Members can't see documents
Hi!
I have a problem with permissions. While the Members group should read all domains and documents, I see information that I can't see any content (logged in as a user from the members group). I tried to change it in the permissions settings, but re-giving permissions for the members group or any user isn't working. I'm using an Oracle database.
We also face the same issue while preparing our migration from Nuxeo 5.8 to Nuxeo LTS2015.
With Nuxeo server in DEBUG mode we notice these log entries while accessing the “Permissions” tab:
2017-01-23 11:15:01,305 DEBUG [http-bio-0.0.0.0-8856-exec-21] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(members, true): LDAP search base='ou=grouper,dc=univ-rennes1,dc=fr' filter='(&(cn={0})(&(&(objectClass=groupOfNames))(cn=*)))' args='members' scope='1' [LDAPSession '-3831897279493570335' for directory ldapGroupDirectory]
2017-01-23 11:15:01,371 WARN [http-bio-0.0.0.0-8856-exec-21] [org.nuxeo.ecm.directory.ldap.LDAPSession] The application should not query for entries with an empty id => return no results
If I understand it correctly, the Nuxeo server is not able to load ACEs referring to the “members” group; while Nuxeo 5.8 was behaving well with them.
I noticed the reference to defaultGroup in the Nuxeo documentation https://doc.nuxeo.com/nxdoc/using-a-ldap-directory/ and tried changing our default-ldap-users-directory-bundle.xml as follows, but we still face the same issue:
...
<extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">
  <userManager>
    <userCacheName>default-cache</userCacheName>
    <defaultAdministratorId>p-salaun</defaultAdministratorId>
    <defaultGroup>members</defaultGroup>
    <users>
      <directory>ldapUserDirectory</directory>
      <virtualUser id="MyAdministrator" searchable="false">
        <password>secret</password>
        <property name="firstName"></property>
        <property name="lastName"></property>
        <group>administrators</group>
      </virtualUser>
      <anonymousUser id="Anonyme">
        <property name="firstName">Invite</property>
        <property name="lastName">Utilisateur</property>
      </anonymousUser>
    </users>
    <groups>
      <directory>ldapGroupDirectory</directory>
    </groups>
  </userManager>
</extension>
Any feedback from the Nuxeo team on this? Anyone found a workaround?
Thanks for your answer,
Did you define the group members in your LDAP? If not, in my case, this group doesn't exist in the application. If defined, each time the permissions are checked, the answer of the LDAP takes too long a time and I have to reload the page in my browser (timeout).
I never had this problem with previous versions (5.6, 5.8, 6.0); the members group was not defined in our LDAP.
Vincent
Administrators group - Manage everything
Prior to the latest update this was enough for all LDAP users to see all content the Members group had access to. What happened in LTS 2015 is that "Permissions Inherited from Upper Levels" is blocked by default on my installation and I have to unblock it manually in order for my member group users to see the internally public content again.
Logs at startup:
2016-01-26 15:53:07,668 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.BaseSession] Can't get current user to check directory permission. EVERYTHING is allowed by default
2016-01-26 15:53:07,669 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(members, true): LDAP search base='ou=groupes-dynamiques,ou=Applications,dc=meteo,dc=fr' filter='(&(cn={0})(&(&(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs)))(cn=)))' args='members' scope='2' [LDAPSession '9125266273620459558' for directory ldapGroupDirectory]
2016-01-26 15:53:07,674 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: members
2016-01-26 15:53:07,675 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.BaseSession] Can't get current user to check directory permission. EVERYTHING is allowed by default
2016-01-26 15:53:07,675 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(administrators, true): LDAP search base='ou=groupes-dynamiques,ou=Applications,dc=meteo,dc=fr' filter='(&(cn={0})(&(&(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs)))(cn=)))' args='administrators' scope='2' [LDAPSession '9125266303685230631' for directory ldapGroupDirectory]
2016-01-26 15:53:07,676 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: administrators
Vincent
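An added example (not part of any post in this thread, and not Nuxeo code): a Python script that pairs each LDAPSession.getLdapEntry search with a following "Entry not found" on the same thread, listing the ids the server asked for but the LDAP directory could not resolve. The sample log is constructed (made-up base DN, thread names and "staff" group), and reading the scope number as a JNDI SearchControls value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the DEBUG lines quoted in this thread
# (base DN, thread names and the "staff" group are made up).
SAMPLE_LOG = """\
2016-01-26 15:53:07,669 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(members, true): LDAP search base='ou=groups,dc=example,dc=org' filter='(&(cn={0})(objectClass=groupOfNames))' args='members' scope='2' [LDAPSession '1' for directory ldapGroupDirectory]
2016-01-26 15:53:07,674 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: members
2016-01-26 15:53:07,675 DEBUG [exec-9] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(staff, true): LDAP search base='ou=groups,dc=example,dc=org' filter='(&(cn={0})(objectClass=groupOfNames))' args='staff' scope='2' [LDAPSession '2' for directory ldapGroupDirectory]
2016-01-26 15:53:07,676 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(administrators, true): LDAP search base='ou=groups,dc=example,dc=org' filter='(&(cn={0})(objectClass=groupOfNames))' args='administrators' scope='1' [LDAPSession '3' for directory ldapGroupDirectory]
2016-01-26 15:53:07,677 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: administrators
"""

LINE = re.compile(r"^\S+ \S+ \w+\s+\[(?P<thread>[^\]]+)\] \[(?P<logger>[^\]]+)\] (?P<msg>.*)$")
SEARCH = re.compile(
    r"LDAPSession\.getLdapEntry\((?P<id>[^,]*), \w+\): LDAP search base='(?P<base>[^']*)' "
    r"filter='(?P<filter>[^']*)' args='[^']*' scope='(?P<scope>\d)'.*for directory (?P<dir>\w+)\]")
MISS = re.compile(r"Entry not found: (?P<id>.+)")
# Assumption: the logged scope is the JNDI SearchControls constant.
SCOPES = {"0": "object", "1": "onelevel", "2": "subtree"}


def missing_entries(log_text):
    """Map directory -> {entry id: (search base, scope)} for lookups LDAP could not resolve."""
    pending = {}                 # thread name -> last search logged on that thread
    missing = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or not m["logger"].endswith("LDAPSession"):
            continue             # e.g. BaseSession lines interleaved on the same thread
        search = SEARCH.search(m["msg"])
        if search:
            pending[m["thread"]] = search
            continue
        miss = MISS.match(m["msg"])
        prev = pending.get(m["thread"])
        if miss and prev and prev["id"] == miss["id"].strip():
            scope = SCOPES.get(prev["scope"], prev["scope"])
            missing[prev["dir"]][prev["id"]] = (prev["base"], scope)
            del pending[m["thread"]]
    return dict(missing)


if __name__ == "__main__":
    for directory, entries in missing_entries(SAMPLE_LOG).items():
        for entry_id, (base, scope) in entries.items():
            print(f"{directory}: '{entry_id}' not found under {base} (scope={scope})")
```

Any id it reports for ldapGroupDirectory is a group the server looked up and LDAP did not return, together with the search base and scope that were used.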
Hi,
I have the same issues using LDAP: the permission behavior changed in the 2015 LTS. Now it is not enough for the Members group to have read and version rights by inheritance on the root node to see items (default setup). I had to add the members group locally on the root and other nodes too to make it work.
Stefan
Hi,
I have the same problem. The content is only available for the administrators guys. And nobody else is able to see content. I migrated from version 5.6 to the latest LTS. Everything was working fine with the previous versions (5.6, 5.8, 6.0). In my case I had some problems linking Nuxeo (version 7.10) with our LDAP. (https://answers.nuxeo.com/general/q/f9dec9b209044181a59831014f6aefa3/Nuxeo-7-10-ldap-authentication)