Migration from Confluence and LDAP configuration with users with dot in CN

blelump · January 23, 2020, 7:44am

Hi!

We’ve struggled with it for a few days so I will just left it here, perhaps someone will find it useful. So we have migrated from Confluence to XWiki using extension https://extensions.xwiki.org/xwiki/bin/view/Extension/Confluence/XML/ . We have also setup LDAP for authentication and in the end weird things started to happen.

Due to the fact that in our LDAP users CN attr is having format name.surname and migration from Confluence have created users exactly in this format, we have had each user duplicated in users list, because apparently XWiki does not allow user name with dot inside. After several hours we have found this answer https://forum.xwiki.org/t/username-with-dot/624/6 which told us that XWiki operates on users without a dot in users name. So we thought it is some LDAP extension issue, but in the end it turned out that all the mess have been created due to the migration. Then we were not sure which users should we use and from where these duplicates come from (name.surname and namesurname). So we set up another instance of XWiki without the migration and things started to be clear.

Probably very rare/edge use case, but perhaps someone will strugle with something similar in the future so I will just left it here.

tmortagne · January 23, 2020, 8:40am

So from what I understand your problem is actually due to the fact that the Confluence migrator created standard XWiki users (so without any information about LDAP) so the LDAP authenticator created new users to not break those standard XWiki users.

If you edit one of the duplicated user pages with the object editor you will find an object containing the LDAP DN and uid in those created by the LDAP authenticator and not in the one created by the importer. This is the object the LDAP authenticator use to find existing user (since XWiki user identifier support less characters than LDAP and is also case sensitive contrary to LDAP) and make sure not not overwrite a non LDAP user.

If you don’t care too deeply about migrating right setup or groups coming from Confluence I guess the simplest would be to add an option in the Confluence input filter to skip users and groups.

I guess the ideal fix would be to add some kind of support for the LDAP Confluence users right in the Confluence importer but that’s assuming there is enough info for it in the Confluence export (it’s also not the kind of thing I will personally have the time to work anytime soon but I can provide some pointers if someone wants to work on it). All other workarounds imply finding a way to add to the users created by the Confluence importer an LDAP object with the right uid in it (the DN is not very important in practice so it can be left empty).

blelump · January 24, 2020, 7:11am

Hi @tmortagne, thanks for replying. To be honest I wasn’t expected that, just wanted to leave a note here, in case of anyone in the future would face it as well. Thanks!

The major issue we’ve had was the ambiguity of the data. I mean, after migration and LDAP setup whether this duplicates come from incorrect LDAP setup and which user is correct. Until we’ve read the post mentioned in previous my previous post, we was not aware of the dot issue and it was not clear.

tmortagne · January 24, 2020, 8:27am

I suppose ideally it should be made more explicit in the user profile that it’s an LDAP user but the standard profile is missing some extension points in the UI to allow the LDAP authenticator to insert information like these.