« Back to LDAP with AD

LDAP with AD in Liferay 6.0.5

1. Introduction :

This is an example of a basic LDAP integration in Liferay 6.0.5. In the example we import users/groups into Liferay via LDAP and vice versa.

2. Environment

Windows Server 2003, Active Directory
Liferay 6.0.5

3. LDAP & AD


LDAP (Lightweight Directory Access Protocol) is a directory publishing service and specially designed for directory service providers.

Active Directory

AD (Active directory) is a directory service provider, where you can add new user to a directory, remove or modify, specify privilages, assign policy etc. Its just like a phone directory where every person have a unique contact number. Everything in AD(Active Directory) are considered as Objects and every object is given a Unique ID.


AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.

4 : AD Users

First you need to setup the Active Directory.

In Active Directory you need to define 2 OU(Organizational Unit). One is for storing or categorizing all the users. The second is to Create the groups.

For example:-

a) OU=Users

b) OU=Groups

4.1 Create OU in AD:

Go to DN – right click – NewOrganizational Unit

4.2 Create Users in AD:
Go to OU (mpower) – right click – NewUser

4.3 User’s Attributes:

You can test the users account by login in Active Directory machine with newly created users.

5. LDAP Configuration in Liferay

5.1 : Integration

a. Login as Administrator in liferay portal.

b. Go to Control Panel -> Settings -> Authentication -> LDAP select tab.

c. Check the Enabled box.

d. Id. If the Required box is checked only users in the LDAP server will be able to log into Liferay Portal. For this demonstration leave the box unchecked.

5.2: Server Name

Liferay Portal supports other directory servers in addition to the ones provided. The Apache Directory Server, Microsoft Active Directory Server, and Novell eDirectory comes preconfigured.

Select Server Name : Microsoft Active directory Server

5.3: Connection :

Provide given values and Test LDAP Connection :

Base Provider Url : ldap://

Base DN : ou=Tech,dc=mpowerglobal,dc=com

Principal : mpowerglobal\administrator

credentials : abc123.

mpowerglobal - domain name in AD

Tech - Organizational Unit : IP in AD Machine

389 : Port No.

ldap:// This tells the portal where the LDAP server is located )


Now test your connection to see if it validates.. You can test the connection by clicking “Test LDAP Connection” button. If it shows successful message, your connection is successful....

5.5: Users :

If you wish to change how users login (Ex. Login with screen name / emailaddress), then change the settings in the Authentication Search Filter field.

5.5.1 Users:

Provide these values :

Authentication Search Filter : (&objectCategory=Person)(mail=@email_address@)

import search filter: (objectClass=User)

( if objectClass is defined as “User” in AD, then we have to give “User” .

[ObjectClass = User, InetOrgPerson,...etc ] )

5.5.2 User Mapping :

Provide these values :

screenName : sn

password: userPassword

EmailAddress : mail

first Name : givenName

LastName : sn

Jobtitle : title

Group : memberOf


Now you can test the groups by clicking “Test LDAP Users” button. It will show all the Users from Active Directory.

Step 5.7: Import Users to Liferay

if you checked "Import on Startup Enabled", then restart your App Server.

Log back in, go the Control Panel->Users . Your imported Users will be there!

Imported Users :

Step 5.8: Groups

5.8.1 Groups

Provide these values:

importSearchfilter : (objectClass=group)

5.8.2: GroupMapping:

GroupName : cn

Description: description

User: member


Now you can test the groups by clicking “Test LDAP Groups” button. It will show all the Groups under the given OU ( Tech) from Active Directory. Also It will show Members of that groups.

5.10. Import Groups to Liferay User Group

LDAP groups are pulled into Liferay as UserGroups

Follow the “Step 4.9: Import Users to Liferay” which will import groups from AD to Liferay as follows:

6. AD-GROUPS – USERS Structure

( Create the following groups in AD, test1, ss & sss under the “Tech” [OU] and assign some users to that groups)

7. Export Users to AD

We can exports all the users from liferay to AD by providing these values.

Users DN = ou=Tech,dc=mpowerglobal,dc=com

User Default Object Classes = top,person,User,organizationPerson

Groups DN = ou=groups,dc=mpowerglobal,dc=com

Group Default Object Classes= top, group

( Note : if you give object name “User” in User Default Object Classes ,

In AD, object type will be “User” )

7.1: Add Liferay users: Go to Control Panel – Users – Add users

After setting the above value in control panel, if you create users in Liferay, it will be exported to AD.


7.2: Verify AD Users from Liferay:

All the Users from Liferay will be populated in AD as follows:

( Selected Users from below screen has been exported from Liferay)


8. Login into Liferay with Imported User

We need to uncheck this below option in AD : “User must change password at next logon”

If this checkbox is unchecked , then you can login with that particular user into Liferay.

If not, we need to login again in AD and change password, then Import to Liferay.

9. Troubleshooting

1. If User is not imported AD to Liferay,

a. Restart AD Server / Liferay

b. Make sure all the attributes are given while creating User in AD.

For ex, (Screen Name, Password, Email Address, First Name, and Last Name)


2. If imported user is not able to login into Liferay, uncheck the below option in AD while

creating user:

“User must change password at next logon”


3. If Group is not imported from AD to Liferay,

a. Make sure all the attributes are given while creating Group in AD,

For ex, (name,description)

b. If No member is assigned to Group in AD, That group will not import to Liferay.


4. Password Policy

Portal can be configured to use LDAP password policies. To configure the Portal to use LDAP's password policy, go to

· > Control Panel

· > "Settings" tab

· > "Authentication" tab

· > "LDAP" tab

· > and under the "Password Policy" section, click the "Use LDAP Password Policy" checkbox on (at the bottom)

If that has been done correctly, when you try and view the liferay Control Panel - Password Policy, you will get a message saying that “You are using LDAP's password policy. Please change your LDAP password policy settings if you wish to use a local password policy”.


0 Attachments
Average (0 Votes)
The average rating is 0.0 stars out of 5.
Threaded Replies Author Date
Esto esta muy bien explicado Fernando Maza January 25, 2011 5:42 PM
nice tutorial. and I have an issue when... Santhosh Kumar Poornachandra February 15, 2011 9:21 AM
I have never been able to use the email address... Tom Thomas March 1, 2011 1:17 PM
i could import the users but they cant login.... Joel Ferreira July 14, 2011 2:51 AM
Solved, thanks Tom Thomas! Joel Ferreira July 19, 2011 3:40 AM
Hi Joel, I am facing the same problem. Can u... Deawn Md Alimozzaman November 16, 2011 1:14 AM
Hi Paradise Lost, Sorry for the so long delay,... Joel Ferreira June 12, 2013 12:54 PM
I have a question, we synchronized the AD users... Rogelio Meza February 8, 2012 7:36 AM
Hi all, How I configuration auto add user in... Hau Van May 21, 2012 11:55 PM
I had the issue and I see no one answers how to... Aaron Weikle October 31, 2012 12:37 PM
I installed Apache DS and integrated with... Pradip A Bhatt June 11, 2013 5:24 AM
Has anybody tried this on Windows server 2008? John Peterson June 29, 2013 10:27 PM
Yes this works on Windows Server 2008 Josef Krzywon October 3, 2013 9:39 AM
Accordingly to the X.500 User schema definition... Ricardo Lorenzo January 8, 2014 12:49 AM
I am working with Liferay 6.0.5 . I am trying... ahmed almolla January 30, 2015 8:03 AM

Esto esta muy bien explicado
Posted on 1/25/11 5:42 PM.
nice tutorial. and I have an issue when importing user from LDAP. User in LDAP does not have mail attribute, when user logins in liferay forwards to a page to manually enter email address. but this step should be skipped as per our requirements. can somebody help?
Posted on 2/15/11 9:21 AM.
I have never been able to use the email address from LDAP to login. That is using the settings in this wiki article and variations on it - even though I get a valid list of users when I press the "test LDAP users" button.
I've only been able to use the screen name for logins with the authentication search filter set to (sAMAccountName=@screen_name@)
Posted on 3/1/11 1:17 PM.
i could import the users but they cant login. What could be the reason? Thanks.
Posted on 7/14/11 2:51 AM.
Solved, thanks Tom Thomas!
Posted on 7/19/11 3:40 AM in reply to Joel Ferreira.
Hi Joel,
I am facing the same problem. Can u pls tell me how did you fix it?
Posted on 11/16/11 1:14 AM in reply to Joel Ferreira.
I have a question, we synchronized the AD users and reboot the server, and can not enter the portal, or with AD users or the administrator who creates the principle of the installation, I can do?
Posted on 2/8/12 7:36 AM.
Hi all,
How I configuration auto add user in Liferay when one user added in AD. I mean when I add new user in AD, it auto add user in Liferay
Posted on 5/21/12 11:55 PM.
I had the issue and I see no one answers how to fix it....well for most of us who are integrating with AD you have a User Logon ID that AD uses for authentication. Here is how you fix it:

Step one set How to authenticate to "By Screen Name"
Step two set Authentication Search Filter to "(sAMAccountName=@screen_name@)"
Step three set ScreenName to "sAMAccountName"

Save your LDAP configuration and you will be able to authenticate against AD

Posted on 10/31/12 12:37 PM in reply to Hau Van.
I installed Apache DS and integrated with Liferay. I am using Liferay 6.2.0 m2 CE version., But now If I delete user from LDAP then also Liferay provides login facility. It should be deleted from Liferay table also. As well as at the time of creation of new user in liferay, it must be added into LDAP automatically.

please reply me.
Posted on 6/11/13 5:24 AM.
Hi Paradise Lost,

Sorry for the so long delay, only have came here now because an email from last reply. If i remember correctly i followed the Tom Thomas suggestion. Anyway i hope you have already this solved eheheh

Posted on 6/12/13 12:54 PM in reply to Paradise Lost.
Has anybody tried this on Windows server 2008?
Posted on 6/29/13 10:27 PM.
Yes this works on Windows Server 2008
Posted on 10/3/13 9:39 AM in reply to John Peterson.
Accordingly to the X.500 User schema definition for LDAPv3 (http://www.ietf.org/rfc/rfc2256.txt), the attribute "sn" always refer to the surname, and should not be mapped to the screenname. The proper attribute on AD should be sAMAccountName and "uid" in the case of other directories.
Posted on 1/8/14 12:49 AM.
I am working with Liferay 6.0.5 . I am trying to set the active directory settings on Liferay.
when I set the configurations and click on save the settings and reopen it again to edit i find that user mapping data is empty , How to fix this ?
note : when i click on test users its succeeds
and when i try to authenticat active directory user I get
"ERROR [LDAPAuth:318] Problem accessing LDAP server
3com.liferay.portal.UserEmailAddressException: Email address cannot be null for"
what is the cause of this
I have some questions :
1)Can the user change his active directory password from Liferay?
if yes, is there a special configuration for that on both liferay and active directory ?
if no,what is the alternative ?

2) If the user active directory password is going to expire will he get a notification on liferay before it expires ?

3) If the user entered a wrong password more than say 3 times and the active directory policy is lock the user account , is this going to affect Liferay user and how?
Posted on 1/30/15 8:03 AM.