Hey Jonas,
I have tested it a couple of times today. All cases work fine, but when I set

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password

Liferay is not authenticating the LDAP password. I am able to log in with the email and any password combination, and the user gets imported into Liferay with the default password of 'password' that is set above.

My entire settings:
terms.of.use.required=false
users.reminder.queries.enabled=false

#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#ldap.referral=follow


ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret

auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth


ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method= password-compare

ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm.types=MD5

ldap.import.group.cache.enabled=false


ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10

ldap.export.enabled=false
ldap.export.group.enabled=false

ldap.auth.search.filter.0=(mail=@email_address@)


ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=

#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn

ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)

ldap.password.policy.enabled=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password
As I mentioned in the mail I sent you, I feel this section of code is what bypasses the password check when the property is false.
In the class LDAPAuth.java, I could see that the check below, which calls another authenticate method for LDAP password verification, is not getting executed.
Hence I am able to log in with any LDAP password, as long as the account exists. I have also turned off Liferay auth.
protected int authenticate(long companyId, long ldapServerId, String emailAddress,
    String screenName, long userId, String password)
.....
....
........
if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
    ldapAuthResult = authenticate(
        ldapContext, companyId, attributes, fullUserDN,
        password);

    // Process LDAP failure codes

    String errorMessage = ldapAuthResult.getErrorMessage();

    if (errorMessage != null) {
        if (errorMessage.indexOf(PrefsPropsUtil.getString(
                companyId, PropsKeys.LDAP_ERROR_USER_LOCKOUT))
            != -1) {

            throw new UserLockoutException();
        }
        else if (errorMessage.indexOf(PrefsPropsUtil.getString(
                companyId, PropsKeys.LDAP_ERROR_PASSWORD_EXPIRED))
            != -1) {

            throw new PasswordExpiredException();
        }
    }

    if (!ldapAuthResult.isAuthenticated() &&
        PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {

        return FAILURE;
    }
}....
Thank you,
Sadish
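For anyone wanting to check their own portal-ext.properties for the combination described in this post, here is an added audit script; it is not Liferay's code or the poster's. It encodes only the condition visible in the quoted LDAPAuth.authenticate() excerpt, assumes auth.pipeline.enable.liferay.check defaults to true when unset, and its sample input is constructed from the settings quoted above.

```python
# Added example, not Liferay code. Assumes auth.pipeline.enable.liferay.check defaults to true.
# Constructed sample: the relevant lines from the settings quoted above.
SAMPLE_PROPERTIES = """\
auth.pipeline.enable.liferay.check=false
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth
ldap.auth.enabled=true
ldap.auth.method= password-compare
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, whitespace trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def is_true(props, key, default="false"):
    return props.get(key, default).strip().lower() == "true"

def audit_ldap_auth(props):
    """Return findings as strings; an empty list means the risky combination is absent."""
    findings = []
    if is_true(props, "ldap.auth.enabled") and not is_true(
            props, "ldap.import.user.password.enabled"):
        # The quoted LDAPAuth.authenticate() only runs the LDAP password check inside
        # `if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) { ... }`.
        findings.append("ldap.import.user.password.enabled=false: the LDAP password "
                        "verification in LDAPAuth.authenticate() is skipped")
        if not is_true(props, "auth.pipeline.enable.liferay.check", "true"):
            findings.append("auth.pipeline.enable.liferay.check=false: Liferay's own "
                            "password check is off too, so nothing verifies the password")
    if (props.get("ldap.import.user.password.default")
            and not is_true(props, "ldap.import.user.password.autogenerated")):
        findings.append("ldap.import.user.password.default is a fixed password "
                        "assigned to every imported user")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_auth(parse_properties(SAMPLE_PROPERTIES)):
        print("WARNING:", finding)
```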