
Multiple AD domains, Liferay is not storing the users domain?

Cameron McBride, modified 12 years ago.


Expert, Posts: 269, Joined: 08.02.11
We have 200k+ users spread across multiple domains. It looks like Liferay does not store the user's domain in the user table or even take this into account when logging in. It looks like it will flip through each domain, in the order you specify them, until it finds the user.

Is the domain stored somewhere in the Liferay database? If I wanted to search for users in the Hillbilly domain, would that not be possible?

Thanks!
David H Nebinger, modified 12 years ago.

RE: Multiple AD domains, Liferay is not storing the users domain?

Liferay Legend, Posts: 14917, Joined: 02.09.06
Nope. You could perchance add this as a custom field, hook the LDAP import to populate the custom field, then use the value during authentication to identify the AD to use for authentication, but it's not going to do these things out of the box.

Liferay is just storing the least common denominator when it comes to the external auth systems. Hence the iteration through each of the AD nodes looking for one willing to authenticate the user.
Cameron McBride, modified 12 years ago.

RE: Multiple AD domains, Liferay is not storing the users domain?

Expert, Posts: 269, Joined: 08.02.11
I'm not 100% sure of the impact of this in our organization; it may not be needed. After speaking with the Active Directory architect, we do have cases where a user name exists across multiple domains BUT they don't want that to happen. Those are a few cases that need to be cleaned up.

For Kerberos (Spnego) or NTLMv2 (Jespa or possibly the built-in Liferay) SSO filter, the authentication will happen against the correct domain controller. For example, DOMAIN-A\BUBBA will always be authenticated against DOMAIN-A and never DOMAIN-B. Because the user is authenticated, I can immediately log them in if their account exists. It will only be flipping through multiple domains looking for a user in a form-based login.

Adding a custom field via a hook and adding the domain from ldap is a pretty decent idea. I've already done something similar to this on an external site to require accounts to be approved. I might see what I can whip up.
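An added Python model (not code from this thread or from Liferay) of the two login paths discussed above: the ordered walk through the configured AD servers that Cameron describes, and the domain-scoped lookup David suggests via a custom field. The directories, user records and function names are constructed assumptions; it also includes a small collision audit for the duplicate user names the AD architect wants cleaned up.

```python
# Constructed model of the two login paths discussed in the thread; directory
# contents, user records and helper names are hypothetical, not Liferay's API.

# Directories in the order an admin configures them: (domain, {screen name: password})
DIRECTORIES = [
    ("DOMAIN-A", {"bubba": "a-secret", "alice": "alice-pw"}),
    ("DOMAIN-B", {"bubba": "b-secret"}),
]

# Portal user table with the proposed "adDomain" custom field. Screen names are
# unique in the portal, so only one "bubba" exists; it was imported from DOMAIN-B.
USER_TABLE = {
    "bubba": {"userId": 1001, "adDomain": "DOMAIN-B"},
    "alice": {"userId": 1002, "adDomain": "DOMAIN-A"},
}

def bind(domain, screen_name, password):
    """Simulated LDAP bind against one directory."""
    users = dict(DIRECTORIES).get(domain, {})
    return users.get(screen_name) == password

def ordered_walk_login(screen_name, password):
    """Current behaviour: try every directory in order; the first successful bind
    wins regardless of which domain the portal user was imported from."""
    for domain, _ in DIRECTORIES:
        if bind(domain, screen_name, password):
            return domain
    return None

def domain_scoped_login(login, password):
    """Proposed variant: honour an explicit DOMAIN\\user prefix (as the SSO filters
    do), else use the domain stored on the portal user, and bind only there."""
    if "\\" in login:
        domain, screen_name = login.split("\\", 1)
    else:
        screen_name, record = login, USER_TABLE.get(login)
        if record is None:
            return None
        domain = record["adDomain"]
    return domain if bind(domain, screen_name, password) else None

def audit_collisions():
    """Screen names present in more than one directory: the accounts the AD
    architect wants cleaned up, and where the ordered walk can mis-map a login."""
    seen = {}
    for domain, users in DIRECTORIES:
        for name in users:
            seen.setdefault(name, []).append(domain)
    return {n: d for n, d in seen.items() if len(d) > 1}
```

With the ordered walk, DOMAIN-A's "bubba" password logs into a portal account that was imported from DOMAIN-B; the domain-scoped variant rejects it unless the DOMAIN-A prefix is given explicitly.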