Task #1702
closed
Export LDAP groups to Redmine and populate them
100%
Description
Now that we have activity #1407 (Export Liferay Portal groups to LDAP) completed, we need to make Redmine aware of these groups and populate them, as far as I remember there should be a redmine test instance we could use.
Files
Related issues
Updated by Andrea Dell'Amico over 9 years ago
Yes. The redmine instance is http://redmine-d.d4science.org/
Do I need to change the ldap base DN from
ou=People,o=Liferay,ou=Organizations,dc=d4science,dc=org
to
ou=People,o=D4Science,ou=Organizations,dc=d4science,dc=org
?
Updated by Massimiliano Assante over 9 years ago
yes -> ou=People,o=D4Science,ou=Organizations,dc=d4science,dc=org
Updated by Andrea Dell'Amico over 9 years ago
OK, done. We need to wait some minutes to give time to the next synchronization to complete.
Updated by Massimiliano Assante over 9 years ago
- Priority changed from Normal to Urgent
Updated by Luca Frosini over 9 years ago
- Assignee changed from Luca Frosini to Andrea Dell'Amico
I don't know how to do it. @andrea.dellamico@isti.cnr.it can you do this?
Updated by Andrea Dell'Amico over 9 years ago
- File ldap_sync_ldap_settings.png ldap_sync_ldap_settings.png added
- File ldap_sync_synchronization_actions.png ldap_sync_synchronization_actions.png added
- Status changed from New to In Progress
- % Done changed from 0 to 80
I made it work.
The needed steps are:
Change the cron job's sync action from
sync_userstosync_allOn the ldap sync settings, the
ldap settingstab needs to be changed as showed in the screenshotOn the ldap sync settings, the
synchronzation actionsneeds to have the groups creation checked. I also activated, as a test, theAdd users to groupaction (the group is created if it doesn't exist and must not to be an LDAP group), andAdministrators groupso that the users in the group NextNext automatically become administrators.
Updated by Andrea Dell'Amico over 9 years ago
- File ldap_d_luca_frosini_groups.png ldap_d_luca_frosini_groups.png added
- File redmine_dev_new_groups.png redmine_dev_new_groups.png added
- Status changed from In Progress to Feedback
- % Done changed from 80 to 100
I'm attaching a couple of screenshots of the results: the new groups list and the groups properties of @luca.frosini@isti.cnr.it
It seems OK to me, we need to check the actual Redmine groups to avoid duplications or too close similarities (Infrascience/Infrascience system engineer as an example?).
Updated by Andrea Dell'Amico over 9 years ago
Last, it could be useful to have a LDAP group called something like redmineAdmins and assign it to all the people that we want as redmine administrators.
Updated by Luca Frosini over 9 years ago
Sounds good.
In my opinion the manually created group can be removed. They was useful when the procedure was manual, but now is useless and create confusion.
The group should only come from VRE.
Updated by Massimiliano Assante over 9 years ago
I'm not sure that removing that current group is the best solution, perhaps we could remove the ones of partner organizations (FAO, IRD etc) but some of the groups, e.g. redmineAdmins, infraScience sysadmins could be useful.
Also, we need to schedule this update on production quite soon, possibly before the TCom (Jan 25th).
I think the plan could be as follows (prerequisite: announcing a minor Redmine downtime of 2 hours):
- backup of the current redMine prod. DB (and current LDAP DB) and connection to an empty new redMine DB
- Delete of current (Ldap-liferay) LDAP Structure and deployment of the ldap-export artifact written by me, on all the gateways
- configuring (as explained in this ticket) the redMine prod. to support the export of LDAP groups and their "population"
- ensure that everything works as expected and be prepared to roll-back if anything goes wrong
I can take care of #2 and #4 (portal side), probably @andrea.dellamico@isti.cnr.it could take care of #1 and @luca.frosini@isti.cnr.it of #3 + #4 (redmine side)?
Does the plan work for you?
Updated by Andrea Dell'Amico over 9 years ago
Massimiliano Assante wrote:
I'm not sure that removing that current group is the best solution, perhaps we could remove the ones of partner organizations (FAO, IRD etc) but some of the groups, e.g. redmineAdmins, infraScience sysadmins could be useful.
Can you create them with your script on ldap? so that we can exploit ldap to set the redmine administrators.
Also, we need to schedule this update on production quite soon, possibly before the TCom (Jan 25th).
I think the plan could be as follows (prerequisite: announcing a minor Redmine downtime of 2 hours):
- backup of the current redMine prod. DB (and current LDAP DB) and connection to an empty new redMine DB
Why? OK for the backup, there are scripts already in place - there's also a nightly backup btw, as in all the 'new' postgresql installations. But I do not understand the need to use an empty one.
- Delete of current (Ldap-liferay) LDAP Structure and deployment of the ldap-export artifact written by me, on all the gateways
- configuring (as explained in this ticket) the redMine prod. to support the export of LDAP groups and their "population"
- ensure that everything works as expected and be prepared to roll-back if anything goes wrong
I can take care of #2 and #4 (portal side), probably @andrea.dellamico@isti.cnr.it could take care of #1 and @luca.frosini@isti.cnr.it of #3 + #4 (redmine side)?
Does the plan work for you?
Updated by Luca Frosini over 9 years ago
Andrea Dell'Amico wrote:
Massimiliano Assante wrote:
I'm not sure that removing that current group is the best solution, perhaps we could remove the ones of partner organizations (FAO, IRD etc) but some of the groups, e.g. redmineAdmins, infraScience sysadmins could be useful.
Can you create them with your script on ldap? so that we can exploit ldap to set the redmine administrators.
I agree. Without creating a a VRE we should manage this from LDAP. Otherwise we will always have problems.
We can start add this group with a script (maybe ansible one).
Also, we need to schedule this update on production quite soon, possibly before the TCom (Jan 25th).
I think the plan could be as follows (prerequisite: announcing a minor Redmine downtime of 2 hours):
- backup of the current redMine prod. DB (and current LDAP DB) and connection to an empty new redMine DB
Why? OK for the backup, there are scripts already in place - there's also a nightly backup btw, as in all the 'new' postgresql installations. But I do not understand the need to use an empty one.
- Delete of current (Ldap-liferay) LDAP Structure and deployment of the ldap-export artifact written by me, on all the gateways
- configuring (as explained in this ticket) the redMine prod. to support the export of LDAP groups and their "population"
- ensure that everything works as expected and be prepared to roll-back if anything goes wrong
No problem for me to do 3 and 4 (redmine side)
I can take care of #2 and #4 (portal side), probably @andrea.dellamico@isti.cnr.it could take care of #1 and @luca.frosini@isti.cnr.it of #3 + #4 (redmine side)?
Does the plan work for you?
Updated by Massimiliano Assante over 9 years ago
My LDAP script reflects the VREs into LDAP Groups, unless we create a VRE for redmine admins is not possible to do it. And I don't want to hardcode anything in there.
As for:
Why? OK for the backup, there are scripts already in place - there's also a nightly backup btw, as in all the 'new' postgresql installations. But I do not understand the need to use an empty one.
Andrea you're right, of course there is no need to use an empty DB for Redmine, I meant the LDAP DB should be an empty one not the Redmine. Sorry. I am rewriting the plan:
I think the plan could be as follows (prerequisite: announcing a minor Redmine downtime of 2 hours):
- backup of the current LDAP DB (Ldap-liferay)
- drop of current (Ldap-liferay) LDAP Structure and deployment of the ldap-export artifact written by me, on all the gateways
- configuring (as explained in this ticket) the redMine prod. to support the export of LDAP groups and their "population"
- ensure that everything works as expected and be prepared to roll-back if anything goes wrong
It seems we have an agreement on this:
Andrea takes #1
Massi takes #2 and #4 (portal side)
Luca takes #3 and #4 (redmine side)
Step #1 is prerequisite to #2 and #3
Updated by Andrea Dell'Amico over 9 years ago
Massimiliano Assante wrote:
My LDAP script reflects the VREs into LDAP Groups, unless we create a VRE for redmine admins is not possible to do it. And I don't want to hardcode anything in there.
OK, I'll try to work out something that adds groups.
Andrea you're right, of course there is no need to use an empty DB for Redmine, I meant the LDAP DB should be an empty one not the Redmine. Sorry. I am rewriting the plan:
OK, now it's clear.
I think the plan could be as follows (prerequisite: announcing a minor Redmine downtime of 2 hours):
- backup of the current LDAP DB (Ldap-liferay)
- drop of current (Ldap-liferay) LDAP Structure and deployment of the ldap-export artifact written by me, on all the gateways
- configuring (as explained in this ticket) the redMine prod. to support the export of LDAP groups and their "population"
- ensure that everything works as expected and be prepared to roll-back if anything goes wrong
It seems we have an agreement on this:
Andrea takes #1
Massi takes #2 and #4 (portal side)
Luca takes #3 and #4 (redmine side)Step #1 is prerequisite to #2 and #3
OK. The ldap server already has daily backups, so it will be a matter of running it manually once just before the drop.
Updated by Massimiliano Assante over 9 years ago
- Related to Upgrade #1911: D4Science Infrastructure Upgrade to gCube 3.10.0 added
Updated by Massimiliano Assante over 9 years ago
- Status changed from Feedback to In Progress
Updated by Massimiliano Assante over 9 years ago
- Status changed from In Progress to Paused
The plan is ready, I'm pausing the ticket waiting for the first upgrade of gCube 3.10 #1911 in production (which will include this upgrade too) according to the plan agreed above.
Updated by Massimiliano Assante over 9 years ago
- Status changed from Paused to In Progress
- Infrastructure Pre-Production added
Something wrong with the LDAP to Redmine group export.
I was testing my Ldap Export Script on preproduction (preprod.d4science.org) still with ldap-liferay-d.d4science.org.
I reset ldap-liferay-d.d4science.org and run the ldap export script against ldap-liferay-d.d4science.org. Users and Groups were exported successfully but there is a problem in exporting these users in redmine-d.d4science.org/
Groups were created correctly, however some of the users present in ldap-liferay-d are not reflected in the RedMine associated group:
For instance:
- preprodVRE ldap group counts 6 users but only 5 in RedMine preprodVRE group
- BiodiversityLab ldap group counts 4 users but only 1 in RedMine preprodVRE group
In general it seems that the groups were created correctly but not all the users were associated to them
Updated by Massimiliano Assante over 9 years ago
- Priority changed from Urgent to Immediate
Updated by Andrea Dell'Amico over 9 years ago
Can you list those users? I suspect that they also exist with the same email address in the old ldap server and they are configured to authenticate with that one.
The sync procedure skips those users, see:
... -- Updating user 'mister.blue@d4science.org' (Blue Mister)... -- Updating user 'mister.brown@d4science.org' (Brown Mister)... -- Updating user 'mister.orange@d4science.org' (Tim Roth)... -- Updating user 'mister.pink@d4science.org' (Jesse Pinkman)... -- Updating user 'mister.white@d4science.org' (Walter White)... -- Skipping user 'p.koltsida@di.uoa.gr': it already exists on a different auth_source -- Skipping user 'paolo.fabriani@eng.it': it already exists on a different auth_source -- Skipping user 'pasquale.pagano@isti.cnr.it': it already exists on a different auth_source -- Skipping user 'roberto.cirillo@isti.cnr.it': it already exists on a different auth_source -- Updating user 'statistical.manager@gmail.com' (statistical manager)... -- Skipping user 'tommaso.piccioli@isti.cnr.it': it already exists on a different auth_source -- Skipping user 'valentina.marioli@isti.cnr.it': it already exists on a different auth_source
Updated by Massimiliano Assante over 9 years ago
Yes that could be the reason, in fact on Biodiversity Lab only my user is exported (and My user is configured to authenticate against the liferay-ldap) while, lucio, gxanpaolo and roberto (the 3 missing users) are configured to authenticate against the old ldap.
Updated by Andrea Dell'Amico over 9 years ago
You can test changing the configuration of one of them. At the next synch it should appear in the group.
We'll have to handle this right after the migration.
Updated by Massimiliano Assante over 9 years ago
I did try that, and Indeed I confirm the one you suspected is the actual reason.
How do you think we should proceed right after the migration? How do we know who are the users needing to auth against the liferay-ldap and who don't. I suppose we should just make all of them auth against the liferay-ldap.
Updated by Andrea Dell'Amico over 9 years ago
Massimiliano Assante wrote:
I did try that, and Indeed I confirm the one you suspected is the actual reason.
How do you think we should proceed right after the migration? How do we know who are the users needing to auth against the liferay-ldap and who don't. I suppose we should just make all of them auth against the liferay-ldap.
After the first synchronization run we will have a complete list of duplicate entries. We can choose to migrate them all and then manage the new problems (forgotten passwords, whatever).
The change can be done updating the DB tables directly, it's a matter of minutes.
Updated by Massimiliano Assante over 9 years ago
ok then the plan is updated as follows:
Announcement a minor Redmine downtime of 1 hour tomorrow at 17.30:
1) backup of the current LDAP DB (Ldap-liferay)
2) drop of current (Ldap-liferay) LDAP Structure and deployment of the ldap-export artifact written by me, on all the gateways
3) configuring (as explained in this ticket) the redMine prod. to support the export of LDAP groups and their "population"
4) ensure that everything works as expected and be prepared to roll-back if anything goes wrong
5) migrate all the users authenticating against the old ldap to the new one via updating the DB tables
Andrea takes #1 and #5
Massi takes #2 and #4 (portal side)
Luca takes #3 and #4 (redmine side)
Step #1 is prerequisite to #2, #3 #4
Step #2 and #3 are prerequisite of 5
Updated by Massimiliano Assante over 9 years ago
The portal users were exported correctly on LDAP Liferay Production
#1, #2 and #4 complete (portal side)
Updated by Massimiliano Assante over 9 years ago
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from In Progress to Feedback
Step #5 completed
Updated by Luca Frosini over 9 years ago
The last step to do is associating the automatically created group from VRE to the relative redmine project if any, and removing the association beetween the manually created group to projects. Only with this step we complete the migration and we realize if everything is working.
I will take care of this tomorrow and I will also made a post on BlueBridge to advise everyone. Moreover to invite any member to contact me if they have any problems.
After one week we can try to start to remove manually created groups relative to external partners (keeping our internal one). Then we will disconnect the old LDAP and we will delete the uneeded old users presents only on old LDAP and not registered in any portal.
Updated by Luca Frosini over 9 years ago
- Related to Support #2049: Redmine: remove manually created group and add the one created from LDAP import to the right project added
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from Feedback to Closed
