Details
-
Bug
-
Status: Closed
-
Resolution: Inactive
-
6.1.0 CE GA1
-
None
-
Apple OS X 10.7.4
OpenLDAP
Liferay 6.1.0 GA1
Description
Hello,
I'm trying to import data from our Apple 10.7.4 OpenLDAP server. When simply importing the users everything works fine, but when I try to import the user groups from LDAP, some problems occur.
Suppose the BaseDN for the LDAP is dc=AAA,dc=BBB,dc=CCC
Computer groups are stored under cn=computer_groups,dc=AAA,dc=BBB,dc=CCC
User groups are stored under cn=groups,dc=AAA,dc=BBB,dc=CCC
Users are stored under cn=users,dc=AAA,dc=BBB,dc=CCC
1) When trying to import the groups, you have to specify the base DN as dc=AAA,dc=BBB,dc=CCC. With a search filter of (objectClass=posixGroup) you'll find both the computer_groups and regular user groups. There doesn't seem to be any attribute to differentiate the user groups from the computer groups other than the DN of the groups. But when specifying cn=groups,dc=AAA,dc=BBB,dc=CCC as the base DN, the import of the users will fail because there are no users defined under that DN.
2) In Apple's OpenLDAP the relationship between groups and users is stored in the user group in the attribute
memberUid (stores the user's alphanumeric uid or short name)
or in the attribute
apple-group-memberguid (stores the user's UUID)
Unfortunately the memberUid stores only the short name, not the fully qualified DN for the users, thus you'll only find johndoe in the attribute, not uid=johndoe,cn=users,dc=AAA,dc=BBB,dc=CCC. This seems to make the group based LDAP import fail in PortalLDAPImporterImpl with error message:
Unable to import group cn=groupname,cn=groups: null:null:
javax.naming.InvalidNameException: john doe: [LDAP: error code 34 - invalid DN]; remaining name 'john doe'
In order to make the import from Apple OpenLDAP work, I think the following changes would be needed:
1) add a property to specify that it is an Apple OpenLDAP (if this is specific to Apple's OpenLDAP implementation and not a common problem for OpenLDAP in general). I can't confirm the latter because I don't have some other OpenLDAP available
2) import the user groups from the groups DN cn=groups,dc=AAA,dc=BBB,dc=CCC. We could use the ldap.groups.dn.# property in portal.properties. Currently this property is only used when ldap.auth.enabled and ldap.export.enabled are set to true
3) import the users from the users DN cn=users,dc=AAA,dc=BBB,dc=CCC. We could use the ldap.users.dn.# property in portal.properties. Currently this property is only used when ldap.auth.enabled and ldap.export.enabled are set to true
4) When reading the users list from the group, wrap the username in uid=...,cn=users,dc=AAA,dc=BBB,dc=CCC to form a fully qualified DN for the user
I think this should solve the problem and make the import work.