Combination View Flat View Tree View
Threads [ Previous | Next ]
toggle
Silvano Fari
Liferay and LDAP: current an old password works!
June 21, 2011 12:52 AM
Answer

Silvano Fari

Rank: Junior Member

Posts: 58

Join Date: June 16, 2010

Recent Posts

Hi, I have a Liferay, which is bound to an LDAP (Active Directory) as user registry. It works fine so far!

When I am changing a password of a user in AD the according user is able to immediately log in with the new password.
But what I don't understand is, that logging in with the old one works as well....

Is this working as designed? Can somebody explain, why that behaves like this?
Jack Bakker
RE: Liferay and LDAP: current an old password works!
July 23, 2012 12:20 PM
Answer

Jack Bakker

Rank: Liferay Master

Posts: 840

Join Date: January 3, 2010

Recent Posts

I also look for solution to this (LR v6.0.6 against Active Directory)
Hüseyin Uzun
RE: Liferay and LDAP: current an old password works!
July 24, 2012 2:02 AM
Answer

Hüseyin Uzun

Rank: New Member

Posts: 10

Join Date: November 11, 2010

Recent Posts

There's an blog-entry, where you can see the integration of secure LDAP-Integration: http://www.liferay.com/web/jonas.yuan/blog/-/blogs/6583930
Which Version of Liferay do you use? In 6.0.6 you must implement the sources themselves.
Hitoshi Ozawa
RE: Liferay and LDAP: current an old password works!
July 24, 2012 4:30 AM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7949

Join Date: March 23, 2010

Recent Posts

This seems to a security risk but I think I've seen similar post before. Have you tried the nightly trunk version because it may be solved there.
elias saliba
RE: Liferay and LDAP: current an old password works!
July 24, 2012 7:57 AM
Answer

elias saliba

Rank: New Member

Posts: 24

Join Date: July 16, 2012

Recent Posts

hi Silvano,
when your portal liferay imports data from LDAP, it imports password of users and stores it into liferay repository database. then when you change password in your portal, the two passwords will be accepeted. try to not importing data from LDAP server and make your LDAP required:
Attachment

Attachments: lll.png (34.8k)
Jack Bakker
RE: Liferay and LDAP: current an old password works!
July 24, 2012 10:21 AM
Answer

Jack Bakker

Rank: Liferay Master

Posts: 840

Join Date: January 3, 2010

Recent Posts

if ldap is not required ; do we know if authentication is FIRST tried against ldap and then against Liferay ? or might it be against Liferay first and then LDAP ?
elias saliba
RE: Liferay and LDAP: current an old password works!
July 24, 2012 12:00 PM
Answer

elias saliba

Rank: New Member

Posts: 24

Join Date: July 16, 2012

Recent Posts

Hi jack,
If ldap is required then the authentication would take place on the ldap server. This means that the username and password of ldap will be checked.
Jack Bakker
RE: Liferay and LDAP: current an old password works!
July 24, 2012 12:16 PM
Answer

Jack Bakker

Rank: Liferay Master

Posts: 840

Join Date: January 3, 2010

Recent Posts

Elias wrote

Hi jack,
If ldap is required then the authentication would take place on the ldap server. This means that the username and password of ldap will be checked.


Jack asked

if ldap is not required ; do we know if authentication is FIRST tried against ldap and then against Liferay ? or might it be against Liferay first and then LDAP ?
elias saliba
RE: Liferay and LDAP: current an old password works!
July 24, 2012 1:02 PM
Answer

elias saliba

Rank: New Member

Posts: 24

Join Date: July 16, 2012

Recent Posts

Jack Bakker:
Elias wrote

Hi jack,
If ldap is required then the authentication would take place on the ldap server. This means that the username and password of ldap will be checked.


Jack asked

if ldap is not required ; do we know if authentication is FIRST tried against ldap and then against Liferay ? or might it be against Liferay first and then LDAP ?


Elias answer:

If required is true then liferay only search in ldap server.
If required is false then liferay will firstly seach in its repository, if the authentication is false then liferay will go to the third party (ldap) .

Conclusion, if ldap is not required, liferay will fetch firstly in its repository because its is more quick and its dependent to liferay, then fetch in ldap.
Hitoshi Ozawa
RE: Liferay and LDAP: current an old password works!
July 24, 2012 3:34 PM
Answer

Hitoshi Ozawa

Rank: Liferay Legend

Posts: 7949

Join Date: March 23, 2010

Recent Posts

Please try it and see it actually works. I think there was a bug which made it to always check liferay's repository.