Forums

LDAP password export

Asier Vara, edited 10 years ago.

LDAP password export

New Member, Posts: 8, Join date: 19.07.13
Hi,

I have a problem with the user password export from Liferay (Liferay 6.1.1 CE GA2) to Microsoft Active Directory. All my attempts let me export the user's information, for example first name and surname, but the password is impossible to export after I change it in the user's My Account password form.

I have tried many things but I have not seen any light on my way yet. I do not know why it does not work; it could be because of my poor knowledge of the Liferay core, but I think neither my configuration nor my attempts are so bad. These are the things I have tried:
1. I have configured my LDAP connection over SSL: LDAPS:636. Why? Because somewhere I read that Active Directory needs a secure connection to allow a password change.

2. I have created an ext-plugin for "UserLocalServiceUtil" where I modified the updateUser(a lot of parameters here) method to mark the password as modified by calling "user.setPasswordModified(true)" and then "userPersistence.update(user,false)" to persist the change. As it did not work, I also tried, just in case, the "setPasswordModifiedDate" method to fully persist the password change.

3. After my failure with the above ext-plugin I modified it again, adding a new call to "PortalLDAPExporterUtil.exportToLDAP". If I understand correctly, this method takes the changes on the user object and applies them to Active Directory, but I could not get it to work for this purpose. As the second parameter of that method I pass the user attributes obtained through the expandoBridge, adding to that empty list of attributes the password in plain text, using both "password" and "userPassword" as the name (the latter is the one used in the LDAP user mapping).

4. I have also tried to use the password-compare method, adding the following lines to the portal-ext.properties file:
"ldap.auth.password.encryption.algorithm=SHA
ldap.auth.method=password-compare"
But when I add the above lines the login stops working.

I hope you can help me with the problem, because I cannot imagine why it does not work with just a correct configuration.

I attach two images to my post to give you an idea of my LDAP configuration. Many thanks in advance, and sorry if my English is not so good.
Antoine Comble, edited 10 years ago.

RE: LDAP password export

Regular Member, Posts: 232, Join date: 07.09.12
Hi,

Can you check that the password in Active Directory is not read-only?

Antoine
Asier Vara, edited 10 years ago.

RE: LDAP password export

New Member, Posts: 8, Join date: 19.07.13
Antoine Comble:
Hi,

Can you check that the password in Active Directory is not read-only?

Antoine
Hi Antoine,

Thank you for your answer. I checked the Active Directory configuration, including the password policy, but I did not find any kind of indicator that could tell me the password is read-only. I think everything is OK.

After I checked that, I started reading some information about Microsoft Active Directory and how the password change works. This reading gave me a new clue and the cause of my problem. The problem is in the user mapping configuration, because I put "userPassword" while Active Directory needs "unicodePwd", together with some other requirements which, after checking the Liferay code, I saw they had already implemented. So after I changed that configuration in Liferay the password export started working.

The solution now has another problem: when I try to log in it gives me a bad credentials error, but I think it is related to "ldap.auth.password.encryption.algorithm". I will try to change it and, if all goes well, I will share the solution.

Asier.
Asier Vara, edited 10 years ago.

RE: LDAP password export

New Member, Posts: 8, Join date: 19.07.13
I have finally solved the problem. The complete solution to allow exporting passwords to Microsoft Active Directory (I use Windows Server 2008 R2):

1. Enable LDAP Password Policy

2. Configure the connection to Active Directory as LDAPS.

3. Use as User Mapping:
"ScreenName=sAMAccountName
Password=unicodePwd
EmailAddress=userprincipalname
FirstName=givenName
LastName=sn
Job Title=title
Group=memberOf"

4. Use as export configuration the information shown in the second image of my first post. I use JXplorer to see all the object classes of the objects.

5. Add these two lines to portal-ext.properties:
"ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA"

I think I have not forgotten anything.

I hope this information helps someone and saves them some frustration.
Gustavo Pimenta, edited 10 years ago.

RE: LDAP password export

New Member, Posts: 5, Join date: 28.10.13
Hey buddy!
First, thanks for your proactive and helpful post. You made the difference...
I think I have the same scenario as you. I also did the same, but I still cannot import the password from Active Directory; it comes in blank.
The import process is fine (I guess). I can see all users and groups, but I did not set the EXPORT settings because I am afraid a big problem could happen, so just the user import is good enough for me.
I have everything but the passwords. I tried to set a password manually on an imported user account and it works fine. This makes me think that LDAP is not bringing the passwords from Active Directory.
Do you have more ideas to solve this?
Many thanks!
Gustavo Pimenta, edited 10 years ago.

RE: LDAP password export

New Member, Posts: 5, Join date: 28.10.13
Just to confirm.
What I need to add to portal-ext.properties is:

"ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA

OR

ldap.auth.password.encryption.algorithm=ldap.auth.password.encryption.algorithm.types=MD5,SHA (all together...)???
Christoph Rabel, edited 10 years ago.

RE: LDAP password export

Liferay Legend, Posts: 1554, Join date: 24.09.09
You only need this setting:
ldap.auth.password.encryption.algorithm=

The other setting is not necessary.

I took a look at the implementation a while ago. In the default configuration Liferay tries to store the password with encryption NONE, i.e. plaintext. That is not allowed by a lot of LDAP servers for security reasons.

With the above setting, Liferay basically does nothing and sends the password in plaintext to the LDAP server (you should configure your LDAP server for LDAPS!), and the LDAP server chooses whatever encryption it normally uses.
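The two requirements the thread converges on (Asier's step 5 and the mapping in step 3, and Christoph's explanation of the empty encryption-algorithm setting) can be checked mechanically. The block below is an added example, not Liferay code and not code from anyone in this thread: it encodes a password the way Active Directory's unicodePwd attribute requires (the value is the password wrapped in double quotes, encoded as UTF-16LE, and AD only accepts the write over a confidential connection such as LDAPS), and it lints a portal-ext.properties fragment plus a user mapping for the settings discussed above. The property key ldap.base.provider.url.0 and the sample configurations are assumptions made for illustration; only the keys quoted in the posts are taken from the thread.

```python
"""
Added example (not from Liferay or this thread): build an AD-compatible
unicodePwd value and lint the Liferay LDAP export settings discussed above.
"""
from typing import Dict, List

# Constructed sample configurations for illustration (not the thread's screenshots).
# The key ldap.base.provider.url.0 is assumed; the other keys are quoted in the thread.
BAD_CONFIG = """
ldap.base.provider.url.0=ldap://dc01.example.test:389
ldap.auth.method=password-compare
ldap.auth.password.encryption.algorithm=SHA
"""
BAD_MAPPING = """
screenName=sAMAccountName
password=userPassword
emailAddress=userPrincipalName
"""
GOOD_CONFIG = """
ldap.base.provider.url.0=ldaps://dc01.example.test:636
ldap.auth.method=bind
ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA
"""
GOOD_MAPPING = """
screenName=sAMAccountName
password=unicodePwd
emailAddress=userPrincipalName
firstName=givenName
lastName=sn
"""


def ad_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password as Active Directory expects for unicodePwd.

    AD rejects the modify unless the value is the password enclosed in double
    quotes and encoded as UTF-16LE without a BOM, sent over an encrypted
    (LDAPS or signed/sealed) connection. AD hashes the value itself; a
    pre-hashed value such as {SHA}... is never accepted.
    """
    return f'"{password}"'.encode("utf-16-le")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal key=value parser for Java-style properties and mapping lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        props[key.strip()] = value.strip() if sep else ""
    return props


def check_ad_export(properties: str, user_mapping: str) -> List[str]:
    """Return a list of findings; an empty list means the settings match the thread's fix."""
    props = parse_properties(properties)
    mapping = parse_properties(user_mapping)
    findings: List[str] = []

    # 1. AD refuses unicodePwd writes over a cleartext connection.
    url = props.get("ldap.base.provider.url.0", "")  # assumed key name
    if not url.lower().startswith("ldaps://"):
        findings.append(f"provider URL is not LDAPS: {url!r}")

    # 2. Liferay must pass the cleartext password through; set the algorithm to empty.
    algo = props.get("ldap.auth.password.encryption.algorithm")
    if algo is None:
        findings.append("ldap.auth.password.encryption.algorithm is not set explicitly; set it to an empty value")
    elif algo != "":
        findings.append(f"ldap.auth.password.encryption.algorithm={algo}: AD will not accept a pre-hashed password")

    # 3. password-compare cannot work against AD: unicodePwd is write-only over LDAP.
    if props.get("ldap.auth.method") == "password-compare":
        findings.append("ldap.auth.method=password-compare: AD never returns unicodePwd, use bind")

    # 4. The user mapping must target unicodePwd, not userPassword.
    pwd_attr = mapping.get("password", "")
    if pwd_attr.lower() != "unicodepwd":
        findings.append(f"password mapped to {pwd_attr!r}; Active Directory needs unicodePwd")

    return findings


if __name__ == "__main__":
    print(ad_unicode_pwd("Pa$$w0rd!").hex(" "))
    for name, cfg, mapping in (("bad", BAD_CONFIG, BAD_MAPPING), ("good", GOOD_CONFIG, GOOD_MAPPING)):
        print(name, check_ad_export(cfg, mapping) or "no findings")
```

The encoding function is what you would feed to an LDAP modify of unicodePwd from any client; the linter only reads the Liferay-side text, so it cannot tell you whether the bind account actually has the "Reset password" right on the target OU, which is the other common reason such an export fails.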
amir keshavarz, edited 10 years ago.

RE: LDAP password export

Junior Member, Posts: 54, Join date: 09.10.10
Hi,

I had the same problem when I was trying to export user passwords from Liferay 5.2.2 into Active Directory, and in the end I decided to change the LDAP server; it is now working fine with Oracle OpenDS.