Keeping user password secure with LDAP integration

Liferay 5.2 EE and 6 improved the capabilities of LDAP integration in many areas (refer to the blog post LDAP Enhancements by Michael C. Han):

  • synchronize user custom attributes between Liferay and LDAP
  • support LDAP chains and LDAP pagination
  • create a role for each LDAP group
  • override LDAP import and export processes via Spring

When users are imported from LDAP, their profile information and their password are imported together. All passwords stored in Liferay are kept in secured (hashed) form, and the LDAP password mapping field is optional. Even so, in some environments the mere fact that Liferay stores users' passwords at all violates the company's security policy.

Liferay should be able to skip importing a user's password from LDAP when this is required (LPS-13933). That is, the portal administrator should be able to choose whether a user's LDAP password is saved when that user logs in. How can this be implemented? This article describes how to make this feature work in Liferay 5.2 and 6.

Solution overview

The following diagram shows the solution overview. LDAP holds the users' information (including each user's password) and the groups' information. Liferay portal provides users (and contacts), user groups and roles, with the following mappings:

LDAP user info <==> Liferay user info (and contact, password is not included)

LDAP groups (and users membership) <==> Liferay user groups and roles (and users membership)

The portal uses the user's LDAP password for authentication only. When a user logs in, the portal imports (adds or updates) the user's information and then assigns a placeholder password (the screen name, user ID, email address, or a configured plain-text value) as a temporary password, stored securely like any other.

While LDAP is enabled, the portal authenticates users against LDAP with their LDAP password. Once LDAP is disabled (or disconnected), the portal either activates the "forgot password" process, which resets the user's password and emails a new auto-generated one, or activates the "reset password required" password policy, which forces the user to change the password after the first login.

Implementation

This feature could be implemented in two steps.

1) Add the following properties to portal.properties, in the LDAP section.

# Set this to true if the portal should import the LDAP user's password.
# Set this to false if the portal should not import the LDAP user's password.

ldap.import.user.password.enabled=false

# Set this to true if a random password should be auto-generated for the LDAP user,
# or to false if a configured default should be used instead.
# This property is in use only if ldap.import.user.password.enabled is set to false.

ldap.import.user.password.autogenerated=false

# Default password assigned to the LDAP user: $SCREENNAME$, $USERID$, $EMAILADDRESS$, or plain text.
# This property is in use only if ldap.import.user.password.enabled is set to false
# and ldap.import.user.password.autogenerated is set to false, too.

ldap.import.user.password.default=test

2) Update the addUser and updateUser methods of the portal's LDAP importer so that they honor the settings above.
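The following is an added example, not Liferay's own importer code, showing the decision that step 2 has to make: given the three properties above, which value should the importer hand to the user service as the password. The class and method names are hypothetical; the importer in the portal calls into its own user service, which stores the result hashed as usual.

```java
import java.security.SecureRandom;
import java.util.Properties;

// Added example (hypothetical class, not the portal's importer): picks the
// password to store for a user imported from LDAP according to the three
// ldap.import.user.password.* properties described in the article.
public final class LdapImportPasswordPolicy {

    private static final String ENABLED = "ldap.import.user.password.enabled";
    private static final String AUTOGENERATED = "ldap.import.user.password.autogenerated";
    private static final String DEFAULT = "ldap.import.user.password.default";

    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final SecureRandom RANDOM = new SecureRandom();

    private LdapImportPasswordPolicy() {}

    /** Returns the password the portal should persist (hashed) for this user. */
    public static String resolve(Properties props, String ldapPassword,
            String screenName, long userId, String emailAddress) {
        // Use case A: stock behavior, the LDAP password itself is imported.
        if (Boolean.parseBoolean(props.getProperty(ENABLED, "false"))) {
            return ldapPassword;
        }
        // Use case B: the LDAP secret never reaches the database; a random
        // placeholder is stored instead, so only LDAP can authenticate the user.
        if (Boolean.parseBoolean(props.getProperty(AUTOGENERATED, "false"))) {
            return randomPassword(16);
        }
        // Use case C: the configured default, with the $SCREENNAME$, $USERID$
        // and $EMAILADDRESS$ tokens expanded so the placeholder is per user.
        String template = props.getProperty(DEFAULT, "");
        return template
            .replace("$SCREENNAME$", screenName)
            .replace("$USERID$", Long.toString(userId))
            .replace("$EMAILADDRESS$", emailAddress);
    }

    // Random placeholder built from a cryptographically strong source.
    static String randomPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample settings (use case C)
        props.setProperty(ENABLED, "false");
        props.setProperty(AUTOGENERATED, "false");
        props.setProperty(DEFAULT, "$SCREENNAME$");
        // "ldap-secret" is a constructed value; in case C it is never stored.
        System.out.println(resolve(props, "ldap-secret", "jdoe", 10157L, "jdoe@example.com"));
    }
}
```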

Results

This feature was tested in 5.2 EE and 6.0 CE / EE. Three test cases were covered, as follows.

Use case A

With the following property set to true, LDAP integration keeps its default behavior: all users' passwords are imported and stored securely in the Liferay database. This is the stock Liferay behavior, so it is easy to revert to it.

ldap.import.user.password.enabled=true

Use case B

With the following properties, LDAP integration does not import users' passwords; instead, a random password is auto-generated for each user.

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=true

Use case C

With the following properties, LDAP integration does not import users' passwords; instead, the pre-defined default password is assigned to each user.

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test

This feature will be available in 6.1 and 6.0 EE SP1. This is good news.

Is this feature useful? Your comments or suggestions?

I really need this information.
Thank you, Jonas.
Thanks, Ibrahim.

This feature is one of the cool features of Liferay portal 6.1 CE and 6.0 EE SP1.

By the way, you could use this feature in 6.0 EE if you want.

Thanks

Jonas
Hi Jonas. So, is this not live in the current CE? I see on SourceForge the latest available is 6.0.6. Are you saying this will not be available until 6.1 is out?

Thanks,

Brian
Hi Brian,

This feature will be available in CE 6.1. But it could be available in 6.0.6 with a special fix patch.

Thanks
Thanks, Jonas. I'm using version 6.0.6 and it looks like the issue has been fixed. Users are being imported and an auto-generated password is being created for them. Unfortunately, I would like the passwords to be imported. I want to allow a user to use Liferay to update their LDAP password and then sync that with the LDAP system.

I have set the following properties in my portal-ext.properties file:
ldap.import.user.password.enabled=true
ldap.import.user.password.autogenerated=false

Unfortunately, it appears that these two properties are not yet working. Any ideas on how I can achieve what I need? If that patch were available I think things would be fine for me. I'd be able to import the passwords just fine.

Thanks!

Brian
Hi Jonas,

Do you know when there will be a patch available? Or what version this was last working in? I briefly checked the message boards and there are dozens of posts about this:

http://www.liferay.com/community/forums/-/message_boards/message/8410944

Getting LDAP to work with Liferay is a requirement of my project. If I can't get it to work, we can't use Liferay. If I have to roll back to a previous version it'll be a mess and I'll lose a ton of data, but I can do it. I just need to know which version this was last working in so I don't roll back and have it still not working.

Thank you,

Brian
Hi Brian, thanks. I guess that this feature is in 6.0.6, but it is incomplete.

In fact, one client used this patch in 6.0.10 EE, and it was working well.

Do you use 6.0 EE, or just CE 6.0.6? If required, I can generate a fix patch for this feature in 6.0.6 for you.

Let me know your plan,

Thanks

Jonas
Hi Jonas,

Nice and easily written, good job!

Anyway, in all my projects where LDAP import was used, I was facing some missing functionality, such as importing "nested groups" from LDAP, importing deactivated users in LDAP, or deleting users from Liferay after the user is deleted in AD. It would be nice to have these features in the next release. Until then I will just "hook".
Thank you, Jan. You did a great job! You may contribute your "hook" back to the Liferay community. Then all of us will benefit a lot. Is it a feasible idea?
Hi Jonas,

It seems that Liferay 6.0.5 CE with the standard configuration in LDAP AuthN with "import" enabled does not import the passwords correctly.

All users in LDAP have been imported, but the passwords (SHA1) in the "User_" table are incorrect.

Any idea?

Regards.
Hi Jonas,
Could you email the fix patch for this feature in 6.0.6 CE for me?
I have a client who wants to use this feature.

Thanks!
@Brian and @Simon, let me generate a new fix patch and test it in 6.0.6. I will come back to you both when the fix patch is ready.

Thanks

Jonas Yuan
@Brian and @Simon, the fix patch for CE 6.0.6 GA 4 is ready. Just tested in 6.0.6 OOB. This feature worked properly.

Could you please drop an email to jonasliferay@gmail.com?

Thus the fix patch can be sent across by email.
Very useful, but I would expect that in case C authentication against the internal database is impossible for imported users, even if this property is set:

auth.pipeline.enable.liferay.check=true

My requirement is: I want to authenticate some local liferay admins with internal database but regular users with ldap or web sso only (and I don't want their passwords in liferay). I would like to know if this patch fully supports this case. Or maybe it needs to be enhanced to achieve that functionality?
Yes, Rafal, your requirements are covered as well.

Which version are you using? LR CE 6.0.6? or EE 6.0 SP1?
Nice to hear from you. I use LR CE 6.0.6, but it is probable that I will need to deal with EE as well.
Great! You can drop an email to jonasliferay@gmail.com, so that I can send across the fix patch for 6.0.6.
Hi Jonas,
Is there a way you could disable the password change feature in Liferay 6.0.6 CE? I do not want users to change their LDAP password through the portal. Let me know. Thanks.
Hi Shuaib,

You can set:

1) LDAP password is not imported.

2) User password is not exported to LDAP.

Do you want the use cases 1), 2) or both?
Regarding Case 1, how do we set it to not import the LDAP password? Would this affect the NTLM Single Sign-On feature? I don't want the users to type in any user ID or password to log in to Liferay. Let me know.

I don't need Case 2 as I don't want the users to save anything back into Active Directory.

Thanks much.
Also, in addition to the above, could you also please reply to the following query I posted in another forum (http://www.liferay.com/community/forums/-/message_boards/message/10738172) for which I got no response. Thanks.

With NTLM enabled on Liferay CE 6.0.6/Windows Server 2003, when I browse to the Liferay portal in Internet Explorer, I get the default login page. I then have to click on the 'Sign In' link at the top right corner of the page in order to get to the welcome page of the logged-in user without entering any user name or password. Is this how Single Sign-On works in Liferay? Isn't there any way to go to the welcome page directly as soon as you enter the Liferay portal URL in your browser? There should be a way to bypass the default login page. Please advise.
Hi Shuaib,

Use case 1: you can set

ldap.import.user.password.enabled=false

in order not to import the LDAP user password in the first place. Then integrate SSO. You would be set.

Use case 2: http://issues.liferay.com/browse/LPS-21138, is it what you need?
Thank you Jonas. Case 1 worked for me.
I'd really appreciate it if you could also reply to my other query regarding SSO. Thanks.
When I have "ldap required" set to false, a user can put in ANY password to authenticate. When I have "ldap required" set to true, then LDAP users cannot authenticate. I have the patch installed... and it doesn't appear to be working like I thought it was. Anyone have any suggestions as to where to start?
Hi @Jonas, I have sent you a mail regarding the AD password import problem in Liferay 6.0.5. If it is not possible in 6.0.5, then please send me the fix patch for 6.0.6. My mail address is tosumon@gmail.com.
Hi Jonas:

I am using Liferay 6.0.6 and Apache DS. I have the following two questions (or issues):
1. Do I need to import users into Liferay to authenticate? Can I configure Liferay to check directly against the LDAP server?

2. While importing, passwords are getting generated by Liferay. Can I keep the same LDAP password (in case import cannot be avoided)?

Thank you.
Shahab
Hi Shahab,

1. Do I need to import users into Liferay to authenticate?
Not required.
Can I configure Liferay to check directly against the LDAP server?
Yes.

2. While importing, passwords are getting generated by Liferay?
There are three options: imported, auto-generated, manually configured.

Can I keep the same LDAP password (in case import cannot be avoided)?
Yes.

Thanks

Jonas
Hello Jonas,
I am working on Liferay 6.0.6 QA.
I have certain clients, but the application is not allowing the AD-integrated login.
Your PATCH will be of great help. I really need this part to be done.
Thanks.
Kindly mail it to me at neel.darji@ril.com.
Thanks a lot.
Hi Neel,

You may drop an email to jonasliferay@gmail.com.

Thanks
Hi Jonas,
I am using 6.1 GA and I have the following scenario:

When I set ldap.import.user.password.enabled=true, and import to false and export to false, when a user successfully logs in via LDAP, they are prompted with a new password screen. I am not sure why this happens, as the password entered here seems to have no effect. The next time the user logs in, only their LDAP password still works.

However, when I set ldap.import.user.password.enabled=false, set ldap.import.user.password.autogenerated=true and set a default new password, I can see the user's account in the database, but authentication fails, and they can't log in either with the LDAP password or the default password. I wonder if this has anything to do with the LDAP password being stored in SSHA and the password in Liferay stored as SHA.

Thank you for any insight you may have!
OK, I figured it out: in the LDAP settings I checked "use LDAP password policy" and now it doesn't prompt for the password any more. I tried to simply disable "change required" in the local password policy, but that simply caused authentication to fail.
I am having no success enabling Active Directory/LDAP authentication with 6.1 GA. I have followed the suggestions here with no success. Here are my settings. Any assistance is appreciated.

ldap.users.dn=OU=Locations,DC=Upcommunications,DC=local
ldap.groups.dn=OU=Groups,DC=Upcommunications,DC=local

ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA
ldap.auth.search.filter=(mail=@email_address@)
ldap.user.mappings=screenName=sAMAccountName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=memberOf\nfullName=cn\nportrait=jpegPhoto
ldap.group.mappings=groupName=cn\ndescription=description\nuser=member
ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=10
ldap.import.user.search.filter=(&(objectCategory=Person)(sAMAccountName=*))
ldap.import.group.search.filter=(objectCategory=Group)
ldap.import.method=user
#ldap.import.method=group
ldap.export.enabled=false
ldap.password.policy.enabled=false

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
Hi Jonas,
I am using Liferay-portal-6.1.0-ce-ga1
My requirements are:
1) AD passwords should not be imported in LR database.
2) User logging in should be authenticated by AD password.

What I have done so far to achieve the requirements:
For requirement number 1)
I have set the below-mentioned properties in my portal-setup-wizard.properties file:
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
By doing so my AD passwords are not getting imported; I am OK with this.

For requirement 2): When an AD user tries to log in with his AD password, authentication fails, but he can successfully log in with the default password (i.e. test).

I don't want this to happen; the user should be authenticated against the AD password.

Please help me with this issue.
Hi Dhiraj,

Please drop an email to jonasliferay@gmail.com for a fix patch.
Hi Dhiraj,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan
Hi Jonas,
Thanks for your post. I am a beginner in Liferay and I have some trouble synchronizing LDAP and the Liferay database.
I have imported users from LDAP with their passwords, but when I change the AD password, the next import (every 10 min) doesn't update the LR database.
How could I fix that, please?
It would be better for me if I could synchronize LDAP and LR only when the user logs in, but I don't know if this is possible.

Thanks in advance
Hi Jonas,

I am also facing the same issue. I am using Liferay portal-6.1.1 CE GA2. My requirement is that users should be authenticated against the AD password.
But I am not able to import users, as I am not able to import the password from AD. I have tried setting these properties in portal-ext.properties:
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=defaultpassword
But it did not work.
Can you please help me?


Thanks,
Sujana
Hi Jonas,
After applying the patch it is still not working. I am not able to import users and I am getting this while testing the import of users from AD:
"The above results include users which are missing the required attributes(screen name,First Name,Last Name,Email Address,Password).The users will not be improted until these attributes are filled in."

It's importing all attributes except the password. How do I import the password? Could you please help me with this issue.

Thanks,
Sujana
Hi Sujana,

It seems that your LDAP mapping settings are incorrect. The following is a sample mapping. Note that the mapping will differ based on your LDAP.

ldap.user.mappings.0=uuid=uuid\nscreenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
Hi Jonas,

Thanks. Users are imported into the database. While authenticating, they are able to log in with any password. I am using a MySQL database. What is the issue here?



Thanks,
Sujana
Thank you for that post Jonas.

I'm trying to set up my Liferay portal so that:
1) Liferay imports users and passwords from LDAP.
2) Liferay exports users and passwords to LDAP. Editing account data and changing the password from Liferay should sync with LDAP.
3) New users can register through Liferay, get an auto-generated password (generated by Liferay) and an email to their account.

I've managed to do the first two, but I can't do the 3rd. Users will be given the auto-generated password, but it's not exported to LDAP, so they can't log in using their temporary password. So the first log in will not work.

What configuration do I need in order to export the auto-generated password to LDAP?

Thanks in advance
Yannis
Hi Jonas,

I tried to implement the solution provided above, but it's still not working and is storing the passwords in clear text in the Liferay database. I am using 6.0.6 CE.

I see you have provided the fix to @Brian and @Simon [in the above link].

Could you please also provide the same fix to me? I have dropped you an email [jonasliferay@gmail.com] for the same as well.

Thanks & Regards,
Amit
Hello,

How can a user modify his password from his Liferay account?

Indeed, Liferay asks for the current password and checks it against its value in the database. But passwords are not imported from Active Directory, so the check fails systematically.

Is there a particular configuration to do this?

Liferay 6.0.6 (or 6.1) - Active Directory

Thanks,
Fred
Hi Frederic,
You can allow access to the "Forgot Password" link on the sign-in page. In that case, users can request a new password by email.
Don't forget that you have to provide your mail protocol information (SMTP) in Control Panel --> Server Administration --> Mail.
Please let us know if this helps.