Hi again,
Thank you for your time and answers,
I have resolved it.
I really advise to go check this Microsoft AD + Liferay configuration web-page which describe exactly what you have to do and how to solve the problem. Wish I could find this way earlier..
On the one hand: "@ Screen Name: If you just import user to Liferay, just map any field in AD, eg “sAMAccountName”(“sAMAccountName” is User login name(pre-Windows 2000)), “cn”, please make sure the filed is unique in AD. But if you also want to export user to AD, just map screen name with cn, there’s no second choice"
Yes, I've discovered that when exporting users into AD, Liferay will always take the attribute you've mapped with @screen_name@ to build the Distinguished Name and update/create the user. So apparently you have to map it with CN, otherwise the export cannot be done.
But on the other hand: "Take care that, cn in AD is for “First Name + Last Name” by default, it contains whitespace, so it can’t be imported to liferay as screen name. So you need to change it in AD".
Yes, because Liferay will refuse to import user that have whitespace or different caracters than .,-,_ in their LDAP CN attribute, in fact in LR Database it is going to be the screen name.
From here, if you have configured well your ldaps connection, you can map Liferay Password Attribute with unicodePwd and the export password is working well. (Or userPassword, depends on you Active Directory Configuration).
This second point is problematic though because I cannot change all 300+ users CN LDAP attribute in my Active Directory to avoid whitespace. So I will continue to search for a solution. (Maybe a hook?). But on my Test Active Directory it is working
Hoping that Liferay will add some clarifications to their LDAP Configuration page.
Hope to help someone one day with this post as well..
Regards,
Axel.
Thank you for your time and answers,
I have resolved it.
I really advise to go check this Microsoft AD + Liferay configuration web-page which describe exactly what you have to do and how to solve the problem. Wish I could find this way earlier..
On the one hand: "@ Screen Name: If you just import user to Liferay, just map any field in AD, eg “sAMAccountName”(“sAMAccountName” is User login name(pre-Windows 2000)), “cn”, please make sure the filed is unique in AD. But if you also want to export user to AD, just map screen name with cn, there’s no second choice"
Yes, I've discovered that when exporting users into AD, Liferay will always take the attribute you've mapped with @screen_name@ to build the Distinguished Name and update/create the user. So apparently you have to map it with CN, otherwise the export cannot be done.
But on the other hand: "Take care that, cn in AD is for “First Name + Last Name” by default, it contains whitespace, so it can’t be imported to liferay as screen name. So you need to change it in AD".
Yes, because Liferay will refuse to import user that have whitespace or different caracters than .,-,_ in their LDAP CN attribute, in fact in LR Database it is going to be the screen name.
From here, if you have configured well your ldaps connection, you can map Liferay Password Attribute with unicodePwd and the export password is working well. (Or userPassword, depends on you Active Directory Configuration).
This second point is problematic though because I cannot change all 300+ users CN LDAP attribute in my Active Directory to avoid whitespace. So I will continue to search for a solution. (Maybe a hook?). But on my Test Active Directory it is working
Hoping that Liferay will add some clarifications to their LDAP Configuration page.
Hope to help someone one day with this post as well..
Regards,
Axel.