Allow admins to block users to update their details when imported from LDAP

Details

Type: Story
Status: Closed
Priority: Minor
Resolution: Completed
Affects Version/s: 6.1.1 CE GA2, 6.1.20 EE GA2
Fix Version/s: 6.2.0 CE B2, 6.2.0 CE RC2
Component/s: Administration UI, Administration UI > Users
Labels:

Similar Issues:

Show 4 results

Description

When LDAP authentication / import is enabled in Liferay, users should not be allowed to change and save their details in My Account. Their details will be overridden with values from LDAP, either when user is bulk-imported or logs in again. The same behavior may be added to Users Administration, as updating user details here also does not make sense.

As not all users may be imported from LDAP, the feature should be configurable on per user basis. E.g. add portal config property listing email domains, that should / should not be blocked. Example:

(1) users imported from LDAP have emails with @liferay.com or @sf.net, those should not be allowed to change their details, any other user can update details:

user.details.update.enabled.whitelist=*
user.details.update.enabled.blacklist=liferay.com,sf.net

(2) Customer has external users in their Liferay DB (all with external-company.com emails) and imports internal users from LDAP (users have many email domains assigned). Only external users can update their details.

user.details.update.enabled.whitelist=external-company.com
user.details.update.enabled.blacklist=

As LDAP import may be customized, it would also be good to allow admins to configure which fields should be blocked for LDAP imported users, like:

user.details.ldap.field.blocked[com.liferay.portal.model.User.prefix]=true
user.details.ldap.field.blocked[com.liferay.portal.model.User.firstName]=true
user.details.ldap.field.blocked[com.liferay.portal.model.User.middleName]=true

This may be integrated with / added to existing feature:

field.enable.com.liferay.portal.model.Contact.male=true
field.enable.com.liferay.portal.model.Contact.birthday=true
field.enable.com.liferay.portal.model.Organization.status=false

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

Attachment 1.png

77 kB

29/Jul/13 3:36 PM
Attachment 2.png

77 kB

29/Jul/13 3:36 PM
Attachment 3.png

48 kB

29/Jul/13 3:36 PM

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Randy Zhu added a comment - 14/Feb/13 5:49 PM

In preparation for Ideation; we are merging New Feature and Improvement tickets into a singular ticket type called “Feature Request”.

This ticket has been converted to story ticket type for you; so that the ticket may continue to progress through the workflow properly.

However these tickets were not writing in the proper story format. Please format this ticket to story standards.

Show

Randy Zhu added a comment - 14/Feb/13 5:49 PM In preparation for Ideation; we are merging New Feature and Improvement tickets into a singular ticket type called “Feature Request”. This ticket has been converted to story ticket type for you; so that the ticket may continue to progress through the workflow properly. However these tickets were not writing in the proper story format. Please format this ticket to story standards.

Hide

Permalink

David Truong added a comment - 30/Jul/13 1:19 PM

Can we get a better error description instead of saying you don't have permission to edit it? Seems more appropriate to say "This user is imported from LDAP. Please change the user from using through your LDAP." or something similar.

Show

David Truong added a comment - 30/Jul/13 1:19 PM Can we get a better error description instead of saying you don't have permission to edit it? Seems more appropriate to say "This user is imported from LDAP. Please change the user from using through your LDAP." or something similar.

Hide

Permalink

David Truong added a comment - 05/Aug/13 2:35 PM

Error message will display "Your portal admin has disabled the ability to change the following fields: ... " since there are numerous portal.properties that can disable the field.

Show

David Truong added a comment - 05/Aug/13 2:35 PM Error message will display "Your portal admin has disabled the ability to change the following fields: ... " since there are numerous portal.properties that can disable the field.

Hide

Permalink

Sharon Choi added a comment - 19/Sep/13 4:17 PM

PASSED Manual Testing following the steps in the description.

Fixed on:
Tomcat 7.0 + MySQL 5. Portal master GIT ID: cdf244c828f99209553e20c86ab5989dc16d906c.

Following the steps listed above, in Jonathan's comment, after setting those properties in the portal-ext file, admins are allowed to block users from updating their details regardless of being imported from LDAP or not. No errors appear on the console, and everything appears to be working successfully.

Show

Sharon Choi added a comment - 19/Sep/13 4:17 PM PASSED Manual Testing following the steps in the description. Fixed on: Tomcat 7.0 + MySQL 5. Portal master GIT ID: cdf244c828f99209553e20c86ab5989dc16d906c. Following the steps listed above, in Jonathan's comment, after setting those properties in the portal-ext file, admins are allowed to block users from updating their details regardless of being imported from LDAP or not. No errors appear on the console, and everything appears to be working successfully.

People

Assignee:

Sharon Choi

Reporter:

Josef Šustáček

Participants of an Issue:

David Truong, Josef Šustáček, Randy Zhu, Sharon Choi

Vote (0)

Watch (6)

Dates

Created:

19/Sep/12 7:48 AM

Updated:

19/Sep/13 4:17 PM

Resolved:

19/Sep/13 4:17 PM

Days since last comment:

30 weeks, 6 days ago

Agile

View on Board

~~LPS-13933~~	Liferay should not import user's password from LDAP
~~LPS-36696~~	User attributes not imported from LDAP if LDAP user was never modified
~~LPS-14014~~	Wrong user in LDAP gets updated
~~LPS-4856~~	omniadmin users' password is not updated from LDAP