[gatein-issues] [JBoss JIRA] (GTNPORTAL-3493) Membership just added, disappears

Marek Posolda (JIRA) issues at jboss.org
Mon Jun 2 06:03:16 EDT 2014


    [ https://issues.jboss.org/browse/GTNPORTAL-3493?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12972292#comment-12972292 ] 

Marek Posolda commented on GTNPORTAL-3493:
------------------------------------------

The comment is correct as it is. Parameter "ignoreMappedMembershipTypeGroupList" should really be used just for RW LDAP, and it should contain just the groups which are mapped to LDAP.

In MembershipDAOImpl.linkMemberships there are 2 important method calls to IDM:
- getIdentitySession().getRelationshipManager().associateUserByKeys(groupId, user.getUserName()); which is usable for the RW LDAP scenario to create the memberships in LDAP. It's only useful when these conditions are met:
- You want to create membership with membershipType "member"
- You have target group mapped as LDAP group
- You have RW LDAP (not read-only LDAP, because in read-only LDAP you want your memberships to be stored in DB and not in LDAP)

- getIdentitySession().getRoleManager().createRole(mt.getName(), user.getUserName(), groupId); -- this is used to create membership in database.

Parameter "ignoreMappedMembershipTypeGroupList" is useful just for the RW LDAP scenario, because if you have RW LDAP and you don't use the "ignoreMappedMembershipTypeGroupList" parameter, then GateIn will invoke both methods mentioned above and create the membership in both the LDAP server and the DB, which would mean that the membership is created 2 times.


In your unit test, you are using read-only LDAP, so you shouldn't map anything to "ignoreMappedMembershipTypeGroupList" and should keep it empty. Instead, you are mapping it to "/*", which is incorrect (note that even if you use RW LDAP, you should map just those groups mapped to LDAP, but not the whole tree like /* ). When I commented out the mapping like this in your TestMembership-configuration.xml file:
{code}
					<field name="ignoreMappedMembershipTypeGroupList">
						<collection type="java.util.ArrayList" item-type="java.lang.String">
							<!--<value>
								<string>/*</string>
							</value>-->
						</collection>
					</field>
{code}
I get the correct result. The membership is correctly created and the test passes.
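To make the four configurations discussed above concrete, here is an added model (constructed for this page, not GateIn's or PicketLink IDM's own code) of the two linkMemberships decisions: whether associateUserByKeys stores the membership in LDAP and whether createRole stores it in the DB. Group patterns such as "/*" are assumed to match a group and its whole subtree, and the field names are this model's, not the real configuration keys.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass
class IdmConfig:
    """Constructed model of the relevant idm-configuration.xml options."""
    ldap_read_only: bool
    association_membership_type: str = "member"  # type stored as IDM association
    ldap_groups: tuple = ()            # groups mapped to LDAP (groupTypeMappings)
    ignore_mapped_groups: tuple = ()   # ignoreMappedMembershipTypeGroupList


def group_in_list(group_id, patterns):
    """Assumed pattern semantics: '/*' style patterns cover the whole subtree."""
    return any(fnmatchcase(group_id, p) for p in patterns)


def link_membership(cfg, membership_type, group_id):
    """Return the set of stores the membership ends up in: 'ldap' and/or 'db'."""
    stores = set()
    # associateUserByKeys: only creates anything for RW LDAP, the association
    # membership type, and a target group that is mapped to LDAP.
    if (membership_type == cfg.association_membership_type
            and group_in_list(group_id, cfg.ldap_groups)
            and not cfg.ldap_read_only):
        stores.add("ldap")
    # createRole: DB membership, skipped only when the membership type is the
    # association type and the group is on the ignore list.
    if not (membership_type == cfg.association_membership_type
            and group_in_list(group_id, cfg.ignore_mapped_groups)):
        stores.add("db")
    return stores


def diagnose(stores):
    """Classify the outcome the way the thread describes it."""
    if not stores:
        return "disappears"      # neither LDAP nor DB holds it
    if len(stores) == 2:
        return "duplicated"      # stored in both LDAP and DB
    return "ok"


if __name__ == "__main__":
    ldap = ("/platform/*",)  # constructed sample group mapping
    for ro, ignore in ((True, ("/*",)), (True, ()), (False, ()), (False, ldap)):
        cfg = IdmConfig(ro, ldap_groups=ldap, ignore_mapped_groups=ignore)
        print(ro, ignore, diagnose(link_membership(cfg, "member", "/platform/users")))
```

The first configuration reproduces the reported symptom with read-only LDAP and "/*" on the ignore list, the third shows the double creation for RW LDAP with an empty list, and the second and fourth are the recommended settings.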

> Membership just added, disappears
> ---------------------------------
>
>                 Key: GTNPORTAL-3493
>                 URL: https://issues.jboss.org/browse/GTNPORTAL-3493
>             Project: GateIn Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 3.5.9.Final
>            Reporter: Boubaker Khanfir
>         Attachments: plidm-ldap-membership-disappear.zip
>
>
> I attach a new unit test for a bug that we met in GateIn 3.5 (PL IDM 1.4.4).
> This one shows how we can add a membership and, just after that, it disappears.
> In this file [idm-configuration.xml|https://github.com/gatein/gatein-portal/blob/3.5.x/web/portal/src/main/webapp/WEB-INF/conf/organization/idm-configuration.xml], the comment:
> {quote}
>           <!-- if "associationMembershipType" option is used and this option is set to true
>                 then Membership with MembershipType configured to be stored as PicketLink IDM association
>                 will not be stored as PicketLink IDM Role in case that they are in groups from this parameter.
>                 For RW LDAP setup, it's recommended to map all groups mapped to LDAP (all those from parameter groupTypeMappings)
>                 However for DB only and/or Read-only LDAP, it's recommended to not map anything here -->
> {quote}
> is not good and has to be like this:
> {quote}
>           <!-- if "associationMembershipType" option is used and this option is set to true
>                 then Membership with MembershipType configured to be stored as PicketLink IDM association
>                 will not be stored as PicketLink IDM Role in case that they are in groups from this parameter.
>                 For LDAP setup, it's recommended to map all groups mapped to LDAP (all those from parameter groupTypeMappings)
>                 However for DB only, it's recommended to not map anything here -->
> {quote}
> What changes in this comment?
> LDAP RW or read-only has to get the same behavior using this parameter, and we should map all LDAP groups in "ignoreMappedMembershipTypeGroupList".
> I think it's better to force/compute this parameter in OrganizationService instead of giving the ability to do it manually. The other solution is to modify OrganizationService Impl to deal with such a use case but I prefer the first choice.



--
This message was sent by Atlassian JIRA
(v6.2.3#6260)