from the wrong attribute name (set it to "false").

1 votes



You're right, I've found the same error.

So I modified my conf and now, when I see the LDAP request, I have: "Filter: (&(uniqueMember=uid=mylogin,o=people,dc=exemple,dc=fr)(&(objectClass=posixGroup)(cn=*)))"

It's not the right query.

I tried to remove staticAttributeId="uniqueMember" but after that no LDAPReference is done.

Thank you

06/13/2014

Would you be able to write a reproduction test case in TestLDAPPOSIXSession.java?
06/13/2014

Sorry, I'm a newbie in Java and I don't know how to write a test.

I think the bug is maybe after line 535 of LDAPReference.java:

        if (staticAttributeIdIsDn) {
            filterArgs[0] = targetDn;
        } else {
            filterArgs[0] = targetId;
        }

        String searchBaseDn = sourceDirectory.getConfig().getSearchBaseDn();
        LDAPSession sourceSession = (LDAPSession) sourceDirectory.getSession();
        SearchControls sctls = sourceDirectory.getSearchControls();
        try {
            if (log.isDebugEnabled()) {
                log.debug(String.format(
                        "LDAPReference.getSourceIdsForTarget(%s): LDAP search search base='%s'"
                                + " filter='%s' args='%s' scope='%s' [%s]",
                        targetId, searchBaseDn, filterExpr,
                        StringUtils.join(filterArgs, ", "),
                        sctls.getSearchScope(), this));
            }
            NamingEnumeration<SearchResult> results = sourceSession.dirContext.search(
                    searchBaseDn, filterExpr, filterArgs, sctls);

because in DEBUG, targetId is right but filterArgs is not.

[org.nuxeo.ecm.directory.ldap.LDAPReference] LDAPReference.getSourceIdsForTarget(mylogin): LDAP search search base='dc=exemple,dc=fr' filter='(&(memberUid={0})(&(&(objectClass=posixGroup))(cn=*)))' args='uid=mylogin,o=people,dc=exemple,dc=fr' scope='2' [LDAPReference to resolve field='members' of sourceDirectory='groupLdapDirectory' with targetDirectory='userDirectory' and staticAttributeId='memberUid', dynamicAttributeId='null']

Thanks

06/19/2014
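As an added illustration (not part of this thread and not Nuxeo's own code), the following Python script mirrors the branch quoted above from LDAPReference.getSourceIdsForTarget and reproduces the substitution JNDI performs for the {0} filter argument, including the RFC 4515 escaping that string concatenation would skip. It also parses the DEBUG line quoted above and flags the tell-tale sign of the wrong flag value: a DN passed as the argument for memberUid, which holds bare uids. The source filter, the DEBUG line and the default value of the flag (true) are taken from the comment above; treating "true" as the default is an assumption of this script, not something the thread states.

```python
import re

# Constructed sample: the source-directory filter exactly as it appears in the
# DEBUG line quoted above (group searchFilter combined with the idField wildcard).
SOURCE_FILTER = "(&(&(objectClass=posixGroup))(cn=*))"

# The DEBUG line quoted in the comment above, trimmed to the fields used here.
DEBUG_LINE = (
    "[org.nuxeo.ecm.directory.ldap.LDAPReference] "
    "LDAPReference.getSourceIdsForTarget(mylogin): LDAP search search base='dc=exemple,dc=fr' "
    "filter='(&(memberUid={0})(&(&(objectClass=posixGroup))(cn=*)))' "
    "args='uid=mylogin,o=people,dc=exemple,dc=fr' scope='2'"
)


def ldap_escape(value: str) -> str:
    """Escape a filter assertion value as RFC 4515 requires ('*' becomes \\2a, etc.).

    JNDI applies this escaping to {0}-style filter arguments; building the filter
    by string concatenation instead would turn a login such as '*)(uid=*' into a
    wildcard and let a caller rewrite the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_source_ids_filter(static_attribute_id: str, source_filter: str,
                            target_id: str, target_dn: str,
                            static_attribute_id_is_dn: bool = True) -> str:
    """Mirror the branch quoted from LDAPReference.getSourceIdsForTarget.

    The flag decides which value is substituted for {0}: the entry DN or its
    bare id. posixGroup stores bare uids in memberUid, so the flag must be
    false there. Defaulting to True is an assumption of this script.
    """
    filter_expr = f"(&({static_attribute_id}={{0}}){source_filter})"
    arg = target_dn if static_attribute_id_is_dn else target_id
    return filter_expr.replace("{0}", ldap_escape(arg))


# Crude DN shape: two or more 'attr=value' RDNs joined by commas.
_DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)+$")


def looks_like_dn(value: str) -> bool:
    return bool(_DN_RE.match(value))


def check_debug_line(line: str) -> dict:
    """Spot the misconfiguration from a LDAPReference DEBUG line.

    memberUid holds bare uids, so a DN in args= means the DN branch was taken,
    i.e. staticAttributeIdIsDn did not end up false.
    """
    m = re.search(r"filter='([^']*)' args='([^']*)'", line)
    if not m:
        return {"parsed": False}
    filter_expr, arg = m.group(1), m.group(2)
    attr_match = re.match(r"\(&\((\w+)=\{0\}\)", filter_expr)
    attribute = attr_match.group(1) if attr_match else None
    return {
        "parsed": True,
        "attribute": attribute,
        "arg": arg,
        "dn_arg": looks_like_dn(arg),
        "suspect": attribute is not None
        and attribute.lower() == "memberuid"
        and looks_like_dn(arg),
    }


if __name__ == "__main__":
    dn = "uid=mylogin,o=people,dc=exemple,dc=fr"
    print(build_source_ids_filter("memberUid", SOURCE_FILTER, "mylogin", dn, True))
    print(build_source_ids_filter("memberUid", SOURCE_FILTER, "mylogin", dn, False))
    print(check_debug_line(DEBUG_LINE))
```

With the flag true the script produces the filter shown in the DEBUG line (memberUid compared against the full DN); with the flag false it produces (&(memberUid=mylogin)...), which is the query a posixGroup directory needs.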

Could you share your XML contribution?
06/20/2014

You mean my conf?

  default-ldap-groups-directory-config.xml

  <?xml version="1.0"?>
  <component name="org.nuxeo.ecm.directory.ldap.storage.groups">
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>

  <!-- the groups LDAP directory for users is required to make this bundle work -->
  <require>org.nuxeo.ecm.directory.ldap.storage.users</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="directories">

    <directory name="groupLdapDirectory">

      <!-- Reuse the default server configuration defined for userDirectory -->
      <server>default</server>

      <schema>group</schema>
      <idField>groupname</idField>

      <searchBaseDn>dc=exemple,dc=fr</searchBaseDn>
      <searchFilter>
        (objectClass=posixGroup)
      </searchFilter>
      <searchScope>subtree</searchScope>

      <readOnly>true</readOnly>

      <!-- comment <cache* /> tags to disable the cache -->
      <!-- cache timeout in seconds -->
      <cacheTimeout>3600</cacheTimeout>

      <!-- maximum number of cached entries before global invalidation -->
      <cacheMaxSize>1000</cacheMaxSize>

      <creationBaseDn>ou=groups,dc=example,dc=com</creationBaseDn>
      <creationClass>top</creationClass>
      <creationClass>groupOfUniqueNames</creationClass>

      <!-- Maximum number of entries returned by the search -->
      <querySizeLimit>200</querySizeLimit>

      <!-- Time to wait for a search to finish. 0 to wait indefinitely -->
      <queryTimeLimit>0</queryTimeLimit>

      <rdnAttribute>cn</rdnAttribute>
      <fieldMapping name="groupname">cn</fieldMapping>
      <!-- Add another field to map a real group label
      <fieldMapping name="grouplabel">sn</fieldMapping>
      -->

      <references>


        <!-- LDAP reference resolve DNs embedded in uniqueMember attributes

          If the target directory has no specific filtering policy, it is most
          of the time not necessary to enable the 'forceDnConsistencyCheck' policy.

          Enabling this option will fetch each reference entry to ensure its
          existence in the target directory.
        -->

        <ldapReference field="members" directory="userDirectory"
          forceDnConsistencyCheck="false"  staticAttributeId="memberUid"
          staticAttributeIsDn="false" />

        <ldapReference field="subGroups" directory="groupLdapDirectory"
          forceDnConsistencyCheck="false" staticAttributeId="memberUid"
          staticAttributeIsDn="false" />

        <inverseReference field="parentGroups" directory="groupLdapDirectory"
          dualReferenceField="subGroups" />

        <!-- LDAP tree reference resolves children following the ldap tree
          structure.

          Available scopes are "onelevel" (default), "subtree". Children with
          same id than parent will be filtered.

          Enabling this option will fetch each reference entry to ensure its
          existence in the target directory.

          WARNING: Edit is NOT IMPLEMENTED: modifications to this field will be
          ignored when saving the entry.
        -->
        <ldapTreeReference field="directChildren" directory="unitDirectory"
          scope="onelevel" />
        <ldapTreeReference field="children" directory="unitDirectory"
          scope="subtree" />

      </references>

    </directory>

  </extension>

</component>

And

default-ldap-users-directory-config.xml
<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.users">

  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>

  <!-- the groups SQL directories are required to make this bundle work -->
  <require>org.nuxeo.ecm.directory.sql.storage</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="servers">

    <!-- Configuration of a server connection
      A single server declaration can point to a cluster of replicated
      servers (using OpenLDAP's slapd + slurpd for instance). To leverage
      such a cluster and improve availability, please provide one
      <ldapUrl/> tag for each replica of the cluster.
    -->
    <server name="default">
      <ldapUrl>ldap://ldap:389</ldapUrl>
      <!-- Optional servers from the same cluster for failover
        and load balancing:

        <ldapUrl>ldap://server2:389</ldapUrl>
        <ldapUrl>ldaps://server3:389</ldapUrl>

        "ldaps" means TLS/SSL connection.
      -->

      <!-- Credentials used by Nuxeo5 to browse the directory, create
        and modify entries.

        Only the authentication of users (bind) use the credentials entered
        through the login form if any.
      -->
      <bindDn>secret</bindDn>
      <bindPassword>secret</bindPassword>
    </server>
  </extension>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
    point="directories">
    <directory name="userDirectory">
      <server>default</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>

      <searchBaseDn>o=People,dc=exemple,dc=fr</searchBaseDn>
      <searchClass>person</searchClass>
      <!-- To additionally restrict entries you can add an
        arbitrary search filter such as the following:

        <searchFilter>(&(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>

        Beware that "&" is written "&amp;" in XML.
      -->

      <!-- use subtree if the people branch is nested -->
      <searchScope>onelevel</searchScope>

      <!-- using 'subany', search will match *toto*. use 'subfinal' to
        match *toto and 'subinitial' to match toto*. subinitial is the
        default behaviour -->
      <substringMatchType>subany</substringMatchType>

      <readOnly>true</readOnly>

      <!-- comment <cache* /> tags to disable the cache -->
      <!-- cache timeout in seconds -->
      <cacheTimeout>3600</cacheTimeout>

      <!-- maximum number of cached entries before global invalidation -->
      <cacheMaxSize>1000</cacheMaxSize>

      <!--
           If the id field is not returned by the search, we set it with the searched entry, probably the login.
           Before setting it, you can change its case. Accepted values are 'lower' and 'upper',
           anything else will not change the case.
      -->
      <missingIdFieldCase>lower</missingIdFieldCase>

      <!-- Maximum number of entries returned by the search -->
      <querySizeLimit>200</querySizeLimit>

      <!-- Time to wait for a search to finish. 0 to wait indefinitely -->
      <queryTimeLimit>0</queryTimeLimit>

      <creationBaseDn>ou=people,dc=example,dc=com</creationBaseDn>
      <creationClass>top</creationClass>
      <creationClass>person</creationClass>
      <creationClass>organizationalPerson</creationClass>
      <creationClass>inetOrgPerson</creationClass>

      <rdnAttribute>uid</rdnAttribute>
      <fieldMapping name="username">uid</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="company">o</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>

      <references>
        <inverseReference field="groups" directory="groupLdapDirectory"
          dualReferenceField="members" />
      </references>
    </directory>
  </extension>

  <extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
    <userManager>
      <defaultAdministratorId>admin1</defaultAdministratorId>
      <defaultAdministratorId>admin2</defaultAdministratorId>
      <defaultGroup>members</defaultGroup>
    </userManager>
  </extension>
</component>
06/24/2014
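Added note and corrected fragment (not part of the thread, not a Nuxeo-provided file): the groups config posted above spells the attribute staticAttributeIsDn, which is neither the name the answer gives nor the field name in the LDAPReference.java excerpt (staticAttributeIdIsDn). An attribute the descriptor does not know is simply not applied, so the flag keeps its default, and the DEBUG line above confirms the DN branch is still taken. The references block below uses the attribute name from the answer; everything else is copied from the posted config, and the posixGroup/memberUid semantics in the comments are standard LDAP, not something this thread verifies.

```xml
<references>

  <!-- posixGroup stores bare logins (uid values) in memberUid, not DNs.
       The attribute name is staticAttributeIdIsDn (see the answer above and
       the field in LDAPReference.java); with it set to false Nuxeo searches
       (&(memberUid=mylogin)(objectClass=posixGroup)...) instead of
       (&(memberUid=uid=mylogin,o=people,dc=exemple,dc=fr)...). -->
  <ldapReference field="members" directory="userDirectory"
    forceDnConsistencyCheck="false" staticAttributeId="memberUid"
    staticAttributeIdIsDn="false" />

  <!-- Nested groups through memberUid only resolve if the value stored
       there is another group's id (its cn, the groupname field here). -->
  <ldapReference field="subGroups" directory="groupLdapDirectory"
    forceDnConsistencyCheck="false" staticAttributeId="memberUid"
    staticAttributeIdIsDn="false" />

  <inverseReference field="parentGroups" directory="groupLdapDirectory"
    dualReferenceField="subGroups" />

</references>
```

This pairs with the users directory posted above, whose idField username is mapped to uid: the value Nuxeo puts into {0} is then exactly the uid that memberUid holds. After restarting, the LDAPReference DEBUG line should show args='mylogin' rather than a DN.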