Keeping user password secure with LDAP integration
General Blogs November 24, 2010 By Jonas Yuan
Liferay 5.2 EE and 6 improved the capabilities of LDAP integration in many areas (refer to blogs post LDAP Enhancements by Michael C. Han):
- synchronize user custom attributes between Liferay and LDAP
- support LDAP chains and LDAP pagination
- create a role for each LDAP group
- override LDAP import and export processes via Spring
When importing users from LDAP, user’s info and password got imported. Of course, all passwords stored in Liferay are secure. Especially, the LDAP password mapping field is optional. In some use cases, the fact Liferay stores users’ password is against some companies’ security policy rules.
Liferay should not import user's password from LDAP when required (LPS-13933). That is, an improvement would be nice to allow the portal admin to choose whether to save the user's LDAP password when they login or not. How to implement this? This article will address how to make this feature happening in Liferay 5.2 and 6.
The following diagram shows solution overview. LDAP contains a lot of users’ info (plus user’s password) and groups’ info. Liferay portal provides users (and contacts), user groups and roles in place with following mappings
LDAP user info <==> Liferay user info (and contact, password is not included)
LDAP groups (and users membership) <==> Liferay user groups and roles (and users membership)
In addition, the portal will use user’s password to authenticate only. When users login, the portal will import (add or update) user’s info, and then, the portal will add default passwords (such as user screen name, user id, email address, or plain text) as temporal and secure passwords.
When LDAP was enabled, the portal will use LDAP user and its password to authenticate. Once LDAP was disabled (or disconnected), the portal will activate “forgot password” process to reset user’s password and send new auto-generated password by email; or the portal will activate “required reset password” password policy to update user’s password after first-time login.
This feature could be implemented in two steps.
1) Adding following properties in portal.properties - especially in LDAP section.
# Set this to true if the portal does import LDAP user's password.
# Set this to false if the portal does not import LDAP user's password;
# Set this to false if LDAP user's password is not auto-generated;
# This property is in use only if the property ldap.import.user.password.enabled is set to false.
# use default password as LDAP user's password: $SCREENNAME$, $USERID$, $EMAILADDRESS$, or plain text.
# This property is in use only if the property ldap.import.user.password.enabled is set to false
# and the property ldap.import.user.password.auto-generated is set to false, too.
2) updating methods addUser and updateUser with above settings in Portal LDAP importer.
This feature was tested in 5.2 EE and 6.0 CE / EE. Three testing use cases were included as follows.
Use case A
Set following property to true, LDAP integration was resumed to default behavior; that is, all users’ passwords got imported and stored in secure in Liferay database. This is Liferay default behavior - nice way to revert back easily.
Use case B
Set following properties, LDAP integration will not import users' password; instead, random password will be auto-generated for users.
Use case C
Set following properties, LDAP integration will not import users' password; instead, pre-defined password will be assigned to users.
This feature will be available at 6.1 and 6.0 EE SP1. This is good news.
Is this feature useful? Your comments or suggestions?