Forums

Setting up LDAP Authentication without Password Field?

Klaus Bachmaier, modified 9 years ago.

Setting up LDAP Authentication without Password Field?

Regular Member Posts: 223 Join Date: 30.09.13 Recent Posts
I'm asked to enable LDAP Authentication on a Liferay 6.2 Server, where the LDAP Server is a Microsoft Active Directory. I used an AD Browser to analyze the Fields in each User's Record, so that I know which fields to use in the Mapping Fields in Liferay LDAP Configuration. As far as I've read in other Threads I'll need at least these Fields for each user, even if I don't plan to import the LDAP Data but only authenticate against the LDAP Repository:

- Screenname
- Firstname
- Lastname
- Email
- Password

Unfortunately the AD (Windows 2008) of my customer doesn't expose a userPassword Field. Will LDAP Authentication work in any way without knowing/mapping the Password Field in Liferay?
David H Nebinger, modified 9 years ago.

RE: Setting up LDAP Authentication without Password Field?

Liferay Legend Posts: 14919 Join Date: 02.09.06 Recent Posts
It should.

When authenticating to LDAP, the username and password provided will be used to bind to LDAP (if you're using email address the screen name will be pulled from the DB). As long as the bind is good, you should be good as well.
Klaus Bachmaier, modified 9 years ago.

RE: Setting up LDAP Authentication without Password Field?

Regular Member Posts: 223 Join Date: 30.09.13 Recent Posts
Thank you David!

I asked because in my case authentication hasn't worked initially. Turned out that my User Search Filter Expression was incorrect for Windows Server 2008 R2. This AD Server generally doesn't expose a userPassword Field, and therefore Liferay's Configuration Options are a little bit misleading.

If anyone else should be struggling with Windows Server 2008 this should be the right User Search Filter:

(&(objectCategory=person)(sAMAccountName=@screen_name@))
Hemant Behera, modified 7 years ago.

RE: Setting up LDAP Authentication without Password Field?

Junior Member Posts: 36 Join Date: 01.12.09 Recent Posts
Hi David,

In my case, the userPassword field is not set in Microsoft AD and when I try to log in using email id, the authentication fails. Is it required that userPassword be set in Microsoft AD? I just want to bind the user and do not want to store/pass this password to Liferay.
Please suggest.
David H Nebinger, modified 7 years ago.

RE: Setting up LDAP Authentication without Password Field?

Liferay Legend Posts: 14919 Join Date: 02.09.06 Recent Posts
Password is a required field and will be copied during LDAP import.

It's not really used normally; when you are using LDAP auth it always verifies using a bind, so you get the effect you're looking for.

The password is mirrored to allow access to the environment when LDAP is down; since Liferay has a password users can log in during an outage.

Come meet me at the LSNA!
Sumit Kumar, modified 7 years ago.

RE: Setting up LDAP Authentication without Password Field?

New Member Post: 1 Join Date: 14.06.16 Recent Posts
Could you please clarify the point "Password is a required field and will be copied during LDAP import"? Does this mean that even if Liferay doesn't store the password, it will fetch the password from LDAP? As Hemant mentioned in the above post, we are still not able to authenticate. When I talk with the customer's LDAP team, they say Liferay is trying to fetch the password, for which the LDAP blocks the authentication. Let me know if you have any insight on this.

Please also advise if Liferay is fetching the password, should we go and write a hook for this integration?
Eduardo Pantoja Ramírez, modified 7 years ago.

RE: Setting up LDAP Authentication without Password Field?

New Member Posts: 8 Join Date: 24.08.13 Recent Posts
Have you found a solution? I'm facing the same issue; I cannot authenticate users because Active Directory does not give me the user password. Any help may be useful, regards.
David H Nebinger, modified 5 years ago.

RE: Setting up LDAP Authentication without Password Field?

Liferay Legend Posts: 14919 Join Date: 02.09.06 Recent Posts
You don't need to.

When you are authenticating, Liferay will bind to LDAP (AD) by looking up your DN using the user search query and the provided password.

The password in the Liferay DB is not at all necessary.

If you cannot authenticate, it is likely because a) the DN cannot be found (meaning your auth search query doesn't find your DN) or b) your DN/password combo is not allowed to bind.
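
The search-then-bind flow discussed in this thread, as an added example that is not part of any post and is not Liferay code: it expands the `@screen_name@` filter with RFC 4515 escaping, looks up the DN, then attempts a bind, and reports which of the two failure modes occurred without ever reading a password attribute. The directory is simulated in memory; the DNs, passwords, function names and status strings are constructed for illustration, and rejecting an empty password reflects the general LDAP rule that a simple bind with an empty password is an unauthenticated bind.

```python
import re

AD_FILTER = "(&(objectCategory=person)(sAMAccountName=@screen_name@))"

# Constructed sample directory. "_secret" stands in for what the server checks
# during a bind; it is never returned as an attribute to the client.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=test",
     "attrs": {"objectCategory": "person", "sAMAccountName": "jdoe"},
     "_secret": "correct horse"},
    {"dn": "CN=PRINTER01,OU=Devices,DC=example,DC=test",
     "attrs": {"objectCategory": "computer", "sAMAccountName": "printer01$"},
     "_secret": "x"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def expand_filter(template, screen_name):
    return template.replace("@screen_name@", escape_filter_value(screen_name))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search_dn(ldap_filter):
    """Match a simple AND-of-equalities filter; return the DN or None."""
    terms = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    for entry in DIRECTORY:
        if terms and all(entry["attrs"].get(a, "").lower() == _unescape(v).lower()
                         for a, v in terms):
            return entry["dn"]
    return None

def simple_bind(dn, password):
    """Simulated server-side credential check for a simple bind."""
    return any(e["dn"] == dn and e["_secret"] == password for e in DIRECTORY)

def authenticate(template, screen_name, password):
    if not password:            # an empty password would be an unauthenticated bind
        return "rejected_empty_password"
    dn = search_dn(expand_filter(template, screen_name))
    if dn is None:
        return "dn_not_found"   # failure (a): the search filter matches nothing
    return "ok" if simple_bind(dn, password) else "bind_refused"  # failure (b)
```

A `dn_not_found` result points at the User Search Filter or base DN, while `bind_refused` points at the credentials or at bind restrictions on the account.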