Hi All,

Our team has developed a user profile portlet to read and edit user data stored in LDAP. Is there a best practice to integrate this with Liferay?

The LDAP user data is being assigned to both pre-defined and custom user fields.

Currently we have custom LDAP services in place to read and update since the LDAP import/export provided OOTB occurs only upon specifed events such as login. I am worried about data consistency between the Liferay DB and LDAP so if there is a way to build the needed functionality on top of the LDAP features this may be more desirable.

Thanks.

Well, you're now stuck between a rock and a hard place...

When the LDAP is enabled in Liferay, Liferay will bind to LDAP using the user's credentials to ensure they have access, but the lookup of the LDAP info to use comes from Liferay's database which is populated via the LDAP import.

Basically the path you're on, you'd need to disable the LDAP import/export and, when you're pushing to LDAP, also use Liferay's API to update the user records.

Unfortunately, I think there is a flag that is stored on the User object which indicates if they come from LDAP or not (this is set during the LDAP import). So if you create a new user, they would not have been imported from LDAP and, even though the user may also be defined in LDAP, the auth mechanism may not try to bind to LDAP to validate a user.

It may be better to leave the Liferay import in place (so authentication happens correctly) and acknowledge that there may be inconsistencies between the Liferay user and LDAP. As long as you treat LDAP as the master (disable the LDAP export and only do your user mods in your LDAP portlet), you shouldn't have any problem as the delayed sync will, eventually, occur in a JIT fashion (as long as LDAP is updated when the user is logging in, their info and access will be up-to-date before they actually get into the system).

wrt OOTB import, I suspect you have looked at following properties:

ldap.import.on.startup
ldap.import.interval

Sounds to me like you might want to let Liferay import on login, startup, interval ; and turn off export ; and let your portlet do the update to LDAP

And aside from worry ; are you seeing a specific problem with what you have tried ?

I am already seeing some issues with reading stale data so I wanted to get some input on best practices.

Definitely stuck in a pretty hard place - authentication is actually handled by CAS external to Liferay as we have multiple portals on different platforms. It makes sense for our solution however this has been a pain point for multiple Liferay features that require authentication.

It sounds to me like LDAP master with import on login will be the most sound approach. If we receive an update success response from LDAP call the Liferay updates user information and it should be set as we use user data in other portlets (rather than setting an import interval and hoping that it has hit when using the user data).

Thanks for the input.