LDAP with AD in Liferay 6.0.5
1. Introduction :
This is an example of a basic LDAP integration in Liferay 6.0.5. In the example we import users/groups into Liferay via LDAP and vice versa.
Windows Server 2003, Active Directory
3. LDAP & AD
LDAP (Lightweight Directory Access Protocol) is a directory publishing service and specially designed for directory service providers.
AD (Active directory) is a directory service provider, where you can add new user to a directory, remove or modify, specify privilages, assign policy etc. Its just like a phone directory where every person have a unique contact number. Everything in AD(Active Directory) are considered as Objects and every object is given a Unique ID.
LDAP vs AD
AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.
4 : AD Users
First you need to setup the Active Directory.
In Active Directory you need to define 2 OU(Organizational Unit). One is for storing or categorizing all the users. The second is to Create the groups.
4.1 Create OU in AD:
Go to DN – right click – New – Organizational Unit
4.2 Create Users in AD:
Go to OU (mpower) – right click – New – User
4.3 User’s Attributes:
You can test the users account by login in Active Directory machine with newly created users.
5. LDAP Configuration in Liferay
5.1 : Integration
a. Login as Administrator in liferay portal.
b. Go to Control Panel -> Settings -> Authentication -> LDAP select tab.
c. Check the Enabled box.
d. Id. If the Required box is checked only users in the LDAP server will be able to log into Liferay Portal. For this demonstration leave the box unchecked.
5.2: Server Name
Liferay Portal supports other directory servers in addition to the ones provided. The Apache Directory Server, Microsoft Active Directory Server, and Novell eDirectory comes preconfigured.
Select Server Name : Microsoft Active directory Server
5.3: Connection :
Provide given values and Test LDAP Connection :
Base Provider Url : ldap://172.22.1.26:389
Base DN : ou=Tech,dc=mpowerglobal,dc=com
Principal : mpowerglobal\administrator
credentials : abc123.
mpowerglobal - domain name in AD
Tech - Organizational Unit
389 : Port No.
ldap://172.22.1.26:389: This tells the portal where the LDAP server is located )
5.4: TEST LDAP CONNECTION :
Now test your connection to see if it validates.. You can test the connection by clicking “Test LDAP Connection” button. If it shows successful message, your connection is successful....
5.5: Users :
If you wish to change how users login (Ex. Login with screen name / emailaddress), then change the settings in the Authentication Search Filter field.
Provide these values :
Authentication Search Filter : (&objectCategory=Person)(mail=@email_address@)
import search filter: (objectClass=User)
( if objectClass is defined as “User” in AD, then we have to give “User” .
[ObjectClass = User, InetOrgPerson,...etc ] )
5.5.2 User Mapping :
Provide these values :
screenName : sn
EmailAddress : mail
first Name : givenName
LastName : sn
Jobtitle : title
Group : memberOf
5.6 TEST LDAP USERS:
Now you can test the groups by clicking “Test LDAP Users” button. It will show all the Users from Active Directory.
Step 5.7: Import Users to Liferay
if you checked "Import on Startup Enabled", then restart your App Server.
Log back in, go the Control Panel->Users . Your imported Users will be there!
Imported Users :
Step 5.8: Groups
Provide these values:
importSearchfilter : (objectClass=group)
GroupName : cn
5.9: TEST LDAP GROUPS:
Now you can test the groups by clicking “Test LDAP Groups” button. It will show all the Groups under the given OU ( Tech) from Active Directory. Also It will show Members of that groups.
5.10. Import Groups to Liferay User Group
LDAP groups are pulled into Liferay as UserGroups
Follow the “Step 4.9: Import Users to Liferay” which will import groups from AD to Liferay as follows:
6. AD-GROUPS – USERS Structure
( Create the following groups in AD, test1, ss & sss under the “Tech” [OU] and assign some users to that groups)
7. Export Users to AD
We can exports all the users from liferay to AD by providing these values.
Users DN = ou=Tech,dc=mpowerglobal,dc=com
User Default Object Classes = top,person,User,organizationPerson
Groups DN = ou=groups,dc=mpowerglobal,dc=com
Group Default Object Classes= top, group
( Note : if you give object name “User” in User Default Object Classes ,
In AD, object type will be “User” )
7.1: Add Liferay users: Go to Control Panel – Users – Add users
After setting the above value in control panel, if you create users in Liferay, it will be exported to AD.
7.2: Verify AD Users from Liferay:
All the Users from Liferay will be populated in AD as follows:
( Selected Users from below screen has been exported from Liferay)
8. Login into Liferay with Imported User
We need to uncheck this below option in AD : “User must change password at next logon”
If this checkbox is unchecked , then you can login with that particular user into Liferay.
If not, we need to login again in AD and change password, then Import to Liferay.
1. If User is not imported AD to Liferay,
a. Restart AD Server / Liferay
b. Make sure all the attributes are given while creating User in AD.
For ex, (Screen Name, Password, Email Address, First Name, and Last Name)
2. If imported user is not able to login into Liferay, uncheck the below option in AD while
“User must change password at next logon”
3. If Group is not imported from AD to Liferay,
a. Make sure all the attributes are given while creating Group in AD,
For ex, (name,description)
b. If No member is assigned to Group in AD, That group will not import to Liferay.
4. Password Policy
Portal can be configured to use LDAP password policies. To configure the Portal to use LDAP's password policy, go to
· > Control Panel
· > "Settings" tab
· > "Authentication" tab
· > "LDAP" tab
· > and under the "Password Policy" section, click the "Use LDAP Password Policy" checkbox on (at the bottom)
If that has been done correctly, when you try and view the liferay Control Panel - Password Policy, you will get a message saying that “You are using LDAP's password policy. Please change your LDAP password policy settings if you wish to use a local password policy”.