Details

    • Type: Bug
    • Status: Closed
    • Resolution: Duplicate
    • Affects Version/s: 5.1.2
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:
      Java 1.6, Tomcat 5.5, MySql 5

      Description

      Trying to import users from an LDAP server, you get the error below for all users and no users are imported.
      NOTE that from the Administration portlet the test of the users to import is OK: it shows all the users to import.

      -----------------------------------------------------------
      18:12:11,531 ERROR [PortalLDAPUtil] Problem adding user with screen name m2 and
      email address m2@clivet.it
      com.liferay.portal.ModelListenerException: javax.naming.directory.InvalidAttribu
      teValueException: [LDAP: error code 21 - INVALID_ATTRIBUTE_SYNTAX: failed for
      Modify Request
      Object : '2.5.4.3=m2,2.5.4.11=people,0.9.2342.19200300.100.1.25=clivet,0
      .9.2342.19200300.100.1.25=it'
      Modification[0]
      Operation : replace
      Modification
      givenname:
      Modification[1]
      Operation : replace
      Modification
      sn:
      Modification[2]
      Operation : replace
      Modification
      mail: m2@clivet.it
      Modification[3]
      Operation : replace
      Modification
      title:
      : Attribute value '' for attribute 'givenname' is syntactically incorrect]; remaining name 'cn=m2,ou=People,dc=clivet,dc=it'

      Actual portal-ext.properties:

      ##
      ## LDAP
      ##

      #
      # Set the values used to connect to a LDAP store.
      #
      ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      ldap.base.provider.url=ldap://localhost:10389
      ldap.base.dn=dc=clivet,dc=it
      ldap.security.principal=uid=admin,ou=system
      ldap.security.credentials=xxxxxxxx

      #
      # Settings for com.liferay.portal.security.auth.LDAPAuth can be configured
      # from the Admin portlet. It provides out of the box support for Apache
      # Directory Server, Microsoft Active Directory Server, Novell eDirectory,
      # and OpenLDAP. The default settings are for Apache Directory Server.
      #
      # The LDAPAuth class must be specified in the property "auth.pipeline.pre"
      # to be executed.
      #
      # Encryption is implemented by com.liferay.util.Encryptor.provider.class in
      # system.properties.
      #
      ldap.auth.enabled=true
      ldap.auth.required=false

      #
      # Set either bind or password-compare for the LDAP authentication method.
      # Bind is preferred by most vendors so that you don't have to worry about
      # encryption strategies.
      #
      #ldap.auth.method=password-compare

      #
      # Active Directory stores information about the user account as a series of
      # bit fields in the UserAccountControl attribute.
      #
      # If you want to prevent disabled accounts from logging into the portal you
      # need to use a search filter similar to the following:
      # (&(objectclass=person)(userprincipalname=@email_address@)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
      #
      # See the following links:
      # http://support.microsoft.com/kb/305144/
      # http://support.microsoft.com/?kbid=269181
      #
      ldap.auth.search.filter=(cn=@screen_name@)
      ldap.import.search.filter=(objectClass=inetOrgPerson)

      #
      # The following settings are used to map LDAP users to portal users.
      #
      # You can write your own class that extends
      # com.liferay.portal.security.ldap.LDAPUser to customize the behavior for
      # exporting portal users to the LDAP store.
      #
      ldap.users.dn=ou=People,dc=clivet,dc=it
      ldap.user.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
      ldap.user.impl=com.liferay.portal.security.ldap.LDAPUser
      ldap.user.default.object.classes=top,person,inetOrgPerson,organizationalPerson

      #
      # The following settings are used to map LDAP groups to portal user groups.
      #
      ldap.groups.dn=ou=Roles,dc=clivet,dc=it
      ldap.group.mappings=groupName=cn\ndescription=description

      #
      # Settings for importing users and groups from LDAP to the portal.
      #
      ldap.import.enabled=true
      ldap.import.on.startup=true
      ldap.import.interval=10

      #
      # Settings for exporting users from the portal to LDAP. This allows a user
      # to modify his first name, last name, etc. in the portal and have that
      # change get pushed to the LDAP server. This will only be active if the
      # property "ldap.auth.enabled" is also set to true.
      #
      ldap.export.enabled=true

      #
      # Set this to true to use the LDAP's password policy instead of the portal
      # password policy.
      #
      ldap.password.policy.enabled=false

        Activity

        Paul Mietz Egli added a comment -

        Similar issue when using Apache DS:

        Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - INVALID_ATTRIBUTE_SYNTAX: failed for Add Request :
        ClientEntry
        dn: 2.5.4.3=10108,2.5.4.11=people,0.9.2342.19200300.100.1.25=motionxlive,0.9.2342.19200300.100.1.25=com
        objectclass: top
        objectclass: person
        objectclass: inetOrgPerson
        objectclass: organizationalPerson
        sn:
        cn: 10108
        givenname:
        mail: default@liferay.com
        : Attribute value '' for attribute 'sn' is syntactically incorrect]; remaining name 'cn=10108,ou=people,dc=motionxlive,dc=com'
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2998)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
        at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:379)
        at com.sun.jndi.ldap.LdapCtx.c_bind(LdapCtx.java:336)
        at com.sun.jndi.toolkit.ctx.ComponentContext.p_bind(ComponentContext.java:596)
        at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:183)
        at com.sun.jndi.toolkit.ctx.PartialCompositeContext.bind(PartialCompositeContext.java:173)
        at javax.naming.InitialContext.bind(InitialContext.java:359)
        at com.liferay.portal.security.ldap.PortalLDAPUtil.exportToLDAP(PortalLDAPUtil.java:129)
        at com.liferay.portal.model.ContactListener.onAfterCreate(ContactListener.java:50)
        ... 55 more

        Note that sn and givenname have no values. I found this workaround for 5.1.x on one of the message boards a while back but unfortunately am not able to dig it back up to give proper credit. To fix the problem with sn and givenname, add the following code to PortalLDAPUtil.exportToLDAP(Contact contact):

        if (!isAuthEnabled(companyId) || !isExportEnabled(companyId)) {
            return;
        }

        // ADD CODE BETWEEN THESE LINES
        // technically, we should check givenName and sn here because the mapping
        // might not be sn -> lastName and givenname -> firstName
        if (Validator.isNull(contact.getFirstName()) ||
            Validator.isNull(contact.getLastName())) {

            _log.info("not exporting; first or last name is null");
            return;
        }
        // ADD CODE BETWEEN THESE LINES

        LdapContext ctx = getContext(companyId);

        and the same to PortalLDAPUtil.exportToLDAP(User user). Diff file attached.

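A mapping-aware version of the guard in the comment above, written as an added example (not Liferay's code and not the attached diff): it parses an ldap.user.mappings string in the format used in this issue, leaves blank portal values out of the replace request instead of sending '' (the value the directory rejects with error 21), and refuses the export only when a blank value maps to an attribute the entry's object classes require (sn for person/inetOrgPerson). The class name, method names and the requiredAttrs parameter are assumptions.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// Added example; SafeLdapExport is a hypothetical class, not Liferay's PortalLDAPUtil.
public class SafeLdapExport {

    // Parses "portalField=ldapAttr" lines (the ldap.user.mappings format, after the
    // literal \n sequences have been expanded) into an ordered portal-field -> attribute map.
    static Map<String, String> parseMappings(String mappings) {
        Map<String, String> map = new LinkedHashMap<String, String>();
        for (String line : mappings.split("\\r?\\n")) {
            int eq = line.indexOf('=');
            if (eq > 0) map.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
        }
        return map;
    }

    // Builds REPLACE modifications for one user. A blank portal value is skipped rather
    // than sent as "" (which is what produces INVALID_ATTRIBUTE_SYNTAX); if it maps to
    // an attribute the object classes require (pass requiredAttrs in lower case, e.g.
    // "cn" and "sn"), the export is refused before anything is sent to the directory.
    static ModificationItem[] buildReplace(Map<String, String> mappings,
            Map<String, String> portalValues, Set<String> requiredAttrs) {
        List<ModificationItem> mods = new ArrayList<ModificationItem>();
        for (Map.Entry<String, String> e : mappings.entrySet()) {
            String attr = e.getValue();
            String value = portalValues.get(e.getKey());
            if (value == null || value.trim().length() == 0) {
                if (requiredAttrs.contains(attr.toLowerCase())) {
                    throw new IllegalStateException(
                        "not exporting: required attribute '" + attr + "' is blank");
                }
                continue; // optional attribute: leave it untouched
            }
            mods.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute(attr, value)));
        }
        return mods.toArray(new ModificationItem[mods.size()]);
    }
}
```

If a user deliberately cleared an optional field in the portal, the right way to mirror that is a DirContext.REMOVE_ATTRIBUTE modification for that attribute, never an empty string.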
        Paul Mietz Egli added a comment -

        Diff file of https://lportal.svn.sourceforge.net/svnroot/lportal/portal/branches/5.1.x/portal-impl/src/com/liferay/portal/security/ldap/PortalLDAPUtil.java@22661 to fix problem with empty sn and givenName attributes in LDAP export.
        werner mueller added a comment -

        Have the same issue on ApacheDS 1.5.4.

        Is there a known workaround to sync users?

        Amos Fong added a comment -

        See LPS-2755 for fix.

        If your ldap.import.method=group, you may also need to see LPS-2883 for an additional fix.


          People

          • Votes: 3
          • Watchers: 3
