Hervé Ménage
Exporting users' password to LDAP is not working
August 23, 2009 10:48 PM

Hi everybody,

Please have a look at this issue: http://issues.liferay.com/browse/LPS-4608

The problem is that a user's password is not exported to LDAP when he is created. As I perform authentication on LDAP, created users cannot log in to Liferay.

In the process of creating a user, either from the Control panel, by self-registration or by using the web services, the UserLocalServiceImpl proceeds as follows:
- Create the user object in Liferay DB
- Create the contact object in Liferay DB
- The Default ContactListener hook exports the contact to LDAP (I would have expected that the user is exported, not the contact)

I did not find a good way to create a hook to export the user password to LDAP:
- Using a User model hook "onAfterCreate" is not working, as the contact is not exported yet to LDAP when the method gets called: it generates an error

In my humble opinion, the password should be exported by the UserLocalServiceImpl.

Liferay's team answer (Amos Fong's comment on the issue, 21/Aug/09 05:34 PM):
Hi Hervé, Actually when it goes to exportContact, it will(should) export all the user attributes including password. However the variable passwordUnencrypted because that field isn't stored in the database...

So these lines in LDAPUser.java are essentially never run

    if (Validator.isNotNull(_user.getPasswordUnencrypted())) {
        _attrs.put(
            userMappings.getProperty("password"),
            _user.getPasswordUnencrypted());
    }


My reply:
Thank you for the clarification. I understand and agree with the security reason for which the unencrypted password is not stored in the DB. However, as the encrypted one is not (should not be) exported to LDAP, something is missing.

Moreover, you are mentioning the Contact object. Password is a User attribute, and it is exported to LDAP by the UserListener hook. In hooks, at least when I create mine, the unencrypted password is not null.

It looks like there is a kind of confusion between User and Contact in the design and in the Contact/User lifecycle, isn't there?

From a design point of view, I would suggest separating the User and Contact export processes:
- User object should be exported to the security user directory (identification, authentication, and why not externalized authorizations). It is the minimal requirement to sign in to Liferay
- Contact object should be exported to a user directory, which could be the internal DB, the LDAP if it is used as such (common usage of Domino Address Book), or, even more valuable, any repository such as a CRM system (which is my current challenge)

Finally, the user lifecycle is not handled 100%: when a user is deleted from Liferay, it is not deleted from LDAP. Thus it is imported again automatically.
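As an added example (not Liferay's code and not written by the thread's participants), the following Java program models the behaviour Amos Fong's comment describes: a cleartext password that is never persisted is null on any copy of the user loaded back from the DB, so an export run at that point silently omits the password attribute, whereas an export built from the object the service layer still holds includes it. The `User`, `persist`, `reload`, `buildLdapAttributes` and `exportsCredential` names, the in-memory map standing in for the DB, and the `uid`/`userPassword` mappings are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

// Added example, not Liferay code: models why an LDAP export that runs after
// the user has been persisted never sees the cleartext password, while an
// export done from the in-memory object in the service layer does.
public class PasswordExportDemo {

    // Hypothetical user model. The hashed password is a persisted column;
    // the cleartext password lives only in memory for the current request.
    static class User {
        final String screenName;
        final String passwordHash;          // stored in the DB
        final String passwordUnencrypted;   // never stored in the DB

        User(String screenName, String passwordHash, String passwordUnencrypted) {
            this.screenName = screenName;
            this.passwordHash = passwordHash;
            this.passwordUnencrypted = passwordUnencrypted;
        }
    }

    // Simulated persistence layer: only persisted columns survive the round
    // trip, so a reloaded entity always has passwordUnencrypted == null.
    static final Map<String, User> DB = new HashMap<>();

    static void persist(User user) {
        DB.put(user.screenName, new User(user.screenName, user.passwordHash, null));
    }

    static User reload(String screenName) {
        return DB.get(screenName);
    }

    // Hypothetical attribute builder mirroring the quoted LDAPUser.java logic:
    // the password attribute is added only when the cleartext is present
    // (the same condition the quoted Validator.isNotNull check expresses).
    static Map<String, String> buildLdapAttributes(User user, Properties userMappings) {
        Map<String, String> attrs = new HashMap<>();
        attrs.put(userMappings.getProperty("screenName"), user.screenName);
        if (user.passwordUnencrypted != null && !user.passwordUnencrypted.trim().isEmpty()) {
            attrs.put(userMappings.getProperty("password"), user.passwordUnencrypted);
        }
        return attrs;
    }

    // Check a service or listener can run before writing to the directory:
    // an entry without a credential is exactly the "created users cannot
    // log in" situation described in the thread.
    static boolean exportsCredential(Map<String, String> attrs, Properties userMappings) {
        return attrs.containsKey(userMappings.getProperty("password"));
    }

    public static void main(String[] args) {
        Properties mappings = new Properties();
        mappings.setProperty("screenName", "uid");
        mappings.setProperty("password", "userPassword");

        // Constructed sample user; the hash is a placeholder, not a real digest.
        User created = new User("jdoe", "<hash-placeholder>", "example-cleartext");
        persist(created);

        // Path 1: export from the object the service layer still holds.
        Map<String, String> fromService = buildLdapAttributes(created, mappings);
        // Path 2: export from the copy a post-persist listener would receive.
        Map<String, String> fromListener = buildLdapAttributes(reload("jdoe"), mappings);

        System.out.println("service-layer export carries password: "
                + exportsCredential(fromService, mappings));
        System.out.println("post-persist listener export carries password: "
                + exportsCredential(fromListener, mappings));
    }
}
```

Running the program shows the two paths diverge only on the password attribute: the service-layer export passes `exportsCredential`, the post-persist one does not. A check of that shape, placed wherever the directory entry is actually written, turns the silent omission into a detectable failure instead of a user who cannot sign in.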