Introduction #

The purpose of this document is to explain, with an example, how to integrate NTLM Single Sign-On (SSO) into the Liferay portal. By default, the portal uses its own authentication, i.e. user name and password, to identify a user. The Liferay portal also supports external authentication methods: Lightweight Directory Access Protocol (LDAP) against any compliant LDAP directory, the Central Authentication Service (JA-SIG CAS), OpenID, OpenSSO, and Computer Associates' (CA) SiteMinder.

Overview #

Suppose that you have a Microsoft Active Directory Server (ADS) with the IP address 192.168.2.230 and the domain cignex.net. By default, the LDAP port number is 389.

Users and groups are in CN=Users,DC=CIGNEX,DC=NET

The administrator: CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

We are planning to integrate NTLM SSO against this ADS into the Liferay portal.

ADS Settings #

Default settings #

Check the checkbox Enabled.

Check the checkbox Required.

Select Microsoft Active Directory Server.

Connection #

Connect to the ADS server

Base Provider URL: for example, ldap://192.168.2.230:389.

Base DN: for example, CN=Users,DC=CIGNEX,DC=NET

Principal: for example, CN=Administrator,CN=Users,DC=CIGNEX,DC=NET

Credentials: the password of the Administrator.

Users Mapping #

Note: use the Authentication Search Filter (cn=@screen_name@) so that users log in with their screen name.

Groups Mapping #

Import and Export #

Save when you are ready.
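As an added example (not part of the original wiki page or of Liferay's own code), the following Python helpers check two of the values entered above offline: the Base Provider URL is split into scheme, host and port (defaulting to 389 as the page says), and the Authentication Search Filter template (cn=@screen_name@) is filled with a screen name escaped per RFC 4515, so that a screen name containing filter metacharacters cannot alter the query the portal sends to the directory. The function names and sample values are assumptions chosen for this example.

```python
# Added example, not Liferay code: offline checks for the ADS Settings values.
from urllib.parse import urlsplit

# RFC 4515 escaping for characters that are special inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(template: str, screen_name: str) -> str:
    """Substitute @screen_name@ in the page's filter template with an escaped value."""
    return template.replace("@screen_name@", escape_filter_value(screen_name))


def parse_provider_url(url: str) -> dict:
    """Split a Base Provider URL such as ldap://192.168.2.230:389 into its parts.

    The port defaults to 389 for ldap:// and 636 for ldaps://. 'cleartext' is True
    when the principal's bind password would cross the network unencrypted.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": port,
        "cleartext": parts.scheme == "ldap",
    }


if __name__ == "__main__":
    # Constructed sample values matching the page's example environment.
    print(parse_provider_url("ldap://192.168.2.230:389"))
    print(build_search_filter("(cn=@screen_name@)", "jdoe"))
    # A screen name built from filter metacharacters stays a literal match.
    print(build_search_filter("(cn=@screen_name@)", "*)(objectClass=*"))
```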

NTLM Settings #

Check the checkbox Enabled.

Enter the Domain Controller: for example, cignex.net.

Enter the Domain: e.g., 192.168.2.230.

Note that the server on which the Liferay portal is installed must be able to reach the domain through the domain controller.

Testing Results #

You should get screenshots similar to the following.

Imported Users #

Imported Groups #

User Groups

Users in User Groups

SSO authentication #

That's it. You're done!


Issues #

For now, NTLM is deactivated for browsers other than Internet Explorer because of security issues. To activate it, you have to replace the current NtlmFilter with a new class (e.g. add a new class in an extension and override the SSO NTLM filter class in ROOT/WEB-INF/liferay-web.xml).

Unlike Internet Explorer, Firefox requires you to add the portal URL to the "network.automatic-ntlm-auth.trusted-uris" setting in "about:config".

Comments #

Gerimint Allat (posted 2009/06/18 3:41):
Section "ADS Settings":
I set all values, press "Save", but "Microsoft Active Directory Server" is still unchecked. I tried it several times but it remains unchecked no matter what.
Is this an error or just a UI bug?

Gerimint Allat (posted 2009/06/22 6:43):
Section "Connection":
Is it a must that you specify a domain administrator account in the field "Principal"? The "Test LDAP Connection" is successful but I still cannot log in to Web Space with any AD login, so I'd like to know if this may be the problem?

Amos Fong (posted 2009/08/11 10:43), in reply to Gerimint Allat:
MSAD server does not need to be checked. It is meant for resetting the default values. (Each different LDAP server has different default values.)

alamut avani (posted 2009/09/17 3:07), in reply to Amos Fong:
I followed all the steps, and I still cannot connect via AD. Is there a solution?

G P (posted 2009/10/22 2:45), in reply to alamut avani:
Hi Jona,
This article is very nice. Like this I have imported all the users and groups from OpenLDAP to Liferay. And now the problem is, whenever I'm trying to create a user through the Liferay UI, that user is not exported to LDAP?
Is there any workaround?

Tomasz Ryzner (posted 2009/11/27 1:26), in reply to java user 007:
In my case all the tests go well but Liferay does not import (export) users. Neither while saving nor while starting up Liferay (tried with Tomcat 6 and Tomcat 5.5). AD is on Windows 2008 Server Enterprise, with Liferay running on the same machine. The principal user has all maximum privileges (domain admin etc.). Of course I am unable to log in to Liferay as that user.

Anyone is invited to send any hint because I am stuck.

Matthew Snider (posted 2010/10/13 10:54):
I currently have LDAP authentication working and would like to set up SSO via NTLM. Once SSO is set up, how can I additionally log in as other users using LDAP? (I want to use SSO but also have a manual method for logging in as other users.)

Martin Lungershausen (posted 2010/10/14 4:16), in reply to Matthew Snider:
I had a working installation with 5.2.3 and MS AD, but it does not work anymore with 6.0.5 ... I followed this site and the http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration site, but it is not able to connect to LDAP. Has anyone solved the problem???

Jason Smith (posted 2011/04/18 23:56), in reply to Martin Lungershausen:
Where can I find the Ntlmv2Filter?

Greg Dray (posted 2012/02/23 2:34), in reply to Vili Perttilä:
Pictures aren't displayed for me in this article, and it seems that they contain a fair amount of the info needed to set this up. :/

Hendrik Lampe (posted 2012/03/09 6:15), in reply to Greg Dray:
Looks like NTLM SSO is not working with Liferay 6.1 and Winserver 2008 R2. Any suggestions?!

Sailesh Ranjit (posted 2014/05/16 6:19):
Anyone know the new location of the broken image links on this page? Seems like they are no longer in the original location http://liferay.cignex.com/ntlm/LDAP_01.png