Auto removimg users from ldap groups

Help / Discuss
#1

Hi guys!
I have installed and configured xwiki 13.2 Ubuntu 20.04 Tomcat9 PGSQL
Configured integration with AD using LDAP Authenticator / LDAP Application.
Everything works, users are created and authorized, fields are filled in, groups are created.
But, when I remove a user from the AD group, it remains in the Xwiki group. ResetGroupCashe doesn’t help.
What to do?
Thanks in advance!

#2

Yes that’s a current limitation of the authenticator. The reason is that updates are done when a user authenticate and by definition a removed user is not going to try to authenticate.

All you can do right now is manually disable/remove a user you moved on LDAP side.

The only way to support this auto disable/remove would be to write a scheduler which regularly check if all the XWiki LDAP users still exist on the LDAP server side.

#3

Thanks for the answer!
Apparently you didn’t understand)
When I remove a user from the AD group, it remains in the XWIKI group
My english is bad(

#4

Indeed, I read a bit too fast. Users authenticating are definitely removed from configured groups when there are no longer in there on LDAP side.

I can only think of the following reasons:

  • the user did not authenticate yet (as I explain any user related change is done when this user authenticate)
  • you have xwiki.authentication.ldap.mode_group_sync=create instead of the default always
  • the group cache was not really invalidated (you can make extra sure of that by restarting XWiki)
#5

Thank you so much!
Can I make changes at the same time, both through the GUI and through xwiki.cfg?

#6

Any change to xwiki.cfg requires a restart to be taken into account.

#7

Does not work.
Please advise which log to look at?
I have been working with XWIKI for two days))

#8

Did you check https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HEnableLDAPdebuglog on how to enable debug log for LDAP ?

#9

Checked it out. It also happens in LTSC.
I turned on logging, but where can I watch the logs?

#10

You can find some help on Logging (XWiki.org) regarding where to find the log depending on your setup.

#11

Nothing interesting( Only tomcat logs
Any ideas?