Discussion Forums

[SOLVED] ldap synchronization

Gaëtan Dumont, modified 9 years ago.

[SOLVED] ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
Hi,

I have some issues with LDAP User Properties.

There is some information in the LDAP User Properties that I want to synchronize with Liferay User Properties.

I found the easy way to synchronize user first name, last name, password and email, but I also want to synchronize phone numbers (mobile and landline phone) and some other custom properties.

I found some properties to put in the portal-ext.properties, but they don't seem to be used.

Do you have any clue of what I might have missed?

Thank you for your help
Andew Jardine, modified 9 years ago.

RE: ldap synchronization

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
Hi Gaetan,

It's not documented very well (or anywhere I think) but as soon as you configure something in the control panel for LDAP the portal-ext settings are no longer used. What I would suggest is the following.

1. Go to the database

2. Retrieve the row from the PortalPreferences table where the ownerId = <your companyId> -- if you don't know where to find this, you can do a lookup in the VirtualHost table and find it there.

3. Update the row, removing an <preference/> that maps to an LDAP property.

4. Move all your LDAP settings to the portal-ext.properties file

5. Restart your server.

.. let me know if that helps. If not, then there are a few other things we can try.
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
*Sigh*

That's what I thought... Well I'll try this. For my dev environment it'll be easy but for the prod one I think it'll be harder.

There is no other way to clean these parameters?

Anyway, thanks for your fast answer ;)
Andew Jardine, modified 9 years ago.

RE: ldap synchronization

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
None that I am aware of to be honest. I suppose you could try writing a hook that would make the edits as a StartupAction or something (if you are worried about being allowed to make the changes manually in PROD).
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
Well I'll try your way...
Or I'm wondering if I can use some other fields in the Liferay users parameters and put my LDAP users parameters inside (e.g. put an LDAP field in second firstname or something like that).

Do you think it'll be possible?
Andew Jardine, modified 9 years ago.

RE: ldap synchronization (Answer)

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
You could, but that would be a pretty gross solution. Remember, that would mean everywhere you wanted to, for example, "get a user's favourite colour" you would be doing user.getMiddleName()... also think about people down the road that have to maintain your code, and what they might think of you after seeing something like that!

Another possibility --

1. Create a JSP hook for the LDAP Settings page and add some additional fields.
2. Use this property to create your own transformer --

#
# You can write your own class that implements
# com.liferay.portal.security.ldap.AttributesTransformer to transform the
# LDAP attributes before a user or group is imported to the LDAP store.
#
ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer

and then store the extra attributes in User Expando fields.

... all of this sure seems like a lot of work though if you can simply use the portal-ext settings. Having said all that, even if you do go the portal-ext route I would strongly urge you to create a JSP hook for the portal auth settings section to disable the ability to do anything in the LDAP tab and add a message saying it is managed in the portal-ext. I have had situations in the past where someone came along and thought it was a mistake (not having them in the control panel) added them -- and then buggered up all the portal-ext work.
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
I'll remember your solution but for now I have to finish this 3 days ago ^^

Do you have examples of portal-ext.properties with the configuration for SSO CAS and LDAP authentication? And the hook you're talking about too would be great.

And another question, I have to use 3 LDAP directories. Does it work too with only configuration in the portal-ext.properties? The GUI allows us to do that but I'm not sure for the file.
Jack Bakker, modified 9 years ago.

RE: ldap synchronization

Liferay Master Posts: 978 Join Date: 3/01/10 Recent Posts
A CAS server is, IMHO, best set up as a separate web app. I don't use the cas-web plugin available in marketplace because Liferay going offline shouldn't affect other cas clients that are also connecting to CAS (like Moodle, or whatever). So think CAS-server webapp, and Liferay as CAS-client.

CAS-server config is in CAS itself, and you can configure it to look to LDAP(s) and other auth sources (side note: if you have some users in LDAP and others only in Liferay you also could config CAS-server to auth against Liferay db itself but you might face some password encryption challenges ...).

Liferay as a CAS-client can be set to import users from LDAP which ends up being pretty well the same as if you didn't have CAS in the mix.

As for getting this done 3 days ago, you might also face some time travel challenges.
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
Hi Jack, I don't use the plugin either. I have a separate tomcat with a CAS on it and it's fully configured to use LDAP.
This way is all good, the only part where I'm in trouble is with the users synchronization. I want to get some LDAP properties but they don't want to be synchronized.

And I think the challenge of time travel will be easier to solve than my current problem ^^
Andew Jardine, modified 9 years ago.

RE: ldap synchronization

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
I believe you can configure multiple LDAP servers in the portal-ext by postfixing the properties and configuring the available servers. This method I pulled from the PortalLDAPUtil class --

	public static long getLdapServerId(
			long companyId, String screenName, String emailAddress)
		throws Exception {

		long preferredLDAPServerId = LDAPSettingsUtil.getPreferredLDAPServerId(
			companyId, screenName);

		if ((preferredLDAPServerId >= 0) &&
			hasUser(
				preferredLDAPServerId, companyId, screenName, emailAddress)) {

			return preferredLDAPServerId;
		}

		long[] ldapServerIds = StringUtil.split(
			PrefsPropsUtil.getString(companyId, "ldap.server.ids"), 0L);

		for (long ldapServerId : ldapServerIds) {
			if (hasUser(ldapServerId, companyId, screenName, emailAddress)) {
				return ldapServerId;
			}
		}

		boolean hasProperties = false;

		for (int ldapServerId = 0;; ldapServerId++) {
			String postfix = LDAPSettingsUtil.getPropertyPostfix(ldapServerId);

			String providerUrl = PrefsPropsUtil.getString(
				companyId, PropsKeys.LDAP_BASE_PROVIDER_URL + postfix);

			if (Validator.isNull(providerUrl)) {
				break;
			}

			hasProperties = true;

			if (hasUser(ldapServerId, companyId, screenName, emailAddress)) {
				return ldapServerId;
			}
		}

		if (hasProperties || (ldapServerIds.length <= 0)) {
			return 0;
		}

		return ldapServerIds[0];
	}


-- another alternative might be to simply use the default settings from the control panel but then create a model listener for the user object for the User model for the onAfterCreate event -- check this out: https://www.liferay.com/community/wiki/-/wiki/Main/Portal+Hook+Plugins#section-Portal+Hook+Plugins-Model+Listeners

In there you could write your own logic to get the rest of the mappings from your LDAP server and make the updates to the user yourself.

Sorry -- I haven't had to do this one yet so I don't have any example code I can share. But the link looks to me like it's pretty straightforward and should not take you long to do
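
Added example (not part of the thread or of Liferay's code): a Python check that applies the same count-up-from-0 rule as the fallback loop in the method quoted above to a portal-ext.properties file and reports LDAP server blocks that loop would never reach. The `.N` postfix form, the `ldap.base.provider.url` and `ldap.base.dn` key names and the sample hosts are assumptions; the sample file is constructed.

```python
import re

# Constructed sample portal-ext.properties: three LDAP servers numbered
# 0, 1 and 3 (gap at 2). Key names and the ".N" postfix are assumptions.
SAMPLE = """\
# LDAP servers
ldap.auth.enabled=true
ldap.base.provider.url.0=ldaps://ldap-a.example.test:636
ldap.base.dn.0=dc=a,dc=example,dc=test
ldap.base.provider.url.1=ldaps://ldap-b.example.test:636
ldap.base.dn.1=dc=b,dc=example,dc=test
ldap.base.provider.url.3=ldaps://ldap-c.example.test:636
ldap.base.dn.3=dc=c,dc=example,dc=test
"""

URL_KEY = "ldap.base.provider.url"  # assumed value of PropsKeys.LDAP_BASE_PROVIDER_URL


def parse_properties(text):
    """Minimal key=value reader (no line continuations or ':' separators)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def reachable_server_ids(props):
    """Count up from 0 and stop at the first missing provider URL."""
    ids, n = [], 0
    while props.get(f"{URL_KEY}.{n}"):
        ids.append(n)
        n += 1
    return ids


def unreachable_server_ids(props):
    """Postfixed LDAP blocks that sit beyond a gap in the numbering."""
    reachable = set(reachable_server_ids(props))
    found = {int(m.group(1)) for k in props
             if (m := re.fullmatch(r"ldap\..+\.(\d+)", k))}
    return sorted(found - reachable)


if __name__ == "__main__":
    p = parse_properties(SAMPLE)
    print("reachable:", reachable_server_ids(p), "skipped:", unreachable_server_ids(p))
```

With the constructed sample, server 3 is reported as skipped because there is no `.2` entry for the loop to step through.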
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
Hi, finally I'll do the bad solution for now but I'll keep in mind your solution.

I hope it'll be useful for a next project.

Thanks for all
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
Hi here, another question still about LDAP sync.

Finally all my fields seem to be ok but nothing is updated. When I test the connection in the LDAP configuration page in the control panel of Liferay I see my fields but in the user itself nothing appears.

I think Liferay doesn't do an update if it finds the user but I can't be sure.

Any idea? Any clue to help me?

Thanks
Andew Jardine, modified 9 years ago.

RE: ldap synchronization

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
... when you say doesn't do an update, do you mean that the user is already in Liferay? or do you mean that the user is not being pulled into Liferay?

Also, --

1. Do you have the "LDAP required" set to true/checked?
2. Are you importing users on startup?
3. Are you importing users on a timed interval?
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
When I say an update, I mean my users are already in the Liferay database. But the new fields I want to sync are not there.

1 : yes
2 : yes
3 : yes

And for information, if I delete a user from the Liferay database I've got all the properties that I want... But I can't do that in my prod server....
Andew Jardine, modified 9 years ago.

RE: ldap synchronization (Answer)

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
Ok that helps.

Automatic updates are triggered when the "modified" date on the LDAP record is different from the "modified" date on the user record in the Liferay database. Have a look at this https://github.com/liferay/liferay-portal/blob/6.2.x/portal-impl/src/com/liferay/portal/security/ldap/PortalLDAPImporterImpl.java .. line 1178.

I guess, make sure that the modified date in LDAP is changing and enable debug logging for that class to see what is showing in the log.
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
That's very good information!! I think that's why my users are never updated.
I'll try to change the value in the LDAP and if I can't I'll change it in the database (putting it at the 01/01/10 should be enough ^^).

Thanks a lot, I'll try that quickly.
Andew Jardine, modified 9 years ago.

RE: ldap synchronization

Liferay Legend Posts: 2416 Join Date: 22/12/10 Recent Posts
ok sure -- let us know how it goes, if for no other reason than to close off the thread for anyone else who might have the same issue as you.
Gaëtan Dumont, modified 9 years ago.

RE: ldap synchronization

New Member Posts: 19 Join Date: 7/08/13 Recent Posts
It works great, thanks a lot