raghu N M
LDAP and Liferay Setup
September 13, 2012 11:05 AM

Just want to share the trouble I have faced and the steps I took to resolve it. Using AD as the LDAP setting in Liferay offers different challenges. With careful setup it is possible to import more than 8K users in 6 minutes without overloading the server. The steps below explain how to configure AD in Liferay. I have implemented these steps successfully in 6.0 SP2, 6.1 GA1 and 6.2 GA2.

Go to Control Panel --> Authentication --> LDAP and click the ADD button.
Configuring the AD server:
Fill in an appropriate Server Name, select Microsoft Active Directory Server,
and add values to

Connection

a. Base URL - ldap://<server>:3268
b. Base DN - <value> dc=<values>,dc=<values>
c. Principal - AD admin user
d. Credentials - AD admin password
Click on Test LDAP Connection. If the popup window shows "Liferay has successfully connected to the LDAP server" then you're good to go; otherwise contact your AD admin.

Users

Authentication Search Filter: use a unique value from AD as the authentication filter. The default is the email address: (mail=@email_address@)

Import search filter: This is the tricky part. Liferay looks for Screen Name, First Name, Last Name and email address for every AD entry, and it throws an exception if it fails to find them. If some of this information is missing in AD and is not needed in Liferay, apply filters; otherwise it slows down the server and fills up the log files. I used the entry below:
(&(objectClass=user)(mail=*)(sn=*)(givenName=*))

User Mapping

Screen Name - sn
Password - userPassword
Email Address - mail
Full Name - givenName sn
First Name - givenName
Middle Name -
Last Name - sn
Job Title - title
Portrait -
Group -
UUID -

Click on Test LDAP Users. The popup window shows about 20 entries, with all columns filled in.
Configuring Groups
Import search filter - (objectClass=group)
Group Name - cn
Description - description
User - member

Click on Test LDAP Groups. The popup window shows entries from AD. If you're relying on AD groups I would recommend working with your AD admin.

SAVE the configuration.

Go to Control Panel --> Authentication --> LDAP and check Enabled, Import Enabled and Import on Startup Enabled.

Restart the server; it will take some time to import all the users. Repeat the process if you have any AD child domains.

These steps will give a clean AD import. If you see any errors like missing screen name, missing first name, last name or email address, that means you have not set the filters properly. Make the necessary corrections and restart the server.

How to avoid the duplicate screen name exception:
AD has a default rule that copies the last name as the screen name, but Liferay considers it a unique entity. If you're not using NTLM, there is a workaround to stop all the exceptions.
In your portal-ext.properties enable the properties below.
users.screen.name.always.autogenerate=true
users.screen.name.validator=com.liferay.portal.security.auth.LiberalScreenNameValidator