Chuck Wyatt
LDAP users and groups both import, but they are disconnected
December 21, 2012 12:12 PM

In Liferay 6.1.1 CE GA2, we've got LDAP users that only get imported when they log in, which is perfect. You'll see that passwords aren't being mapped, which means that credentials are authenticated against our LDAP server, which also is perfect.

But then there's groups.

I added this line to our portal-ext.properties:

ldap.import.method=group

The only other LDAP-related configurations are via the Liferay GUI (see image below). LDAP groups are automatically imported. When a new user logs in, they do auth via LDAP and are automatically added, but none of their group associations are mapped between Users and Groups. Each user has a "primaryGroupID" field. And each group has its own gUID of course, and has users attached via memberUid.

I'm just stumped as to why there's no association that appears in Liferay.

Thanks and Happy Holidays,

Chuck
Amit Doshi
RE: LDAP users and groups both import, but they are disconnected
December 26, 2012 4:49 AM

Chuck Wyatt:
In Liferay 6.1.1 CE GA2, we've got LDAP users that only get imported when they log in, which is perfect. You'll see that passwords aren't being mapped, which means that credentials are authenticated against our LDAP server, which also is perfect.

But then there's groups.

I added this line to our portal-ext.properties:

ldap.import.method=group

The only other LDAP-related configurations are via the Liferay GUI (see image below). LDAP groups are automatically imported. When a new user logs in, they do auth via LDAP and are automatically added, but none of their group associations are mapped between Users and Groups. Each user has a "primaryGroupID" field. And each group has its own gUID of course, and has users attached via memberUid.

I'm just stumped as to why there's no association that appears in Liferay.

Thanks and Happy Holidays,

Chuck


First of all, make sure that you have enabled the required properties in Liferay in order to authenticate with LDAP.
In your case, the two properties below should be true in order to authenticate with LDAP.

ldap.auth.enabled=true
ldap.auth.required=true

Also note one more thing, as below:

#
# Set either user or group for import method. If set to user, the portal
# will import all users and the groups associated with those users. If set
# to group, the portal import all groups and the users associated those
# groups. This value should be set based on how your LDAP server stores
# group membership information.
#
ldap.import.method=user
#ldap.import.method=group

So in your case it will update the user with his group when the LDAP import starts, because you have kept "ldap.import.method=group".
If you keep ldap.import.method=user, then it will add the user with its group during login.

Please check and let me know.

Thanks & Regards,
Amit Doshi
Chuck Wyatt
RE: LDAP users and groups both import, but they are disconnected
December 26, 2012 7:23 AM

Thanks so much, Amit! Do you happen to know what in Liferay controls an "on demand" import of a user's LDAP record as opposed to more of a scheduled import en masse of LDAP users (regardless of user activity)?

We've seen both kinds of behavior with our attempts at LDAP integration, and it isn't clear to me what controls it.

What's preferred for us is to have the LDAP user record imported upon login ONLY, but I'm unclear why during some testing we've seen that work, and other testing, we blink our eyes and the whole LDAP directory has been imported!

Thanks,

Chuck
Amit Doshi
RE: LDAP users and groups both import, but they are disconnected
December 27, 2012 3:11 AM

Chuck Wyatt:
Thanks so much, Amit! Do you happen to know what in Liferay controls an "on demand" import of a user's LDAP record as opposed to more of a scheduled import en masse of LDAP users (regardless of user activity)?

We've seen both kinds of behavior with our attempts at LDAP integration, and it isn't clear to me what controls it.

What's preferred for us is to have the LDAP user record imported upon login ONLY, but I'm unclear why during some testing we've seen that work, and other testing, we blink our eyes and the whole LDAP directory has been imported!

Thanks,

Chuck


If you don't want to import all the users, keep the properties below false:

ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10 (by default, after 10 min it schedules the LDAP import if ldap.import.enabled=true)

So it will not import all the users. It will just import the users who have logged in.

Read the information below carefully in order to check which property to use for LDAP import by user or group.

#
# Set either user or group for import method. If set to user, the portal
# will import all users and the groups associated with those users. If set
# to group, the portal import all groups and the users associated those
# groups. This value should be set based on how your LDAP server stores
# group membership information.

ldap.import.method=user
#ldap.import.method=group

Let me know if you need more info.

Thanks & Regards,
Amit Doshi
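
Added example, not part of the thread and not Liferay's own code: a Python check that reads a portal-ext.properties file and flags the mass-import and LDAP-auth settings discussed in the replies above. The function names and the sample file are constructed for illustration; a key missing from the file is reported as unset rather than given an assumed default.

```python
# Added example: audit the LDAP keys named in this thread (constructed input).
LDAP_KEYS = ("ldap.auth.enabled", "ldap.auth.required", "ldap.import.enabled",
             "ldap.import.on.startup", "ldap.import.interval", "ldap.import.method")
# Constructed sample file, not taken from the poster's server.
SAMPLE = """\
ldap.auth.enabled=true
ldap.auth.required=true
ldap.import.enabled=true
ldap.import.on.startup=false
ldap.import.method=user
#ldap.import.method=group
"""

def parse_properties(text):
    """Minimal .properties reader: skips '#'/'!' comments, joins backslash
    continuations, splits on the first '=' or ':'; the last definition wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if seps:
            cut = min(seps)
            props[line[:cut].strip()] = line[cut + 1:].strip()
    return props

def audit_ldap(text):
    """Return (settings, findings) for the keys discussed in the replies."""
    props = parse_properties(text)
    cfg = {k: props.get(k) for k in LDAP_KEYS}  # None = not set in this file
    on = lambda k: (cfg[k] or "").lower() == "true"
    findings = []
    if on("ldap.import.enabled"):
        interval = cfg["ldap.import.interval"] or "portal default"
        findings.append("ldap.import.enabled=true: scheduled import (interval: %s)" % interval)
    if on("ldap.import.on.startup"):
        findings.append("ldap.import.on.startup=true: import is triggered at startup")
    for k in ("ldap.auth.enabled", "ldap.auth.required"):
        if not on(k):
            findings.append(k + " is not true in this file")
    return cfg, findings

if __name__ == "__main__":
    for finding in audit_ldap(SAMPLE)[1]:
        print(finding)
```

Because the last uncommented definition wins and commented lines are ignored, the sample reports `ldap.import.method` as `user` and raises one finding, for the scheduled import.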