Forums

OpenLDAP integration issues

lou cat, modified 10 years ago

OpenLDAP integration issues

Regular Member. Posts: 196. Join date: 2012.01.26.
Hello all,

I'm trying to integrate my existing LR6.0.6 portal with OpenLDAP, I read a lot about it but I still have some confusion and I'm experiencing some rather random behaviours during my test.
Any suggestion, feedback or simply psychological support from people who experienced similar issues is more than welcome!!

My settings are: LDAP enable and required, import and export enabled.
The screen-name is auto-generated by liferay.

I am able to connect to the LDAP and retrieve the users, but:

1) the pre-existing Liferay users are not exported to LDAP, it exports only the ones created after the "connection": is this the correct behaviour?

2) I cannot map the LDAP groups to the Liferay organizations and vice versa. As far as I understood, OpenLDAP doesn't have the attributes that Liferay requires (a membership attribute both for the user and for the group). Is this correct? Does anyone have useful information regarding adding these attributes?

3) If I delete users from Liferay they won't be deleted in LDAP. As far as I understood this is normal as the import/export feature is not a real sync, and we need an external tool to delete them, maybe a scheduler... Can you confirm this? Other suggestions on this point?

4) When I create mock users in Liferay they are correctly exported to LDAP, but the screen-name, which is auto-generated by Liferay, changes!! I'm not sure when, probably when I try to change the password of the mock user from the Portal Admin account, but it may change more than once, and this ends up with multiple entries for the same user in LDAP and binding problems when authenticating. Is this normal?? Why is Liferay assigning a screen-name and then changing it???

5) I've tried to change the passwords of my mock users and every time I get success and no errors in the server log, but probably the password doesn't change in LDAP as I cannot authenticate! I can do it with the old password. This happens randomly; it seems it doesn't like some passwords (even if I used them for other users), but I cannot find a "rule", and the worst thing is that it will tell the user that the pw changed correctly.

I am particularly concerned by these last 2 points as they seem random to me and I haven't read in the forum of anyone else experiencing them... so again, any feedback would be highly appreciated!

Thanks!!!
Christoph Rabel, modified 10 years ago

RE: OpenLDAP integration issues

Liferay Legend. Posts: 1554. Join date: 2009.09.24.
Hi!
lou cat:
Hello all,

My settings are: LDAP enable and required, import and export enabled.
The screen-name is auto-generated by liferay.

Why??? Don't do that.

Screen name and mail address are key values for import/export to LDAP. Make sure somehow that you have a unique cn/uid for your users that can be used as screen name. If all else fails, you could try to use the email address instead. (You probably need to turn the validation on the field off.)

lou cat:

I am able to connect to the LDAP and retrieve the users, but:

1) the pre-existing Liferay users are not exported to LDAP, it exports only the ones created after the "connection": is this the correct behaviour?


Not sure about that. Never really used that feature. LDAP export uses the (hidden) company id of the user to find export configuration. So, maybe there is no configuration associated with older users. But that's just a guess.

lou cat:

2) I cannot map the LDAP groups to the Liferay organizations and vice versa. As far as I understood, OpenLDAP doesn't have the attributes that Liferay requires (a membership attribute both for the user and for the group). Is this correct? Does anyone have useful information regarding adding these attributes?


Map them to groups.
Assign the groups as members to the organizations. Groups in OpenLDAP should have a member attribute and users a memberOf attribute. (Note: in some LDAP servers this is a hidden attribute; it's there, but not visible.)

lou cat:

3) If I delete users from Liferay they won't be deleted in LDAP. As far as I understood this is normal as the import/export feature is not a real sync, and we need an external tool to delete them, maybe a scheduler... Can you confirm this? Other suggestions on this point?


Yes. The implementation does not delete users. If you delete them in ldap, they are not deleted in Liferay either.

My suggestion: Don't delete users. Users usually have content (forum posts, comments, blogs, webcontent, ...) associated with them, so why do you want to delete them?

lou cat:

5) I've tried to change the passwords of my mock users and every time I get success and no errors in the server log, but probably the password doesn't change in LDAP as I cannot authenticate! I can do it with the old password. This happens randomly; it seems it doesn't like some passwords (even if I used them for other users), but I cannot find a "rule", and the worst thing is that it will tell the user that the pw changed correctly.


Hmm, any errors in the OpenLDAP log file? I once ran into the problem that the default encryption option for export of passwords is "NONE". A lot of LDAP servers don't like that.

Try to add the following configuration to your portal-ext.properties file:
ldap.auth.password.encryption.algorithm=

hth
lou cat, modified 10 years ago

RE: OpenLDAP integration issues

Regular Member. Posts: 196. Join date: 2012.01.26.
Thank you Christoph for replying!


Christoph Rabel:
Hi!
lou cat:

The screen-name is auto-generated by liferay.

Why??? Don't do that.

Screen name and mail address are key values for import/export to LDAP. Make sure somehow that you have a unique cn/uid for your users that can be used as screen name. If all else fails, you could try to use the email address instead. (You probably need to turn the validation on the field off.)


I must have completely misunderstood the screen-name role then, I even wrote another thread just asking why Liferay is changing the screen-names, are you saying that this is normal?

I thought that as the screen-name was supposed to be unique, Liferay would have generated one at the creation of the account and would have never changed it!
Why should it change it? If it's a duplicate it will create a different one for the new user, but why change the old one?
I can see that if screen-name is not autogenerated, the user is allowed to change it, but I thought auto-generating it through liferay would have been more "secure"!
Anyway, I had already tried both configurations and my problems weren't solved.

Christoph Rabel:

lou cat:

2) I cannot map the LDAP groups to the Liferay organizations and vice versa. As far as I understood, OpenLDAP doesn't have the attributes that Liferay requires (a membership attribute both for the user and for the group). Is this correct? Does anyone have useful information regarding adding these attributes?


Map them to groups.
Assign the groups as members to the organizations. Groups in OpenLDAP should have a member attribute and users a memberOf attribute. (Note: in some LDAP servers this is a hidden attribute; it's there, but not visible.)


As far as I understood reading about OpenLDAP, it has just one of the membership attributes (I think it has the membership for a Group class/object, but not the memberOf attribute for the user). I don't see any hidden attributes in the YaST LDAP browser or using the ldapsearch command, but probably I don't know how to search for them.
I know this is more an OpenLDAP problem than a Liferay one, but there is not much documentation online, so I hoped someone with the same LDAP server could give good hints.

Christoph Rabel:

Don't delete users. Users usually have content (forum posts, comments, blogs, webcontent, ...) associated with them, so why do you want to delete them?


Well, in my case there is no such information associated with users; we just want to prevent them from logging in to the private area, and if they are not going to subscribe again we usually delete them.
I don't see why I should increase the size of my database (I know it's little, but...) and risk that someone could enable again a user who shouldn't have access.
But apart from this, consider that my configuration is creating multiple LDAP entries for each Liferay user; I don't think they should stay there...

Christoph Rabel:

lou cat:

5) probably the password doesn't change in ldap


Hmm, any errors in openldap logfile? I once ran into the problem that the default encryption option for export of passwords is "NONE". A lot of ldap servers don't like that.

Try to add the following configuration to your portal-ext.properties file:
ldap.auth.password.encryption.algorithm=

hth


Ok, I'll try this, thanks again!
Christoph Rabel, modified 10 years ago

RE: OpenLDAP integration issues

Liferay Legend. Posts: 1554. Join date: 2009.09.24.
lou cat:
Thank you Christoph for replying!
I must have completely misunderstood the screen-name role then, I even wrote another thread just asking why Liferay is changing the screen-names, are you saying that this is normal?


Hmm, I looked into the code now and it should work with autogenerated usernames too. Maybe a bug.
I guess the problem is the generated screen name + import/export. I guess whenever it tries to import the user, it generates a new screen name.

Try to enable logging:
com.liferay.portal.security.ldap.*

Adding users is written as a debug log output:

if (_log.isDebugEnabled()) {
    _log.debug("Adding user " + ldapUser.getEmailAddress());
}

http://grepcode.com/file/repo1.maven.org/maven2/com.liferay.portal/portal-impl/6.0.6/com/liferay/portal/security/ldap/PortalLDAPImporterImpl.java

Maybe it will give some insight into the matter.

lou cat:

As far as I understood reading about OpenLDAP, it has just one of the membership attribute (I think it has the membership for a Group class/object, but not the memberOf attribute for the user). I don't see any hidden attributes in the yast LDAP browser or using the ldapsearch command, but probably I don't know how to search for them.
I know this is more an OpenLDAP problem than a liferay one, but the documentation online is not much so I hoped someone with the same ldap server could give good hints.


It seems you have to enable memberOf in OpenLDAP; I found several hits with a quick search.
http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/

Hidden attributes are, well, hidden. You don't see them in ldap browser. You need to ask explicitly for those attributes. Something like:
ldapsearch ... (filter) uid cn mail memberof

lou cat:

Well, in my case there is not such type of information associated to users, we just want to prevent them from logging in the private area, and if they are not going to subscribe again we usually delete them.
I don't see why I should increase the size of my database (I know it's little but...) and risk that someone could enable again a user who shouldn't have access.
But apart from this, consider my configuration is creating multiple ldap entries for each liferay users, I don't think they should stay there...


Liferay doesn't delete users, so you are kinda stuck there.
lou cat, modified 10 years ago

RE: OpenLDAP integration issues

Regular Member. Posts: 196. Join date: 2012.01.26.
Christoph Rabel:

Liferay doesn't delete users, so you are kinda stuck there.


Thank you again Christoph!
I'll follow your suggestions and will update here if I have news.

Just one thing that is not clear... what do you mean by "Liferay doesn't delete users"??

I can deactivate a user, and after deactivating it I can delete it, and Liferay actually deletes it from its database...
If you mean that it doesn't delete users in LDAP: yes, I got that; I was just wondering if there were other ways to do it (apart from implementing a scheduler that does the job).
lou cat, modified 10 years ago

RE: OpenLDAP integration issues

Regular Member. Posts: 196. Join date: 2012.01.26.
OK, I've made other tests; at the moment I care only about point 4 (screen-name changes).

I've changed to the password-compare method and I can see better what's happening. I have only the export enabled now, auto-generate screen-name is on, but I've really tried all the configurations possible, and I always have the same problems.

One of the most typical scenarios:

1) portal admin creates a dummy user in liferay -> the user is correctly exported to ldap
2) portal admin changes the password of the dummy user -> instead of updating the old pw, another ldap entry is created, with a new screen-name (".1" is appended)
3) the dummy user logs in successfully but the screen-name is now the second one
4) the dummy user changes his pw successfully BUT when he tries to login passwords do not match because it is checked against the 1st ldap entry, and probably the pw was updated in the second one (with the other screen-name)

This continuous changing of screen-name and creation of duplicated ldap entries is driving me crazy...
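Two checks for the problems discussed in this thread: the duplicated ".1" entries from point 4, and the memberOf values that Christoph says must be requested explicitly (memberOf is an operational attribute, so ldapsearch omits it unless named). This is an added example, not code from the thread, from Liferay or from OpenLDAP; it assumes an LDIF dump made with ldapsearch asking for uid, mail, member and memberOf, with hypothetical DNs under dc=example,dc=com.

```python
from collections import defaultdict
# Constructed sample dump (hypothetical DNs): the ".1" duplicate from point 4,
# plus a group whose member list is not mirrored by the users' memberOf values.
SAMPLE_LDIF = """\
dn: uid=lou.cat,ou=people,dc=example,dc=com
uid: lou.cat
mail: lou.cat@example.com
memberOf: cn=editors,ou=groups,dc=example,dc=com

dn: uid=lou.cat.1,ou=people,dc=example,dc=com
uid: lou.cat.1
mail: lou.cat@example.com

dn: cn=editors,ou=groups,dc=example,dc=com
cn: editors
member: uid=lou.cat,ou=people,dc=example,dc=com
member: uid=lou.cat.1,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lower: [values]}}; folded lines and base64 values are not handled."""
    entries, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        attr, value = attr.strip().lower(), value.strip()
        if not attr:                          # blank line ends the current entry
            current = None
        elif attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def duplicate_screen_names(entries):
    """mail -> sorted uids sharing it; more than one uid per mail is the point-4 symptom."""
    by_mail = defaultdict(list)
    for attrs in entries.values():
        for mail in attrs.get("mail", []):
            by_mail[mail.lower()].extend(attrs.get("uid", []))
    return {m: sorted(u) for m, u in by_mail.items() if len(u) > 1}

def memberof_gaps(entries):
    """(user DN, group DN) pairs where the group lists the user as member but the user entry
    has no matching memberOf (e.g. overlay enabled after the group was written). Exact-string DNs."""
    gaps = []
    for group_dn, attrs in entries.items():
        for member_dn in attrs.get("member", []):
            if group_dn not in entries.get(member_dn, {}).get("memberof", []):
                gaps.append((member_dn, group_dn))
    return sorted(gaps)
```

Feed `parse_ldif` a real dump and a non-empty result from either function points at the entries Liferay will bind against inconsistently.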