
Amendment to LDAP in 7.0/DXP entry

Technical Blogs July 28, 2017 By Jonas Choi Staff

The other day I posted a blog entry about LDAP settings in 7.0/DXP and how generating the hash values precludes the ability to have the files configured without having to go into the UI. You can read it here.

In discussion with other technical resources and through further testing, it is, in fact, possible to create the files without the need for a hash. Instead of the hash value, we replace it with the word "default" so the files look like this:

com.liferay.portal.security.ldap.authenticator.configuration.LDAPAuthConfiguration-default.config
com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration-default.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPExportConfiguration-default.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPImportConfiguration-default.config

Now since we're not generating those files, we need to know what to put in them, right? Here are the necessary contents. Values marked <LIKE-THIS> are values that need to be filled in at the very least, and these are only in the LDAPServerConfiguration file.

LDAPAuthConfiguration

companyId="0"
enabled="true"
passwordEncryptionAlgorithm="NONE"
passwordPolicyEnabled="false"
required="false"
method="bind"

LDAPServerConfiguration

contactMappings=""
groupSearchFilterEnabled="true"
authSearchFilter="(&(objectCategory\=person)(mail\=@email_address@))"
userIgnoreAttributes=""
baseProviderURL="<LDAP-SERVER-HERE>"
baseDN="<LDAP-BASE-DN>"
securityPrincipal="<LDAP-PRINCIPAL>"
serverName="<SERVER-NAME>"
ldapServerId="0"
userSearchFilter="<USER-SEARCH-FILTER>"
groupMappings=["description\=description","groupName\=cn","user\=member"]
groupDefaultObjectClasses=["top","group"]
securityCredential="<LDAP-PRINCIPAL-PW>"
userDefaultObjectClasses=["top","person","inetOrgPerson","organizationalPerson"]
companyId="0"
groupsDN=""
userMappings=["emailAddress\=mail","firstName\=givenName","group\=memberOf","jobTitle\=title","lastName\=sn","password\=unicodePwd","screenName\=sAMAccountName"]
groupSearchFilter="<USER-SEARCH-FILTER>"
contactCustomMappings=""
usersDN=""
userCustomMappings=""

(Optional) LDAPExportConfiguration

companyId="0"
exportEnabled="false"
exportGroupEnabled="false"

(Optional) LDAPImportConfiguration

importGroupCacheEnabled="true"
importUserPasswordEnabled="false"
importUserPasswordAutogenerated="true"
importUserPasswordDefault="test"
importCreateRolePerGroup="false"
importOnStartup="false"
importLockExpirationTime="86400000"
companyId="0"
importEnabled="false"
importInterval="10"
importUserSyncStrategy="auth-type"
importMethod="user"

Again, once those files are filled in, they can be placed in ${LIFERAY_HOME}/osgi/modules or ${LIFERAY_HOME}/osgi/configs. No restart is needed.
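
As an added example (not part of the original post and not Liferay's own code), here is a small Python check to run over a filled-in LDAPServerConfiguration file before dropping it into place. It parses only the key="value" and key=["a","b"] forms shown above; the sample input, its host name and the three checks (leftover <LIKE-THIS> placeholders, an ldap:// URL, and a file holding securityCredential that is accessible beyond its owner) are assumptions of this example.

```python
import re

PLACEHOLDER = re.compile(r"^<[A-Z-]+>$")            # the page's <LIKE-THIS> markers
LINE = re.compile(r"^\s*([\w.]+)\s*=\s*(.*?)\s*$")  # key=value
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')         # "..." with backslash escapes


def parse_config(text):
    """Parse the key="value" / key=["a","b"] lines shown on this page."""
    cfg = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, rhs = m.groups()
        # Undo backslash escapes such as \= inside each quoted value.
        values = [re.sub(r"\\(.)", r"\1", v) for v in QUOTED.findall(rhs)]
        cfg[key] = values if rhs.startswith("[") else (values[0] if values else "")
    return cfg


def audit(text, mode):
    """Return findings for an LDAPServerConfiguration file's text and st_mode."""
    cfg, findings = parse_config(text), []
    for key, value in cfg.items():
        for v in (value if isinstance(value, list) else [value]):
            if PLACEHOLDER.match(v):
                findings.append(f"{key}: placeholder {v} not filled in")
    if cfg.get("baseProviderURL", "").lower().startswith("ldap://"):
        findings.append("baseProviderURL: uses ldap:// rather than ldaps://")
    # securityCredential is stored in this file as plain text.
    if cfg.get("securityCredential") and mode & 0o077:
        findings.append("securityCredential: file is accessible to group/other")
    return findings


# Constructed sample: the page's template with some values filled in.
SAMPLE = r'''
baseProviderURL="ldap://ldap.example.test:389"
baseDN="dc=example,dc=test"
securityPrincipal="cn=liferay,dc=example,dc=test"
securityCredential="<LDAP-PRINCIPAL-PW>"
authSearchFilter="(&(objectCategory\=person)(mail\=@email_address@))"
groupMappings=["description\=description","groupName\=cn","user\=member"]
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o644):
        print(finding)
```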
 
One final thing to note is *.cfg vs *.config. Which one is the correct one, and why? I tested this on DE 7.0 SP4 (DXP SP4), and at least from that version onward, *.config files are the correct way to go. They're a bit more versatile than *.cfg files.