I made a user and group link from LDAP to Liferay. When I test in Liferay, I can see the LDAP user and group.
When I restart the Liferay server, I can see the LDAP user in Liferay Users, but I cannot see the LDAP group in Liferay User Groups. Can anybody help me? Thank you.
In Liferay there are two ways to import users/groups. This is controlled by the ldap.import.method property, which has two possible values:
user - In this case, the import loops over all users in LDAP and, for each user, makes an association to the right group (UserGroup in Liferay). For this to work correctly, each user in LDAP should have a link to his roles.
group - In this case, the import loops over all groups in LDAP and, for each group, imports all of its users. For this to work correctly, your group memberships should be set up correctly in LDAP.
Probably you're using one import method, but your LDAP tree doesn't have the corresponding links set up?
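An added example (not part of the answer above and not Liferay's own code) that simulates the two import directions over a small constructed directory, so you can see which links each method depends on. The attribute names are assumptions that mirror a common layout: users are inetOrgPerson entries that may carry a memberOf back-link, groups are groupOfNames entries that carry member DNs; Liferay's real importer takes these names from its ldap.user.mappings / ldap.group.mappings properties.

```python
"""Added example (not Liferay's own code): simulate the two LDAP import
directions that the ldap.import.method property selects.

Assumptions: users are inetOrgPerson entries with an optional memberOf
back-link, groups are groupOfNames entries with member DNs. The directory
below is constructed in-line for the demonstration.
"""
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

PEOPLE = "ou=people,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed directory: alice has a memberOf back-link, bob has none, although
# both groups list him in their member attribute.
DIRECTORY: Dict[str, Entry] = {
    f"uid=alice,{PEOPLE}": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["alice"],
        "memberOf": [f"cn=admins,{GROUPS}"],
    },
    f"uid=bob,{PEOPLE}": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["bob"],
    },
    f"cn=admins,{GROUPS}": {
        "objectClass": ["groupOfNames"],
        "cn": ["admins"],
        "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"],
    },
    f"cn=staff,{GROUPS}": {
        "objectClass": ["groupOfNames"],
        "cn": ["staff"],
        "member": [f"uid=bob,{PEOPLE}"],
    },
}


def is_user(entry: Entry) -> bool:
    return "inetOrgPerson" in entry.get("objectClass", [])


def is_group(entry: Entry) -> bool:
    return "groupOfNames" in entry.get("objectClass", [])


def import_by_user(directory: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """ldap.import.method=user: loop over users and follow each user's
    memberOf links. A user without back-links lands in no UserGroup at all."""
    associations: Dict[str, Set[str]] = {}
    for entry in directory.values():
        if not is_user(entry):
            continue
        groups: Set[str] = set()
        for group_dn in entry.get("memberOf", []):
            group = directory.get(group_dn)
            if group is not None and is_group(group):
                groups.add(group["cn"][0])
        associations[entry["uid"][0]] = groups
    return associations


def import_by_group(directory: Dict[str, Entry]) -> Dict[str, Set[str]]:
    """ldap.import.method=group: loop over groups and follow each group's
    member DNs. Only the forward links matter; memberOf is never consulted."""
    associations: Dict[str, Set[str]] = {}
    for entry in directory.values():
        if not is_group(entry):
            continue
        for user_dn in entry.get("member", []):
            user = directory.get(user_dn)
            if user is not None and is_user(user):
                associations.setdefault(user["uid"][0], set()).add(entry["cn"][0])
    return associations


def missing_backlinks(directory: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """(uid, group) pairs that exist as member links but have no memberOf
    back-link: exactly the memberships the user method would drop."""
    forward = import_by_group(directory)
    backward = import_by_user(directory)
    missing: List[Tuple[str, str]] = []
    for uid, groups in forward.items():
        for group in sorted(groups - backward.get(uid, set())):
            missing.append((uid, group))
    return sorted(missing)


if __name__ == "__main__":
    print("user  method:", import_by_user(DIRECTORY))
    print("group method:", import_by_group(DIRECTORY))
    print("member links without memberOf:", missing_backlinks(DIRECTORY))
```

Running it shows bob in both groups under the group method and in none under the user method; missing_backlinks lists the memberships that only the forward direction can see, which is the check to run against a real tree before picking ldap.import.method.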
I wonder if anyone can help. I am working on a project that requires the use of WSO2 IS and OpenLDAP together on Linux. I am quite new to both technologies, so there may be some things I don't quite understand properly.
I have set up OpenLDAP as a secondary user store in WSO2 IS. In OpenLDAP, using LDIF files, I have managed to create groups and some dummy users. These entries can be read and displayed successfully by WSO2 IS. The good user entries follow the format below
In WSO2 IS I can create new users for the secondary data store and it looks like I can assign them to the different roles. The problem is that when I create a new user in WSO2, it seems to be lacking certain attributes such as password and mail. When I view users created in WSO2 (using LDAP Admin) they are different from users created manually using LDIF. I don't know how to add the extra attributes such as email to new users created using WSO2 (the extra attributes are necessary for LDAP to log into another program).
The image below for user "bob" does not have the correct attributes.
The other thing I don't understand is that in WSO2 IS, if I set 'cn' as the username attribute and try to view the extra attribute fields for users I created in WSO2, I get an 'error reading metadata' screen. However, if I set 'uid' as the username attribute and try to view the extra attributes, I am allowed to see them (most are blank), but if I try to populate those fields, such as surname or mail, I then get an error message saying they are not supported by the underlying LDAP.
Maybe I'm missing something fundamental, but I don't know what it is; apparently it almost does what I want.
When you configure an external LDAP, you need to map its attributes to the WSO2 local claims, because within WSO2 Identity Server all user attributes are treated as claims. Hence, please try mapping the secondary user store attributes to each local claim in the user profile. For example, the http://wso2.org/claims/emailaddress claim can be mapped to your secondary user store attribute as shown in the image.
Moreover, I hope you have added the User Search Base, User Search Filter and User List Filter properly in the secondary user store configuration.
I am using version 6.1. I want to create a user who has most admin capabilities. However, I do not want them to have access to creating user groups, users etc. I want them to have access to products etc. Is there functionality in Backoffice to restrict users from adding users? Is there a way to hide this function in the navigation tree?
Thanks
Use Hybris access rights, for example to give read permission to the user group mygroup for the item type User (this can be executed as an ImpEx script):
$START_USERRIGHTS;;;;;;;;;
Type;UID;MemberOfGroups;Password;Target;read;change;create;remove;change_perm
UserGroup;mygroup;;;;;;;;
;;;;User;+;-;-;-;-;
$END_USERRIGHTS;;;;;
I am migrating data into Liferay from a legacy database, for which I have written a script to programmatically push data into Liferay's users as I see fit.
Now authentication happens with LDAP, and some basic details of the user are also in LDAP, which are supposed to be synced. Will it cause a problem if I migrate users to Liferay and also sync the basic details of the user from LDAP after migration? Will the LDAP sync try to insert a new record instead of updating the existing record in the database (created earlier by the migration)?
If you set the Authentication Search Filter, the Import Search Filter and the User Mapping in the LDAP settings correctly, it should find the appropriate user during synchronization.
Depending on the setup of your LDAP, you can use the screen name or the email address of the user as a placeholder in the Authentication Search Filter:
(cn=#email_address#)
or
(cn=#screen_name#)
The Import Search Filter is just there to constrain the possible values, e.g.:
(&(objectClass=inetOrgPerson))
And the User Mapping should at least contain the correct mapping for the screen name, e.g. cn.
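An added example, not part of the answer above and not Liferay's implementation: it renders filters of the shape quoted in the answer by substituting the #screen_name# / #email_address# placeholders, and it escapes the substituted value the way RFC 4515 section 3 requires. The hostile screen name used in the demonstration is constructed; it shows why a plain string replacement into a filter is an LDAP injection.

```python
"""Added example (not Liferay's implementation): render Liferay-style LDAP
search filters that carry #screen_name# / #email_address# placeholders, and
escape the substituted value per RFC 4515 section 3.

The placeholder names and filter shapes are the ones quoted in the answer
above; the hostile input below is constructed for the demonstration.
"""
import re

PLACEHOLDER = re.compile(r"#(screen_name|email_address)#")

# RFC 4515: these characters must be escaped inside an assertion value.
_MUST_ESCAPE = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion. Each escaped
    byte is written as a backslash plus two hex digits; non-ASCII characters
    are escaped byte-wise through their UTF-8 encoding."""
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE or ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, **values: str) -> str:
    """Substitute every placeholder in the template with its escaped value.
    Raises KeyError if the template names a placeholder no value was given for."""
    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for #{key}#")
        return escape_filter_value(values[key])
    return PLACEHOLDER.sub(substitute, template)


def render_filter_unescaped(template: str, **values: str) -> str:
    """The naive substitution, kept only to show what the escaping prevents."""
    def substitute(match):
        return values[match.group(1)]
    return PLACEHOLDER.sub(substitute, template)


# The authentication filter shape from the answer, narrowed to user entries.
AUTH_FILTER = "(&(objectClass=inetOrgPerson)(cn=#screen_name#))"

if __name__ == "__main__":
    print(render_filter(AUTH_FILTER, screen_name="jdoe"))
    # Constructed hostile screen name: unescaped it yields a filter that matches
    # every inetOrgPerson; escaped it is a literal that matches nobody.
    hostile = "*)(cn=*"
    print(render_filter_unescaped(AUTH_FILTER, screen_name=hostile))
    print(render_filter(AUTH_FILTER, screen_name=hostile))
```

The unescaped rendering of the hostile value is (&(objectClass=inetOrgPerson)(cn=*)(cn=*)), a valid filter that matches all users; the escaped rendering keeps the asterisks and parentheses as literal bytes. Whatever substitutes the placeholders in your own code should behave like render_filter, not like render_filter_unescaped.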
I'm building a Sitecore 7.2 site using ASP.NET MVC 5.0. The site will have a login, and each user will have roles.
We need to show/hide the site menu items based on the logged-in user's roles. The user details and roles are stored in a SAP backend.
Could someone please advise what's the best way to achieve the above?
Essentially you will want to map the roles stored in your backend system to Sitecore roles. Potentially look into creating a custom Role Provider (see the documents below).
Once logged in, requests made to Sitecore are made in the context of that logged-in user. Therefore, if the user, or their role, does not have permission to view an item, it will not be returned in the request. This means that your menu will not display items they do not have permission to access.
You and content editors can control what users and roles can access via the Security Editor, and view their access rights via the Access Viewer in the Content Editor.
These documents will have everything you need: http://sdn.sitecore.net/upload/sitecore6/sc61keywords/security_api_cookbook_usletter.pdf
http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf
It's also worth noting that Sitecore's security manages roles as ORs. So if one of the user's roles has permission to see an item, then the user can see it.
If you require the roles to be ANDs (every role must have permission before an item is displayed to the user), check this post out: http://www.sitecore.net/learn/blogs/technical-blogs/john-west-sitecore-blog/posts/2015/03/require-membership-in-multiple-roles-in-the-sitecore-aspnet-cms.aspx
You need the roles for the current user from SAP? There is an OData API for that: http://help.sap.com/saphelp_nw73ehp1/helpdata/en/4c/5bde6197817511e10000000a42189b/content.htm
You could query the API in real-time, but it would of course require a login to SAP for the current user.
Or - you could use another API and connect via a service user.
Please, can you give me your opinion about this issue?
I've done an autologin which authenticates the username and password against my legacy system.
Once I've verified the user, I have two choices:
Add the user (if it does not exist) to Liferay (and assign groups)
or
Map the verified user onto 3 or 4 Liferay users.
If my database has about 10,000 users, but I only have 3 or 4 roles, I thought the second choice would be better, but what happens then with the welcome message once the user is logged in with the Liferay user's credentials?
Ivan,
You need to create all the users in Liferay, because at login we use either the screenName or the emailAddress (which must be unique and exist in the DB); also, before login we can't check what role is assigned to the user, and we can't fetch a user with the same role from Liferay (it would probably affect Liferay's security measures). About the welcome message: it's managed by the theme (Velocity template), which uses the name of the currently logged-in user; it can't be managed, so we can't show a different name for the same user login on the basis of role.
Thanks