PUBLIC - Liferay Portal Community Edition
LPS-40877

Setting ldap.import.group.search.filter.enabled=false does not allow import of user groups

    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Won't Fix
    • Affects Version/s: 6.1.20 EE GA2, 6.1.X EE, 6.2.0 CE RC3
    • Labels:
      None
    • Environment:
      LIFERAY VERSION: 6.1 GA2
      OPERATING SYSTEM: Red Hat Enterprise 5
      APPLICATION SERVER: Weblogic 11
      JAVA VIRTUAL MACHINE: Java 7
      DATABASE: Oracle 11.2

      Description

      Short description of the client's issue:
      Based on my testing it seems that setting ldap.import.group.search.filter.enabled=false does not allow user groups to be imported. This property should allow users with groups outside of their Base DN to be imported, but no groups are imported at all.

      Steps to reproduce / testing done:
      1. Start up a new Liferay bundle with the following portal-ext.properties:
      ldap.import.enabled=true
      ldap.import.on.startup=true
      ldap.import.interval=1

      ldap.import.group.search.filter.enabled=false

      ldap.auth.enabled=true
      ldap.auth.required=true
      ldap.base.provider.url.0=ldap://192.168.89.137:389
      ldap.security.principal.0=CN=Administrator,CN=Users,DC=windows2008r2,DC=ntlm
      ldap.security.credentials.0=liferay
      ldap.base.dn.0=OU=Liferay,DC=windows2008r2,DC=ntlm
      ldap.auth.search.filter.0=(sAMAccountName=@screen_name@)
      ldap.import.user.search.filter.0=(objectClass=person)
      ldap.user.mappings.0=screenName=sAMAccountName\npassword=userPassword\nemailAddress=userprincipalname\nfirstName=givenName\nlastName=sn\njobTitle=title
      ldap.user.default.object.classes=top,person,inetOrgPerson,organizationalPerson
      ldap.import.group.search.filter.0=(objectClass=group)
      ldap.group.mappings.0=groupName=cn\ndescription=sAMAccountName\nuser=member
      ldap.group.default.object.classes.0=top,group
      ldap.user.custom.mappings.0=
      ldap.contact.mappings.0=
      ldap.contact.custom.mappings.0=
      ldap.password.policy.enabled=false
      ldap.auth.password.encryption.algorithm=NONE
      company.security.auth.type=screenName

      2. Create a user group in the LDAP
      3. Add a user to the LDAP (the user and the group can be in the same Base DN, since technically, disabling the search filter should catch every group that the user belongs to.)
      4. Add this user to the user group in LDAP
      example:
      cn: useruser
      objectClass: inetOrgPerson
      objectClass: organizationalPerson
      objectClass: person
      objectClass: top
      sn: testuser
      givenName: useruser
      mail: useruser@liferay.com
      userPassword (in plaintext): test
      5. Start up the portal and sign in as "useruser"
      6. Check Control Panel > Users and Organizations.
      7. Notice that the user has not been assigned to the new group

      Results of steps / testing:
      The new user can sign in, but they do not have any groups imported.

      Errors/logs:
      When the log levels are set to DEBUG, the following errors come up:

      23:26:20,381 DEBUG [http-bio-8080-exec-9][PortalLDAPUtil:44] -- listing properties --
      java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      java.naming.provider.url=ldap://192.168.89.137:389
      com.sun.jndi.ldap.connect.timeout=500
      java.naming.security.principal=CN=Administrator,CN=Users,DC=windows2...
      com.sun.jndi.ldap.connect.pool=true
      java.naming.security.credentials=liferay
      java.naming.referral=follow
      com.sun.jndi.ldap.read.timeout=15000
      
      23:26:20,383 DEBUG [http-bio-8080-exec-9][LDAPSettingsUtil:44] -- listing properties --
      password=userPassword
      lastName=sn
      screenName=sAMAccountName
      firstName=givenName
      jobTitle=title
      emailAddress=userprincipalname
      
      23:26:20,387 WARN  [http-bio-8080-exec-9][PortalLDAPImporterImpl:317] Problem accessing LDAP server null
      23:26:20,388 DEBUG [http-bio-8080-exec-9][PortalLDAPImporterImpl:321] java.lang.NullPointerException
      java.lang.NullPointerException
      	at com.liferay.portal.security.ldap.PortalLDAPUtil.getNameInNamespace(PortalLDAPUtil.java:393)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importGroups(PortalLDAPImporterImpl.java:792)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importLDAPUser(PortalLDAPImporterImpl.java:235)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importLDAPUser(PortalLDAPImporterImpl.java:307)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importLDAPUser(PortalLDAPImporterImpl.java:364)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterUtil.importLDAPUser(PortalLDAPImporterUtil.java:74)
      	at com.liferay.portal.security.auth.RequestHeaderAutoLogin.login(RequestHeaderAutoLogin.java:61)
      	at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:184)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
      	at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:83)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
      	at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:80)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
      	at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:216)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
      	at java.lang.Thread.run(Thread.java:662)
      23:26:42,893 DEBUG [liferay/scheduler_dispatch-3][PortalLDAPUtil:44] -- listing properties --
      java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      java.naming.provider.url=ldap://192.168.89.137:389
      com.sun.jndi.ldap.connect.timeout=500
      java.naming.security.principal=CN=Administrator,CN=Users,DC=windows2...
      com.sun.jndi.ldap.connect.pool=true
      java.naming.security.credentials=liferay
      java.naming.referral=follow
      com.sun.jndi.ldap.read.timeout=15000
      

      Workaround:
      Remove ldap.import.group.search.filter.enabled=false from portal-ext.properties, or comment it out.

      Testing in 6.1.X:
      3b600580db9411f1ea8fc5a425e070dcccb55796
      Issue is reproduced.

      Testing in Trunk:
      9e584c8f5607b5ed45f2531c71e7bab9d58e93e7
      Issue is reproduced.
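
An added example (not part of the original report and not Liferay code): a Python triage helper for the log format shown above. It finds the NullPointerException raised under importGroups and masks the bind password that the DEBUG property dump prints in clear text. The sample log is constructed from lines in this report, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the log lines shown in this report.
SAMPLE_LOG = """\
23:26:20,381 DEBUG [http-bio-8080-exec-9][PortalLDAPUtil:44] -- listing properties --
java.naming.provider.url=ldap://192.168.89.137:389
java.naming.security.credentials=liferay
23:26:20,387 WARN  [http-bio-8080-exec-9][PortalLDAPImporterImpl:317] Problem accessing LDAP server null
23:26:20,388 DEBUG [http-bio-8080-exec-9][PortalLDAPImporterImpl:321] java.lang.NullPointerException
java.lang.NullPointerException
\tat com.liferay.portal.security.ldap.PortalLDAPUtil.getNameInNamespace(PortalLDAPUtil.java:393)
\tat com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importGroups(PortalLDAPImporterImpl.java:792)
23:26:42,893 DEBUG [liferay/scheduler_dispatch-3][PortalLDAPUtil:44] -- listing properties --
java.naming.security.credentials=liferay
"""

# "HH:MM:SS,mmm LEVEL [thread][Logger:line] message"
ENTRY = re.compile(r"^(\d{2}:\d{2}:\d{2},\d{3})\s+(\w+)\s+\[(.+?)\]\[(\w+):\d+\]\s?(.*)$")
SECRET = re.compile(r"^(\s*java\.naming\.security\.credentials=).*$")

def parse_entries(text):
    """Attach continuation lines (property dumps, stack frames) to their log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, level, thread, logger, msg = m.groups()
            entries.append({"ts": ts, "level": level, "thread": thread,
                            "logger": logger, "msg": msg, "extra": []})
        elif entries and line.strip():
            entries[-1]["extra"].append(line)
    return entries

def find_group_import_failures(entries):
    """Return (timestamp, thread) for each NPE whose stack passes through importGroups."""
    hits = []
    for e in entries:
        frames = [l for l in e["extra"] if l.lstrip().startswith("at ")]
        if "NullPointerException" in e["msg"] and any(
                "PortalLDAPImporterImpl.importGroups(" in f for f in frames):
            hits.append((e["ts"], e["thread"]))
    return hits

def redact(text):
    """Mask the LDAP bind password before the log is attached to a ticket."""
    return "\n".join(SECRET.sub(r"\1<redacted>", l) for l in text.splitlines())
```

The stack frames only appear at DEBUG level, which is also the level that writes `java.naming.security.credentials` to the log, so run `redact` on any excerpt before sharing it.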

          Activity

          Kim Wang (Inactive) added a comment -

          Hello, Brian.
          I think there are two ways to handle this problem. The first is to add group=uid to "ldap.user.mappings.0" (uid is an attribute of the LDAP user; I use this attribute to specify which group it belongs to, and uid should be filled in as the full DN of the group). The other way is to add "ldap.import.method=group" to the portal-ext.properties file; by default, ldap.import.method=user.

