sadish ravi
Ldap import user password enabled not working as expected
19 April 2012 09:18

Rank: New Member

Posts: 2

Join Date: 19 April 2012

Hi,

I am trying to do auth using LDAP in Liferay, and I would like to use only LDAP as auth and not do a second auth against Liferay. Also, I do not want to import user passwords into Liferay. I am using Liferay 6.1 CE.

My settings:
#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Enable the below setting for enabling LDAP referral follow
#ldap.referral=follow

# LDAP connection settings
ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret

# enable/disable liferay authentication
auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth

# Set below property to false to disable ldap auth
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind

# LDAP import properties
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10

# LDAP Export properties
ldap.export.enabled=false
ldap.export.group.enabled=false

ldap.auth.search.filter.0=(mail=@email_address@)

# Provide mapping for the 5 mandatory LDAP attributes for liferay to authenticate with LDAP
# other attributes jobTitle=title, group=groupMembership
ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=

# Attributes to skip
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn

# Search filters for users and groups. These properties apply only when ldap.import.enabled is true
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)

# password policy
ldap.password.policy.enabled=true
# setting this to false will make sure LDAP user password is not imported to the portal
ldap.import.user.password.enabled=false
# autogenerate user passwords in case the import password property is false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test


When I set ldap.import.user.password.enabled=false, I found that in the LDAPAuth class, the authenticate function checks for (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED), and only if it's set to true does it do password verification for the user; otherwise it skips the block, and hence I am able to log in with the user email and any random password, and it works.

Please let me know if there is a fix for this, or whether I can extend the LDAPAuth class to fix it myself. If so, let me know how that can be done.
Jonas Yuan
RE: Ldap import user password enabled not working as expected
20 April 2012 06:47

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

This new feature should be available in 6.1 by default.

No customization is needed. Refer to the blog post "Keeping user password secure with LDAP integration".

Hope that it helps,

Thanks

Jonas Yuan
sadish ravi
RE: Ldap import user password enabled not working as expected
20 April 2012 11:17

Rank: New Member

Posts: 2

Join Date: 19 April 2012

Hey Jonas,

I have tested it a couple of times today. All cases work fine, except that when I set
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password


Liferay is not authenticating the LDAP password. I am able to log in with the email and any password combination, and the user gets imported to Liferay with the default password of 'password' that's set above.

My entire settings
terms.of.use.required=false
users.reminder.queries.enabled=false

#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#ldap.referral=follow


ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret

auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth


ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method= password-compare

ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm.types=MD5

ldap.import.group.cache.enabled=false


ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10

ldap.export.enabled=false
ldap.export.group.enabled=false

ldap.auth.search.filter.0=(mail=@email_address@)


ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=

#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn

ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)

ldap.password.policy.enabled=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password



As I sent you a mail, I feel this section of code is what is bypassing the password check in case the property is false.
In the class LDAPAuth.java, I could see that the below check, which calls another authenticate method for LDAP password verification, is not getting executed.
And hence I am able to log in with any LDAP password, just that the account should exist. Also, I have turned off Liferay auth.

protected int authenticate(long companyId, long ldapServerId, String emailAddress,
        String screenName, long userId, String password)
// ... (code omitted in the post)

    // The LDAP password check below runs only when the import-password flag is true
    if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
        ldapAuthResult = authenticate(
            ldapContext, companyId, attributes, fullUserDN,
            password);

        // Process LDAP failure codes

        String errorMessage = ldapAuthResult.getErrorMessage();

        if (errorMessage != null) {
            if (errorMessage.indexOf(PrefsPropsUtil.getString(
                    companyId, PropsKeys.LDAP_ERROR_USER_LOCKOUT))
                        != -1) {

                throw new UserLockoutException();
            }
            else if (errorMessage.indexOf(PrefsPropsUtil.getString(
                    companyId, PropsKeys.LDAP_ERROR_PASSWORD_EXPIRED))
                        != -1) {

                throw new PasswordExpiredException();
            }
        }

        if (!ldapAuthResult.isAuthenticated() &&
            PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {

            return FAILURE;
        }
    }
// ... (code omitted in the post)


Thank you

Sadish
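
The control-flow problem described in the post above, reduced to a self-contained Java model. This is an added example, not Liferay source code and not the fix patch mentioned in this thread; the in-memory directory, the sample user, and the names verifyAgainstDirectory, authenticateAsQuoted and authenticateDecoupled are assumptions made for illustration.

```java
import java.util.Collections;
import java.util.Map;

// Added example: a reduced model of the quoted control flow, not Liferay code.
public class LdapAuthGateDemo {

    static final int SUCCESS = 1;
    static final int FAILURE = -1;

    // Constructed stand-in for the LDAP directory (e-mail -> password).
    static final Map<String, String> DIRECTORY =
        Collections.singletonMap("jane@example.com", "correct-horse");

    // Hypothetical stand-in for the bind / password-compare call against LDAP.
    static boolean verifyAgainstDirectory(String email, String password) {
        return password != null && password.equals(DIRECTORY.get(email));
    }

    // Same shape as the quoted snippet: the check only runs when the
    // import-password flag is true, so flag=false means "no check at all".
    static int authenticateAsQuoted(String email, String password, boolean importPassword) {
        if (!DIRECTORY.containsKey(email)) {
            return FAILURE; // the account has to exist
        }
        if (importPassword) {
            if (!verifyAgainstDirectory(email, password)) {
                return FAILURE;
            }
        }
        return SUCCESS;
    }

    // Decoupled shape (assumption, not the thread's fix patch): always verify;
    // the flag may only influence what is stored locally after success.
    static int authenticateDecoupled(String email, String password, boolean importPassword) {
        if (!DIRECTORY.containsKey(email)) {
            return FAILURE;
        }
        if (!verifyAgainstDirectory(email, password)) {
            return FAILURE;
        }
        return SUCCESS;
    }

    public static void main(String[] args) {
        String user = "jane@example.com";
        for (boolean flag : new boolean[] {true, false}) {
            for (String pw : new String[] {"correct-horse", "anything"}) {
                System.out.printf("import=%-5b password=%-13s quoted=%2d decoupled=%2d%n",
                    flag, pw, authenticateAsQuoted(user, pw, flag),
                    authenticateDecoupled(user, pw, flag));
            }
        }
        // Regression property worth pinning in an integration test:
        // a wrong password must fail whatever the import flag says.
        for (boolean flag : new boolean[] {true, false}) {
            if (authenticateDecoupled(user, "anything", flag) != FAILURE) {
                throw new AssertionError("wrong password accepted, import flag=" + flag);
            }
        }
    }
}
```

The same wrong-password check, run against a test portal with ldap.import.user.password.enabled set to false, is a quick way to confirm whether a given build or patch still has the behaviour reported here.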
Jonas Yuan
RE: Ldap import user password enabled not working as expected
23 April 2012 14:09

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi sadish

It seems there is a bug related to this new feature.

Could you please grant LDAP access? Thus I may be able to narrow down the bug and generate a fix.

Thanks

Jonas Yuan
Jonas Yuan
RE: Ldap import user password enabled not working as expected
26 April 2012 22:48

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Sadish,

There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately, I have generated a fix patch. With the following settings and the fix patch, the feature works as expected:

ldap.import.user.password.enabled=false

ldap.import.user.password.autogenerated=false

ldap.import.user.password.default=test


Drop me an email if you still need this feature and the fix patch.

The fix patch for 6.0 is also available.

Thanks

Jonas Yuan
Salvador Baena
RE: Ldap import user password enabled not working as expected
14 May 2012 07:13

Rank: New Member

Posts: 11

Join Date: 10 May 2012

Hi Jonas,

I'm using version 6.1 and I have the same problem.
Could you tell me where to download the fix patch and how to install it?

Thank you very much
Best Regards
Jonas Yuan
RE: Ldap import user password enabled not working as expected
14 May 2012 15:27

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Salvador,

You may drop an email to jonasliferay@gmail.com. I could send you the patch by email.

Thanks

Jonas Yuan
Manuel Hoyos
RE: Ldap import user password enabled not working as expected
10 June 2012 22:48

Rank: Junior Member

Posts: 42

Join Date: 10 June 2012

Hi Jonas,

I have the same problem, but I'm working in Liferay 5.0.2. Is it possible to fix it?

Thanks
Jonas Yuan
RE: Ldap import user password enabled not working as expected
11 June 2012 11:10

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Manuel Hoyos

Yes, it is possible.

Is there any reason that you did not use 6.1 CE?

Thanks

Jonas Yuan
Manuel Hoyos
RE: Ldap import user password enabled not working as expected
11 June 2012 22:44

Rank: Junior Member

Posts: 42

Join Date: 10 June 2012

For now, our corporate intranet is on version 5.0.2. The change is in progress, but we hoped to fix the problem in this version.

Thanks
Jonas Yuan
RE: Ldap import user password enabled not working as expected
19 June 2012 15:53

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

It is possible to generate a fix patch for 5.0.2. But it requires special care.

Is it urgent for you?

Thanks

Jonas Yuan
Manuel Hoyos
RE: Ldap import user password enabled not working as expected
19 June 2012 22:51

Rank: Junior Member

Posts: 42

Join Date: 10 June 2012

Thanks for the reply,

It is urgent to know the answer, to assess its cost and the risk of applying it.

Thanks again and best regards
Jonas Yuan
RE: Ldap import user password enabled not working as expected
20 June 2012 11:56

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Manuel,

Could you please drop an email to jonasliferay@gmail.com?

Hope that a fix patch could be available on an urgent basis.

Thanks

Jonas Yuan
Sunil Rai
RE: Ldap import user password enabled not working as expected
26 June 2012 06:21

Rank: Junior Member

Posts: 43

Join Date: 31 January 2012

Jonas Yuan:
Hi Sadish,

There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately, I have generated a fix patch. With the following settings and the fix patch, the feature works as expected:

ldap.import.user.password.enabled=false

ldap.import.user.password.autogenerated=false

ldap.import.user.password.default=test


Drop me an email if you still need this feature and the fix patch.

The fix patch for 6.0 is also available.

Thanks

Jonas Yuan


Hi Jonas,

After upgrading to Liferay 6.1.0 CE, I am facing a problem with LDAP. After disabling the LDAP option only, the user is able to log in, but before the upgrade LDAP was working fine on Liferay 5.2.3 CE. Do you think the mentioned patch will help with this?
Jonas Yuan
RE: Ldap import user password enabled not working as expected
26 June 2012 07:18

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Sunil,

Yes, the same feature could be downgraded to 5.2 version. It will require special care.

Thanks,

Jonas
Sunil Rai
RE: Ldap import user password enabled not working as expected
26 June 2012 23:33

Rank: Junior Member

Posts: 43

Join Date: 31 January 2012

Hi Jonas,

I have sent you a mail at your Gmail ID "jonasliferay@gmail.com" regarding the mentioned patch. Please provide me the same.

Regards,
Sunil Rai
Sunil Rai
RE: Ldap import user password enabled not working as expected
27 June 2012 22:57

Rank: Junior Member

Posts: 43

Join Date: 31 January 2012

Jonas Yuan:
Hi Sunil,

Yes, the same feature could be downgraded to 5.2 version. It will require special care.

Thanks,

Jonas


Hi Jonas,

It is difficult to depend on the forum if you have a deadline. Anyway, I have cancelled the plan to upgrade to Liferay 6.1.0 CE.
Unfortunately the forum is not active even though the solution is available.
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2 July 2012 15:31

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Sunil,

Sorry that I did not get a chance to build the fix patch for 5.2.3.

Is this urgent for you?

Thanks

Jonas Yuan
Sunil Rai
RE: Ldap import user password enabled not working as expected
2 July 2012 22:33

Rank: Junior Member

Posts: 43

Join Date: 31 January 2012

Hi Jonas,

Thanks for the update, but yes, it is urgent; otherwise there is no other solution than to stick with Liferay 5.2.3 CE.
Let me know if you need any further details from my side.

Thanks,
Sunil Rai
amit singh
RE: Ldap import user password enabled not working as expected
5 July 2012 00:00

Rank: New Member

Posts: 12

Join Date: 7 February 2012

Hi Jonas,

I am also facing a similar problem for 6.1 CE.
Can you please send me the fix patch for this bug?

I have already sent you a request from my email ID eramitsingh1985@gmail.com; please revert on the same.

Thanks,
Amit Singh
amit singh
RE: Ldap import user password enabled not working as expected
5 July 2012 00:03

Rank: New Member

Posts: 12

Join Date: 7 February 2012

Hi Sadish,

Did your problem with the Liferay - LDAP integration get resolved using the patch provided by Jonas?
I am also facing a similar issue with Liferay 6.1 CE.

Has this patch not been applied to the WAR bundle available on the Liferay download page?


Thanks,
Amit Singh
Jonas Yuan
RE: Ldap import user password enabled not working as expected
5 July 2012 13:33

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Amit,

You should receive the patch.

It would be nice if you could share your testing results here.

Thanks

Jonas Yuan
Jonas Yuan
RE: Ldap import user password enabled not working as expected
5 July 2012 13:34

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Sunil,

Good luck using the fix patch.

Thanks

Jonas Yuan
Luca Basile
RE: Ldap import user password enabled not working as expected
6 July 2012 01:58

Rank: New Member

Posts: 2

Join Date: 4 July 2012

Hi everyone,

I'm stuck with the same problem. Where can I get this patch? Do I need to follow some specific steps to obtain it?

Thanks in advance,

Cheers.
Jonas Yuan
RE: Ldap import user password enabled not working as expected
7 July 2012 14:12

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Luca,

Which version are you using?

You may drop an email to jonasliferay@gmail.com for the fix patch.

Thanks

Jonas Yuan
amit singh
RE: Ldap import user password enabled not working as expected
8 July 2012 21:46

Rank: New Member

Posts: 12

Join Date: 7 February 2012

Hi Jonas,

Applying this patch on the 6.1.X code base resulted in LDAP authentication working fine as required; however, the user is also able to log in with the password stored in the Liferay database even when Required is enabled using the Control Panel for Liferay.

Still the problem remains the same!

Regards,
Amit
Sunil Rai
RE: Ldap import user password enabled not working as expected
8 July 2012 22:46

Rank: Junior Member

Posts: 43

Join Date: 31 January 2012

Jonas Yuan:
Hi Sunil,

Good luck using the fix patch.

Thanks

Jonas Yuan


Thanks a lot, Jonas.
I will try to implement this and I will share my experience with you soon.

Regards,
Sunil
Jonas Yuan
RE: Ldap import user password enabled not working as expected
26 November 2012 20:37

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Amit,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan
amit singh
RE: Ldap import user password enabled not working as expected
30 November 2012 03:50

Rank: New Member

Posts: 12

Join Date: 7 February 2012

Hi Jonas,

Does this patch apply to liferay-portal-6.1.1-ce-ga2?

Thanks,
Amit
Jonas Yuan
RE: Ldap import user password enabled not working as expected
5 December 2012 06:58

Rank: Liferay Master

Posts: 993

Join Date: 26 April 2007

Hi Amit,

As you mentioned in Google Talk, please share your test results.

Thanks

Jonas Yuan
Michal R
RE: Ldap import user password enabled not working as expected
18 January 2013 06:54

Rank: New Member

Posts: 23

Join Date: 28 May 2012

Jonas,
why not raise a Liferay Jira issue, fix the bug there and distribute it via standard means (i.e. versioning system) to everybody?