Discussion Forums

Liferay 6.2 LDAP authentication

Michael A Ikhane, modified 9 years ago.

Liferay 6.2 LDAP authentication

Junior Member Posts: 37 Join date: 27/05/09
Hi All,

When Liferay uses LDAP for authentication, it imports users from the LDAP server. I would like to know if during authentication, Liferay "goes" to the LDAP server to check the user's password, or if it checks an imported copy of the users' passwords.

If the latter is the case, how do I ensure Liferay is aware of any changes to the passwords on the LDAP server?

Thanks
David H Nebinger, modified 9 years ago.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14915 Join date: 2/09/06
Liferay will actually bind to the LDAP server using the user's DN and the password given. If the bind is successful, then all is good. If the bind fails, well then your authentication will fail (but typically falls back on the creds the user has set up in the Liferay database).
Michael A Ikhane, modified 9 years ago.

RE: Liferay 6.2 LDAP authentication

Junior Member Posts: 37 Join date: 27/05/09
Hi David,

Thank you for your prompt answer.

However, I am a rookie with LDAP, so I don't totally get the "bind to the LDAP server".

Are you saying that if the bind is successful then LR will always "go" to the LDAP to verify login password and if it is not successful it uses a local copy of the password?

Thanks
David H Nebinger, modified 9 years ago.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14915 Join date: 2/09/06
Sorry, binding to ldap is basically logging in. So the username/password you put in Liferay is used during the 'login' to LDAP. No comparison of passwords is necessary, either you 'login' successfully or you fail.
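
The bind exchange described in the reply above, shown at the wire level as an added example (not part of the original thread and not Liferay's code): the client sends the user's DN and typed password in a BindRequest, and the server answers with a result code only. The function names and the sample response bytes are constructed for illustration; the encoding follows RFC 4511.

```python
# Added example: LDAPv3 simple bind messages (RFC 4511) encoded by hand.
RESULT_CODES = {0: "success", 49: "invalidCredentials"}
# Constructed sample: BindResponse for messageID 1 with resultCode 49.
SAMPLE_BIND_RESPONSE = bytes.fromhex("300c02010161070a013104000400")

def tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value, short or long definite length form."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """What the client sends: the user's DN and the password as typed."""
    if not password:
        # DN plus empty password is an "unauthenticated bind" (RFC 4513);
        # a server may answer success, so it must never count as a login.
        raise ValueError("empty password rejected before binding")
    mid = message_id.to_bytes((message_id.bit_length() + 8) // 8, "big")
    op = (tlv(0x02, b"\x03")                           # version 3
          + tlv(0x04, dn.encode("utf-8"))              # name (bind DN)
          + tlv(0x80, password.encode("utf-8")))       # [0] simple, cleartext
    return tlv(0x30, tlv(0x02, mid) + tlv(0x60, op))   # [APPLICATION 0]

def bind_result(response: bytes) -> str:
    """What the server answers: only a result code, never the password."""
    tag, body, _ = read_tlv(response, 0)               # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body, 0)                      # skip messageID
    op_tag, op, _ = read_tlv(body, pos)                # [APPLICATION 1]
    code_tag, code, _ = read_tlv(op, 0)                # ENUMERATED resultCode
    if (tag, op_tag, code_tag) != (0x30, 0x61, 0x0A):
        raise ValueError("not a BindResponse")
    n = int.from_bytes(code, "big")
    return RESULT_CODES.get(n, f"resultCode {n}")
```

Because a simple bind carries the password unmodified inside the request, the connection between the portal and the directory should use LDAPS or StartTLS.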
Michael A Ikhane, modified 9 years ago.

RE: Liferay 6.2 LDAP authentication

Junior Member Posts: 37 Join date: 27/05/09
Hi David,

I suppose that means that LR does not store the passwords. If this is the case, then I am ok.

Thanks
David H Nebinger, modified 9 years ago.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14915 Join date: 2/09/06
Sorry, didn't know that was what you were looking for, but no, Liferay does not store the passwords.
Mitesh Kambli, modified 9 years ago.

RE: Liferay 6.2 LDAP authentication

New Member Posts: 1 Join date: 13/05/14
Hi David,

I have a few questions on my requirement and need your assistance.

My case / requirements: I have multiple organizational websites, each of which works with its own LDAP login authentication for users to access.
I intend to merge those multiple websites into the Liferay portal with single sign-on, in such a way that once end users
log in at the LDAP (Liferay) end, they can have access to the other remote distributed web applications.

Question:
a) Can I bind LDAP (Liferay CAS) to various remote LDAPs, which have their own validation for access to different portals?

User logs in --> Liferay (LDAP) --> Liferay (portal page) ---> various web application pages can be displayed on the Liferay portal page.

In the background, Liferay (LDAP) ..> binds with 'X' LDAP + web application, and also with other 'Y' LDAP + its web application.

b) How can I achieve single sign-on via CAS for multiple web applications?
David H Nebinger, modified 9 years ago.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14915 Join date: 2/09/06
You could do a cascade authentication, first against LDAP A and subsequent against LDAP B, C, etc., but this is just for authentication, it does not consolidate privileges or groups or things like that to manage your access against the separate apps.

For CAS, you have the central CAS system that serves out tickets which are typically stored as cookies in the browser. When hitting the various sites, the cookies are used to allow you into the app, but the app needs to know how to deal with CAS. It is not just a matter of setting up CAS and all of a sudden you have single sign on throughout your enterprise.

I would recommend that you try consolidating the separate LDAPs into a single tree and have all of the apps use the single tree rather than separate trees. You can still have the separate administrators, etc., but it would simplify your Liferay integration going forward.