Trouble with ldap dynamic groups

Hi all, we still use Nuxeo 5.6 connected to an LDAP. The LDAP manages users and groups (static and dynamic groups). Everything works as expected. We are trying to upgrade to the latest Nuxeo platform LTS version, 7.10. I upgraded our 5.6 installation to 5.8, then 6.0, following the excellent Nuxeo documentation. Everything worked as expected.

Our problems started when upgrading from version 6.0 to 7.10. Once the upgrade was done (still following the documentation), it was just impossible to log in to the platform (https://answers.nuxeo.com/general/q/f9dec9b209044181a59831014f6aefa3/Nuxeo-7-10-ldap-authentication ). I managed to log in by modifying the default-ldap-users-directory-bundle.xml file, but I never succeeded in seeing static or dynamic groups once connected. In addition, I encountered some problems with permissions on folders or files.

After installing the 8.x version and using the default-ldap-users-directory-bundle.xml that never worked with 7.10 (the same as in the documentation provided by Nuxeo), things started working again: log in, user permissions, static groups and, partially, dynamic groups. But there is still a problem: I am able to see these dynamic groups as well as the users of these groups, but not the reverse: the groups they belong to are not displayed, except for groups built using the filter on the username field mapping name. In my case:

<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="username">mail</fieldMapping>

Dynamic group LDAP memberURL value:

ldap:///ou=XXXX,ou=people,dc=yyy,dc=fr?cn?sub?(mail=*)

All groups built on this model are displayed. All others are not, for example (not working):

ldap:///ou=XXX,ou=people,dc=yyy,dc=fr??sub?(supannCondition= myCondition)

Logs :

2016-06-22 09:21:31,640 DEBUG [ajp-bio-0.0.0.0-8009-exec-10] [org.nuxeo.ecm.directory.ldap.LDAPReference] LDAPReference.getSourceIdsForTarget(my.user@organisation.fr): LDAP search search base='ou=groupes-dynamiques,ou=Applications,dc=institution,dc=fr' filter='(&(member={0})(&(&(|(objectClass=groupOfNames)(objectClass=groupOfURLs)))(cn=*)))' args='cn=My User,ou=organization,ou=people,dc=institution,dc=fr' scope='2' [LDAPReference to resolve field='members' of sourceDirectory='ldapGroupDirectory' with targetDirectory='ldapUserDirectory' and staticAttributeId='member', dynamicAttributeId='memberURL'].

To sum up: LDAP dynamic groups stopped working after version 6.0. Is Nuxeo now expecting an LDAP configuration we don't have (we use the dynlit contribution)? In that case, do you have recommendations to make LDAP-Nuxeo fully functional? Or is there a way to specify other kinds of filters in our XML configuration file, and in that case, how?

Thanks a lot for your answers,

Best regards

Vincent

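To check, independently of Nuxeo, which dynamic groups an entry should resolve to, the sketch below parses memberURL values of the two shapes quoted in the question and evaluates each one against a user entry. It is an added example, not part of the original post and not Nuxeo's code; the DNs, group names and attribute values are constructed, and only single `(attr=value)` filters are handled.

```python
import re
from urllib.parse import unquote

def norm_dn(dn):
    # Simplified: lowercase, no spaces around commas; escaped commas not handled.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter and apply RFC 4516 defaults."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError(f"unsupported memberURL: {url!r}")
    base, *rest = url[len("ldap:///"):].split("?")
    _attrs, scope, flt = (rest + ["", "", ""])[:3]
    return norm_dn(unquote(base)), (scope or "base").lower(), unquote(flt) or "(objectClass=*)"

def in_scope(dn, base, scope):
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    # "base" compares the entry itself, anything else is treated as "one" (direct child).
    return (dn if scope == "base" else dn.partition(",")[2]) == base

def matches(flt, attrs):
    """Evaluate a single (attr=value) item; '*' means presence or wildcard."""
    m = re.fullmatch(r"\(([\w;.-]+)=([^()]*)\)", flt)
    if not m:
        raise NotImplementedError(f"compound filter not supported: {flt!r}")
    values = {k.lower(): v for k, v in attrs.items()}.get(m.group(1).lower(), [])
    rx = re.compile(".*".join(map(re.escape, m.group(2).split("*"))), re.I)
    return any(rx.fullmatch(v) for v in values)

def dynamic_groups_for(user_dn, attrs, groups):
    """Names of the groups whose memberURL search would return this entry."""
    dn, found = norm_dn(user_dn), []
    for name, url in groups.items():
        base, scope, flt = parse_member_url(url)
        if in_scope(dn, base, scope) and matches(flt, attrs):
            found.append(name)
    return found

# Constructed sample data, modelled on the two memberURL shapes in the question.
GROUPS = {
    "cn=all-mail": "ldap:///ou=staff,ou=people,dc=example,dc=org?cn?sub?(mail=*)",
    "cn=by-condition": "ldap:///ou=staff,ou=people,dc=example,dc=org??sub?(supannCondition=myCondition)",
    "cn=other-branch": "ldap:///ou=students,ou=people,dc=example,dc=org??sub?(mail=*)",
}
USER_DN = "cn=My User, ou=staff, ou=people, dc=example, dc=org"
USER_ATTRS = {"mail": ["my.user@example.org"], "supannCondition": ["myCondition"]}
if __name__ == "__main__":
    print(dynamic_groups_for(USER_DN, USER_ATTRS, GROUPS))
```

Comparing this expected list with what the application displays for the same user shows whether the missing groups come from the directory data or from how the reverse lookup is performed.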