Josh Bonczkowski
User password change exporting to LDAP (AD)?
August 17, 2010 11:42 AM

I am currently using Liferay 6.0.2 for my tests. Later this week or early next, I'll be able to test with Liferay 6.0.5.

I have my LDAP (Active Directory) source configured within Liferay for authentication. When users log in, Liferay authenticates against LDAP. I configured LDAP using the secure LDAP port so that AD will accept changes for passwords (unicodePwd attribute).

When I go to the user details control panel and change a password, this results in the userPassword attribute being updated within LDAP and it now contains the plaintext password that was just set. Is Liferay properly configured to update the unicodePwd attribute with the properly formatted password for Active Directory?

To try and work around this, I have been trying to extend the UpdatePasswordAction class in Liferay. I believe this is called when a user submits a new password through the control panel. The code to update the password in AD isn't that hard since I have already worked that out previously. I defined my new action class in the com.liferay.portal.action package within the ext-impl/src/ directory. In ext-web/docroot/WEB-INF/, I updated struts-config-ext.xml to include the new mapping for this one action.

<action path="/portal/update_password" type="com.liferay.portal.action.MyUpdatePasswordAction">
  <forward name="portal.update_password" path="portal.update_password" />
</action>


Unfortunately, it does not appear that my code is being executed, so I am not able to force the password to be set through the unicodePwd attribute using this method at this time.


Suggestions? Thoughts?
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 17, 2010 11:57 AM

I just remembered the LDAP mappings in portal-ext.properties. I changed the ldap.user.mappings entry to map password=unicodePwd (was previously userPassword). I did a quick restart of my application server (Tomcat) and tried to change my password through the control panel. The password was not updated. Just to make sure, I ran that test a few times.

Perhaps that setting is not taking effect. It appears that the userPassword attribute is still being updated within LDAP to the plaintext password that I changed to in the control panel. Is there a way to check the current settings? Is it read from the file then stored in the DB?
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 18, 2010 7:04 AM

I believe I found at least part of my own answer.

com.liferay.portal.action.UpdatePasswordAction is not used to change a user's password from the control panel.

com.liferay.portlet.myaccount.action.EditUserAction is used to change a user's password from the control panel. I was able to transform my extension of UpdatePasswordAction to an extension of EditUserAction to push the new user's password to Active Directory.

There is a second EditUserAction in com.liferay.portlet.enterpriseadmin.action. This is the base class for the one in the myaccount.action package. Does anyone know how this one is used? Is it used when an administrator edits a user? I'll play with it a bit this morning to see if I need to override this as well.


I still have no idea if changing portlet-ext.properties and modifying the ldap.user.mappings property to have 'password=unicodePwd' will work. For some reason, that property is still not being used by my server even after multiple reboots. I have cleared the tomcat cache directory (work/Catalina/localhost/*) to see if that would matter as well. Somewhere, there appears to be a cached value where 'password=userPassword' and I have yet to find it to force the proper change. Getting help on this would be beneficial as well.
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 18, 2010 8:24 AM

It appears that I do need to extend com.liferay.portlet.enterpriseadmin.action.EditUserAction as well. And it is used in 7 different actions (in Liferay 6.0.2).
Samuel Liu
RE: User password change exporting to LDAP (AD)?
August 18, 2010 9:46 AM

Hi Josh,

I would recommend switching to 6.0.5 before getting this to work. From what I understand, 6.0.5 and 6.0.2 differ a bit in terms of LDAP configuration.

I don't know LDAP well enough to answer your other questions, but this is just a recommendation. I also have the settings that make LDAP work for our test servers, so you can refer to them if you get stuck.

Warm regards,
Sam
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 18, 2010 10:04 AM

Thanks Sam.

I have been planning on upgrading my test environment to 6.0.5 next week. But that might just happen today or tomorrow.

I figured out my issue with changing the ldap.user.mappings property in portal-ext.properties. This value is only used when creating a new LDAP configuration. Once the configuration is created, I have to update it using the Liferay UI for editing an LDAP configuration.

Changing the association of the Liferay password to AD unicodePwd (again, in 6.0.2) does not work either. When using a secure connection (only way AD will allow password changes), the AD server throws an LDAP error code 53, problem 5003 (WILL_NOT_PERFORM). I am not at all surprised to see this as the password has to be specifically formatted for AD.

I'll give 6.0.5 a try soon and see how it fares out of the box.
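
The AD-specific password formatting mentioned in the post above, as an added example that is not part of the original thread and is not Liferay code: unicodePwd takes the password wrapped in double quotes and encoded as UTF-16LE, written with a JNDI modify over LDAPS. The class and method names are hypothetical and the sample password is constructed.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

public class AdPasswordExample {
    // Active Directory expects unicodePwd as the password wrapped in
    // double quotes and encoded as UTF-16LE bytes, not as a plain string.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Administrative reset: a single REPLACE of unicodePwd.
    static ModificationItem[] resetMods(String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    // User-initiated change: REMOVE the old value and ADD the new one
    // in the same modify request.
    static ModificationItem[] changeMods(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    // ctx must already be bound over an encrypted connection (ldaps://),
    // which the thread notes AD requires for password changes.
    static void resetPassword(DirContext ctx, String userDn, String newPassword)
            throws NamingException {
        ctx.modifyAttributes(userDn, resetMods(newPassword));
    }

    public static void main(String[] args) {
        // Constructed sample value; prints the bytes that go on the wire.
        StringBuilder hex = new StringBuilder();
        for (byte b : encodeUnicodePwd("Ex4mple!")) {
            hex.append(String.format("%02x", b));
        }
        System.out.println(hex + " (" + changeMods("a", "b").length + " mods)");
    }
}
```
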
Alan Robertson
RE: User password change exporting to LDAP (AD)?
January 20, 2011 8:43 AM

Josh, were you able to get this working? I'm trying to use Liferay 6.0.5 to change passwords in Active Directory and it's not working for me.
Ryan Ward
RE: User password change exporting to LDAP (AD)?
January 24, 2011 11:06 AM

I'm also interested in this answer. I'm unable to set AD passwords from within Liferay; I just get plain text storage of the password in the userPassword attribute in AD.
Fezrul fizree
RE: User password change exporting to LDAP (AD)?
March 25, 2011 1:19 AM

Hi there, I have a question. I need to bind AD with Liferay using the LDAP option in the portal settings authentication. My problem is that in AD there is no userPassword attribute for the user.

How am I supposed to map the password attribute?

My AD has 3400++ users and I don't see any userPassword attribute on it, only a pwdLastSet attribute, which has nothing to do with the user password.
William Liu
RE: User password change exporting to LDAP (AD)?
June 21, 2011 5:46 PM

I am currently using Liferay 6.0.6 and having the same issue.

I have an LDAPS connection and the password field mapped to unicodePwd, and when I change the password I got the exception below.

[LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0 ]

Anyone got it working here? Thanks!
Sandip Patel
RE: User password change exporting to LDAP (AD)?
January 7, 2013 11:04 PM

Hi,
I am currently facing an issue:
I have mapped the Liferay User password field to unicodePwd of LDAP (AD). When I am creating a user in Liferay it gives the error below.

Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=testone,OU=Users,OU=Radisson Edwardian,DC=rbehtest,DC=ed-mstest,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)


If I map the Liferay user password field to userPassword of LDAP (AD) then it successfully creates the user in LDAP.

Please help me. Do I need to change any code for this?