Discussion Forums

Login with wrong password

Alex Alex, modified 8 years ago.

Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
Hello. I have Liferay Portal Community Edition 6.2 CE GA4 (Newton / Build 6203 / April 16, 2015). Ubuntu Server, Oracle Java 7, domain auth.
There was an interesting situation. I could log in with a wrong password. I can't understand how it can be.
Vilmos Papp, modified 8 years ago.

RE: Login with wrong password

Liferay Master Posts: 529 Join Date: 21/10/10 Recent Posts
If you switch off this setting and your authentication is not configured well, this could happen:


    #
    # Set this to true to enable password checking by the internal portal
    # authentication. If set to false, password checking is delegated to the
    # authenticators configured in the "auth.pipeline.pre" and
    # "auth.pipeline.post" settings.
    #
    auth.pipeline.enable.liferay.check=true
Olaf Kock, modified 8 years ago.

RE: Login with wrong password

Liferay Legend Posts: 6396 Join Date: 23/09/08 Recent Posts
Assuming you didn't fiddle with the authentication (in that case: check Vilmos' answer) what I've seen often is a misconfigured caching proxy in front of Liferay: This proxy might cache data of logged-in users and deliver them to unauthenticated users. Under certain circumstances this might look like your login succeeded even though you provided a wrong password (because you suddenly start seeing a personalized UI). If you have a proxy in front of your Java Appserver, this is what you should take care of first. One hint (if you have many users) is that you login as user 1, but see the content for user 2.
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
I did as Vilmos said. So I can log in only with my correct password, but users that had never logged in couldn't log in at all, with either a correct or an incorrect password!
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
Some lines from my portal-ext.properties:

ldap.auth.password.encryption.algorithm=MD5
auth.pipeline.enable.liferay.check=true
ldap.import.user.password.enabled=true

layout.parallel.render.timeout=30000
session.store.password=true
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
Please, help...
Vilmos Papp, modified 8 years ago.

RE: Login with wrong password

Liferay Master Posts: 529 Join Date: 21/10/10 Recent Posts
Alex Alex:
Some lines from my portal-ext.properties:

ldap.auth.password.encryption.algorithm=MD5
auth.pipeline.enable.liferay.check=true
ldap.import.user.password.enabled=true

layout.parallel.render.timeout=30000
session.store.password=true


Hi,

I would suggest disabling this property:
ldap.import.user.password.enabled=true

So it should be:
ldap.import.user.password.enabled=false


Furthermore, session.store.password is not necessary for LDAP.

Could you try it with this setting?
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
Thank you for the answer. I did it. It didn't work.
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
Please, help
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
Please, help...
Olaf Kock, modified 8 years ago.

RE: Login with wrong password

Liferay Legend Posts: 6396 Join Date: 23/09/08 Recent Posts
If nobody posts any more answers, it's typically a good hint that there's not enough information. Please go back, start over and give us more information: Where are you, what have you tried, what steps can we use to reproduce? Is there anything in the logs? How and where do you create those users? In Liferay or LDAP? The more information you give, the greater is the chance that it rings a bell with somebody and they'll be able to help you.
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
ok. I'm from Belarus.
What log must I read? There are no mistakes in the catalina.out file when the user can't log in.
I didn't create users. The users were imported from Active Directory (Windows Server 2012 R2 x64). I may be mistaken about it. The users are displayed in Control Panel - Users and organizations. But they aren't displayed in the users in my site. So I manually added some users to the users of the site. After that I could log in with an incorrect password and change the password as Liferay offers. So I could log in with this "new" password. I made it the same as in the Active Directory.

At that moment there were these lines in properties:

ldap.auth.password.encryption.algorithm=MD5
auth.pipeline.enable.liferay.check=false
ldap.import.user.password.enabled=true

layout.parallel.render.timeout=30000
session.store.password=true


In this situation all users from AD can log in with incorrect passwords.
I set auth.pipeline.enable.liferay.check=true, as Vilmos said. After that, users from AD couldn't log in at all, with either a correct or an incorrect password.
Users that were manually added to the users of the site could log in, but not all. Some users could, some could not. For example, I (the owner) could log in, another user couldn't.

I attach logs. Duplicated on Google Drive.
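
The settings questioned in the thread up to this point, turned into a check that can be run against a portal-ext.properties file. This is an added example, not part of any post and not Liferay code; the function names and the wording of the findings are assumptions, and the rules cover only what the replies and the quoted property comment state.

```python
import re

PROP = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$")

def parse_properties(text):
    """Read key=value / key:value lines, skipping '#' and '!' comments; last value wins."""
    props = {}
    for line in text.splitlines():
        m = PROP.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit(props):
    """Return (property, note) pairs for the settings questioned in this thread."""
    def is_set(key, value):
        return props.get(key, "").lower() == value
    findings = []
    if is_set("auth.pipeline.enable.liferay.check", "false"):
        named = [k for k in ("auth.pipeline.pre", "auth.pipeline.post") if props.get(k)]
        where = " and ".join(named) if named else "auth.pipeline.pre/post, which this file leaves at defaults"
        findings.append(("auth.pipeline.enable.liferay.check",
                         "portal password check is off; password checking rests on " + where))
    if is_set("ldap.import.user.password.enabled", "true"):
        findings.append(("ldap.import.user.password.enabled", "reply in thread suggests false"))
    if is_set("session.store.password", "true"):
        findings.append(("session.store.password", "not necessary for LDAP, per the reply"))
    return findings

# The two states from the thread: what Alex ran first, and the values suggested in the replies.
BEFORE = """\
ldap.auth.password.encryption.algorithm=MD5
auth.pipeline.enable.liferay.check=false
ldap.import.user.password.enabled=true
layout.parallel.render.timeout=30000
session.store.password=true
"""
SUGGESTED = """\
# same file after the replies' suggestions
ldap.auth.password.encryption.algorithm=MD5
auth.pipeline.enable.liferay.check=true
ldap.import.user.password.enabled=false
layout.parallel.render.timeout=30000
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("suggested", SUGGESTED)):
        print(name, audit(parse_properties(text)))
```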

Gurumurthy Godlaveeti, modified 8 years ago.

RE: Login with wrong password

Regular Member Posts: 208 Join Date: 12/08/11 Recent Posts
Hi Alex,

After seeing all your threads, I believe your AD setup with Liferay is done in the proper way. You need to follow either the Liferay password policy or the AD password policy. Check whether your properties stick to one kind only.

The other thing is, you can do much of the related setup from the Control Panel. It is not required to update the portal-ext.properties file.

https://www.liferay.com/community/wiki/-/wiki/Main/LDAP+with+AD+in+Liferay+6.0.5?_36_pageResourcePrimKey=6397714

The above link explains all installation, configuration and password policy related things. Please check it once.

I hope this will help you in understanding the steps.

Thanks
Guru
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
I read this article many times and did it. It doesn't help.
Vilmos Papp, modified 8 years ago.

RE: Login with wrong password

Liferay Master Posts: 529 Join Date: 21/10/10 Recent Posts
Can you create screenshots about your config in Control Panel and the test results if you test the connection from the LDAP configuration page?
Vilmos Papp, modified 8 years ago.

RE: Login with wrong password

Liferay Master Posts: 529 Join Date: 21/10/10 Recent Posts
Hey, it seems to me that the issue is pretty straightforward from your logs:

[PortalLDAPImporterImpl:717] Unable to import user CN=BR-DC02,OU=Domain Controllers: null:null:{samaccountname=sAMAccountName: BR-DC02$}
com.liferay.portal.UserEmailAddressException: Email address cannot be null for BR-DC02 BR-DC02
	at com.liferay.portal.security.ldap.DefaultLDAPToPortalConverter.importLDAPUser(DefaultLDAPToPortalConverter.java:139)
	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importUser(PortalLDAPImporterImpl.java:913)
	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAPByUser(PortalLDAPImporterImpl.java:707)
	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:203)
	at com.liferay.portal.security.ldap.PortalLDAPImporterImpl.importFromLDAP(PortalLDAPImporterImpl.java:139)
	at com.liferay.portal.security.ldap.PortalLDAPImporterUtil.importFromLDAP(PortalLDAPImporterUtil.java:43)
	at com.liferay.portlet.admin.messaging.LDAPImportMessageListener.doImportOnStartup(LDAPImportMessageListener.java:38)
	at com.liferay.portlet.admin.messaging.LDAPImportMessageListener.doReceive(LDAPImportMessageListener.java:48)
	at com.liferay.portal.kernel.messaging.BaseMessageListener.receive(BaseMessageListener.java:26)
	at sun.reflect.GeneratedMethodAccessor706.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at com.liferay.portal.kernel.bean.ClassLoaderBeanHandler.invoke(ClassLoaderBeanHandler.java:67)
	at com.sun.proxy.$Proxy296.receive(Unknown Source)
	at com.liferay.portal.kernel.scheduler.messaging.SchedulerEventMessageListenerWrapper.receive(SchedulerEventMessageListenerWrapper.java:77)
	at com.liferay.portal.kernel.messaging.InvokerMessageListener.receive(InvokerMessageListener.java:72)
	at com.liferay.portal.kernel.messaging.ParallelDestination$1.run(ParallelDestination.java:69)
	at com.liferay.portal.kernel.concurrent.ThreadPoolExecutor$WorkerTask._runTask(ThreadPoolExecutor.java:682)
	at com.liferay.portal.kernel.concurrent.ThreadPoolExecutor$WorkerTask.run(ThreadPoolExecutor.java:593)
	at java.lang.Thread.run(Thread.java:745)


It means, you want to login with a user who has no e-mail address in LDAP.

If you want to import users without e-mail address, you should try to set these in your portal-ext.properties:

    #
    # Set this to false if you want to be able to create users without an email
    # address. An email address will be automatically assigned to a user based
    # on the property "users.email.address.auto.suffix".
    #
    users.email.address.required=false

    #
    # Set the suffix of the email address that will be automatically generated
    # for a user that does not have an email address. This property is not used
    # unless the property "users.email.address.required" is set to false. The
    # autogenerated email address will be the user ID plus the specified suffix.
    #
    users.email.address.auto.suffix=@no-emailaddress.com
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
The errors were displayed because Liferay wants to import the computer accounts, not the user accounts. So it doesn't create the problem.
I attached two screenshots of my auth config.
Vilmos Papp, modified 8 years ago.

RE: Login with wrong password

Liferay Master Posts: 529 Join Date: 21/10/10 Recent Posts
Then the problem is simple. You have to refine the LDAP filter to filter out computer accounts.
Alex Alex, modified 8 years ago.

RE: Login with wrong password

Junior Member Posts: 42 Join Date: 14/08/15 Recent Posts
The computer accounts don't cause any problems for me. That is a different problem, and a secondary one.
First I want to log in only with the correct password.
Klaus Bachmaier, modified 8 years ago.

RE: Login with wrong password

Regular Member Posts: 223 Join Date: 30/09/13 Recent Posts
I've run into the same problems with Liferay, LDAP and Active Directory. I had set up everything as recommended in this thread and here

Anyway, AD users still weren't able to log in to my portal.

So I went to Control Panel -> Server Administration -> Log Level and set the levels for com.liferay.portal.security.ldap and com.liferay.portal.security.ldap.PortalLDAPUtil to DEBUG.

The next time I tried to log in to my portal with an AD user, I got this:


12:53:37,683 DEBUG [http-bio-8080-exec-8][LDAPAuth:272] Search filter returned at least one result
12:53:37,687 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:593] LDAP user attribute sn: Tester
12:53:37,689 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:593] LDAP user attribute sAMAccountName: Test
12:53:37,691 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:593] LDAP user attribute givenName: Test
12:53:37,693 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:593] LDAP user attribute mail: Test.Tester@mycompany.com
12:53:37,695 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:593] LDAP user attribute company: ABC
12:53:37,696 DEBUG [http-bio-8080-exec-8][PortalLDAPUtil:593] LDAP user attribute cn: Test Tester
12:53:37,711 DEBUG [http-bio-8080-exec-8][LDAPAuth:176] Failed to bind to the LDAP server with userDN CN=Test Tester,OU=ABC,DC=DEF, DC=COM and password XYZXYZ
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 773, v2580_] [Sanitized]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)


Google brought me this when I searched for the line with the error code:

http://www-01.ibm.com/support/docview.wss?uid=swg21290631

From that I learned that the code 773 (after "data") means "user must reset password", and BINGO, that was my problem! The AD admin has set up my test user so that he would have to reset his password first before it could be used with LDAP.
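
The log reading described in the post above, as an added example that is not part of the original post: it pairs each LDAPAuth bind failure with the "data" sub-code on the exception line that follows, and masks the password that DEBUG logging writes into the same line. It goes beyond the 773 case: the other sub-codes come from general Active Directory knowledge rather than from this thread, the function names are hypothetical, and the second pair of sample lines is constructed.

```python
import re

# Sub-codes Active Directory reports after "data" when an LDAP bind fails with error 49.
# 773 is the one decoded in the post above; the others are general AD knowledge.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_FAIL = re.compile(r"Failed to bind to the LDAP server with userDN (?P<dn>.+?) and password ")
ERR49 = re.compile(r"LDAP: error code 49\b.*?\bdata\s+(?P<sub>[0-9a-fA-F]+)\b")
SECRET = re.compile(r"(and password )\S+")

def redact(line):
    """LDAPAuth at DEBUG level logs the submitted password; mask it before sharing logs."""
    return SECRET.sub(r"\g<1>[REDACTED]", line)

def triage(lines):
    """Pair each bind failure with the sub-code on the exception line that follows it."""
    findings, dn = [], None
    for line in lines:
        failed = BIND_FAIL.search(line)
        if failed:
            dn = failed.group("dn")
            continue
        err = ERR49.search(line)
        if err:
            sub = err.group("sub").lower()
            findings.append((dn, sub, AD_BIND_SUBCODES.get(sub, "unknown sub-code")))
            dn = None
    return findings

# First pair copied from the post above; second pair is constructed sample data.
SAMPLE = [
    "12:53:37,711 DEBUG [http-bio-8080-exec-8][LDAPAuth:176] Failed to bind to the LDAP server with userDN CN=Test Tester,OU=ABC,DC=DEF, DC=COM and password XYZXYZ",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 773, v2580_] [Sanitized]",
    "12:54:02,104 DEBUG [http-bio-8080-exec-3][LDAPAuth:176] Failed to bind to the LDAP server with userDN CN=Jane Doe,OU=ABC,DC=DEF,DC=COM and password hunter2",
    "javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580_]",
]

if __name__ == "__main__":
    for dn, sub, reason in triage(SAMPLE):
        print(f"{dn}: data {sub} -> {reason}")
    print(redact(SAMPLE[0]))
```

A 52e result means the directory rejected the password itself, while 532, 533, 701, 773 and 775 point at account state that only the AD administrator can change.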