Amendment to LDAP in 7.0/DXP entry

Technical Blogs July 28, 2017 By Jonas Choi Staff

The other day I posted a blog entry about LDAP settings in 7.0/DXP and how the need to generate hash values meant the files could not be configured without first going into the UI. You can read it here.

In discussion with other technical resources and through further testing, it is, in fact, possible to create the files without the need for a hash. Instead of the hash value, we replace it with the word "default" so the files look like this:

com.liferay.portal.security.ldap.authenticator.configuration.LDAPAuthConfiguration-default.config
com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration-default.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPExportConfiguration-default.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPImportConfiguration-default.config

Now, since we're not generating those files, we need to know what to put in them, right? Here are the necessary contents. Values marked <LIKE-THIS> must be filled in at the very least; they appear only in the LDAPServerConfiguration file.

LDAPAuthConfiguration

companyId="0"
enabled="true"
passwordEncryptionAlgorithm="NONE"
passwordPolicyEnabled="false"
required="false"
method="bind"

LDAPServerConfiguration

contactMappings=""
groupSearchFilterEnabled="true"
authSearchFilter="(&(objectCategory\=person)(mail\=@email_address@))"
userIgnoreAttributes=""
baseProviderURL="<LDAP-SERVER-HERE>"
baseDN="<LDAP-BASE-DN>"
securityPrincipal="<LDAP-PRINCIPAL>"
serverName="<SERVER-NAME>"
ldapServerId="0"
userSearchFilter="<USER-SEARCH-FILTER>"
groupMappings=["description\=description","groupName\=cn","user\=member"]
groupDefaultObjectClasses=["top","group"]
securityCredential="<LDAP-PRINCIPAL-PW>"
userDefaultObjectClasses=["top","person","inetOrgPerson","organizationalPerson"]
companyId="0"
groupsDN=""
userMappings=["emailAddress\=mail","firstName\=givenName","group\=memberOf","jobTitle\=title","lastName\=sn","password\=unicodePwd","screenName\=sAMAccountName"]
groupSearchFilter="<USER-SEARCH-FILTER>"
contactCustomMappings=""
usersDN=""
userCustomMappings=""

(Optional) LDAPExportConfiguration

companyId="0"
exportEnabled="false"
exportGroupEnabled="false"

(Optional) LDAPImportConfiguration

importGroupCacheEnabled="true"
importUserPasswordEnabled="false"
importUserPasswordAutogenerated="true"
importUserPasswordDefault="test"
importCreateRolePerGroup="false"
importOnStartup="false"
importLockExpirationTime="86400000"
companyId="0"
importEnabled="false"
importInterval="10"
importUserSyncStrategy="auth-type"
importMethod="user"

Again, once those files are filled in, they can be placed in ${LIFERAY_HOME}/osgi/modules or ${LIFERAY_HOME}/osgi/configs. No restart is needed.
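As an added example (not code from the original post or from Liferay), here is a small Python helper that renders a settings dict in the key="value" syntax shown above, names the file with the hash-free -default suffix, refuses to write it while any <LIKE-THIS> marker is still unfilled, and parses the result back to confirm that the \= escaping round-trips. The subset of the .config grammar it handles and the placeholder pattern are assumptions taken from the files listed above.

```python
import re
from pathlib import Path
# Felix/OSGi ConfigAdmin ".config" syntax as in the files above: one key="value"
# per line, arrays as ["a","b"], and '=' inside a value escaped as '\='.
PLACEHOLDER = re.compile(r"<[A-Z0-9-]+>")   # unfilled <LIKE-THIS> markers (assumed pattern)

def _quote(value: str) -> str:
    """Quote one scalar value, escaping backslash, double quote and '='."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"').replace("=", "\\=")
    return f'"{escaped}"'

def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)

def render_config(settings: dict) -> str:
    """Render settings into .config text; list values become arrays."""
    lines = []
    for key, value in settings.items():
        if isinstance(value, (list, tuple)):
            lines.append(f"{key}=[{','.join(_quote(v) for v in value)}]")
        else:
            lines.append(f"{key}={_quote(str(value))}")
    return "\n".join(lines) + "\n"

def parse_config(text: str) -> dict:
    """Inverse of render_config for the subset of the syntax used here."""
    out = {}
    for line in text.splitlines():
        key, _, raw = line.partition("=")
        if not key.strip() or key.startswith("#"):
            continue
        if raw.startswith("["):
            out[key] = [_unescape(i) for i in re.findall(r'"((?:[^"\\]|\\.)*)"', raw)]
        else:
            out[key] = _unescape(raw[1:-1])
    return out

def unfilled_placeholders(settings: dict) -> list:
    """Keys still holding a <LIKE-THIS> marker; such a file must not be deployed."""
    return [k for k, v in settings.items() if PLACEHOLDER.search(str(v))]

def write_config(config_dir, pid: str, settings: dict) -> Path:
    """Write <pid>-default.config (the hash-free name) after the placeholder check."""
    bad = unfilled_placeholders(settings)
    if bad:
        raise ValueError(f"unfilled placeholders for {pid}: {bad}")
    path = Path(config_dir) / f"{pid}-default.config"
    path.write_text(render_config(settings), encoding="utf-8")
    return path
```

Pass the full PID (for example com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration) and the osgi/configs directory to write_config; the sample values in the test are constructed.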
 
One final thing to note is *.cfg vs *.config. Which one is the correct one, and why? I tested this on DE 7.0 SP4 (DXP SP4), and at least from that version onward, *.config files are the correct way to go. They're a bit more versatile than *.cfg files.

LDAP Configuration in 7.0/DXP

Technical Blogs July 26, 2017 By Jonas Choi Staff

There are a great number of changes in Liferay 7.0/DXP, and one of them is how LDAP settings are managed when dealing with configuration files. In 6.2 and earlier, one could simply copy all the relevant settings into portal-ext.properties and have that load on startup. However, in 7.0, the old LDAP settings are no longer present in portal.properties, and the old way doesn't work. So how is that done?

What we need here is a *.config file. In fact, we need 4 of them.

com.liferay.portal.security.ldap.authenticator.configuration.LDAPAuthConfiguration-${HASH_VALUE}.config
com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration-${HASH_VALUE}.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPExportConfiguration-${HASH_VALUE}.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPImportConfiguration-${HASH_VALUE}.config

Those are some very long filenames, and once the hash value is added in, they get even longer. This raises the question: where does the hash value come from? There are two possible ways to get a filename with a hash value: get the file from someone else, or use the UI.

Here is a straightforward way of using the UI to generate the config files.

  1. In a running Liferay system, go to Control Panel -> System Settings -> Foundation. One could search for "LDAP" from the System Settings panel as well.
  2. Edit the values as desired for LDAP Auth, LDAP Servers, and, if desired, LDAP Export and LDAP Import configs.
  3. From the Control Panel -> System Settings -> Foundation page, use the 3-dot (ellipsis) menu to export the settings and save the file. The exported files now have the hash value in the file name.
  4. Copy these files into the Liferay system to be configured and place them at ${LIFERAY_HOME}/osgi/modules.
  5. (Optional) To revert the LDAP settings back to default values and have them be read from the config files, use the 3-dot menu and select "Revert to Default".

Long-time Liferay users will recognize the fact that once something has been entered into the UI, it will always supersede config files. The "Revert to Default" option is a new feature that allows the config files to be read once again even after something has been entered into the UI. In short, to have LDAP settings read from config files, the settings first have to be entered into the UI to generate those files.

The hash value is not unique to the system and can be used across multiple systems.

Some things to note:

  • The hash value is necessary. Liferay will not read the file properly without the hash value.
  • The file content can be edited without changing the hash value.
  • Changes to the file content are picked up without a restart.

The last note above is the major difference between the old way via portal-ext.properties, and the new way with OSGi. Changes to the files do not require a restart. No longer does a single typo cost several minutes (or more) of time waiting for the system to restart once it has been fixed!

LDAP setup via config files in Liferay 7.0/DXP has consumed my last 2.5 days, and I hope I have saved you some time and frustration.
