I need to plug to a LDAP which has an OU for its Users and an OU for its Groups. Each groups contain the list of its members in a "memberUid" attribute.
I have changed the parentMembershipAttributeName of my Identity Object Type which reprensents my group to "memberUid", so I can retrieve all the users of a Group. This works fine if the memberUid value is the full DN of the user.
My problem is that this memberUid attribute does only contain the uid of the user (so for example "toto" instead of "uid=toto,ou=Users,dc=mycompany"). And in this case, PicketLink is not able to retrieve the user. This is clearly mentionned in the org.picketlink.idm.impl.store.ldap.LDAPIdentityStoreImpl class in the findIdentityObject method :
|//TODO: if relationships are not refered with DNs and only names its not possible to map|
|//TODO: them to proper IdentityType and keep name uniqnes per type. Workaround needed|
|throw new NotYetImplementedException("LDAP limitation. If relationship targets are not refered with FQDNs " +|
|"and only names, it's not possible to map them to proper IdentityType and keep name uniqnes per type. " +|
So my questions are :
- do I use the correct configuration to retrieve the users of a group ? Not sure that the parentMembershipAttributeName attribute is the right one.
- does anybody have found the workaround (as stated in the code) ?