Task #293
closed
Make any Liferay user to access Redmine (through LDAP Credentials)
100%
Description
The Redmine instance for a given project should be accessed by any VRE user serving this project.
At this moment we are able to make Liferay pass the credentials to Redmine, which I assume checks these credentials against the research infrastructure's LDAP (Our LDAP).
This solution works only with already registered users (both to LDAP and Redmine). The requirement is to make any Liferay user able to log in to Redmine. To do so, Liferay has the capability to export users to LDAP, and this already works (although I'm not sure where these users get saved).
Probably the only step missing, once we enable the export users in Liferay, is to associate the user to a given project in Redmine. Any idea on how to do this?
Updated by Massimiliano Assante almost 10 years ago
For example the users belonging to the PARTHENOS VRE should be able to join the Redmine instance of Parthenos
Updated by Pasquale Pagano almost 10 years ago
- Priority changed from High to Urgent
Updated by Andrea Dell'Amico almost 10 years ago
- Priority changed from Urgent to High
Massimiliano Assante wrote:
The Redmine instance for a given project should be accessed by any VRE user serving this project.
At this moment we are able to make Liferay pass the credentials to Redmine, which I assume checks these credentials against the research infrastructure's LDAP (Our LDAP).
This solution works only with already registered users (both to LDAP and Redmine). The requirement is to make any Liferay user able to log in to Redmine. To do so, Liferay has the capability to export users to LDAP, and this already works (although I'm not sure where these users get saved).
Inside our LDAP server, but I think it's a recipe for disaster.
If liferay can support more than one ldap server, the export could be enabled for a second ldap completely separated from the ISTI one.
Probably the only step missing, once we enable the export users in Liferay, is to associate the user to a given project in Redmine. Any idea on how to do this?
I think it's possible leveraging some of the 'ldap sync plugin' options that we are not using. I don't know if it uses 'posixGroups' from the ldap tree. The ldap and redmine groups should be the same, though.
The ldap sync plugin documentation is here: https://github.com/thorin/redmine_ldap_sync
Updated by Andrea Dell'Amico almost 10 years ago
- Priority changed from High to Urgent
Updated by Massimiliano Assante almost 10 years ago
Yes liferay can support more than one ldap server
Updated by Luca Frosini almost 10 years ago
Massimiliano Assante so you can patch liferay to insert in the "external" LDAP the users instead of creating only on local database. With this feature we can plan to have a SSO or a sort of it
Updated by Massimiliano Assante almost 10 years ago
Luca Frosini wrote:
Massimiliano Assante so you can patch liferay to insert in the "external" LDAP the users instead of creating only on local database. With this feature we can plan to have a SSO or a sort of it
I can make Liferay export its users to any LDAP server; no patches are needed, just LDAP coordinates and credentials
Updated by Pasquale Pagano almost 10 years ago
We need to complete this activity since we have more than 40 people registered to Liferay that need to use redmine. Without exporting Liferay users in LDAP this is not possible. This task has to be completed asap
Updated by Massimiliano Assante almost 10 years ago
- Target version changed from UnSprintable to LiferayRedmineIntegration
Updated by Pasquale Pagano almost 10 years ago
- Due date set to Jul 13, 2015
due to changes in a related task
Updated by Massimiliano Assante almost 10 years ago
- Status changed from New to In Progress
- Assignee changed from Andrea Dell'Amico to Massimiliano Assante
the ldap instance is ready, trying to export Liferay users now
Updated by Massimiliano Assante almost 10 years ago
Updated: we're having troubles mapping users into LDAP, Tom is trying to fix the issue
Updated by Massimiliano Assante almost 10 years ago
Tom fixed the issue, however the users do not seem to get exported from Liferay to LDAP. We're not sure when Liferay would do that (we tried restarting the portal but no users were exported, we waited 10/15 minutes but no users were exported).
We also found out that (perhaps) the export is not performed on the whole set of portal users. It seems it is only performed per user, when he either logs in or changes something in his account, i.e. whenever the user logs on to Liferay, Liferay will automatically export the user to LDAP (or on any type of update on user. Login changes the LastLoginDate and hence export happens).
If this is confirmed it might be a problem because it will force users to log in first and then they will have the possibility to access redmine.
I think we should wait a bit more for the export to be done by LR, if LR does not export, then I will take care of creating a periodic task that does the job on Monday.
In the meantime we should make sure that Redmine is able to work with this new LDAP instance.
Updated by Massimiliano Assante almost 10 years ago
LR does not export, my feeling is that if the import is not enabled then the export will not work. I'm now going to try to see if I can make the export myself.
Updated by Massimiliano Assante almost 10 years ago
- Assignee changed from Massimiliano Assante to Tommaso Piccioli
We are ready to export the users in this new LDAP instance, tomorrow (Tue 21st) Redmine should be plugged to this new LDAP instance during the D4Science Infrastructure Downtime
Updated by Tommaso Piccioli almost 10 years ago
- Assignee changed from Tommaso Piccioli to Andrea Dell'Amico
Updated by Massimiliano Assante almost 10 years ago
350 production users (circa) were successfully exported to the new LDAP instance (350 is the number of users of services d4science that are registered at least to one VRE)
Updated by Pasquale Pagano almost 10 years ago
Will you then integrate this list of users with the ones registered to the other portals?
Updated by Massimiliano Assante almost 10 years ago
sure, I will if not today, tomorrow
Updated by Massimiliano Assante almost 10 years ago
Just found out the LDAP instance syncs with Redmine every 30 minutes, if this can't be changed there's no point for the Liferay to LDAP export to be set every 10 minutes. What should we do?
Updated by Massimiliano Assante almost 10 years ago
descramble users exported successfully
Updated by Andrea Dell'Amico almost 10 years ago
- Status changed from In Progress to Feedback
The authentication against the second ldap server is now working. There was a problem with the ACLs that is now fixed.
Updated by Andrea Dell'Amico almost 10 years ago
Massimiliano Assante wrote:
Just found out the LDAP instance syncs with Redmine every 30 minutes, if this can't be changed there's no point for the Liferay to LDAP export to be set every 10 minutes. What should we do?
About this matter: the synchronization is used by redmine to only merge the changes made on ldap to existing users: email or name changes, for example. So we do not need to wait for a synchronization to have a new user active, the new users are active as soon as they appear inside the ldap server.
Updated by Massimiliano Assante almost 10 years ago
I was able to connect Liferay and LDAP, now PARTHENOS VRE users can access Redmine without further authorisations: https://services.d4science.org/group/parthenos/issue-tracker,
however 2 issues remain open:
1) The PARTHENOS VRE users who have not been yet assigned to PARTHENOS Project on RedMine get authenticated but then Redmine says they have no permission to see the page (obviously)
2) The old LDAP users having a different password on services do not get authenticated as Redmine tries first to authenticate them against the old LDAP (But passing the new LDAP password)
Updated by Massimiliano Assante almost 10 years ago
- Status changed from Feedback to In Progress
Actually it seems that although the PARTHENOS VRE users were exported to LDAP they are not present in Redmine, e.g. Achille Felicetti is not present on Redmine
Updated by Massimiliano Assante almost 10 years ago
After talking with Andrea, he told me the users are in Redmine but in a "locked" state (325 users are in locked state). They have to be unlocked first manually from Redmine and then you can add them to the Project. I'm not Admin of Redmine, I can't do that.
Updated by Andrea Dell'Amico almost 10 years ago
Users that are present in the ldap server but did not try to access to redmine yet are in 'locked' state. They are visible from the 'Users' redmine panel, switching the filter to "locked"
Updated by Massimiliano Assante almost 10 years ago
Thanks Andrea, as a Redmine admin now I can unlock the users. however since they are 350 circa I have to click 350 times.... not fun at all :(
Is it somehow possible to setup Redmine to not lock the users?
Updated by Andrea Dell'Amico almost 10 years ago
Massimiliano Assante wrote:
Thanks Andrea, as a Redmine admin now I can unlock the users. however since they are 350 circa I have to click 350 times.... not fun at all :(
Is it somehow possible to setup Redmine to not lock the users?
I'll try. At worst we can modify the database directly
Updated by Andrea Dell'Amico almost 10 years ago
I see that all the users but four had already been unlocked.
From what I'm reading on the ldap sync plugin sources, it's possible that the users were put in a locked state when we changed the ldap schema. Let's see what happens with the new ones.
Updated by Massimiliano Assante almost 10 years ago
I did unlock the users yesterday, this morning around 9 I unlocked other 4 users, but now they are back to locked state. The users are the ones in the screenshot attached (I unlocked them again after taking the screenshot)
Updated by Andrea Dell'Amico almost 10 years ago
They are the same 4 users that I unlocked myself yesterday evening. I'll try to understand what's wrong with them.
Updated by Andrea Dell'Amico almost 10 years ago
Pasquale Pagano wrote:
are the emails actual emails?
Their syntax is valid.
Updated by Andrea Dell'Amico almost 10 years ago
- Status changed from In Progress to Feedback
I've checked the four users that are currently locked. None of them is present in any of the ldap servers.
statistical.wps and ashtoash do not appear anywhere, while
gerda.mcneil is present with the same email address but uid gerda.mcneill on the old ldap server
jenshaarld.aasheim is present with the same email address but uid j.aasheim on the old ldap server
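The check described in the comment above (application accounts with no matching directory entry, or matching only by email under a different uid) can be scripted as an offline reconciliation. This is an added example, not code from the thread, Redmine or the LDAP sync plugin; all accounts, addresses and directory names in it are constructed, and it assumes the Redmine user list and the LDAP entries have already been exported to plain tuples.

```python
# Constructed sample data: none of these accounts or addresses come from the thread.
# (login, email, status) rows as exported from the application's user table.
REDMINE_USERS = [
    ("a.rossi", "a.rossi@example.org", "active"),
    ("stats.bot", "stats@example.org", "locked"),
    ("g.bianci", "g.bianchi@example.org", "locked"),
    ("M.Verdi", "m.verdi@example.org", "locked"),
]
# directory name -> (uid, mail) entries as exported from each LDAP server.
LDAP_DIRECTORIES = {
    "old": [("g.bianchi", "G.Bianchi@example.org")],
    "new": [("a.rossi", "a.rossi@example.org"), ("m.verdi", "m.verdi@example.org")],
}


def build_indexes(directories):
    """Index every entry by uid and by mail. Both attributes use
    case-insensitive matching rules in the standard LDAP schema."""
    by_uid, by_mail = {}, {}
    for name, entries in directories.items():
        for uid, mail in entries:
            by_uid.setdefault(uid.lower(), []).append(name)
            by_mail.setdefault(mail.lower(), []).append((name, uid))
    return by_uid, by_mail


def reconcile(app_users, directories):
    """Classify each application account as:
    backed       - a directory entry with the same uid exists
    uid_mismatch - no such uid, but an entry with the same mail exists
    orphan       - no directory entry matches by uid or by mail"""
    by_uid, by_mail = build_indexes(directories)
    report = {}
    for login, email, status in app_users:
        if login.lower() in by_uid:
            report[login] = ("backed", status, by_uid[login.lower()])
        elif email.lower() in by_mail:
            report[login] = ("uid_mismatch", status, by_mail[email.lower()])
        else:
            report[login] = ("orphan", status, [])
    return report


def needs_review(report):
    """Accounts that cannot authenticate against any directory as they stand."""
    return sorted(login for login, (kind, _, _) in report.items() if kind != "backed")


if __name__ == "__main__":
    for login, row in reconcile(REDMINE_USERS, LDAP_DIRECTORIES).items():
        print(login, row)
```

A locked account classified as `backed` matches the case described earlier in the thread (present in LDAP, not yet logged in), while `uid_mismatch` and `orphan` accounts are the ones to investigate before unlocking or removing them.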
Updated by Massimiliano Assante almost 10 years ago
Sorry Andrea, if none of the four users is present in any of the LDAP servers how can they be in Redmine?
Updated by Andrea Dell'Amico almost 10 years ago
If they are present in one of the portals, maybe they were imported in one of the early ldap tests: the redmine ldap sync process has always been active.
Why they are not imported into the ldap server anymore, I don't know.
Updated by Andrea Dell'Amico almost 10 years ago
May I remove those four users from redmine?
Updated by Andrea Dell'Amico over 9 years ago
- Status changed from Feedback to Resolved
Updated by Massimiliano Assante over 9 years ago
- Blocked by Support #1407: Export Liferay Portal groups to LDAP added
Updated by Massimiliano Assante over 9 years ago
- Blocked by Task #1609: Change the Redmine LDAP Configuration dn for users added
Updated by Massimiliano Assante about 9 years ago
- Status changed from Resolved to Closed