James Sumners
CAS and LDAP importing, how does it work?
June 6, 2011 6:45 AM

First, I will describe what I expect:

I want users authenticated via CAS. Upon successful CAS authentication, I want Liferay to import the user from a defined LDAP source if the user does not exist in Liferay's database.

Now, what is actually happening:

I am able to successfully authenticate against CAS. If the user already exists in the Liferay database, then the user is logged in to Liferay. If the user is not already in Liferay's database, then a UserNotFound exception is logged, the user is not imported from LDAP (despite it being enabled and configured properly), and the user is not logged into Liferay.

How do I get my expected scenario to work? And how do I get it to work such that Liferay won't try to import all of my LDAP users at some pre-defined interval? I only want Liferay to import a user if the user tries to login.
Alan Wamser
RE: CAS and LDAP importing, how does it work?
June 3, 2011 1:00 PM

I'm having the exact same issue. Have you been able to find a solution?
James Sumners
RE: CAS and LDAP importing, how does it work?
June 3, 2011 1:04 PM

Nope. I've decided that if I end up using Liferay then I will have to override and implement the process myself.
Juan Gonzalez
RE: CAS and LDAP importing, how does it work?
June 4, 2011 12:17 AM
LIFERAY STAFF

James Sumners:
First, I will describe what I expect:

I want users authenticated via CAS. Upon successful CAS authentication, I want Liferay to import the user from a defined LDAP source if the user does not exist in Liferay's database.

Now, what is actually happening:

I am able to successfully authenticate against CAS. If the user already exists in the Liferay database, then the user is logged in to Liferay. If the user is not already in Liferay's database then the a UserNotFound exception is neither imported from LDAP (despite it being enabled and configured properly) and the user is not logged into Liferay.

How do I get my expected scenario to work? And how do I get it to work such that Liferay won't try to import all of my LDAP users at some pre-defined interval? I only want Liferay to import a user if the user tries to login.


What is your LDAP config? Liferay version? Any errors in the logs?
Bijan Vakili
RE: CAS and LDAP importing, how does it work?
June 5, 2011 12:13 PM

James, if the LDAP settings are correct and the user authenticates via CAS, then Liferay should import the user from LDAP. It is strange that this is not happening. Provide the log, LDAP setting, version number for us to help you. Or you can check out the CASAutoLogin.java code to find the issue yourself.
CASAutoLogin.java Source Code
Good luck.
James Sumners
RE: CAS and LDAP importing, how does it work?
June 6, 2011 12:49 PM

I updated my post to correct some confusing wording.

My LDAP config works just fine according to the test tool in the configuration wizard. It successfully connects to my LDAP and shows me users that match the defined filters. But when a CAS user tries to login, who is not already added to the Liferay database but does exist in LDAP, a UserNotFound exception is logged and the login fails.
James Sumners
RE: CAS and LDAP importing, how does it work?
June 6, 2011 12:54 PM

The version of Liferay is 6.0.6. I don't have the log because I gave up on it.
Juan Gonzalez
RE: CAS and LDAP importing, how does it work?
June 8, 2011 4:18 AM

Perhaps enabling "Required" in LDAP config solves the issue....
Alan Wamser
RE: CAS and LDAP importing, how does it work?
June 8, 2011 7:17 AM

Juan Gonzalez P:
Perhaps enabling "Required" in LDAP config solves the issue....



This will force a complete import of all users and groups. I'm only looking to import users that attempt to access the portal. Trying to keep things clean.
James Sumners
RE: CAS and LDAP importing, how does it work?
June 8, 2011 7:21 AM

Alan Wamser:
Juan Gonzalez P:
Perhaps enabling "Required" in LDAP config solves the issue....



This will force a complete import of all users and groups. I'm only looking to import users that attempt to access the portal. Trying to keep things clean.



Yep. Which means it does not solve the problem.
Juan Gonzalez
RE: CAS and LDAP importing, how does it work?
June 11, 2011 7:05 AM

Alan Wamser:
Juan Gonzalez P:
Perhaps enabling "Required" in LDAP config solves the issue....



This will force a complete import of all users and groups. I'm only looking to import users that attempt to access the portal. Trying to keep things clean.



I guess it shouldn't import all users, at least in my environment (Liferay 6.0.5 CE). It will import all users only if it has import on startup enabled. If not, it only imports on demand (when users log in).

Enabling "LDAP required" means that the Liferay authentication pipeline will check Liferay LDAP only (and hence import the user from it if it doesn't exist). I know this because I'd been investigating the source code some months ago because of an issue.

Please test this and check if it doesn't import all users without enabling "import on startup" and post the results.

It will be helpful if you can post your config here (LDAP screen and/or portal-ext.properties); there are some parameter combinations in the LDAP config that should be checked. If not, it will be very hard to find a solution.
Alan Wamser
RE: CAS and LDAP importing, how does it work?
June 22, 2011 2:38 PM

Here is my process for setting this up.

1. Extract new liferay ce (6.0.6)
2. Change Portal Settings -> Authentication -> How do users authenticate to "By Screen Name"
3. Edit Test User -> Screen Name change to my AD/CAS username
4. Configure Portal Settings -> Authentication -> CAS update
Login URL, Logout URL, Server Name, Server URL and check Enabled
5. Exit Liferay and successfully login using CAS server

Looking good so far!

6. Configure Portal Settings -> Authentication -> LDAP (Add)
-- Configure connection and test = Liferay has successfully connected to the LDAP server.
-- Configure User Mapping (Test LDAP Users works)

Authentication Search Filter - (&objectCategory=Person)
Import Search Filter - (objectClass=user)
Screen Name - cn
Password - userPassword
Email Address - mail
Full Name - displayName
First Name - givenName
Last Name - sn
Job Title - title
Group - memberOf

-- Groups (Test LDAP Groups works)
Import Search Filter = (objectClass=group)
Group Name - cn
Description - description
User - member
<SAVE>

7. In the CAS check "Import from LDAP"
8. In LDAP check "Enable". "Required" and "Import Enabled" are both NOT checked.

9. Sign in and out using my ID just to make sure things are still working.
10. Now test a user that is in AD/CAS but not in Liferay. Able to login to CAS but the user isn't being created in Liferay.

Logs show the following


INFO: Server startup in 23447 ms
21:15:51,623 INFO [PluginPackageUtil:1230] Checking for available updates
21:15:51,623 INFO [PluginPackageUtil:1274] Finished checking for available updates in 0 ms
21:31:40,134 WARN [CASAutoLogin:218] Problem accessing LDAP server Unbalanced parenthesis
21:32:34,627 WARN [CASAutoLogin:218] Problem accessing LDAP server Unbalanced parenthesis
21:32:34,646 ERROR [CASAutoLogin:131] com.liferay.portal.NoSuchUserException: No User exists with the key {companyId=1, screenName=testuser1}
com.liferay.portal.NoSuchUserException: No User exists with the key {companyId=1, screenName=testuser1}
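
Added example (not part of any post in this thread, and not Liferay code): the log above shows CASAutoLogin warning "Unbalanced parenthesis", and the Authentication Search Filter listed in step 6, (&objectCategory=Person), does not follow the RFC 4515 grammar, which requires a parenthesised sub-filter after &. The Python sketch below checks filter structure only and runs it over the three filters from the post. That this filter is what triggers the warning is an inference; the balanced variant and all function names are assumptions.

```python
# Structural check of LDAP search filters (RFC 4515): parentheses and operators only.
def _parse(s, i):
    """Parse one '(' filtercomp ')' at s[i]; return the index just past it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        i += 1
        start = i
        while i < len(s) and s[i] == "(":      # filterlist = 1*filter
            i = _parse(s, i)
        if i == start:
            raise ValueError(f"'{op}' must be followed by '(' at position {i}")
    elif op == "!":
        i = _parse(s, i + 1)                    # exactly one sub-filter
    else:
        end = i                                 # simple item: attr <op>= value
        while end < len(s) and s[end] not in "()":
            end += 1
        attr, sep, _ = s[i:end].partition("=")
        if not sep or not attr.rstrip("~<>:"):
            raise ValueError(f"malformed item {s[i:end]!r} at position {i}")
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return i + 1

def check_filter(s):
    """Return None when s is structurally valid, otherwise a description."""
    try:
        end = _parse(s, 0)
    except ValueError as exc:
        return str(exc)
    return None if end == len(s) else f"unexpected text at position {end}"

# Filters as posted in step 6, plus a balanced form of the first one
# (constructed for comparison; nobody in the thread tested it).
FILTERS = {
    "auth, as posted": "(&objectCategory=Person)",
    "auth, balanced": "(&(objectCategory=Person))",
    "user import": "(objectClass=user)",
    "group import": "(objectClass=group)",
}

def audit(filters):
    """Map each filter name to its error string, or None if it parses."""
    return {name: check_filter(f) for name, f in filters.items()}

if __name__ == "__main__":
    for name, err in audit(FILTERS).items():
        print(f"{name:16} {'OK' if err is None else 'INVALID: ' + err}")
```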

Juan Gonzalez
RE: CAS and LDAP importing, how does it work?
June 23, 2011 12:41 AM

AFAIK there is no method to authenticate only in LDAP with CAS (without Liferay users). We had to enable LDAP Import to make this work with CAS. I don't remember exactly, but this behaviour is clear in the source code. Unless LDAP "Required" is checked, the Liferay authentication pipeline will authenticate under Liferay users last (that's why import should be enabled). Please test with "Import" enabled, and check if only users that logged in are imported.
Alan Wamser
RE: CAS and LDAP importing, how does it work?
June 23, 2011 7:45 AM

Made the change "Import Enabled" in the LDAP config section. I left the "Import on Startup Enabled" unchecked. After I restarted it's still importing all the users.