  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-27886

LDAP group import not working with Apple OS X OpenLDAP




      I'm trying to import data from our Apple 10.7.4 OpenLDAP server. When simply importing the users everything works fine, but when I try to import the user groups from LDAP, some problems occur.

      Suppose the BaseDN for the LDAP is dc=AAA,dc=BBB,dc=CCC
      Computer groups are stored under cn=computer_groups,dc=AAA,dc=BBB,dc=CCC
      User groups are stored under cn=groups,dc=AAA,dc=BBB,dc=CCC
      Users are stored under cn=users,dc=AAA,dc=BBB,dc=CCC

      1) When trying to import the groups, you have to specify the base DN as dc=AAA,dc=BBB,dc=CCC. With a search filter of (objectClass=posixGroup) you'll find both the computer_groups and regular user groups. There doesn't seem to be any attribute to differentiate the user groups from the computer groups other than the DN of the groups. But when specifying cn=groups,dc=AAA,dc=BBB,dc=CCC as the base DN, the import of the users will fail because there are no users defined under that DN.

      2) In Apple's OpenLDAP the relationship between groups and users is stored in the user group in the attribute
      memberUid (stores the user's alphanumeric uid or short name)
      or in the attribute
      apple-group-memberguid (stores the user's UUID)

      Unfortunately the memberUid stores only the short name, not the fully qualified DN for the users, thus you'll only find johndoe in the attribute, not uid=johndoe,cn=users,dc=AAA,dc=BBB,dc=CCC. This seems to make the group-based LDAP import fail in PortalLDAPImporterImpl with the error message:
      Unable to import group cn=groupname,cn=groups: null:null:

      {cn=cn: group name}

      javax.naming.InvalidNameException: john doe: [LDAP: error code 34 - invalid DN]; remaining name 'john doe'

      In order to make the import from Apple OpenLDAP work, I think the following changes would be needed:
      1) Add a property to specify that it is an Apple OpenLDAP (if this is specific to Apple's OpenLDAP implementation and not a common problem for OpenLDAP in general). I can't confirm the latter because I don't have any other OpenLDAP available.
      2) Import the user groups from the groups DN cn=groups,dc=AAA,dc=BBB,dc=CCC. We could use the ldap.groups.dn.# property in portal.properties. Currently this property is only used when ldap.auth.enabled and ldap.export.enabled are set to true.
      3) Import the users from the users DN cn=users,dc=AAA,dc=BBB,dc=CCC. We could use the ldap.users.dn.# property in portal.properties. Currently this property is only used when ldap.auth.enabled and ldap.export.enabled are set to true.
      4) When reading the users list from the group, wrap the username in uid=...,cn=users,dc=AAA,dc=BBB,dc=CCC to form a fully qualified DN for the user.

      I think this should solve the problem and make the import work.
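
      The wrapping proposed in point 4, as an added example that is not part of the original report and not Liferay code: the class MemberUidResolver and the sample values are hypothetical, and only the standard javax.naming.ldap classes are used. It goes one step beyond the report by also accepting member values that are already DNs, but only when they sit directly under the users DN, and it builds the RDN through Rdn rather than string concatenation so a short name containing "," or "=" is escaped instead of changing the DN's structure.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Hypothetical helper for illustration; not a Liferay class.
public class MemberUidResolver {
    private final LdapName usersBaseDn;

    public MemberUidResolver(String usersBaseDn) throws InvalidNameException {
        this.usersBaseDn = new LdapName(usersBaseDn);
    }

    /** Maps one group member value (memberUid short name or full DN) to a user DN. */
    public LdapName toUserDn(String member) throws InvalidNameException {
        LdapName dn;
        try {
            dn = new LdapName(member);      // succeeds only if the value is already a DN
        } catch (InvalidNameException e) {
            dn = null;                      // bare short name such as "john doe"
        }
        if (dn == null || dn.isEmpty()) {
            if (member.trim().isEmpty()) {
                throw new InvalidNameException("empty member value");
            }
            dn = (LdapName) usersBaseDn.clone();
            // Rdn escapes DN metacharacters, so the value stays a single RDN.
            dn.add(new Rdn("uid", member));
        }
        // Accept only entries located directly under the users base DN.
        if (!dn.startsWith(usersBaseDn) || dn.size() != usersBaseDn.size() + 1) {
            throw new InvalidNameException("outside users base DN: " + member);
        }
        return dn;
    }

    public static void main(String[] args) throws InvalidNameException {
        MemberUidResolver resolver = new MemberUidResolver("cn=users,dc=AAA,dc=BBB,dc=CCC");
        // Constructed sample values: short names, a value with DN metacharacters,
        // a full DN under the users base, and a DN from the computer groups subtree.
        String[] members = {"johndoe", "john doe", "doe,cn=admins",
            "uid=jane,cn=users,dc=AAA,dc=BBB,dc=CCC", "cn=lab1,cn=computer_groups,dc=AAA,dc=BBB,dc=CCC"};
        for (String member : members) {
            try {
                System.out.println(member + " -> " + resolver.toUserDn(member));
            } catch (InvalidNameException e) {
                System.out.println(member + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```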




            michael.saechang Michael Saechang
            alex.weirig@technolink.lu Alex Weirig