Rahul Pande
Not able to import user groups from OpenLDAP
27 March 2012 3:39

Hi all,

I have a requirement to connect Liferay with OpenLDAP, so I set up OpenLDAP for testing purposes on my local machine.
I am using Liferay 6.1 CE and OpenLDAP for Windows.

I am able to import users from OpenLDAP, but user groups are not getting imported into Liferay. There are no errors on the console either.

Following are my entries in portal-ext.properties file

    #
    # Settings for com.liferay.portal.security.auth.LDAPAuth can be configured
    # from the Admin portlet. It provides out-of-the-box support for Apache
    # Directory Server, Microsoft Active Directory Server, Novell eDirectory,
    # and OpenLDAP. The default settings are for Apache Directory Server.
    #
    # The LDAPAuth class must be specified in the property "auth.pipeline.pre"
    # to be executed.
    #
    # Encryption is implemented by com.liferay.util.Encryptor.provider.class in
    # system.properties.
    #
    ldap.auth.enabled=true
    ldap.auth.required=false

    #
    # Settings for importing users and groups from LDAP to the portal.
    #
    ldap.import.enabled=true
    ldap.import.on.startup=false
    ldap.import.interval=3

    #
    # Set either user or group for import method. If set to user, the portal
    # will import all users and the groups associated with those users. If set
    # to group, the portal import all groups and the users associated those
    # groups. This value should be set based on how your LDAP server stores
    # group membership information.
    #
    ldap.import.method=user
    #ldap.import.method=group

    #
    # If set to true, the group filter will be applied, but only to groups in
    # the specified base DN. If set to false, the filter will not be applied and
    # all groups that are associated with the imported users will be imported
    # regardless of the base DN.
    #
    ldap.import.group.search.filter.enabled=true

    #
    # Set this to true if the portal should automatically create a role per
    # group imported from LDAP. The role will be assigned to the group so that
    # users can automatically inherit that role when they are assigned to the
    # group.
    #
    ldap.import.create.role.per.group=true

    #
    # Set these values to be a portion of the error message returned by the
    # appropriate directory server to allow the portal to recognize messages
    # from the LDAP server. The default values will work for Fedora DS.
    #
    ldap.error.password.age=age
    ldap.error.password.expired=expired
    ldap.error.password.history=history
    ldap.error.password.not.changeable=not allowed to change
    ldap.error.password.syntax=syntax
    ldap.error.password.trivial=trivial
    ldap.error.user.lockout=retry limit

    #
    # Set this to false when the LDAP user's password should not be imported.
    #
    ldap.import.user.password.enabled=true

    #
    # Set the values used to connect to a LDAP store.
    #
    # The list of properties must end with a subsequent integer (0, 1, etc.) and
    # it is assumed that the list has reached an end when the pattern or
    # replacement is not set.
    #
    ldap.base.provider.url.0=ldap://localhost:389
    ldap.base.dn.0=dc=maxcrc,dc=com
    ldap.security.principal.0=cn=manager,dc=maxcrc,dc=com
    ldap.security.credentials.0=secret

    #
    # When importing and exporting users, the portal will use this mapping to
    # connect LDAP user attributes and portal contact attributes.
    #
    # See com.liferay.portal.model.ContactModel for a list of attributes.
    #
    #ldap.contact.mappings.0=

    #
    # When importing and exporting users, the portal will use this mapping to
    # connect LDAP user attributes and portal user attributes.
    #
    # See com.liferay.portal.model.UserModel for a list of attributes.
    #
    ldap.user.mappings.0=uuid=uid\nscreenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title

    #
    # When importing groups, the portal will use this mapping to connect LDAP
    # group attributes and portal user group attributes.
    #
    ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=memberUid

    #
    # Settings for importing users and groups from LDAP to the portal. These
    # settings are not used unless the property "ldap.import.enabled" is set
    # to true.
    #
    ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
    ldap.import.group.search.filter.0=(objectClass=posixGroup)

    #
    # When importing and exporting users, the portal will use this mapping to
    # connect LDAP user attributes and portal user's custom attributes.
    #
    ldap.user.custom.mappings.0=

    #
    # When importing and exporting users, the portal will use this mapping to
    # connect LDAP user attributes and portal contact attributes.
    #
    # See com.liferay.portal.model.ContactModel for a list of attributes.
    #
    ldap.contact.mappings.0=

    #
    # When importing and exporting users, the portal will use this mapping to
    # connect LDAP user attributes and portal contact's custom attributes.
    #
    ldap.contact.custom.mappings.0=


Following are the screenshots of my sample directory structure
Attachments: directory structure.png (45.2k), hr group structure.png (41.8k), it group structure.png (38.0k), user information.png (52.2k)
David H Nebinger
RE: Not able to import user groups from OpenLDAP
27 March 2012 5:20

Try rebuilding search indices from the system control panel.
Luis Mas
RE: Not able to import user groups from OpenLDAP
4 September 2012 9:28

I'm facing the same problem, with the same configuration. Were you able to solve this issue?

Thanks, Luis
Jogen Gondalia
RE: Not able to import user groups from OpenLDAP
4 September 2012 12:09

Hi,

There could possibly be two reasons:

1)
Set either user or group for import method. If set to user, the portal will import all users and the groups associated with those users. If set to group, the portal import all groups and the users associated those groups. This value should be set based on how your LDAP server stores group membership information.

Try to use ldap.import.method=group

2)
Liferay doesn't include groups which are missing the required attributes (Group Name and User).
These groups will not be imported until these attributes are filled in.

Regards,
Vipin Bardia
Luis Mas
RE: Not able to import user groups from OpenLDAP
4 September 2012 13:16

Thank you but:

Reason 1: it isn't, as I already tested this option and it returns this error:
20:01:02,528 ERROR [liferay/scheduler_dispatch-16][PortalLDAPImporterImpl:655] Unable to import group cn=ACADEMICO,ou=groups: null:null:{cn=cn: ACADEMICO}
javax.naming.InvalidNameException: aavila: [LDAP: error code 34 - invalid DN]; remaining name 'aavila'

as it sends a Uid instead of a DN.

Reason 2: it isn't, as it has all the data, but in the mappings we have:
ldap.import.group.search.filter.0=(objectClass=posixGroup)
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=memberUid

and LDAP records for groups are:
dn: cn=DOCENTE,ou=groups,dc=domain,dc=edu
objectClass: top
objectClass: posixGroup
cn: DOCENTE
gidNumber: 1013
memberUid: aacevedo
createTimestamp: 20120815000737Z
creatorsName: cn=admin,dc=domain,dc=edu
entryCSN: 20120827153532Z#000000#00#000000
entryDN: cn=DOCENTE,ou=groups,dc=domain,dc=edu
entryUUID:: Zjc4NTdjNmEtN2FiOC0xMDMxLThhODQtNzUyMTRkZjg4Y2Jk
hasSubordinates: FALSE
modifiersName: cn=admin,dc=domain,dc=edu
modifyTimestamp: 20120827153532Z
structuralObjectClass: posixGroup
subschemaSubentry: cn=Subschema

As you can see, memberUid isn't a full DN but a Uid, and my customer says that this is the correct standard for OpenLDAP v2.4. They are a university and are very strict with standards.

We did a test filling memberUid with DNs and it worked fine, but it would force a misconfiguration in OpenLDAP (they tell me).

Regards
Luis Mas
RE: Not able to import user groups from OpenLDAP
5 September 2012 9:48

I've been investigating, and this problem will affect all Liferay integrations that intend to import userGroups of type posixGroup from OpenLDAP:

http://www.openldap.org/doc/admin24/overlays.html

"... So, if you are planning in using this for posixGroups, be sure to use RFC2307bis and some attribute which can hold distinguished names. The memberUid attribute used in the posixGroup object class can hold only names, not DNs, and is therefore not suitable for dynamic groups..."

http://en.wikipedia.org/wiki/POSIX (POSIX standard definition)
http://www.rainingpackets.com/ldap-posixgroup-groupofnames/
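
The mismatch reported in the posts above (posixGroup memberUid values are bare names, while the group import failed with "invalid DN" until DNs were supplied) can be checked on a directory export before enabling the import. This is an added example, not part of the original thread and not Liferay code: it reads group entries from LDIF, reports whether each group's membership attribute is DN-valued, and shows the DN each bare name would map to. The `ou=people` user base, the `uid` RDN attribute and the `STAFF` group are assumptions.

```python
import re

# Constructed LDIF: the first entry mirrors the posixGroup quoted in the thread,
# the second is a hypothetical DN-valued group added for contrast.
SAMPLE_LDIF = """\
dn: cn=DOCENTE,ou=groups,dc=domain,dc=edu
objectClass: posixGroup
memberUid: aacevedo
entryUUID:: Zjc4NTdjNmEtN2FiOC0xMDMxLThhODQtNzUyMTRkZjg4Y2Jk

dn: cn=STAFF,ou=groups,dc=domain,dc=edu
objectClass: groupOfNames
member: uid=aacevedo,ou=people,dc=domain,dc=edu
"""

MEMBER_ATTRS = ("member", "uniquemember", "memberuid")  # names lower-cased by parse_ldif
RDN = r"[A-Za-z][\w-]*=(?:[^,\\]|\\.)+"                  # loose attr=value shape, escapes allowed
DN_RE = re.compile(rf"^{RDN}(?:,{RDN})*$")

def parse_ldif(text):
    """Parse unfolded LDIF into a list of {attr: [values]}; base64 ('attr::') values are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#") or value.startswith(":"):
                continue
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def escape_rdn_value(value):
    """Escape RFC 4514 reserved characters and a leading '#' or space (trailing spaces not handled)."""
    value = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    return "\\" + value if value[:1] in ("#", " ") else value

def audit_groups(entries, users_base, rdn_attr="uid"):
    """Per group DN: member attribute used, whether all values are DNs, and the
    DN form of each member under users_base (users_base/rdn_attr are assumptions)."""
    report = {}
    for e in entries:
        attr = next((a for a in MEMBER_ATTRS if a in e), None)
        if attr is None or "dn" not in e:
            continue
        dns = [v if DN_RE.match(v) else f"{rdn_attr}={escape_rdn_value(v)},{users_base}"
               for v in e[attr]]
        report[e["dn"][0]] = {"attr": attr, "dn_valued": dns == e[attr], "as_dns": dns}
    return report

if __name__ == "__main__":
    for dn, info in audit_groups(parse_ldif(SAMPLE_LDIF), "ou=people,dc=domain,dc=edu").items():
        print(dn, info)
```

Groups reported with `dn_valued` false are the ones whose members are stored as bare names, as in the DOCENTE record quoted above.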