Active directory + multiple group_mapping = strange behaviour

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Active directory + multiple group_mapping = strange behaviour

couak couak
Hi,

I'm using XWiki Enterprise v1.7 under Windows 2003 and Oracle Database
I set up 2 AD groups that map to the same XWiki group :
xwiki.authentication.ldap.group_mapping=XWiki.MyXWikiGroup=cn=ADGroup1,ou=Site,dc=company,dc=comI\
XWiki.MyGroup=cn=ADGroup2,ou=Site,dc=company,dc=com

Users that belong to MyXWikiGroup are able to EDIT a space, all others can't.

As long as a user from ADGroup2 is logged and visit the space, user's
permissions can't stop swapping from "able to edit" and "not able to
edit" the space.
I took a look on the group changes history and it seems that a change
is performed 10 times a minute. After one hour of connection the
history reached the version number 700+

I search through the mailing-list archives but I didn't see any things similar.
Any ideas ?

David
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Active directory + multiple group_mapping = strange behaviour

Thomas Mortagne
Administrator
Hi,

On Mon, Dec 15, 2008 at 9:10 PM, couak couak <[hidden email]> wrote:

> Hi,
>
> I'm using XWiki Enterprise v1.7 under Windows 2003 and Oracle Database
> I set up 2 AD groups that map to the same XWiki group :
> xwiki.authentication.ldap.group_mapping=XWiki.MyXWikiGroup=cn=ADGroup1,ou=Site,dc=company,dc=comI\
> XWiki.MyGroup=cn=ADGroup2,ou=Site,dc=company,dc=com
>
> Users that belong to MyXWikiGroup are able to EDIT a space, all others can't.
>
> As long as a user from ADGroup2 is logged and visit the space, user's
> permissions can't stop swapping from "able to edit" and "not able to
> edit" the space.
> I took a look on the group changes history and it seems that a change
> is performed 10 times a minute. After one hour of connection the
> history reached the version number 700+
>
> I search through the mailing-list archives but I didn't see any things similar.
> Any ideas ?

I think it's a bug in the way membership is managed when two different
LDAP groups is synchronised with same XWiki group.

I take a look.

>
> David
> _______________________________________________
> users mailing list
> [hidden email]
> http://lists.xwiki.org/mailman/listinfo/users
>



--
Thomas Mortagne
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Active directory + multiple group_mapping = strange behaviour

Thomas Mortagne
Administrator
On Tue, Dec 16, 2008 at 2:49 PM, Thomas Mortagne
<[hidden email]> wrote:

> Hi,
>
> On Mon, Dec 15, 2008 at 9:10 PM, couak couak <[hidden email]> wrote:
>> Hi,
>>
>> I'm using XWiki Enterprise v1.7 under Windows 2003 and Oracle Database
>> I set up 2 AD groups that map to the same XWiki group :
>> xwiki.authentication.ldap.group_mapping=XWiki.MyXWikiGroup=cn=ADGroup1,ou=Site,dc=company,dc=comI\
>> XWiki.MyGroup=cn=ADGroup2,ou=Site,dc=company,dc=com
>>
>> Users that belong to MyXWikiGroup are able to EDIT a space, all others can't.
>>
>> As long as a user from ADGroup2 is logged and visit the space, user's
>> permissions can't stop swapping from "able to edit" and "not able to
>> edit" the space.
>> I took a look on the group changes history and it seems that a change
>> is performed 10 times a minute. After one hour of connection the
>> history reached the version number 700+
>>
>> I search through the mailing-list archives but I didn't see any things similar.
>> Any ideas ?
>
> I think it's a bug in the way membership is managed when two different
> LDAP groups is synchronised with same XWiki group.

See http://jira.xwiki.org/jira/browse/XWIKI-2988

We are working on it, it will be fixed for 1.7.1

>
> I take a look.
>
>>
>> David
>> _______________________________________________
>> users mailing list
>> [hidden email]
>> http://lists.xwiki.org/mailman/listinfo/users
>>
>
>
>
> --
> Thomas Mortagne
>



--
Thomas Mortagne
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Active directory + multiple group_mapping = strange behaviour

Stefan Woehrer
In reply to this post by couak couak

We have created an extra set of active directory groups that are linked 1 to 1 to xwiki groups.
The active directory groups contain all users (or other groups, of course) that need to be mapped to a specific group in xwiki.
The advantage is, that user/group administration can completely be done in active directory. Once set up, you never ever have to touch the xwiki user administration tool or the xwiki.cfg any more (at least in terms of user management ;-) ).

This can be a workaround for your problem too if you need to get it running before 1.7.1.


steve

Reply | Threaded
Open this post in threaded view
|

Re: Active directory + multiple group_mapping = strange behaviour

Thomas Mortagne
Administrator
On Wed, Dec 17, 2008 at 2:30 PM, Stefan Woehrer <[hidden email]> wrote:

>
>
> We have created an extra set of active directory groups that are linked 1 to
> 1 to xwiki groups.
> The active directory groups contain all users (or other groups, of course)
> that need to be mapped to a specific group in xwiki.
> The advantage is, that user/group administration can completely be done in
> active directory. Once set up, you never ever have to touch the xwiki user
> administration tool or the xwiki.cfg any more (at least in terms of user
> management ;-) ).
>
> This can be a workaround for your problem too if you need to get it running
> before 1.7.1.
>

And by the way if you can't wait for 1.7.1 the fix is already packaged
in the last 1.7 snapshot version at
http://maven.xwiki.org/snapshots/com/xpn/xwiki/platform/xwiki-core/1.7-SNAPSHOT/.
I forgot to indicate this.

>
> steve
>
>
> --
> View this message in context: http://n2.nabble.com/Active-directory-%2B-multiple-group_mapping-%3D-strange-behaviour-tp1659781p1667866.html
> Sent from the XWiki- Users mailing list archive at Nabble.com.
>
> _______________________________________________
> users mailing list
> [hidden email]
> http://lists.xwiki.org/mailman/listinfo/users
>



--
Thomas Mortagne
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Active directory + multiple group_mapping = strange behaviour

couak couak
thanks

david

On Wed, Dec 17, 2008 at 2:41 PM, Thomas Mortagne
<[hidden email]> wrote:

> On Wed, Dec 17, 2008 at 2:30 PM, Stefan Woehrer <[hidden email]> wrote:
>>
>>
>> We have created an extra set of active directory groups that are linked 1 to
>> 1 to xwiki groups.
>> The active directory groups contain all users (or other groups, of course)
>> that need to be mapped to a specific group in xwiki.
>> The advantage is, that user/group administration can completely be done in
>> active directory. Once set up, you never ever have to touch the xwiki user
>> administration tool or the xwiki.cfg any more (at least in terms of user
>> management ;-) ).
>>
>> This can be a workaround for your problem too if you need to get it running
>> before 1.7.1.
>>
>
> And by the way if you can't wait for 1.7.1 the fix is already packaged
> in the last 1.7 snapshot version at
> http://maven.xwiki.org/snapshots/com/xpn/xwiki/platform/xwiki-core/1.7-SNAPSHOT/.
> I forgot to indicate this.
>
>>
>> steve
>>
>>
>> --
>> View this message in context: http://n2.nabble.com/Active-directory-%2B-multiple-group_mapping-%3D-strange-behaviour-tp1659781p1667866.html
>> Sent from the XWiki- Users mailing list archive at Nabble.com.
>>
>> _______________________________________________
>> users mailing list
>> [hidden email]
>> http://lists.xwiki.org/mailman/listinfo/users
>>
>
>
>
> --
> Thomas Mortagne
> _______________________________________________
> users mailing list
> [hidden email]
> http://lists.xwiki.org/mailman/listinfo/users
>
_______________________________________________
users mailing list
[hidden email]
http://lists.xwiki.org/mailman/listinfo/users