export liferay user group to OpenLDAP - liferay

I configured liferay-portal-6.2-ce-ga4 with OpenLDAP. Users are imported into OpenLDAP from liferay. But User group of liferay are not exported into OpenLDAP. Here is my portal-ext.properties:
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.server.name=ldapadmin
ldap.auth.enabled=true
ldap.import.enabled=true
ldap.export.enabled=true
ldap.import.on.startup=true
ldap.export.on.startup=true
ldap.export.method.0=group
ldap.export.method.0=user
ldap.password.policy.enabled=true
ldap.base.provider.url.0=ldap://localhost:389
ldap.base.dn.0=dc=test,dc=com
ldap.security.principal.0=cn=admin,dc=test,dc=com
ldap.security.credentials.0=secret
ldap.auth.search.filter.0=(mail=#email_address#)
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.user.mappings.0=userId=uid\nscreenName=cn\nemailAddress=mail\npassword=userPassword\nfirstName=givenName\nlastName=sn
ldap.import.group.search.filter.0=(objectClass=posixGroup)
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=memberUid
ldap.users.dn.0=ou=people,dc=test,dc=com
ldap.groups.dn.0=ou=groups,dc=test,dc=com
ldap.user.default.object.classes.0=inetOrgPerson, top
ldap.group.default.object.classes.0=posixGroup, top, groupOfUniqueNames,organizationalUnit
I have checked by clicking on 'Test LDAP Groups' button I can see around 5 groups which are created in OpenLDAP using OpenLDAP GUI but can't see any group which i create in liferay. Its not exporting User Groups its only exporting users. Please give some solution for this.

I think the keys you use on your portal-ext.properties file are wrong.
In the documentation we can read:
#
# Settings for exporting users from the portal to LDAP. This allows a user
# to modify his first name, last name, etc. in the portal and have that
# change pushed to the LDAP server. This setting is not used unless the
# property "ldap.auth.enabled" is set to true.
#
ldap.export.enabled=false
#
# Set this to true if groups and their associations should be exported from
# the portal to LDAP. This setting is not used unless the property
# "ldap.auth.enabled" is set to true.
#
ldap.export.group.enabled=true
So you should use:
ldap.export.enabled=true
ldap.export.group.enabled=true

Related

OpenLDAP Access Control Issue

I need guidance in below situation -
I am migrating RHDS to openLDAP. I managed to convert the DIT and their attributes and Schemas. However, I am stuck at Access control.
In RHDS, currently, the access control is as below -
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = ldap:///uid=*,ou=household,dc=example,dc=com) (targetattr="*") (version 3.0; acl "Household Itms Consumer subtree read - aci"; allow (read, compare, search) (userdn = "ldap:///*,ou=applications,dc=example,dc=com") ;);
Could some please guide me in creating the OLC LDIF format?
Access control is not part of the LDAPv3 standard and thus attribute aci is specific to RHDS and similar implementations.
You have to define new ACLs for your OpenLDAP setup.
I'd recommend to read the following docs:
OpenLDAP Admin Guide -- Access control
slapd.access(5)
FAQ-O-MATIC: Access Control
FAQ-O-MATIC: Sets in Access Control

Programatically filter web content by scope in Liferay 6.2.GA2

Updating to have more info:
Is there any way to programatically select all the web content from global scope or currently selected site scope.
I want to do this in velocity template "portal_normal.vm". I wrote "$themeDisplay.getScopeGroupId().toString()" to get group id.
I have 2 sites/communities and I have assigned one user to each of them. One site is default liferay site which has default liferay user.Other site is my custom site and has my own user. When I try to login with each of them ,I always get group id of liferay site.Is there any other method I need to use to get site of current logged in user?
You must allow the usage of ServiceLocator in your Velocity templates. In your portal-ext.properties set the following:
journal.template.velocity.restricted.variables=
If you already have these keys set, just remove serviceLocator from the list.
Using serviceLocator we can load GroupLocalServiceUtil and JournalArticleLocalServiceUtil. Its very simple to obtain all the sites WebContent:
#set ($journal_article_local_service = $serviceLocator.findService("com.liferay.portal.service.JournalArticleLocalService"))
#set ($journal_articles = $journal_article_local_service.getArticles($theme_display.getScopeGroupId()))
To get all the ones in the global scope:
For the global group:
#set ($group_local_service = $serviceLocator.findService("com.liferay.portal.service.GroupLocalService"))
#set ($global_group = $group_local_service.getGroup($theme_display.getCompanyId(), "Global"))
#set ($journal_article_local_service = $serviceLocator.findService("com.liferay.portal.service.JournalArticleLocalService"))
#set ($journal_articles = $journal_article_local_service.getArticles($global_group.getGroupId()))

Symfony 2 - Sonata Admin Role based security

With Sonata, I'm trying to use the role based security.
I want to give a group, rights for listing, editing & creating users, so I created a role with
ROLE_MANAGE_USERS:
- ROLE_SONATA_USER_ADMIN_USER_EDIT
- ROLE_SONATA_USER_ADMIN_USER_LIST
- ROLE_SONATA_USER_ADMIN_USER_CREATE
This works fine, but according to the doc, I'm understanding that a user granted with
ROLE_SONATA_USER_STAFF
Should already inherit rights for [EDIT, LIST, CREATE], but that does not seem to be the case
I also tried with
ROLE_SONATA_USER_ADMIN_USER_STAFF
Is there something I misunderstood ?
I guess that's not the case. First of all, the name of the main roles for edit depends on the services names. For example, if the service of the admin is sonata.user.admin, then the roles will be, for example:
ROLE_SONATA_USER_ADMIN_LIST
ROLE_SONATA_USER_ADMIN_VIEW
As you can see, the prefix is always ROLE (symfony 2 requirement), followed by the service name (but having the dots exchanged with underscores, and all capital letters), and ended with the prefix for the specific permission:
LIST: view the list of objects
VIEW: view the detail of one object
CREATE: create a new object
EDIT: update an existing object
DELETE: delete an existing object
EXPORT: (for the native Sonata export links)
As I can understand, there is no ROLE_SONATA_USER_STAFF predefined for edit, list and create. However, you can define it in the hierarchy, in the security.yml file:
security:
role_hierarchy:
# Setting up
ROLE_SONATA_USER_STAFF:
- ROLE_SONATA_USER_ADMIN_EDIT
- ROLE_SONATA_USER_ADMIN_LIST
- ROLE_SONATA_USER_ADMIN_CREATE
# using the staff role to create new roles
ROLE_MANAGE_USERS: [ROLE_SONATA_USER_STAFF]

How to add a new LDAP'ed user to subversion

Our SVN administrator is on holidays, and I need to add a new user to subversion.
We're using Collabnet Subversion on a RedHat box.
I've found the CollabNet_Subversion/conf/ directory with all the configuration files, including an auth file that I can see contains all our users and the groups that they belong to.
All our users need to log in with their LDAP credentials, so I don't need to change any of that.
It looks something like this:
company_auth_production
`[groups]
it-leads = jsmith, hsimpson, pgriffin
it-all = ajolie, rwitherspoon, #it-leads
[/]
* =
[prod:/]
#it-all = rw
`
So I added the new user and restarted subversion. But that doesn't seem to have done the trick. Am I missing something else ? Thanks
a. You have mention that there is "company_auth_production" file. Please check if there is some other authorization file, probably "authz". Can you please provide more information on this.
As per the structure in your file
[prod:/]
#it-all = rw
should have given the read write access to all the users of "it-all" till the path "prod".
b. If this is not working then please try using "VisualSVN Server". It has a very nice gui to add users and give them priviledges also.
Hope this helps.
In your apache Configuration is usually a require directive (eg "require group" or "require user"). Often there is a specific group which user has to belong to access svn (eg svnusers, etc...)

Register/ Login/ Membership module in Orchard

I can't figure out how to add Register/Login functionality to a site in Orchard. Is there a Membership module or some configuration I need to enable?
EDIT: What I had in mind were modules along the lines of these that extend the existing User model with registration/profile functionality:
Extended Registration module: http://extendedregistration.codeplex.com/
Orchard Profile module: http://orchardprofile.codeplex.com/
It's under settings/users in the admin ui.
In the Dashboard scroll down to Settings and select Users.
Make sure "Users can create new accounts on the site" is checked and click "Save".
Once this is done log out.
Then click log in, and bellow your username and password field there will be a small text with a blue link to Register.
You don't actually need the extended registration and profile for this. Those are for adding additional information to the registration form.
This can also be done programmatically:
var registrationSettings = _services.WorkContext.CurrentSite.As<RegistrationSettingsPart>();
registrationSettings.UsersCanRegister = true;
However this will not work if you're doing it from Migrations because you won't be able to use WorkContext.
For migrations you can use IRepository for RegistrationSettingsPartRecord:
RegistrationSettingsPartRecord currentSetting = _registrationSettingRepository.Table.First();
currentSetting.UsersCanRegister = true;
_registrationSettingRepository.Update(currentSetting);
However this will no longer work as of Orchard version 1.8 as the record no longer exists. As of 1.8 one way I know of would be using ISiteService:
var site = _siteService.GetSiteSettings();
var regsettings = site.As<RegistrationSettingsPart>();
regsettings.UsersCanRegister = true;

Resources