amit singh
Liferay 6.1.0 - LDAP configuration
July 2, 2012 12:16 AM

I am doing an implementation in my organization using Liferay 6.1.0 and am currently trying to configure Liferay with LDAP authentication.
I need a few clarifications on how LDAP works with Liferay.

I created some users in LDAP Apache Active Directory server, and when I went to Liferay Portal, I enabled and added a new LDAP server, verified the connection with the LDAP server, and tested the LDAP users and groups available.

I didn't check Required, Import Users, Export Enabled and LDAP Password Policy.

Now when I log out and log in using LDAP user credentials, it is able to log in successfully. However, to my surprise, it stores those details in the database and shows the details of the user on the screen in the Users and Organisation tab in the Control Panel.

Now if I shut down the LDAP server and try to log in with the LDAP user credentials, it allows me to log in. Is this the correct behavior?
Please correct me and help me understand how Liferay behaves with LDAP server authentication.

Help me with the Required checkbox functionality, Import Enabled, and LDAP Password Policy.


Thanks
Amit
Amit Doshi
RE: Liferay 6.1.0 - LDAP configuration
July 2, 2012 12:57 AM

amit singh:
I am doing an implementation in my organization using Liferay 6.1.0 and am currently trying to configure Liferay with LDAP authentication.
I need a few clarifications on how LDAP works with Liferay.

I created some users in LDAP Apache Active Directory server, and when I went to Liferay Portal, I enabled and added a new LDAP server, verified the connection with the LDAP server, and tested the LDAP users and groups available.

I didn't check Required, Import Users, Export Enabled and LDAP Password Policy.

Now when I log out and log in using LDAP user credentials, it is able to log in successfully. However, to my surprise, it stores those details in the database and shows the details of the user on the screen in the Users and Organisation tab in the Control Panel.

Now if I shut down the LDAP server and try to log in with the LDAP user credentials, it allows me to log in. Is this the correct behavior?
Please correct me and help me understand how Liferay behaves with LDAP server authentication.

Help me with the Required checkbox functionality, Import Enabled, and LDAP Password Policy.


Thanks
Amit


If you unchecked the Required field, that means it will not strictly bind to the LDAP server. If you want to strictly bind to the LDAP server only, then you have to check the Required field.
amit singh
RE: Liferay 6.1.0 - LDAP configuration
July 2, 2012 5:11 AM

Thanks for the quick response.

Is there an issue with the LDAP import functionality and the Required authentication? I am facing lots of issues while configuring the LDAP integration. Sometimes the import works, while sometimes it doesn't. Is there a manual or link on how to correctly set up Liferay 6.1.0 with LDAP, with an example? I am facing lots of trouble.
Amit Doshi
RE: Liferay 6.1.0 - LDAP configuration
July 3, 2012 5:04 AM

Hi Amit,

I don't have the list of tickets generated for LDAP issues.
But one issue that is well known is as below:

When Required is true and Export is also true, it will export the password as empty to LDAP. This is one of the biggest issues during LDAP import and export.

Let me know if you are getting any other issue. We will try to solve it.

Thanks & Regards,
Amit Doshi
amit singh
RE: Liferay 6.1.0 - LDAP configuration
July 4, 2012 12:32 AM

Thanks for the reply, Amit. That definitely helps!!

I need your help with the scenario below:

I am able to bind my Liferay instance with the Apache AD LDAP server. I have checked Enable & Required as true. Import/Export is set as false/unchecked.
I am successfully able to log in with the LDAP user; however, Liferay also maintains a copy of the user information in the User_ table. If I shut down the LDAP server and try to log in with the user credentials, it allows me to log in. That means Liferay keeps the LDAP user information in the database as well.

My requirement is that I want Liferay authentication to be done from LDAP only, not from the database.
Please help!!

Thanks,
Amit Singh
David H Nebinger
RE: Liferay 6.1.0 - LDAP configuration
July 4, 2012 5:36 AM

amit singh:
My requirement is that I want Liferay authentication to be done from LDAP only, not from the database.


Not understanding how Liferay LDAP works is your mistake.

Liferay uses an import/export process to synchronize the Liferay database with LDAP. All it does is pull the basic user information over to Liferay so Liferay can satisfy foreign keys to user information.

However, when you log in using an LDAP-configured Liferay instance, authentication does only happen with LDAP and not from the database. Liferay's process identifies that the user came over during an LDAP import and will attempt to bind to LDAP using the user's LDAP information from the database and the password they provide (unless you're using NTLM, but that's a different story)... If the bind is successful, they're in, otherwise they are not. No database password check, etc.

So even though the user information is in the Liferay database, authentication only occurs through LDAP.
Amit Doshi
RE: Liferay 6.1.0 - LDAP configuration
July 4, 2012 11:23 PM

Amit Singh :-

My requirement is that I want Liferay authentication to be done from LDAP only, not from the database.
Please help!!


If you want to strictly bind to the LDAP server only, not with the DB, then enable the Required field. It will strictly bind to LDAP only.

Let me know if you have any concerns or issues.

Regards,
Amit Doshi
amit singh
RE: Liferay 6.1.0 - LDAP configuration
July 5, 2012 12:20 AM

Thanks Amit, David for your quick replies.
I understand there is a need for user information to satisfy foreign key dependencies.

However, if I set Enable and Required as true and shut the LDAP server down, then in that case as well Liferay allows the user to log in using the default password maintained by Liferay, which completely bypasses the LDAP authentication.

I made these changes in portal-ext.properties:

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=amit

and when I shut down the LDAP server and try to log in, it takes the password as "amit".

I looked through the forums and Google and found out that there is a bug in the Liferay LDAP implementation and a patch has been generated for it.
The following posts explain it:
http://www.liferay.com/community/forums/-/message_boards/message/14713614
http://www.liferay.com/web/jonas.yuan/blog/-/blogs/keeping-user-password-secure-with-ldap-integration

Following the above posts, I have checked out the latest source from the SVN site for Portal for 6.1.X.
I will build it and will try configuring LDAP again on the new build.

Also, I request you to clarify one scenario for me.

1) Let's say there is a user in the LDAP server and we have set user password import and autogenerate as false.
2) LDAP is enabled and required on Liferay. Import/export is false.
3) I log in with the user credentials and do some operation in Liferay. Then I shut down the LDAP server and try to log in with the same user again on Liferay.
4) Liferay blocks me from logging in and suggests that I click the forgot password link or send the password by email notification.
5) I update my password using the forgot password utility and bring the LDAP server up.
6) Then Liferay will itself update the user password stored in LDAP for the user whose password has been changed. (Keeping in mind Import/Export is set as false in the Liferay LDAP settings.)

Please correct me on the above steps if I am wrong somewhere.

Thanks,
Amit
David H Nebinger
RE: Liferay 6.1.0 - LDAP configuration
July 5, 2012 5:49 AM

amit singh:
However, if I set Enable and Required as true and shut the LDAP server down, then in that case as well Liferay allows the user to log in using the default password maintained by Liferay, which completely bypasses the LDAP authentication.


This is also untrue. If you shut down LDAP, then users cannot connect to Liferay at all, unless they're omniadmins (special admin users defined in portal-ext.properties that can log in when LDAP is down using database credentials).

amit singh:
I made these changes in portal-ext.properties:

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=amit

and when I shut down the LDAP server and try to log in, it takes the password as "amit".


How about the auth params? Using values like:

ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind


will allow Liferay to use database login if LDAP is not available.

amit singh:
I looked through the forums and Google and found out that there is a bug in the Liferay LDAP implementation and a patch has been generated for it.


I don't think you are hitting this 'bug', I think you just don't have enough experience to know how the ldap stuff works in Liferay and are merely guessing.


amit singh:
1) Let's say there is a user in the LDAP server and we have set user password import and autogenerate as false.
2) LDAP is enabled and required on Liferay. Import/export is false.
3) I log in with the user credentials and do some operation in Liferay. Then I shut down the LDAP server and try to log in with the same user again on Liferay.
4) Liferay blocks me from logging in and suggests that I click the forgot password link or send the password by email notification.
5) I update my password using the forgot password utility and bring the LDAP server up.
6) Then Liferay will itself update the user password stored in LDAP for the user whose password has been changed. (Keeping in mind Import/Export is set as false in the Liferay LDAP settings.)


Again, let's say you don't know what you're doing and no one in their right mind would set up a production server to use LDAP for authentication but allow for fallback to the database when LDAP is down.

Seriously, not requiring LDAP is only used when you're going to have a mix of users:

  1. Users within your org that are in LDAP and must be authenticated there.
  2. Users outside of your org that will not have an account in LDAP.
amit singh
RE: Liferay 6.1.0 - LDAP configuration
July 8, 2012 10:26 PM

Hi Amit,

I enabled the Required field. However, it is still not able to strictly bind with LDAP; the user is able to log in using the password stored in the DB.
Can you help me step by step, so that anything I am doing wrong may be corrected?

Regards,
Amit Singh
Amit Doshi
RE: Liferay 6.1.0 - LDAP configuration
July 9, 2012 12:09 AM

amit singh:
Hi Amit,

I enabled the Required field. However, it is still not able to strictly bind with LDAP; the user is able to log in using the password stored in the DB.
Can you help me step by step, so that anything I am doing wrong may be corrected?

Regards,
Amit Singh


Amit Singh :-

You need to add the properties below to the portal-ext.properties file.

ldap.auth.enabled=true
ldap.auth.required=true

ldap.auth.enabled=true
Set ldap.auth.enabled=true to enable LDAP authentication.

ldap.auth.required=true
Setting required=true means that you must successfully bind with the record in the LDAP server before Liferay will allow the user to log in.

Also check that the changes are getting reflected by verifying the portletpreferences table in the DB.

In the portletpreferences table there is a preference column, in which you can check where all your configuration is saved in XML format.

Hope it helps.

Regards,
Amit Doshi
Pasi Kössi
RE: Liferay 6.1.0 - LDAP configuration
February 7, 2013 1:23 AM

Sorry for digging up an old thread, but this may be a good place to deliver my information on this subject; also updating this thread to cover the latest CE release.

I hope the originator of this thread got his problem solved, eventually. I could not solve my own similar problem with the release 6.1.1 CE GA2 with these instructions, though. It seems that even though I have ldap authentication both as enabled and required, the system still falls back to checking the password against liferay database, at least in our configuration (login using e-mail address). While I have not read the source code completely and do not know if this standard setting could in fact work in some environments, I did finally come up with a working workaround that strictly requires Ldap login for all accounts, including omniadmins. In portal-ext.properties, I had to add

auth.pipeline.enable.liferay.check=false

My other relevant portal-ext settings are:
ldap.auth.required=true
ldap.auth.enabled=true
ldap.auth.method=bind

But without explicitly disabling the liferay password check we could still create new accounts in Control Panel and log in with those accounts.

Best Regards,
Pasi
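
The settings discussed in this thread, checked by script. This is an added example, not part of any post above and not Liferay code: `parse_properties`, `audit` and `ASSUMED_DEFAULTS` are hypothetical names, and the default values are assumptions that should be confirmed against the portal.properties of the release in use.

```python
# Added example: audit portal-ext.properties text for the settings this thread
# ties to database-password fallback. Defaults are assumptions, not verified
# against a specific Liferay release.
ASSUMED_DEFAULTS = {
    "ldap.auth.enabled": "false",
    "ldap.auth.required": "false",
    "auth.pipeline.enable.liferay.check": "true",
}

def parse_properties(text):
    """Parse simple key=value lines; a later duplicate key overrides an earlier one."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, message) findings that conflict with an LDAP-only login policy."""
    props = parse_properties(text)
    get = lambda k: props.get(k, ASSUMED_DEFAULTS.get(k, "")).lower()
    findings = []
    if get("ldap.auth.enabled") != "true":
        findings.append(("ldap.auth.enabled", "LDAP authentication is not enabled"))
    if get("ldap.auth.required") != "true":
        findings.append(("ldap.auth.required", "a failed LDAP bind does not block login"))
    if get("auth.pipeline.enable.liferay.check") != "false":
        findings.append(("auth.pipeline.enable.liferay.check",
                         "portal database password check is still active"))
    if props.get("ldap.import.user.password.default"):
        findings.append(("ldap.import.user.password.default",
                         "static default password set for imported users"))
    return findings

# Constructed samples built from the property lines quoted in the thread.
FALLBACK = ("ldap.auth.enabled=true\nldap.auth.required=false\n"
            "ldap.auth.method=bind\nldap.import.user.password.default=amit\n")
STRICT = ("ldap.auth.enabled=true\nldap.auth.required=true\n"
          "ldap.auth.method=bind\nauth.pipeline.enable.liferay.check=false\n")

if __name__ == "__main__":
    for name, sample in (("FALLBACK", FALLBACK), ("STRICT", STRICT)):
        print(name, [key for key, _ in audit(sample)] or "no findings")
```

The script reads only the properties file. As Amit Doshi notes above, settings saved through the Control Panel are stored in the portletpreferences table, so that table should be checked as well.
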
Brij Mohan Kataria
RE: Liferay 6.1.0 - LDAP configuration
June 17, 2013 10:21 PM

Hi Amit,

Can you explain in detail how to configure LDAP in Liferay? I have written below what I do. When I test the LDAP connection, the message is "Liferay has successfully connected to the LDAP server", but when I test LDAP users, the message is "No users were found". Please help me.

LDAP SERVER USER
ObjectClass : inetOrgPerson (structural)
ObjectClass : organizationalPerson (structural)
ObjectClass : person (structural)
ObjectClass : top (abstract)
cn : test
sn : test
uid : test
userPassword : test

Liferay LDAP Setting
Authentication Search Filter :sn=@screen_name@
Import Search Filter : (objectClass=InetOrgPerson)
Screen Name : test
Password :test
Email Address : mail
Full Name :
First Name : test
Last Name : test
Job Title :
Portrait :
Group :
UUID:
Brij Mohan Kataria
RE: Liferay 6.1.0 - LDAP configuration
June 18, 2013 12:41 AM

Hey, I've done it.

Thanks!
Daniel Tyger
RE: Liferay 6.1.0 - LDAP configuration
August 8, 2013 12:18 PM

Pasi Kössi:
Sorry for digging up an old thread, but this may be a good place to deliver my information on this subject; also updating this thread to cover the latest CE release.
I hope the originator of this thread got his problem solved, eventually.... I did finally come up with a working workaround that strictly requires Ldap login for all accounts, including omniadmins. In portal-ext.properties, I had to add

auth.pipeline.enable.liferay.check=false

My other relevant portal-ext settings are:
ldap.auth.required=true
ldap.auth.enabled=true
ldap.auth.method=bind

But without explicitly disabling the liferay password check we could still create new accounts in Control Panel and log in with those accounts.

Best Regards,
Pasi


Pasi-

I very much appreciate you having taken the action to add to this thread, as it has helped me, and I am sure others, too... Sincerely -daniel
Mohammad Hosang Khan
RE: Liferay 6.1.0 - LDAP configuration
March 17, 2014 6:48 AM

Hi Brij Mohan Kataria,

Kindly let everyone know how you made it work.

Thanks in advance