8.1.10. Frequently asked questions

Q1. What are the differences between Read-Only and Read-Write modes?
Q2. How does the Directory get ready for integration?
Q3. How to enable sign-in for pre-existing LDAP users?
Q4. How to configure PicketLink to look up users in an entire tree?

Q1.

What are the differences between Read-Only and Read-Write modes?

"Read-Only" means eXo Platform does not write to LDAP. Some differences between the two modes should be noted:

  • Organization information can be saved in the Database and in the LDAP Directory. The Database is mandatory because an LDAP directory is natively not suited to storing everything. Therefore, in the read-only mode all information is written to the Database, whereas in the read-write mode part of the information is written to the Directory and the rest to the Database.

    So, in the read-write mode, which information is stored in the Directory? Let's look at the mapping between email (Platform user attribute) and mail (LDAP attribute):

    <identity-object-type>
        <name>USER</name>
        <attributes>
            <attribute>
                <name>email</name>
                <mapping>mail</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>false</isReadOnly>
                <isUnique>true</isUnique>
            </attribute>
        </attributes>
    </identity-object-type>

    With this configuration, the user email is saved into LDAP: the email attribute has a mapping to an LDAP attribute (mail), and its isReadOnly flag is false.

  • Choosing the read-only mode means you will not manage LDAP identities via eXo Platform. For example, a user password update should not be performed via Platform Web UI, if the user is an LDAP user. If an identity is created via Platform Web UI, it does not become an LDAP entry.

    In the read-write mode, if a user is registered via Platform Web UI, the username and password are saved into Directory. Where other user information is saved depends on the attributes mapping.

  • In the configuration, the only difference is one Repository option:

    <repository>
        <id>PortalRepository</id>
        ...
        <identity-store-mappings>
            ...
            <identity-store-mapping>
                <identity-store-id>PortalLDAPStore</identity-store-id>
                ...
                <options>
                    <option>
                        <name>readOnly</name>
                        <value>true</value>
                    </option>
                </options>
            </identity-store-mapping>
        </identity-store-mappings>
    </repository>

    This option is true in the read-only mode, and false or empty in the read-write mode.
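As an added audit helper for the attribute mapping and the readOnly option described above (example code, not eXo Platform's or PicketLink's own; the outer jboss-identity/repositories/stores wrapper and the employeeNumber and nickname attributes are assumptions), this Python script reports which Platform user attributes a store will actually write to the directory:

```python
"""Added audit helper (not eXo Platform's or PicketLink's own code): list the
Platform user attributes a store writes to the directory, applying the rule
above: readOnly=true writes nothing to LDAP; otherwise each mapped attribute
with isReadOnly=false goes to LDAP, the rest to the DB. Assumes no namespaces."""
import xml.etree.ElementTree as ET

# Constructed sample: element names follow the fragments on this page; the
# repositories/stores wrapper mirrors a PicketLink IDM 1.x file (assumption).
SAMPLE = """<jboss-identity><repositories><repository><id>PortalRepository</id>
 <identity-store-mappings><identity-store-mapping>
  <identity-store-id>PortalLDAPStore</identity-store-id>
  <options><option><name>readOnly</name><value>%s</value></option></options>
 </identity-store-mapping></identity-store-mappings></repository></repositories>
 <stores><identity-store><id>PortalLDAPStore</id><supported-identity-object-types>
  <identity-object-type><name>USER</name><attributes>
   <attribute><name>email</name><mapping>mail</mapping><isReadOnly>false</isReadOnly></attribute>
   <attribute><name>employeeNumber</name><mapping>employeeNumber</mapping><isReadOnly>true</isReadOnly></attribute>
   <attribute><name>nickname</name><isReadOnly>false</isReadOnly></attribute>
  </attributes></identity-object-type>
 </supported-identity-object-types></identity-store></stores></jboss-identity>"""

def store_is_read_only(root, store_id):
    """True when the repository mapping for this store sets readOnly=true."""
    for m in root.iter('identity-store-mapping'):
        if m.findtext('identity-store-id') != store_id:
            continue
        for opt in m.iter('option'):
            if opt.findtext('name') == 'readOnly':
                return (opt.findtext('value') or '').strip().lower() == 'true'
    return False  # option absent or empty: read-write mode

def attributes_written_to_directory(config_xml, store_id, object_type='USER'):
    """Return {platform_attr: ldap_attr} for what Platform writes to LDAP."""
    root = ET.fromstring(config_xml)
    if store_is_read_only(root, store_id):
        return {}  # read-only mode: everything is written to the database
    written = {}
    for store in root.iter('identity-store'):
        if store.findtext('id') != store_id:
            continue
        for iot in store.iter('identity-object-type'):
            if iot.findtext('name') != object_type:
                continue
            for attr in iot.iter('attribute'):
                mapping = attr.findtext('mapping')
                ro = (attr.findtext('isReadOnly') or 'false').strip().lower()
                if mapping and ro != 'true':  # unmapped attributes stay in DB
                    written[attr.findtext('name')] = mapping
    return written
```

Run it against your own picketlink-idm configuration file to confirm that, in read-only mode, no attribute is reported, and that in read-write mode only the attributes you intend to expose are written to LDAP.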

Q2.

How does the Directory get ready for integration?

There is no precondition other than that the top DN must be created before integration.

You should ensure that the Directory contains an entry like the following:

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

Q3.

How to enable sign-in for pre-existing LDAP users?

LDAP users are visible in the Users and Groups Management page, but they are unable to sign in to eXo Platform. More precisely, they do not have access permission to any page.

There are additional steps to allow them to sign in. You can choose either of two approaches:

  • Manually adding users to the appropriate groups

    It is performed in the User and Group Management Page (http://[your_host]:[your_port]/portal/g/:platform:administrators/administration/management). Just go to this page and add users to appropriate groups. The /platform/users group is required to access the intranet page.

  • Using the Organization Integration service

    This approach is recommended because the service is a good solution for synchronization between LDAP and eXo Platform. The synchronization is automatic, scheduled, and can be operated by the JMX or REST service.

    Follow Synchronization to activate the service and synchronize eXo Platform with your directory.

Q4.

How to configure PicketLink to look up users in an entire tree?

See a real case in the Community forum.

Use this option:

<option>
    <name>entrySearchScope</name>
    <value>subtree</value>
</option>

See more details at PicketLink IDM configuration.

Copyright ©. All rights reserved. eXo Platform SAS