8.4. Frequently asked questions


Q1. What are differences between Read-Only and Read-Write modes?
Q2. How does Directory get ready for integration?
Q3. How to enable sign-in for LDAP pre-existing users?
Q4. How to configure PicketLink to look up users in an entire tree?
Q5. Cannot log into eXo Platform: error code 49

Q1.

What are differences between Read-Only and Read-Write modes?

"Read-Only" means eXo Platform does not write to LDAP. Some differences between the two modes should be noted:

  • Organization information can be stored in both the database and the LDAP directory. The database is mandatory because an LDAP directory is not natively suited to everything. In Read-Only mode, therefore, all information is written to the database, whereas in Read-Write mode part of the information is written to the directory and the rest to the database.

    So in Read-Write mode, which information is stored in the directory? Consider the mapping between email (the Platform user attribute) and mail (the LDAP attribute):

    <identity-object-type>
        <name>USER</name>
        <attributes>
            <attribute>
                <name>email</name>
                <mapping>mail</mapping>
                <type>text</type>
                <isRequired>false</isRequired>
                <isMultivalued>false</isMultivalued>
                <isReadOnly>false</isReadOnly>
                <isUnique>true</isUnique>
            </attribute>
        </attributes>
    </identity-object-type>

    With this configuration, the user's email is saved into LDAP: the attribute has a mapping (mail), and that mapping is declared with isReadOnly=false.

  • Choosing Read-Only mode means you will not manage LDAP identities via eXo Platform. For example, a password update should not be performed through the Platform web UI if the user is an LDAP user, and an identity created through the Platform web UI does not become an LDAP entry.

    In Read-Write mode, if a user is registered through the Platform web UI, the username and password are saved into the directory. Where the other user information is saved depends on the attribute mapping.

  • In configuration, the difference is a single option on the repository:

    <repository>
        <id>PortalRepository</id>
        ...
        <identity-store-mappings>
            ...
            <identity-store-mapping>
                <identity-store-id>PortalLDAPStore</identity-store-id>
                ...
                <options>
                    <option>
                        <name>readOnly</name>
                        <value>true</value>
                    </option>
                </options>
            </identity-store-mapping>
        </identity-store-mappings>
    </repository>

    This option is true in Read-Only mode, and false or absent in Read-Write mode.
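To make the two modes concrete, here is an added example (not eXo's own code) that parses a PicketLink IDM configuration and reports whether the LDAP store is read-only and, if not, which USER attributes would be written to the directory (those with a mapping and isReadOnly=false). The sample configuration wraps the two fragments above in a constructed minimal skeleton; the enclosing element names are assumptions, and the parser does not depend on them.

```python
import xml.etree.ElementTree as ET

# Constructed sample (enclosing element names assumed): an LDAP store flagged
# readOnly, one writable mapped attribute (email -> mail), one read-only one.
SAMPLE_CONFIG = """<picketlink-idm>
 <repositories><repository><id>PortalRepository</id><identity-store-mappings>
  <identity-store-mapping><identity-store-id>PortalLDAPStore</identity-store-id>
   <options><option><name>readOnly</name><value>true</value></option></options>
  </identity-store-mapping></identity-store-mappings></repository></repositories>
 <stores><identity-store><id>PortalLDAPStore</id><supported-identity-object-types>
  <identity-object-type><name>USER</name><attributes>
   <attribute><name>email</name><mapping>mail</mapping><isReadOnly>false</isReadOnly></attribute>
   <attribute><name>firstName</name><mapping>givenName</mapping><isReadOnly>true</isReadOnly></attribute>
  </attributes></identity-object-type></supported-identity-object-types>
 </identity-store></stores></picketlink-idm>"""

def _flag(elem, tag, default="false"):
    """Read a boolean child element such as <isReadOnly> or an option <value>."""
    return (elem.findtext(tag) or default).strip().lower() == "true"

def store_read_only(root, store_id):
    """True when the identity-store-mapping for store_id carries readOnly=true
    (Read-Only mode); an absent or empty option means Read-Write mode."""
    for m in root.iter("identity-store-mapping"):
        if m.findtext("identity-store-id") == store_id:
            for opt in m.iter("option"):
                if opt.findtext("name") == "readOnly":
                    return _flag(opt, "value")
    return False

def ldap_written_attributes(root, object_type="USER"):
    """Attributes that have an LDAP mapping and isReadOnly=false: in Read-Write
    mode eXo writes these to the directory; everything else goes to the database."""
    written = {}
    for ot in root.iter("identity-object-type"):
        if ot.findtext("name") == object_type:
            for attr in ot.iter("attribute"):
                if attr.findtext("mapping") and not _flag(attr, "isReadOnly"):
                    written[attr.findtext("name")] = attr.findtext("mapping")
    return written

def audit(config_xml, store_id="PortalLDAPStore"):
    """Report the store's mode and, in Read-Write mode, what would go to LDAP."""
    root = ET.fromstring(config_xml)
    if store_read_only(root, store_id):
        return {"mode": "read-only", "written_to_ldap": {}}
    return {"mode": "read-write", "written_to_ldap": ldap_written_attributes(root)}
```

Running audit() over your real picketlink-idm-config.xml is a quick way to confirm, before go-live, that a store you believe is read-only really carries readOnly=true.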

Q2.

How does Directory get ready for integration?

There is no special precondition, other than that the top DN must exist before integration.

Make sure that the directory contains an entry like the following:

dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example

Q3.

How to enable sign-in for LDAP pre-existing users?

LDAP users are visible in the Users and Groups Management page, but they are unable to sign in to eXo Platform; more precisely, they have no access permission to any page.

There are additional steps to allow them to sign in. You can choose either of two approaches:

  • Manually adding users to the appropriate groups

    This is done in the Users and Groups Management page (http://[your_host]:[your_port]/portal/g/:platform:administrators/administration/management). Go to this page and add the users to the appropriate groups. Membership in the /platform/users group is required to access the intranet page.

  • Using the Organization Integration service

    This approach is recommended because the service is designed for synchronization between LDAP and eXo Platform. Synchronization is automatic and scheduled, and can be operated via JMX or the REST service.

    Follow Synchronization to activate the service and synchronize eXo Platform with your directory.

Q4.

How to configure PicketLink to look up users in an entire tree?

See a real case in the Community forum.

Use this option:

<option>
    <name>entrySearchScope</name>
    <value>subtree</value>
</option>

See more details at PicketLink IDM configuration.

Q5.

Cannot log into eXo Platform: error code 49

This may happen with OpenLDAP when users are created successfully but cannot log in, and your LDAP log shows error code 49 as follows:

5630e5ba conn=1002 op=0 BIND dn="uid=firstuser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com" method=128
5630e5ba do_bind: version=3 dn="uid=firstuser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com" method=128
5630e5ba ==> bdb_bind: dn: uid=firstuser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com
5630e5ba bdb_dn2entry("uid=firstuser,ou=people,o=portal,o=gatein,dc=steinhoff,dc=com")
5630e5ba => access_allowed: result not in cache (userPassword)
5630e5ba => access_allowed: auth access to "uid=firstuser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com" "userPassword" requested
5630e5ba => dn: [1] 
5630e5ba <= acl_get: done.
5630e5ba => slap_access_allowed: no more rules
5630e5ba => access_allowed: no more rules
5630e5ba send_ldap_result: conn=1002 op=0 p=3
5630e5ba send_ldap_result: err=49 matched="" text=""
5630e5ba send_ldap_response: msgid=1 tag=97 err=49

To resolve this, add an ACL (Access Control List) rule in the slapd.conf file as below:

# Access and Security Restrictions (Most restrictive entries first)
access to attrs=userPassword
	by self write
	## by dn.sub="ou=admin,dc=domain,dc=example" read ## not mandatory; useful if you need to grant permission to a particular DN
	by anonymous auth
	by users none
access to * by * read

For more information, refer to this discussion or this link.
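As an added example (not from the eXo documentation), the following script tells the two causes of err=49 apart by reading slapd log lines like those above: a BIND whose ACL evaluation ends in "no more rules" for userPassword is the ACL gap fixed by the rule above, whereas a BIND where auth access was granted is a plain bad password. The second connection in the sample log is constructed to show the contrast, and its "auth access granted" line format is assumed from OpenLDAP's access_allowed logging.

```python
import re

# Constructed sample log: the first BIND reproduces the FAQ's symptom (the ACL
# runs out of rules before granting auth access to userPassword); the second is
# a constructed BIND where the ACL granted access and the password was just wrong.
SAMPLE_LOG = """\
5630e5ba conn=1002 op=0 BIND dn="uid=firstuser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com" method=128
5630e5ba => access_allowed: auth access to "uid=firstuser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com" "userPassword" requested
5630e5ba => slap_access_allowed: no more rules
5630e5ba => access_allowed: no more rules
5630e5ba send_ldap_result: err=49 matched="" text=""
5630e5bb conn=1003 op=0 BIND dn="uid=seconduser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com" method=128
5630e5bb => access_allowed: auth access to "uid=seconduser,ou=People,o=portal,o=gatein,dc=steinhoff,dc=com" "userPassword" requested
5630e5bb => access_allowed: auth access granted by auth(=xd)
5630e5bb send_ldap_result: err=49 matched="" text=""
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
ERR_RE = re.compile(r'send_ldap_result: err=(\d+)')

def diagnose_binds(log_text):
    """Classify every BIND that ends in err=49 (invalidCredentials) as either an
    ACL problem or a genuine bad password. Assumes operations are logged one at
    a time: the access_allowed lines carry no conn= tag, so interleaved
    connections are not untangled here."""
    findings, cur = [], None
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            cur = {"conn": m.group(1), "dn": m.group(2),
                   "pw_checked": False, "exhausted": False, "granted": False}
            continue
        if cur is None:
            continue
        if "auth access to" in line and '"userPassword"' in line:
            cur["pw_checked"] = True      # slapd started evaluating ACLs for the bind
        elif "access_allowed: no more rules" in line:
            cur["exhausted"] = True       # no 'by ... auth' clause matched
        elif "auth access granted" in line:
            cur["granted"] = True         # ACL is fine; failure is the credential itself
        e = ERR_RE.search(line)
        if e:
            if int(e.group(1)) == 49:
                cause = "invalid credentials"
                if cur["pw_checked"] and cur["exhausted"] and not cur["granted"]:
                    cause = "acl denies auth access to userPassword (add 'by anonymous auth')"
                findings.append((cur["conn"], cur["dn"], cause))
            cur = None
    return findings
```

Run it against a slapd log captured with the ACL logging level enabled; a burst of "acl denies" findings right after a slapd.conf change points at the ACL, not at user passwords.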
