  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-40877

Setting ldap.import.group.search.filter.enabled=false does not allow import of user groups

Details

    • Bug
    • Status: Closed
    • Resolution: Won't Fix
    • 6.1.20 EE GA2, 6.1.X EE, 6.2.0 CE RC3
    • None
    • LIFERAY VERSION: 6.1 GA2
      OPERATING SYSTEM: Red Hat Enterprise 5
      APPLICATION SERVER: Weblogic 11
      JAVA VIRTUAL MACHINE: Java 7
      DATABASE: Oracle 11.2

    Description

      Short description of the client's issue:
      Based on my testing it seems that setting ldap.import.group.search.filter.enabled=false does not allow user groups to be imported. This property should allow users with groups outside of their Base DN to be imported, but no groups are imported at all.

      Steps to reproduce / testing done:
      1. Start up a new Liferay bundle with the following portal-ext.properties:
      ldap.import.enabled=true
      ldap.import.on.startup=true
      ldap.import.interval=1

      ldap.import.group.search.filter.enabled=false

      ldap.auth.enabled=true
      ldap.auth.required=true
      ldap.base.provider.url.0=ldap://192.168.89.137:389
      ldap.security.principal.0=CN=Administrator,CN=Users,DC=windows2008r2,DC=ntlm
      ldap.security.credentials.0=liferay
      ldap.base.dn.0=OU=Liferay,DC=windows2008r2,DC=ntlm
      ldap.auth.search.filter.0=([email protected][email protected])
      ldap.import.user.search.filter.0=(objectClass=person)
      ldap.user.mappings.0=screenName=sAMAccountName\npassword=userPassword\nemailAddress=userprincipalname\nfirstName=givenName\nlastName=sn\njobTitle=title
      ldap.user.default.object.classes=top,person,inetOrgPerson,organizationalPerson
      ldap.import.group.search.filter.0=(objectClass=group)
      ldap.group.mappings.0=groupName=cn\ndescription=sAMAccountName\nuser=member
      ldap.group.default.object.classes.0=top,group
      ldap.user.custom.mappings.0=
      ldap.contact.mappings.0=
      ldap.contact.custom.mappings.0=
      ldap.password.policy.enabled=false
      ldap.auth.password.encryption.algorithm=NONE
      company.security.auth.type=screenName

      2. Create a user group in the LDAP
      3. Add a user to the LDAP (the user and the group can be in the same Base DN, since technically, disabling the search filter should catch every group that the user belongs to.)
      4. Add this user to the user group in LDAP
      example:
      cn: useruser
      objectClass: inetOrgPerson
      objectClass: organizationalPerson
      objectClass: person
      objectClass: top
      sn: testuser
      givenName: useruser
      mail: [email protected]
      userPassword (in plaintext): test
      5. Start up the portal and sign in as "useruser"
      6. Check Control Panel > Users and Organizations.
      7. Notice that the user has not been assigned to the new group

      Results of steps / testing:
      The new user can sign in, but they do not have any groups imported.

      Errors/logs:
      When the log levels are set to DEBUG, the following errors come up:

      23:26:20,381 DEBUG [http-bio-8080-exec-9][PortalLDAPUtil:44] -- listing properties --
      java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      java.naming.provider.url=ldap://192.168.89.137:389
      com.sun.jndi.ldap.connect.timeout=500
      java.naming.security.principal=CN=Administrator,CN=Users,DC=windows2...
      com.sun.jndi.ldap.connect.pool=true
      java.naming.security.credentials=liferay
      java.naming.referral=follow
      com.sun.jndi.ldap.read.timeout=15000
      
      23:26:20,383 DEBUG [http-bio-8080-exec-9][LDAPSettingsUtil:44] -- listing properties --
      password=userPassword
      lastName=sn
      screenName=sAMAccountName
      firstName=givenName
      jobTitle=title
      emailAddress=userprincipalname
      
      23:26:20,387 WARN  [http-bio-8080-exec-9][PortalLDAPImporterImpl:317] Problem accessing LDAP server null
      23:26:20,388 DEBUG [http-bio-8080-exec-9][PortalLDAPImporterImpl:321] java.lang.NullPointerException
      java.lang.NullPointerException
      	at com.liferay.portal.security.ldap.PortalLDAPUtil.getNameInNamespace(PortalLDAPUtil.java:393)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importGroups(PortalLDAPImporterImpl.java:792)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importLDAPUser(PortalLDAPImporterImpl.java:235)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importLDAPUser(PortalLDAPImporterImpl.java:307)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importLDAPUser(PortalLDAPImporterImpl.java:364)
      	at com.liferay.portal.security.ldap.PortalLDAPImporterUtil.importLDAPUser(PortalLDAPImporterUtil.java:74)
      	at com.liferay.portal.security.auth.RequestHeaderAutoLogin.login(RequestHeaderAutoLogin.java:61)
      	at com.liferay.portal.servlet.filters.autologin.AutoLoginFilter.processFilter(AutoLoginFilter.java:184)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
      	at com.liferay.portal.servlet.filters.sso.ntlm.NtlmPostFilter.processFilter(NtlmPostFilter.java:83)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
      	at com.liferay.portal.sharepoint.SharepointFilter.processFilter(SharepointFilter.java:80)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.BaseFilter.processFilter(BaseFilter.java:163)
      	at com.liferay.portal.servlet.filters.virtualhost.VirtualHostFilter.processFilter(VirtualHostFilter.java:216)
      	at com.liferay.portal.kernel.servlet.BaseFilter.doFilter(BaseFilter.java:57)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:738)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDoFilter(InvokerFilterChain.java:206)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:108)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:167)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:116)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.processDirectCallFilter(InvokerFilterChain.java:187)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilterChain.doFilter(InvokerFilterChain.java:95)
      	at com.liferay.portal.kernel.servlet.filters.invoker.InvokerFilter.doFilter(InvokerFilter.java:73)
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
      	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
      	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
      	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
      	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
      	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
      	at java.lang.Thread.run(Thread.java:662)
      23:26:42,893 DEBUG [liferay/scheduler_dispatch-3][PortalLDAPUtil:44] -- listing properties --
      java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
      java.naming.provider.url=ldap://192.168.89.137:389
      com.sun.jndi.ldap.connect.timeout=500
      java.naming.security.principal=CN=Administrator,CN=Users,DC=windows2...
      com.sun.jndi.ldap.connect.pool=true
      java.naming.security.credentials=liferay
      java.naming.referral=follow
      com.sun.jndi.ldap.read.timeout=15000
      

      Workaround:
      Remove ldap.import.group.search.filter.enabled=false from portal-ext.properties, or comment it out.

      Testing in 6.1.X:
      3b600580db9411f1ea8fc5a425e070dcccb55796
      Issue is reproduced.

      Testing in Trunk:
      9e584c8f5607b5ed45f2531c71e7bab9d58e93e7
      Issue is reproduced.
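
A log check for the two patterns visible in the DEBUG excerpt above, added here as an example (it is not part of the original report and is not Liferay code). It groups continuation lines under each log header, flags the `Problem accessing LDAP server` warning when the next entry's trace contains a NullPointerException under `importGroups`, and flags property listings that print `java.naming.security.credentials`. The function names, finding labels and sample log are constructed for this example.

```python
import re

# Header format used in the excerpt: "HH:MM:SS,mmm LEVEL [thread][Class:line] message"
HEADER = re.compile(
    r"^\s*(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+"
    r"\[(?P<thread>[^\]]+)\]\[(?P<logger>[^:\]]+):\d+\]\s*(?P<msg>.*)$"
)

def parse_entries(text):
    """Attach continuation lines (stack frames, property listings) to their header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "body": []})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries

def find_issues(text):
    """Return (timestamp, thread, finding) tuples for the two patterns in the log excerpt."""
    entries, findings = parse_entries(text), []
    for i, e in enumerate(entries):
        # 1: importer WARN whose next entry carries an NPE raised under importGroups.
        if (e["level"] == "WARN" and e["logger"] == "PortalLDAPImporterImpl"
                and e["msg"].startswith("Problem accessing LDAP server")):
            nxt = entries[i + 1] if i + 1 < len(entries) else {"msg": "", "body": []}
            trace = [nxt["msg"], *nxt["body"]]
            if (any("NullPointerException" in t for t in trace)
                    and any("PortalLDAPImporterImpl.importGroups" in t for t in trace)):
                findings.append((e["ts"], e["thread"], "group-import-npe"))
        # 2: property listing that prints the LDAP bind password in clear text.
        if any(b.startswith("java.naming.security.credentials=") for b in e["body"]):
            findings.append((e["ts"], e["thread"], "bind-credentials-logged"))
    return findings

# Constructed sample shaped like the excerpt in the report (password value replaced).
SAMPLE = """\
23:26:20,381 DEBUG [http-bio-8080-exec-9][PortalLDAPUtil:44] -- listing properties --
java.naming.security.credentials=REDACTED
23:26:20,387 WARN  [http-bio-8080-exec-9][PortalLDAPImporterImpl:317] Problem accessing LDAP server null
23:26:20,388 DEBUG [http-bio-8080-exec-9][PortalLDAPImporterImpl:321] java.lang.NullPointerException
\tat com.liferay.portal.security.ldap.PortalLDAPUtil.getNameInNamespace(PortalLDAPUtil.java:393)
\tat com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importGroups(PortalLDAPImporterImpl.java:792)
"""

if __name__ == "__main__":
    for finding in find_issues(SAMPLE):
        print(*finding)
```

A `group-import-npe` finding marks a sign-in where the user was imported without group memberships, so the affected accounts are the ones to re-check once the workaround is applied.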

            People

              joel.garman Joel Garman
              brian.suh Brian Suh
              Kiyoshi Lee Kiyoshi Lee

              Dates

                Created:
                Updated:
                Resolved:
                9 years, 35 weeks, 1 day ago

                Packages

                  Version Package
                  6.1.2 CE GA3
                  6.1.X EE
                  6.2.0 CE RC5