Josh Bonczkowski
User password change exporting to LDAP (AD)?
August 17, 2010 11:42

I am currently using Liferay 6.0.2 for my tests. Later this week or early next, I'll be able to test with Liferay 6.0.5.

I have my LDAP (Active Directory) source configured within Liferay for authentication. When users log in, Liferay authenticates against LDAP. I configured LDAP using the secure LDAP port so that AD will accept changes for passwords (unicodePwd attribute).

When I go to the user details control panel and change a password, this results in the userPassword attribute being updated within LDAP and it now contains the plaintext password that was just set. Is Liferay properly configured to update the unicodePwd attribute with the properly formatted password for Active Directory?

To try and work around this, I have been trying to extend the UpdatePasswordAction class in Liferay. I believe this is called when a user submits a new password through the control panel. The code to update the password in AD isn't that hard since I have already worked that out previously. I defined my new action class in the com.liferay.portal.action package within the ext-impl/src/ directory. In ext-web/docroot/WEB-INF/, I updated struts-config-ext.xml to include the new mapping for this one action.

<action path="/portal/update_password" type="com.liferay.portal.action.MyUpdatePasswordAction">
  <forward name="portal.update_password" path="portal.update_password" />
</action>


Unfortunately, it does not appear that my code is being executed, so I am not able to force the password to be set through the unicodePwd attribute using this method at this time.


Suggestions? Thoughts?
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 17, 2010 11:57

I just remembered the LDAP mappings in portal-ext.properties. I changed the ldap.user.mappings entry to map password=unicodePwd (was previously userPassword). A quick restart of my application server (tomcat) and tried to change my password through the control panel. The password was not updated. Just to make sure, I ran that test a few times.

Perhaps that setting is not taking effect. It appears that the userPassword attribute is still being updated within LDAP to the plaintext password that I changed to in the control panel. Is there a way to check the current settings? Is it read from the file then stored in the DB?
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 18, 2010 7:04

I believe I found at least part of my own answer.

com.liferay.portal.action.UpdatePasswordAction is not used to change a user's password from the control panel.

com.liferay.portlet.myaccount.action.EditUserAction is used to change a user's password from the control panel. I was able to transform my extension of UpdatePasswordAction to an extension of EditUserAction to push the new user's password to Active Directory.

There is a second EditUserAction in com.liferay.portlet.enterpriseadmin.action. This is the base class for the one in the myaccount.action package. Does anyone know how this one is used? Is it used for when an administrator edits a user? I'll play with it a bit this morning to see if I need to override this as well.


I still have no idea if changing portlet-ext.properties and modifying the ldap.user.mappings property to have 'password=unicodePwd' will work. For some reason, that property is still not being used by my server even after multiple reboots. I have cleared the tomcat cache directory (work/Catalina/localhost/*) to see if that would matter as well. Somewhere, there appears to be a cached value where 'password=userPassword' and I have yet to find it to force the proper change. Getting help on this would be beneficial as well.
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 18, 2010 8:24

It appears that I do need to extend com.liferay.portlet.enterpriseadmin.action.EditUserAction as well. And it is used in 7 different actions (in Liferay 6.0.2).
Samuel Liu
RE: User password change exporting to LDAP (AD)?
August 18, 2010 9:46
LIFERAY STAFF

Hi Josh,

I would recommend switching to 6.0.5 before getting this to work. From what I understand, 6.0.5 and 6.0.2 differ a bit in terms of LDAP configuration.

I don't know LDAP well enough to answer your other questions, but this is just a recommendation. I also have the settings that make LDAP work for our test servers, so you can refer to them if you get stuck.

Warm regards,
Sam
Josh Bonczkowski
RE: User password change exporting to LDAP (AD)?
August 18, 2010 10:04

Thanks Sam.

I have been planning on upgrading my test environment to 6.0.5 next week. But that might just happen today or tomorrow.

I figured out my issue with changing the ldap.user.mappings property in portal-ext.properties. This value is only used when creating a new LDAP configuration. Once the configuration is created, I have to update it using the Liferay UI for editing an LDAP configuration.

Changing the association of the Liferay password to AD unicodePwd (again, in 6.0.2) does not work either. When using a secure connection (only way AD will allow password changes), the AD server throws an LDAP error code 53, problem 5003 (WILL_NOT_PERFORM). I am not at all surprised to see this as the password has to be specifically formatted for AD.

I'll give 6.0.5 a try soon and see how it fares out of the box.
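
The AD-specific formatting referred to in the post above, as an added example that is not part of the original thread or of Liferay's code: unicodePwd must carry the new password enclosed in double quotes and encoded as UTF-16LE, written over an LDAPS connection. The class name and command-line arguments are assumptions made for illustration.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

public class AdPasswordReset {

    // AD takes unicodePwd only as the password wrapped in double quotes, UTF-16LE encoded.
    static byte[] encodeUnicodePwd(char[] password) {
        return ("\"" + new String(password) + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Administrative reset: one REPLACE of unicodePwd, passed as byte[] so JNDI sends it as binary.
    static void resetPassword(DirContext ctx, String userDn, char[] newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    // Usage (hypothetical): java AdPasswordReset ldaps://<dc-host>:636 <bind-dn> <user-dn>
    public static void main(String[] args) throws NamingException {
        Console console = System.console();
        // Refuse plain ldap://: the thread notes AD only allows password changes on a secure connection.
        if (args.length != 3 || console == null || !args[0].startsWith("ldaps://")) {
            System.err.println("need ldaps:// URL, bind DN, user DN and an interactive console");
            return;
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, new String(console.readPassword("Bind password: ")));
        DirContext ctx = new InitialDirContext(env);
        try {
            resetPassword(ctx, args[2], console.readPassword("New password: "));
        } finally {
            ctx.close();
        }
    }
}
```

A user changing their own password, rather than an administrator resetting it, instead sends a DELETE of the old quoted value and an ADD of the new one in the same modify request.
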
Alan Robertson
RE: User password change exporting to LDAP (AD)?
January 20, 2011 8:43

Josh, were you able to get this working? I'm trying to use Liferay 6.0.5 to change passwords in Active Directory and it's not working for me.
Ryan Ward
RE: User password change exporting to LDAP (AD)?
January 24, 2011 11:06

I'm also interested in this answer. I'm unable to set AD passwords from within Liferay, I just get plain text storage of the password in the userPassword attribute in AD.
Fezrul fizree
RE: User password change exporting to LDAP (AD)?
March 25, 2011 1:19

Hi there, I have a question. I need to bind AD with Liferay using the LDAP option in the portal settings authentication. My problem is that in AD there is no userPassword attribute for a user.

How am I supposed to map the password attribute?

My AD has 3400++ users and I don't see any userPassword attribute on it; it only has the pwdLastSet attribute, which has nothing to do with the user password.
William Liu
RE: User password change exporting to LDAP (AD)?
June 21, 2011 17:46

I am currently using Liferay 6.0.6 and having the same issue.

I have an LDAPS connection and the password field mapped to unicodePwd, and when I change the password I got the exception below.

[LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0 ]

Anyone got it working here? Thanks!
Sandip Patel
RE: User password change exporting to LDAP (AD)?
January 7, 2013 23:04

Hi,
I am currently facing an issue like this:
I have mapped the Liferay user password field to unicodePwd of LDAP (AD). When I create a user in Liferay, it gives the error below.

Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=testone,OU=Users,OU=Radisson Edwardian,DC=rbehtest,DC=ed-mstest,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)


If I map the Liferay user password field to userPassword of LDAP (AD), then it successfully creates the user in LDAP.

Please help me. Do I need to change any code for this?