Keith Freeman
LDAP credentials problem
July 31, 2012 12:30 PM
Rank: New Member

Posts: 11

Join Date: October 12, 2010

I'm using 6.1 CE, and have configured the authentication to use my LDAP (Active Directory) with the new password import suppression feature set in my portal-ext.properties:

# Set this to true if the portal does import LDAP user's password.
# Set this to false if the portal does not import LDAP user's password;
ldap.import.user.password.enabled=false

# Set this to false if LDAP user's password is not auto-generated;
# This property is in use only if the property ldap.import.user.password.enabled is set to false.
ldap.import.user.password.autogenerated=false

# use default password as LDAP user's password: $SCREENNAME$, $USERID$, $EMAILADDRESS$, or plain text.
# This property is in use only if the property ldap.import.user.password.enabled is set to false
# and the property ldap.import.user.password.auto-generated is set to false, too.
ldap.import.user.password.default=fake-password

Since I don't want Liferay to use the local password ("fake-password"), I also turned off local password checking:

#
# Set this to true to enable password checking by the internal portal
# authentication. If set to false, you're essentially delegating password
# checking is delegated to the authenticators configured in
# "auth.pipeline.pre" and "auth.pipeline.post" settings.
#
auth.pipeline.enable.liferay.check=false

This seems to work: users can use their LDAP id/passwords to log in and no passwords are stored in the Liferay DB. But when I log in, I get this error in the log every 30 seconds:

19:26:28,516 ERROR [PollerRequestHandlerImpl:342] Invalid credentials for company id 10154 and user id oLRPM1emoticonhY4=

I looked at the class but I'm no Liferay expert so I can't tell what its purpose is.

Do I have to worry about this error? Is there anything I should do to prevent it?
Amit Doshi
RE: LDAP credentials problem
August 1, 2012 5:49 AM
Rank: Liferay Master

Posts: 543

Join Date: December 29, 2010

Hi Keith,

In order to authenticate strictly with LDAP only, you have to set the properties below.

ldap.auth.enabled=true
ldap.auth.required=true

Only then will it bind strictly with LDAP.

Please check this and then try LDAP authentication. One more thing: leave the other properties as they are (Liferay defaults) if you don't need them.

Thanks & Regards,
Amit Doshi
Subhasis Roy
RE: LDAP credentials problem
August 1, 2012 6:07 AM
Rank: Regular Member

Posts: 223

Join Date: January 19, 2012

I did the LDAP authentication of Liferay with the help of a CAS server.

I agree with Amit that you need to set those keys in your portal-ext.properties file. But if you don't want to set up those entries, then you have to set up the LDAP authentication properly from Control Panel -> Portal Settings -> Authentication -> LDAP.

Can you please paste a few more lines from your log file, so that it gives a better idea of the problem you are facing?
Keith Freeman
RE: LDAP credentials problem
August 1, 2012 8:58 AM
Rank: New Member

Posts: 11

Join Date: October 12, 2010

Thanks for the reply. I do have those settings in my portal-ext.properties (below). I've got all of my LDAP settings in there, and as I mentioned the LDAP authentication is working. The problem is those errors in the log -- they don't seem to have any effect on use of Liferay, but indicate that something is wrong, right?

ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url.0=ldap://server.local:389
ldap.base.dn.0=ou=xx3,dc=xx3,dc=local
ldap.security.principal.0=user@server.local
ldap.security.credentials.0=password
ldap.referral=follow

ldap.auth.enabled=true
ldap.auth.required=true

ldap.page.size=1000
ldap.range.size=1000

ldap.auth.method=bind
#ldap.auth.method=password-compare

#ldap.auth.search.filter=(mail=@email_address@)
ldap.auth.search.filter.0=(&(objectCategory=person)(sAMAccountName=@screen_name@))

ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer

ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=
ldap.user.default.object.classes.0=top,person,inetOrgPerson,organizationalPerson
#ldap.user.mappings=uuid=uuid\nscreenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.user.mappings.0=uuid=uuid\nscreenName=sAMAccountName\npassword=userPassword\nemailAddress=userprincipalname\nfirstName=givenName\nlastName=sn\njobTitle=\ngroup=memberOf
ldap.user.custom.mappings.0=
ldap.group.default.object.classes.0=top,groupOfUniqueNames
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember

ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=60
ldap.import.user.search.filter.0=(objectClass=person)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)
ldap.import.method=user
#ldap.import.method=group
ldap.import.create.role.per.group=false

ldap.export.enabled=false
ldap.users.dn.0=ou=is3,dc=is3,dc=local
ldap.groups.dn.0=ou=is3,dc=is3,dc=local

ldap.password.policy.enabled=false

ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=fake-password
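
An added example, not part of the post above and not Liferay code: a small audit of a portal-ext.properties for the property combinations this thread turns on (a shared static local password that the internal check could accept, no authenticator that is required to succeed, and LDAP binds over plain ldap://). The default values, the three rule names and the sample input are assumptions of this example.

```python
# Added example, not Liferay code. DEFAULTS and the rule names are assumptions;
# check them against the portal.properties shipped with your version.
DEFAULTS = {
    "auth.pipeline.enable.liferay.check": "true",
    "ldap.auth.enabled": "false",
    "ldap.auth.required": "false",
    "ldap.import.user.password.enabled": "true",
    "ldap.import.user.password.autogenerated": "false",
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    props = {**DEFAULTS, **parse_properties(text)}
    def on(key):
        return props[key].lower() == "true"
    ldap_strict = on("ldap.auth.enabled") and on("ldap.auth.required")
    static_pw = (not on("ldap.import.user.password.enabled")
                 and not on("ldap.import.user.password.autogenerated"))
    findings = []
    if static_pw and on("auth.pipeline.enable.liferay.check") and not ldap_strict:
        findings.append("SHARED_LOCAL_PASSWORD")  # one stored password for all imported users
    if not on("auth.pipeline.enable.liferay.check") and not ldap_strict:
        findings.append("NO_REQUIRED_PASSWORD_CHECK")  # no authenticator is required to succeed
    for key, value in sorted(props.items()):
        if key.startswith("ldap.base.provider.url.") and value.lower().startswith("ldap://"):
            findings.append("CLEARTEXT_LDAP:" + key)  # bind is unencrypted unless StartTLS is used
    return findings

# Constructed sample built from the property values quoted in the thread.
THREAD_CONFIG = """
ldap.base.provider.url.0=ldap://server.local:389
ldap.auth.enabled=true
ldap.auth.required=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=fake-password
auth.pipeline.enable.liferay.check=false
"""
WEAKER_VARIANT = THREAD_CONFIG.replace("ldap.auth.required=true", "ldap.auth.required=false")
if __name__ == "__main__":
    print(audit(THREAD_CONFIG), audit(WEAKER_VARIANT), sep="\n")
```

LDAP settings saved under Control Panel -> Portal Settings -> Authentication -> LDAP are stored in the database rather than in this file, so a clean result here covers the file only.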
Keith Freeman
RE: LDAP credentials problem
August 1, 2012 12:18 PM
Rank: New Member

Posts: 11

Join Date: October 12, 2010

This problem has disappeared in CE 6.1.1-ga2.