Members can't see documents

Hi!

I have a problem with permissions. While the Members group should be able to read all domains and documents, I see a message that I can't see any content (logged in as a user from the members group). I tried to change it in the permissions settings, but re-giving permissions to the members group or to any user isn't working. I'm using an Oracle database.

0 votes

4 answers

3113 views


We also face the same issue while preparing our migration from Nuxeo 5.8 to Nuxeo LTS2015.

With the Nuxeo server in DEBUG mode, we notice these log entries while accessing the “Permissions” tab:

2017-01-23 11:15:01,305 DEBUG [http-bio-0.0.0.0-8856-exec-21] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(members, true): LDAP search base='ou=grouper,dc=univ-rennes1,dc=fr' filter='(&(cn={0})(&(&(objectClass=groupOfNames))(cn=*)))'  args='members' scope='1' [LDAPSession '-3831897279493570335' for directory ldapGroupDirectory]
2017-01-23 11:15:01,371 WARN  [http-bio-0.0.0.0-8856-exec-21] [org.nuxeo.ecm.directory.ldap.LDAPSession] The application should not query for entries with an empty id => return no results

If I understand it correctly, the Nuxeo server is not able to load ACEs referring to the “members” group; while Nuxeo 5.8 was behaving well with them.

I noticed the reference to defaultGroup in the Nuxeo documentation https://doc.nuxeo.com/nxdoc/using-a-ldap-directory/ and tried changing our default-ldap-users-directory-bundle.xml as follows, but we still face the same issue:

...
  <extension target="org.nuxeo.ecm.platform.usermanager.UserService" point="userManager">

    <userManager>
      <userCacheName>default-cache</userCacheName>
      <defaultAdministratorId>p-salaun</defaultAdministratorId>
      <defaultGroup>members</defaultGroup>
      <users>
        <directory>ldapUserDirectory</directory>
        <virtualUser id="MyAdministrator" searchable="false">
          <password>secret</password>
          <property name="firstName"></property>
          <property name="lastName"></property>
          <group>administrators</group>
        </virtualUser>
        <anonymousUser id="Anonyme">
          <property name="firstName">Invite</property>
          <property name="lastName">Utilisateur</property>
        </anonymousUser>
      </users>
      <groups>
        <directory>ldapGroupDirectory</directory>
      </groups>
    </userManager>
  </extension>
...

Any feedback from the Nuxeo team on this? Anyone found a workaround?

0 votes



Eventually we found a way to fix the issue: switching to the multidirectory mode seems to fix the problem. The multidirectory documentation: https://doc.nuxeo.com/nxdoc/how-to-configure-a-multidirectory-for-users-and-groups/
02/08/2017


Thanks for your answer,

Did you define the members group in your LDAP? If not, in my case, this group doesn't exist in the application. If it is defined, each time the permissions are checked the answer from the LDAP takes too long, and I have to reload the page in my browser (time out).

I never had this problem with previous versions (5.6, 5.8, 6.0); the members group was not defined in our LDAP.

Vincent

0 votes



We don't have the members group defined in LDAP - it's only there in Nuxeo by default. And by default, the following permissions are set on the root node:

Administrator - Manage everything
Members group - Read, Version
Administrators group - Manage everything

Prior to the latest update this was enough for all LDAP users to see all content the Members group had access to. What happened in LTS 2015 is that "Permissions Inherited from Upper Levels" is blocked by default on my installation and I have to unblock it manually in order for my member group users to see the internally public content again.

01/26/2016

Thanks again for your answer. Until now, I never defined the members group in our LDAP, and everything worked perfectly. With the LTS, if the members group is not defined in the LDAP, I can't find it in Nuxeo, and the same goes for the administrators group defined in my default-multi-directories-config.xml

Logs at startup :

2016-01-26 15:53:07,668 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.BaseSession] Can't get current user to check directory permission. EVERYTHING is allowed by default
2016-01-26 15:53:07,669 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(members, true): LDAP search base='ou=groupes-dynamiques,ou=Applications,dc=meteo,dc=fr' filter='(&(cn={0})(&(&(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs)))(cn=)))' args='members' scope='2' [LDAPSession '9125266273620459558' for directory ldapGroupDirectory]
2016-01-26 15:53:07,674 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: members
2016-01-26 15:53:07,675 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.BaseSession] Can't get current user to check directory permission. EVERYTHING is allowed by default
2016-01-26 15:53:07,675 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(administrators, true): LDAP search base='ou=groupes-dynamiques,ou=Applications,dc=meteo,dc=fr' filter='(&(cn={0})(&(&(|(objectClass=groupOfUniqueNames)(objectClass=groupOfURLs)))(cn=)))' args='administrators' scope='2' [LDAPSession '9125266303685230631' for directory ldapGroupDirectory]
2016-01-26 15:53:07,676 DEBUG [ajp-bio-0.0.0.0-8009-exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: administrators

Vincent

01/26/2016
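
An added example, not part of any post in this thread and not Nuxeo code: a Python script that scans DEBUG log lines of the shape quoted above and lists the group ids the LDAP group directory was asked for but did not return, which are the ids that ACEs or `defaultGroup` cannot resolve. The sample lines are constructed (shortened DNs, made-up thread names and the user id `jdoe`), and the function and variable names are hypothetical.

```python
import re

# Constructed sample shaped like the log lines in this thread (not real data).
SAMPLE_LOG = """\
2016-01-26 15:53:07,669 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(members, true): LDAP search base='ou=groups,dc=example,dc=org' args='members' scope='2' [LDAPSession '1' for directory ldapGroupDirectory]
2016-01-26 15:53:07,674 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: members
2016-01-26 15:53:07,675 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(administrators, true): LDAP search base='ou=groups,dc=example,dc=org' args='administrators' scope='2' [LDAPSession '2' for directory ldapGroupDirectory]
2016-01-26 15:53:07,676 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: administrators
2017-01-23 11:15:01,305 DEBUG [exec-21] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(members, true): LDAP search base='ou=groups,dc=example,dc=org' args='members' scope='1' [LDAPSession '3' for directory ldapGroupDirectory]
2017-01-23 11:15:01,371 WARN  [exec-21] [org.nuxeo.ecm.directory.ldap.LDAPSession] The application should not query for entries with an empty id => return no results
2017-01-23 11:15:02,000 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] LDAPSession.getLdapEntry(jdoe, true): LDAP search base='ou=people,dc=example,dc=org' args='jdoe' scope='1' [LDAPSession '4' for directory ldapUserDirectory]
2017-01-23 11:15:02,010 DEBUG [exec-8] [org.nuxeo.ecm.directory.ldap.LDAPSession] Entry not found: jdoe
"""

LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\s+[A-Z]+\s+"
                  r"\[(?P<thread>[^\]]+)\]\s+\[[^\]]+\]\s+(?P<msg>.*)$")
LOOKUP = re.compile(r"LDAPSession\.getLdapEntry\((?P<id>[^,)]*),"
                    r".*for directory (?P<dir>[\w.-]+)\]")
NOT_FOUND = re.compile(r"^Entry not found: (?P<id>.*)$")
EMPTY_ID = "should not query for entries with an empty id"


def unresolved_groups(log_text, directory="ldapGroupDirectory"):
    """Correlate each lookup with the next result line on the same thread."""
    last_lookup = {}      # thread -> (entry id, directory) awaiting a result
    not_found = {}        # entry id -> number of failed lookups
    empty_id_after = []   # ids whose lookup was followed by the empty-id WARN
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue      # skip stack traces and other non-matching lines
        thread, msg = m["thread"], m["msg"]
        lk = LOOKUP.search(msg)
        if lk:
            last_lookup[thread] = (lk["id"].strip(), lk["dir"])
            continue
        prev = last_lookup.get(thread)
        if prev is None or prev[1] != directory:
            continue
        nf = NOT_FOUND.match(msg)
        if nf and nf["id"].strip() == prev[0]:
            not_found[prev[0]] = not_found.get(prev[0], 0) + 1
            del last_lookup[thread]
        elif EMPTY_ID in msg:
            empty_id_after.append(prev[0])
            del last_lookup[thread]
    return {"not_found": not_found, "empty_id_after": empty_id_after}


if __name__ == "__main__":
    print(unresolved_groups(SAMPLE_LOG))
```

The empty-id warning is paired with the preceding lookup only by thread and order, so treat that list as a lead to check against the directory configuration rather than a confirmed cause.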


Hi,

I have the same issues using LDAP that the permission behavior changed in the 2015 LTS. Now it is not enough for the Members group to have read and version rights by inheritance on the root node to see items (default setup). I had to add the members group locally on the root and other nodes too to make it work.

Stefan

0 votes



Hi,

I have the same problem. The content is only available to the administrators, and nobody else is able to see content. I migrated from version 5.6 to the latest LTS. Everything was working fine with the previous versions (5.6, 5.8, 6.0). In my case I had some problems linking Nuxeo (version 7.10) with our LDAP. (https://answers.nuxeo.com/general/q/f9dec9b209044181a59831014f6aefa3/Nuxeo-7-10-ldap-authentication)

0 votes