Dear Friends,

I want to integrate Liferay 4.2 (JBOSS+Tomcat) with Active Directory Server.

I read the developer guide and did accordingly. I gave the active directory details and saved. But am not able to authenticate the users from active directory.

BTW, I was successfull in integrating Liferay 4.0.2 with Active Directory with small code tweaking in the class
com.liferay.portal.security.auth.LDAPAuth.

Kindly let me know if any of you had gone through similar scenarios.


Thanks in adavance.


Regards
Sharmiq.K

I integrated AD in LR 4.1.2.
Try to map email to userprincipalname and userid to sammaccountname. This should work.

Dear Ebeling,

Thanks for your response.

I tried the same. But no luck.

The following are my settings.

Base Provider URL : ldap://192.168.20.20:389

Base DN :

Principal : CN=Administrator,CN=Users,DC=daralshifa,DC=com

Credentials : ******************


Enter the search filter that will be used to test the validity of a user. The tokens @company_id@, @email_address@, and @user_id@ are replaced at runtime with the correct values.

(&(objectCategory=person)(sAMAccountName=@user_id@))

If the user is valid and the user exists in the LDAP server but not in Liferay, the user will be synchronized from the LDAP server to Liferay. Below is a mapping of Liferay attributes and the pair name used to populate the Liferay field from LDAP.

fullName=cn
userId=sAMAccountName
emailAddress=userprincipalname


Looking forward to your help.

regards
Sharmiq.K

try to set base-dn to DC=daralshifa,DC=com

Thanks Ebeling, It worked with small code change.

hi folks,

actually i try to do the same . as you i try to combine liferay 4.2.1 with an active directory.
if i try to set the checkbox "enable" in the portlet for authentication i allways get the message: Failed to bind to the LDAP server with given values.
so i hope you can give me a hint. here are my informations which my admin gave to me for the testsystem:
____________________________________

Root: Administrator
Pass: ******
Host-IP: 192.168.1.85
Host-Name: howe-server
DNS-Suffix: semnet.oio.de
WinDNS: SEMNET or "semnet.oio.de"

__________________________________

i inserted as follows to the portlet:

Base Provider URL: ldap://192.168.1.85:389
Base DN : dc=semnet.oio,dc=de
Principal : cn=Administrator
Credentials : ******
____________________________________

best regards,

ben

Hi Ben,
I think you have to use the full distinqueshed name for yout principal.
Something like cn=Administrator,ou=Users,dc=semnet.oio,dc=de.

Good luck.

Jörn

hi Jörn,

i have tried this too, but even this do not work. the same error occures. i guess it could be a problem with the active d itself because this is just a small test active d which my sysadmin provides so me.

i made some extra tries to connect. some other looked like:
__________________________________

i inserted as follows to the portlet:

Base Provider URL: ldap://192.168.1.85:389
Base DN : dc=semnet.oio,dc=de
Principal : ccn=Administrator,ou=Users,dc=semnet.oio,dc=de
Credentials : ******
____________________________________

as i said this fails too.

thanks, ben

are you able to connect with this details with another application (an ldapbrowser e.g.)?

i havent tryed, but i ll do so, which application would you propose to me. www.jxplorer.org as in the flash demo of liferay ?


best regards,

ben

I'm using Softerra LDAP Browser.

http://www.ldapbrowser.com/download.htm

hi jörn,

thanks for your responses, i ll try this browser as soon as possible.


best regards,

ben

back again ,

i have used your preferred ldap browser to access the test active directory, but actually this system is not as expected. the ldap browser is able to connect to the active d wit the following informations:

ldap://192.168.1.85:389
base dn: DC=semnet,DC=oio,DC=de
principal :cn=Adminstrator,c=Users,DC=semnet,DC=oio,DC=de
credentials: whatever

_________
,but the main difference to the example ldaps which are delieverd with the browser by default is, that i am not possible to extend the tree view in the side navigation which is working for the example ldaps which come with the application. so i guess that my active d is missing a setting to allow the access as expected. because liferay is still not able to connect to the active d with this settings and i only can see some "header" informations regaring my test system.
have you any idea?

best regards,

ben

back,

now i can see the structure.... and i am connect to the ldap with my liferay .
so what have i done? nothing just 100 time clicked in liferay "save"

so active directory is a tool for sysadmins.

thanks for your support.

ben

Hi Benjamin and all,

I am trying to connect my Liferay 4.2.1 with AD but no success,

This is my configuration:
================================================
Base Provider URL : ldap://10.20.*.*:389
Base DN : DC=kaioaprueba,DC=com
Principal : CN=Administrador,CN=Users,DC=kaioaprueba,DC=com
Credentials : **********

Enter the search filter that will be used to test the validity of a user. The tokens @company_id@, @email_address@, and @user_id@ are replaced at runtime with the correct values.

(&(objectCategory=person)(sAMAccountName=@user_id@))

If the user is valid and the user exists in the LDAP server but not in Liferay, the user will be synchronized from the LDAP server to Liferay. Below is a mapping of Liferay attributes and the pair name used to populate the Liferay field from LDAP.

fullName=cn
userId=sAMAccountName
emailAddress=userprincipalname
================================================
Using JXplorer I have got to connect with these parameters and Liferay tells me "Your request processed successfully" meaning that the bind is correct. I don't know if it is necessary to modify LDAPAuth.java, if it is necessary to select the algorithm in the checkbox...

Can you help me out please?

Thanks.

Most likely the problem is this:



Is your portal configured to log in with userid or e-mail address? If it's e-mail address, you'll want to replace 'sAMAcountName=@user_id@' with 'mail=@email_address@'. If you're logging in with a user id, then you need to make sure that the value that you're entering in the userid field of the login screen matches the 'sAMAccountName' defined in AD, or choose a different AD attribute that corresponds to the value the user will enter in the user id field.

This was a handy reference for figuring out Active Directory attributes.

Hope this helps.

Elisabeth

hi pipe,

for my case i have not edited the fields in the box after changing the auth mechanism to active directory. means i just selected active directory from the dropdown menu and filled in my credentials as written above.
after saving the inserted values i tried to login with my admin and the user contract of the portal occures to accept the licence agreement and after accepting i was successfully logged in.
there are two questions regarding the config you re trying to use for your active directory.

a) are you sure that your active directory is the main domain controller, means are there really the users your looking for?
in my cae my active directory was responsible for a subdomain called semnet. see my config above.

b) i used the c for users in my principal :cn=Adminstrator,c=Users,DC=semnet,DC=oio,DC=de, compared to your principal cn=Users, but i am not a sysadmin so perhaps you should ask your admin or use the link which was posted by elisabeth.


best regards,

ben

Thanks to all for your fast answers!

I have got to bind and authenticate Liferay with my AD. My mistake was that I was mapping "mail=@email_address@" without having mail defined in AD, so I used "userPrincipalName=@email_address@" and it worked!

regards

Felipe

there's one think you should care about if you are integrating AD:
in liferay the userid cannot be changed. If you map the AD samaccountname to liferays userid you have to create a new user if the samaccountname has to be changed in your directory. (e.g. marriege)

I'm using objectguid as userid and I've enabled login via email. As I want the people to login with there username and not with email-Adress I'm not mapping email to email but the ad's userprincipalname. This is always sammaccountname@domain.ads. I modified liferays login to add "@domain.ads" to the users submitted username.

If you have to change the sammaccountname in ad, you can easily update the liferay email adress of this user and the user can login with his new username as the old user.

Hi,

now I have to bind an external AD with another Liferay portal (both are in a LAN) but I'm can't access to the AD information. They only have provided me the IP, the domain name (type dc=enterprise,dc=com), and one administrator user /password. My question is: Do they have to provide me more information (such as the folder that contain this user, the atributte of this user...)?

I am accesing with CN but also can be UID,SN and others to refer the user, am I right?

Any success for binding with the ldap, could you give me some light on this?

regards

hi sharmiq,

I'd like to know which "small code changes" have you done to get the authentication work with AD.Have you modified the LDAPAuth.java?

I can bind with the AD but not authenticate. In the filter I have what is by default: (sAMAccountName=@user_id@) and in the General Tab I have "authenticate by user", is it ok?

thanks on advance

he guys,

so actually i can successfully authenticate my domain users to the active directory. some questions are remaining:
1. how can i manage that a domain user which accesses the portal the first time must not "accept" the contract - means that the contract is automatically accepted ?
System Liferay 4.2.2.

2. if i try to enable the automatic ldap importer which can be configured as descriped in the liferay wiki http://wiki.liferay.com/index.php/LDAP i always getting exceptions like:

12:00:17,653 ERROR [LDAPImportUtil:60] Error importing LDAP users and groups
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=schulung,dc=oio,dc=de'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at com.liferay.portal.security.ldap.LDAPImportUtil.importLDAP(LDAPImportUtil.java:218)
at com.liferay.portal.security.ldap.LDAPImportUtil.importLDAP(LDAPImportUtil.java:150)
at com.liferay.portlet.admin.job.LDAPImportJob.execute(LDAPImportJob.java:70)
at org.quartz.core.JobRunShell.run(JobRunShell.java:195)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)

can give me somebody a hint regarding point 2 ?
my actual configuration(see code snippet) of the portal.properties in the portal-ejb.jar looks like
##
## LDAP Import
##

ldap.import.enabled=true
ldap.import.on.startup=false
ldap.import.method=user

#
# Enter time in minutes. This is how often the importer will synchronize
# with LDAP. This property is portal wide. Company override will be ignored.
#
ldap.import.interval=10

ldap.import.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.import.base.provider.url=ldap://testsystem:389
ldap.import.base.dn=dc=schulung,dc=oio,dc=de
ldap.import.security.principal=cn=coachingadmin,cn=users,dc=schulung,dc=oio,dc=de
ldap.import.security.credentials=whatever
ldap.import.search.filter=(objectClass=organizationalPerson)
ldap.import.user.mappings=fullname=cn\npassword=userPassword\nemailAddress=userprincipalname
\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.import.group.mappings=groupName=cn\ndescription=description

additional infos:
1. the groupMembership,title in my active directory is empty
2. i changed the objectClass from inetOrgPerson to organizationalPerson because the inetOrgPerson i haven't found as attribute of my users in the testsystem.


best regards,

ben

he all,
i got the importer run. but the users and group which are imported are not associated with each other. so is there a possibility to configure the importer in my liferay 4.2.2 setting the user groups of the active directory to the imported users during import?

best regards,
ben

got it.

best regards,
ben