RE: Ldap import user password enabled not working as expected
sadish ravi, modified 12 years ago.
Ldap import user password enabled not working as expected
New Member Posts: 2 Join Date: 19.04.12
hi,
I am trying to do auth using LDAP in Liferay and I would like to use only LDAP as auth and not do a second auth against Liferay. Also I do not want to import user passwords to Liferay. I am using Liferay 6.1 CE.
My settings:
#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Enable the below setting for enabling LDAP referral follow
#ldap.referral=follow
#LDAP connection settings
ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret
# enable/disable liferay authentication
auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
# Set below property to false to disable ldap auth
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind
# LDAP import properties
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
# LDAP Export properties
ldap.export.enabled=false
ldap.export.group.enabled=false
ldap.auth.search.filter.0=(mail=@email_address@)
# Provide mapping for the 5 mandatory LDAP attributes for Liferay to authenticate with LDAP
# other attributes jobTitle=title, group=groupMembership
ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=
# Attributes to skip
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn
# Search filters for users and groups. These properties apply only when ldap.import.enabled is true
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)
# password policy
ldap.password.policy.enabled=true
# setting this to false will make sure LDAP user password is not imported to the portal
ldap.import.user.password.enabled=false
# autogenerate user passwords in case the import password property is false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
When I set ldap.import.user.password.enabled=false, I found that in the LDAPAuth class, the authenticate function checks for (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) and only if it's set to true does it do password verification for the user; otherwise it skips the block, and hence I am able to log in with the user email and any random password and it works.
Please let me know if there is a fix for this, or whether I can extend the LDAPAuth class to fix it myself. If so, let me know how that can be done.
Jonas Yuan, modified 12 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
This new feature should be available in 6.1 by default.
No customization is needed. Refer to the blog post "Keeping user password secure with LDAP integration".
Hope that it helps,
Thanks
Jonas Yuan
sadish ravi, modified 12 years ago.
RE: Ldap import user password enabled not working as expected
New Member Posts: 2 Join Date: 19.04.12
Hey Jonas,
I have tested it a couple of times today. All cases work fine, except that when I set
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password
Liferay is not authenticating the LDAP password. I am able to log in with email and any password combination, and the user gets imported to Liferay with the default password of 'password' that's set above.
My entire settings:
terms.of.use.required=false
users.reminder.queries.enabled=false
#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#ldap.referral=follow
ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret
auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method= password-compare
ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm.types=MD5
ldap.import.group.cache.enabled=false
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.export.enabled=false
ldap.export.group.enabled=false
ldap.auth.search.filter.0=(mail=@email_address@)
ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)
ldap.password.policy.enabled=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password
As I sent you in a mail, I feel this section of code is what is bypassing the password check in case the property is false.
In the class LDAPAuth.java, I could see that the below check, which calls another authenticate method for LDAP password verification, is not getting executed.
And hence I am able to log in with any LDAP password, provided the account exists. Also I have turned off Liferay auth.
protected int authenticate(long companyId, long ldapServerId, String emailAddress,
        String screenName, long userId, String password)
    .....
    ....
    ........
    if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
        ldapAuthResult = authenticate(
            ldapContext, companyId, attributes, fullUserDN,
            password);

        // Process LDAP failure codes
        String errorMessage = ldapAuthResult.getErrorMessage();

        if (errorMessage != null) {
            if (errorMessage.indexOf(PrefsPropsUtil.getString(
                    companyId, PropsKeys.LDAP_ERROR_USER_LOCKOUT))
                        != -1) {
                throw new UserLockoutException();
            }
            else if (errorMessage.indexOf(PrefsPropsUtil.getString(
                    companyId, PropsKeys.LDAP_ERROR_PASSWORD_EXPIRED))
                        != -1) {
                throw new PasswordExpiredException();
            }
        }

        if (!ldapAuthResult.isAuthenticated() &&
            PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
            return FAILURE;
        }
    }....
thank you
Sadish
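The control-flow problem described in the post above, reduced to a self-contained model with a hardened counterpart beside it. This is an added example, not Liferay source code and not the fix patch mentioned in this thread; the class LdapAuthModel, its methods, the result codes and the in-memory DIRECTORY are hypothetical stand-ins for the real LDAP bind or password-compare.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added illustration, not Liferay code: all names here are hypothetical.
public class LdapAuthModel {
    static final int SUCCESS = 1, FAILURE = -1, DNE = 0; // model result codes
    // Constructed sample directory standing in for the LDAP server.
    static final Map<String, String> DIRECTORY =
        Map.of("test@example.com", "correct-horse");
    // Local portal user store: email -> locally stored password (or null).
    static final Map<String, String> LOCAL_STORE = new HashMap<>();

    // Stand-in for the real LDAP bind / password-compare round trip.
    static boolean verifyAgainstDirectory(String email, String password) {
        String expected = DIRECTORY.get(email);
        if (expected == null || password == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            password.getBytes(StandardCharsets.UTF_8));
    }

    // Flawed shape: the credential check is nested under the import flag,
    // so with the flag off every existing account accepts any password.
    static int authenticateFlawed(String email, String password, boolean importPw) {
        if (!DIRECTORY.containsKey(email)) {
            return DNE;
        }
        if (importPw && !verifyAgainstDirectory(email, password)) {
            return FAILURE;
        }
        LOCAL_STORE.put(email, importPw ? password : null);
        return SUCCESS;
    }

    // Hardened shape: verification is unconditional; the flag only decides
    // whether the verified password is copied into the local store.
    static int authenticateHardened(String email, String password, boolean importPw) {
        if (!DIRECTORY.containsKey(email)) {
            return DNE;
        }
        if (!verifyAgainstDirectory(email, password)) {
            return FAILURE;
        }
        LOCAL_STORE.put(email, importPw ? password : null);
        return SUCCESS;
    }

    public static void main(String[] args) {
        String user = "test@example.com";
        // Regression check: a wrong password must fail for both flag values.
        for (boolean flag : new boolean[] {true, false}) {
            int f = authenticateFlawed(user, "wrong", flag);
            int h = authenticateHardened(user, "wrong", flag);
            System.out.printf("import=%b flawed=%d hardened=%d%n", flag, f, h);
            if (h != FAILURE) {
                throw new AssertionError("wrong password accepted");
            }
        }
    }
}
```

The loop in main is the regression test worth keeping against a real deployment: a wrong password for an existing directory account has to be rejected with the import flag set either way.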
Jonas Yuan, modified 12 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi sadish
It seems there is a bug related to this new feature.
Could you please grant LDAP access? Thus I may be able to narrow down the bug and generate a fix.
Thanks
Jonas Yuan
Jonas Yuan, modified 12 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Sadish,
There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately I have generated a fix patch. With the following settings and the fix patch, the feature works as expected:
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
Drop an email if you still need this feature and the fix patch.
The fix patch for 6.0 is also available.
Thanks
Jonas Yuan
Salvador Baena, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
New Member Posts: 11 Join Date: 10.05.12
Hi Jonas,
I'm using version 6.1 and I have the same problem.
Could you tell me where to download the fix patch and how to install it?
Thank you very much
Best Regards
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Salvador,
You may drop an email to jonasliferay@gmail.com. I could send you the patch by email.
Thanks
Jonas Yuan
Manuel Hoyos García, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 60 Join Date: 11.06.12
Hi Jonas,
I have the same problem but I'm working in Liferay 5.0.2. Is it possible to fix it?
Thanks
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Manuel Hoyos,
Yes, it is possible.
Is there any reason that you did not use 6.1 CE?
Thanks
Jonas Yuan
Manuel Hoyos, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 60 Join Date: 11.06.12
For now, our corporate intranet is under version 5.0.2. The change is in progress, but we hoped to fix the problem in this version.
Thanks
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
It is possible to generate a fix patch for 5.0.2. But it requires special care.
Is it urgent for you?
Thanks
Jonas Yuan
Manuel Hoyos, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 60 Join Date: 11.06.12
Thanks for the reply,
It is urgent to know the answer, to assess its cost and the risk of applying it.
Thanks again and best regards
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Manuel,
Could you please drop an email to jonasliferay@gmail.com?
Hope that a fix patch could be available on an urgent basis.
Thanks
Jonas Yuan
amit singh, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
New Member Posts: 12 Join Date: 07.02.12
Hi Jonas,
I am also facing a similar problem for 6.1 CE.
Can you please send me the fix patch for this bug?
I have already requested you from my email id eramitsingh1985@gmail.com, please revert on the same.
Thanks,
Amit Singh
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Amit,
You should receive the patch.
It would be nice if you could share your testing results here.
Thanks
Jonas Yuan
amit singh, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
New Member Posts: 12 Join Date: 07.02.12
Hi Jonas,
Applying this patch on the 6.1.X code base resulted in LDAP authentication working fine as required; however, the user is also able to log in with the password stored in the Liferay database even when Required is enabled using the Control Panel for Liferay.
Still the problem remains the same!!
Regards,
Amit
Sunil Rai, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 57 Join Date: 31.01.12
Jonas Yuan:
Hi Sadish,
There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately I have generated a fix patch. With the following settings and the fix patch, the feature works as expected:
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
Drop email if you still need this feature and fix patch.
The fix patch for 6.0 is also available.
Thanks
Jonas Yuan
Hi Jonas,
After upgrading to Liferay 6.1.0 CE I am facing a problem with LDAP. After disabling the LDAP option only, the user is able to log in, but before the upgrade LDAP was working fine on Liferay 5.2.3 CE. Do you think the mentioned patch will help for this?
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Sunil,
Yes, the same feature could be downgraded to the 5.2 version. It will require special care.
Thanks,
Jonas
Sunil Rai, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 57 Join Date: 31.01.12
Hi Jonas,
I have sent you mail on your gmail ID "jonasliferay@gmail.com" regarding the mentioned patch. Please provide me the same.
Regards,
Sunil Rai
Sunil Rai, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 57 Join Date: 31.01.12
Jonas Yuan:
Hi Sunil,
Yes, the same feature could be downgraded to the 5.2 version. It will require special care.
Thanks,
Jonas
Hi Jonas,
It is difficult to depend on the forum if you have a deadline. Anyway I have cancelled the plan to upgrade to Liferay 6.1.0 CE.
Unfortunately the forum is not active even though the solution is available.
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Sunil,
Sorry that I did not get a chance to build the fix patch for 5.2.3.
Is this urgent for you?
Thanks
Jonas Yuan
Sunil Rai, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 57 Join Date: 31.01.12
Hi Jonas,
Thanks for the update, but yes, it is urgent; otherwise there is no other solution than to stick with Liferay 5.2.3 CE.
Let me know if you need any further details from my side.
Thanks,
Sunil Rai
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Sunil,
Good luck using the fix patch.
Thanks
Jonas Yuan
Luca Basile, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
New Member Posts: 2 Join Date: 04.07.12
Hi everyone,
I'm stuck with the same problem. Where can I get this patch? Do I need to follow some specific steps to obtain it?
Thanks in advance,
Cheers.
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Luca,
Which version are you using?
You may drop an email to jonasliferay@gmail.com for the fix patch.
Thanks
Jonas Yuan
Sunil Rai, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 57 Join Date: 31.01.12
Jonas Yuan:
Hi Sunil,
Good luck using the fix patch.
Thanks
Jonas Yuan
Thanks a lot Jonas.
I will try to implement this and I will share my experience with you soon.
Regards,
Sunil
amit singh, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
New Member Posts: 12 Join Date: 07.02.12
Hi Sadish,
Did your problem with Liferay - LDAP integration get resolved using the patch provided by Jonas?
I am also facing a similar issue with Liferay 6.1 CE.
Has this patch not been applied to the WAR bundle available on the Liferay download website page?
Thanks,
Amit Singh
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Amit,
The fix patch for 6.1 GA2 CE is ready.
Please drop an email to jonasliferay@gmail.com for the fix.
Thanks
Jonas Yuan
amit singh, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
New Member Posts: 12 Join Date: 07.02.12
Hi Jonas,
Does this patch apply to liferay-portal-6.1.1-ce-ga2?
Thanks,
Amit
Jonas Yuan, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Liferay Master Posts: 993 Join Date: 27.04.07
Hi Amit,
As you mentioned in Google Talk, please share your test results.
Thanks
Jonas Yuan
Michal R, modified 11 years ago.
RE: Ldap import user password enabled not working as expected
Junior Member Posts: 25 Join Date: 28.05.12
Jonas,
Why not raise a Liferay JIRA issue, fix the bug there and distribute it via standard means (i.e. versioning system) to everybody?