Al Bermin
Unable to import users from Active Directory
December 23, 2011 1:00 PM
Rank: New Member
Posts: 16
Join Date: December 23, 2011

Hello community,

I'm trying to take the Liferay product for a spin and need to get it authenticating with our Active Directory. I did an initial setup and configured the authentication mechanism where the Test LDAP Users button works fine and shows me some users and properties but the usernames never get imported. I'm also unable to see any errors in the log files even after restarting the services. Can you advise some pointers?

Regards,
Al
David H Nebinger
RE: Unable to import users from Active Directory
December 23, 2011 2:35 PM
Community Moderator
Rank: Liferay Legend
Posts: 13099
Join Date: September 1, 2006

Sometimes you need to go to the control panel to the Server Administration page and click on the "Reindex all search indexes" Execute button.
Al Bermin
RE: Unable to import users from Active Directory
December 23, 2011 3:00 PM

Thanks for the reply David. I did that and it didn't seem to help. I still see no users in the system. That option seemed to do some things with the Lucene indexer so not sure how that would relate to Active Directory authentication.
David H Nebinger
RE: Unable to import users from Active Directory
December 23, 2011 3:56 PM

The Lucene indices are used as the primary data store in the control panel, but the Lucene indices are populated by the values in the database.

Sometimes manual rebuilding of the indices is necessary in order to ensure they contain the same data as the database.

In the past I had issues where the AD import populated the database, but not the indices and rebuilding them helped to sync them up.

It's possible that although the test of the users worked (I'm assuming you could see the list of users in the popup window), it failed during the insert due to some missing piece of key info required during the insert. The logs should have reflected the failure...

If you have the import at restart flag selected, I'd try restarting your Liferay instance; it will try the AD import again and maybe this time you'll be able to see some error that is blocking the import.
Hitoshi Ozawa
RE: Unable to import users from Active Directory
December 23, 2011 4:09 PM
Rank: Liferay Legend
Posts: 7949
Join Date: March 23, 2010

How did you check if AD users are being imported or not? From Liferay's Control Panel or from the user_ table in the database?
By "restarting the services", do you mean restarting Liferay? Are you not able to log in with a user from AD?

The following thread may help you on setting up AD:
http://www.liferay.com/community/forums/-/message_boards/message/313817
Al Bermin
RE: Unable to import users from Active Directory
December 23, 2011 8:23 PM

Yes I can see some test users with the correct fields mapped in the popup window of the LDAP configuration page. The logs don't indicate a failure when I try to sign on as a domain user. I have restarted the instance several times. I'm expecting to see the users imported in the user page of the control panel but maybe that's not the case. We do have a few thousand users in this OU but it shouldn't take more than an hour at most I would think (and should show a status as it goes along). I have the import users at startup option checked. How can I check the user_ table when using the built-in non-production database system?
Hitoshi Ozawa
RE: Unable to import users from Active Directory
December 23, 2011 9:15 PM

When using the built-in HSQL database, you'll have to shut down the server and go to the \data\hsql directory where you've installed Liferay.
Open up the lportal.script file with a text editor and search for the user_ table. If you have many users being imported, you can also check by looking at the file size to see if additional rows are being inserted.
Al Bermin
RE: Unable to import users from Active Directory
December 24, 2011 5:57 AM

I did a search in lportal.script for user_table but nothing came up. It seems weird that the test for accounts will show me some and the authentication check works fine with the LDAP user credentials yet nothing comes in and nothing appears to be logged. I've tested this setup with other CMS systems and the user accounts are either successfully imported or I have detailed logs that show what the issue is.
Jack Bakker
RE: Unable to import users from Active Directory
December 24, 2011 8:33 PM
Rank: Liferay Master
Posts: 934
Join Date: January 3, 2010

I have AD to LR sync for many thousands of users; works great, though yeah there are people who want what they see through other systems (one example for me is having a notice to LR user that AD password is to expire in 'x' days).

Note that LDAP to LR sync affords a sync from many different LDAP flavours (AD being one of them). To narrow in for you wrt more logging, have a look at an LR Administrator's view of the LR Control Panel: Server Administration (at bottom left), and then Log Level.

Increase the log level for com.liferay.portal.security.ldap and com.liferay.portal.security.ldap.PortalLDAPUtil to see if you can learn more about what might be just a config that needs attention.
Al Bermin
RE: Unable to import users from Active Directory
December 27, 2011 6:25 AM

Thanks for the logging tip Jack. I see from the logs that I am getting at least two different kinds of exceptions.

14:14:12,657 ERROR [PortalLDAPImporterImpl:672] Unable to import user CN=tst_ftlelt025 (Test Account): null:null:{samaccountname=sAMAccountName: tst_ftlelt025}
com.liferay.portal.UserEmailAddressException: Email address cannot be null for tst_ftlelt025 (Test Account)
    at com.liferay.portal.security.ldap.BaseLDAPToPortalConverter.importLDAPUser(BaseLDAPToPortalConverter.java:127)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importUser(PortalLDAPImporterImpl.java:862)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAPByUser(PortalLDAPImporterImpl.java:662)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:189)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:128)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:95)
    at com.liferay.portal.security.ldap.PortalLDAPImporterUtil.importFromLDAP(PortalLDAPImporterUtil.java:30)
    at com.liferay.portlet.admin.messaging.LDAPImportMessageListener.doReceive(LDAPImportMessageListener.java:28)
    at com.liferay.portal.kernel.messaging.BaseMessageListener.receive(BaseMessageListener.java:25)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:54)
    at $Proxy279.receive(Unknown Source)
    at com.liferay.portal.kernel.scheduler.messaging.SchedulerEventMessageListenerWrapper.receive(SchedulerEventMessageListenerWrapper.java:75)
    at com.liferay.portal.kernel.messaging.InvokerMessageListener.receive(InvokerMessageListener.java:65)
    at com.liferay.portal.kernel.messaging.ParallelDestination$1.run(ParallelDestination.java:106)
    at com.liferay.portal.kernel.concurrent.ThreadPoolExecutor$WorkerTask._runTask(ThreadPoolExecutor.java:669)
    at com.liferay.portal.kernel.concurrent.ThreadPoolExecutor$WorkerTask.run(ThreadPoolExecutor.java:580)
    at java.lang.Thread.run(Thread.java:619)
14:14:14,546 ERROR [PortalLDAPImporterImpl:672] Unable to import user CN=Noah Goldman (3P): null:null:{samaccountname=sAMAccountName: t_noahg}
com.liferay.portal.UserScreenNameException
    at com.liferay.portal.service.impl.UserLocalServiceImpl.validateScreenName(UserLocalServiceImpl.java:5563)
    at com.liferay.portal.service.impl.UserLocalServiceImpl.validate(UserLocalServiceImpl.java:5384)
    at com.liferay.portal.service.impl.UserLocalServiceImpl.addUserWithWorkflow(UserLocalServiceImpl.java:590)
    at com.liferay.portal.service.impl.UserLocalServiceImpl.addUser(UserLocalServiceImpl.java:461)
    at sun.reflect.GeneratedMethodAccessor465.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:112)
    at com.liferay.portal.spring.transaction.TransactionInterceptor.invoke(TransactionInterceptor.java:71)
    at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:108)
    at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:59)
    at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:108)
    at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:59)
    at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:108)
    at com.liferay.portal.spring.aop.ChainableMethodAdvice.invoke(ChainableMethodAdvice.java:59)
    at com.liferay.portal.spring.aop.ServiceBeanMethodInvocation.proceed(ServiceBeanMethodInvocation.java:108)
    at com.liferay.portal.spring.aop.ServiceBeanAopProxy.invoke(ServiceBeanAopProxy.java:211)
    at $Proxy96.addUser(Unknown Source)
    at com.liferay.portal.service.UserLocalServiceUtil.addUser(UserLocalServiceUtil.java:445)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.addUser(PortalLDAPImporterImpl.java:474)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importUser(PortalLDAPImporterImpl.java:873)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAPByUser(PortalLDAPImporterImpl.java:662)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:189)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:128)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:95)
    at com.liferay.portal.security.ldap.PortalLDAPImporterUtil.importFromLDAP(PortalLDAPImporterUtil.java:30)
    at com.liferay.portlet.admin.messaging.LDAPImportMessageListener.doReceive(LDAPImportMessageListener.java:28)
    at com.liferay.portal.kernel.messaging.BaseMessageListener.receive(BaseMessageListener.java:25)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:54)
    at $Proxy279.receive(Unknown Source)
    at com.liferay.portal.kernel.scheduler.messaging.SchedulerEventMessageListenerWrapper.receive(SchedulerEventMessageListenerWrapper.java:75)
    at com.liferay.portal.kernel.messaging.InvokerMessageListener.receive(InvokerMessageListener.java:65)
    at com.liferay.portal.kernel.messaging.ParallelDestination$1.run(ParallelDestination.java:106)
    at com.liferay.portal.kernel.concurrent.ThreadPoolExecutor$WorkerTask._runTask(ThreadPoolExecutor.java:669)
    at com.liferay.portal.kernel.concurrent.ThreadPoolExecutor$WorkerTask.run(ThreadPoolExecutor.java:580)
    at java.lang.Thread.run(Thread.java:619)


One appears to be an issue with the lack of an email address for some accounts (test accounts and such don't have email addresses) and the other is related to underscores in the usernames which all of our contractors have. So the questions now are why can't I import users without email addresses and ones that have underscores? Also, are these kinds of errors preventing LDAP synchronization for my other users (is this an all or nothing thing)? I'm trying to authenticate to the system with a valid user account that doesn't have an underscore and has an email address yet it still fails.
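
Added example, not part of the original post and not Liferay code: a small log triage script that groups the "Unable to import user" errors shown above by exception class, so it is clear which accounts were rejected and why. The sample log lines are constructed in the format quoted in the post, and the function name `triage` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the post above.
SAMPLE_LOG = """\
09:00:01,100 ERROR [PortalLDAPImporterImpl:672] Unable to import user CN=svc_build (Test Account): null:null:{samaccountname=sAMAccountName: svc_build}
com.liferay.portal.UserEmailAddressException: Email address cannot be null for svc_build (Test Account)
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importUser(PortalLDAPImporterImpl.java:862)
09:00:02,200 ERROR [PortalLDAPImporterImpl:672] Unable to import user CN=Jane Doe (3P): null:null:{samaccountname=sAMAccountName: t_jdoe}
com.liferay.portal.UserScreenNameException
    at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importUser(PortalLDAPImporterImpl.java:873)
09:30:01,100 ERROR [PortalLDAPImporterImpl:672] Unable to import user CN=svc_build (Test Account): null:null:{samaccountname=sAMAccountName: svc_build}
com.liferay.portal.UserEmailAddressException: Email address cannot be null for svc_build (Test Account)
09:30:02,300 ERROR [PortalLDAPImporterImpl:672] Unable to import user CN=x_trunc: null:null:{samaccountname=sAMAccountName: x_trunc}
"""

# Importer error header; captures the sAMAccountName value from the attribute dump.
HEADER = re.compile(
    r"ERROR \[PortalLDAPImporterImpl:\d+\] Unable to import user "
    r".*?sAMAccountName: (?P<sam>[^,}]+)", re.IGNORECASE)
# First line of a stack trace: fully qualified exception class, optional message.
EXC = re.compile(r"^(?P<cls>[\w.$]+(?:Exception|Error))(?:: (?P<msg>.*))?$")

def triage(log_text):
    """Map exception class name -> sorted list of accounts that failed import."""
    failures = defaultdict(set)  # sets dedupe accounts that fail on every run
    pending = None               # account still waiting for its exception line
    for line in log_text.splitlines():
        m = HEADER.search(line)
        if m:
            if pending:          # previous header had no exception line
                failures["Unknown"].add(pending)
            pending = m.group("sam").strip()
            continue
        e = EXC.match(line)
        if e and pending:
            failures[e.group("cls").rsplit(".", 1)[-1]].add(pending)
            pending = None
    if pending:                  # log ended right after a header
        failures["Unknown"].add(pending)
    return {cls: sorted(accts) for cls, accts in failures.items()}

if __name__ == "__main__":
    for cls, accounts in triage(SAMPLE_LOG).items():
        print(f"{cls}: {len(accounts)} account(s): {', '.join(accounts)}")
```
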
Al Bermin
RE: Unable to import users from Active Directory
December 27, 2011 6:38 AM

After looking again in the users and organizations section of the control panel, I see a few thousand users which have come in; however, my test user has not so I'm trying to track it down in the logs.
Jack Bakker
RE: Unable to import users from Active Directory
December 27, 2011 9:42 AM

com.liferay.portal.UserEmailAddressException: Email address cannot be null for tst_ftlelt025 (Test Account)

In ROOT/WEB-INF/classes/portal-ext.properties:

# Set this to false if you want to be able to create users without an email
# address. An email address will be automatically assigned to a user based
# on the property "users.email.address.auto.suffix".
#
users.email.address.required=true
Jack Bakker
RE: Unable to import users from Active Directory
December 27, 2011 9:46 AM

For underscores in 'screenname', look at:

users.screen.name.validator=com.liferay.portal.security.auth.LiberalScreenNameValidator
Al Bermin
RE: Unable to import users from Active Directory
December 27, 2011 10:18 AM

So I think I was able to get it going. My test user name was deactivated so it didn't show up when I did a search for active users only. I reactivated it and now I can log in successfully with it. I also entered the following lines in portal-ext.properties to allow underscores in usernames and prevent the password reminder, respectively.

users.screen.name.validator=com.liferay.portal.security.auth.LiberalScreenNameValidator
users.reminder.queries.enabled=false
users.reminder.queries.custom.question.enabled=false

So I only receive a few errors in the logs for users with no email addresses but I don't care about those anyways. Thanks again to everyone for their help! Liferay seems to have a pretty complete LDAP implementation. Now I just need to figure out some permissions, full-text searching of documents, and other requirements. I may be posting here again soon.

Happy Holidays!

--Al