Liferay 5.2 LDAP login method: check users only in specific groups - ldap

I use Liferay 5.2. I have integrated LDAP correctly with Liferay and activated LDAP for login.
I managed to import only the users from LDAP which exist in my groups, using this configuration:
My problem now is that when I try to log in to Liferay,
it checks whether the user exists in all locations in LDAP.
I want the login to check whether the user exists only in the specific groups that are in my configuration,
meaning that at login the user is checked only in:
testGroup1 and testGroup2, and not in all locations in LDAP

Related

How to set admin users group for Flowable using Ldap

I'm using Flowable 6.7.2 OpenSource and I want to integrate it with AD using LDAP. I've changed several properties in flowable-default.properties (flowable.idm.ldap.*) and I can actually log in to the flowable-ui module with the AD user, but he can't see any modules within it.
I have set up a group for admin users in AD.
How can I set the admin role for a certain AD user or group?

Keycloak - Issues syncing users with LDAP

I installed OpenLDAP on a server and after that added the user to LDAP. The screen below shows the added user through Apache Active Directory.
Now in Keycloak I added user federation as OpenLDAP and it connects to LDAP without any issue, but when I try to sync the users I get the message
Success! Sync of users finished successfully. 0 imported users, 0 updated users
So no users are imported from LDAP to Keycloak. Below is the related LDAP connection information in Keycloak.
Thanks to #EricLavault and one of my company colleagues, Keycloak was at last able to import the user successfully. Below are the changes I made to fix the issue.
Changed the User Object Classes=*
Created a new entry ou=People, then created the user under it
In Keycloak, used Users DN = ou=user,ou=people,dc=suredev20
After this it started throwing the exception below
ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default
task-1931) Failed during import user from LDAP:
org.keycloak.models.ModelException: User returned from LDAP has null
username! Check configuration of your LDAP mappings. Mapped username
LDAP attribute: uid, user DN:
cn=subodh123,ou=user,ou=People,dc=suredev20, attributes from LDAP:
{sn=[joshi123], cn=[subodh123], createTimestamp=[20191118180647Z],
modifyTimestamp=[20191118180647Z]}
This was fixed by using Username LDAP attribute = cn, as the LDAP username attribute in the OpenLDAP case is cn by default.
User entries are not stored correctly in your directory. In fact you shouldn't use cn=root as a container as it's supposed to represent the directory manager and should be used for binding and other operations but not for structuring your directory.
Instead, you should use the default user container (at least for OpenLDAP and Apache DS), which is ou=people,dc=suredev20, i.e. you need to move cn=subodh
from cn=subodh,ou=user,cn=root,dc=suredev
to cn=subodh,ou=people,dc=suredev20
Also, in Keycloak you need to set the users DN accordingly: ou=people,dc=suredev20
(you can try with ou=user,cn=root,dc=suredev without moving the subodh entry, but this is not recommended).
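
The "null username" error quoted in the question above already carries everything needed to see the mismatch: the mapped attribute, the entry DN and the attributes the server returned. The following is an added example, not code from the post or from Keycloak; it parses that one message format and reports whether the mapped attribute is absent from the entry. The function names are illustrative.

```python
import re

# Error text from the question above, joined onto one line.
SAMPLE = (
    "ERROR [org.keycloak.storage.ldap.LDAPStorageProviderFactory] (default task-1931) "
    "Failed during import user from LDAP: org.keycloak.models.ModelException: "
    "User returned from LDAP has null username! Check configuration of your LDAP mappings. "
    "Mapped username LDAP attribute: uid, user DN: cn=subodh123,ou=user,ou=People,dc=suredev20, "
    "attributes from LDAP: {sn=[joshi123], cn=[subodh123], "
    "createTimestamp=[20191118180647Z], modifyTimestamp=[20191118180647Z]}"
)

ERROR_RE = re.compile(
    r"Mapped username LDAP attribute: (?P<mapped>[^,]+), "
    r"user DN: (?P<dn>.+?), attributes from LDAP: \{(?P<attrs>.*)\}"
)
ATTR_RE = re.compile(r"([\w;.-]+)=\[([^\]]*)\]")


def parse_null_username_error(line):
    """Return the mapped attribute, entry DN and returned attributes, or None."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    attrs = {name: [v.strip() for v in vals.split(",")]
             for name, vals in ATTR_RE.findall(m.group("attrs"))}
    return {"mapped": m.group("mapped").strip(), "dn": m.group("dn"), "attrs": attrs}


def diagnose(line):
    """Explain why the username came back null for one logged entry."""
    info = parse_null_username_error(line)
    if info is None:
        return None
    # LDAP attribute names are case-insensitive, so compare in lower case.
    present = {name.lower() for name in info["attrs"]}
    rdn_attr = info["dn"].split("=", 1)[0].strip().lower()
    missing = info["mapped"].lower() not in present
    return {
        "mapped": info["mapped"],
        "mapped_missing": missing,
        # Candidate only: the entry's naming attribute, if the server returned it.
        "candidate": rdn_attr if missing and rdn_attr in present else None,
        "returned": sorted(info["attrs"]),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A cn is only guaranteed to be unique among entries with the same parent, so check for duplicates under the Users DN before relying on it as the username attribute.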

Does Liferay support case insensitive LDAP user login?

I am trying to log in to the Liferay portal as an LDAP user. Screen names are by default case sensitive for internal validation.
But for external validation, i.e., with an LDAP user named, say, TestUser, if I try to log in as testuser, the login fails in the portal, but the console says that the login is successful.
How can I add case insensitivity to Liferay for LDAP users as well, i.e., for external validation?
You can write a CustomAuthenticator by implementing com.liferay.portal.security.auth.Authenticator to override the default behavior. Then you could use auth.pipeline.pre=com.auth.YourCustomAuth

Why is a realm required for some users in a beeline connection, even though it is ensured with LDAP authentication?

Problem: Why is a realm required for some users in a beeline connection, even though it is ensured with LDAP authentication?
While connecting with beeline with LDAP authentication configured, some users connect without a realm and some users connect with realm authentication. This is because, when the users were created in Active Directory, the display name differs from the logon name.
During authentication, it can validate by logon name only, but some users are also validated by display name. Actually it only validates by logon name, but here it seems to validate by display name.
Please refer to the attached images and share your ideas if you have overcome this.
Thanks,
Mathes

Liferay and user password during the export into OpenLDAP

I have a question about Liferay.
I have configured my system with Liferay + Jasig CAS Authentication and OpenLDAP.
I can authenticate my user correctly and I can import user accounts from LDAP (LDAP import).
I have also configured the user export to OpenLDAP, so now I can export an account when it is created.
In fact I can see this new account in my OpenLDAP server.
When Liferay creates a new account, it generates a random password for this new account (for example 4hdsdsh) and the user receives an e-mail after the registration.
The problem is: in my OpenLDAP server this password does not seem to be equal to the one just generated by Liferay.
So, the new user will never be able to authenticate to my Liferay (because I use CAS + LDAP).
I also found a funny/strange thing: if I modify this new password in Liferay (using an administrator account), I see this password correctly in my OpenLDAP server and so the user can finally log in to my Liferay.
I am not sure, but it seems that during user registration it just exports the fields entered by the user on the registration screen, and since the password is auto-generated after registration, it is not exported to LDAP and might be blank until the user has updated his password by logging in.
You can debug the class PortalLDAPExporterImpl.java and also watch the user details in LDAP via JXplorer to see what the password and user status are. If the password is blank, you could extend the class and add your logic to pass the auto-generated or a default password for the first-time case.
This is a bug in Liferay:
See the following issue: https://issues.liferay.com/browse/LPS-43045