Liferay Portal 6.1 - User Guide
Set the values used to connect to an LDAP store.
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.referral=follow
Settings for com.liferay.portal.security.auth.LDAPAuth can be configured from the Admin portlet. It provides out-of-the box support for the Apache Directory Server, Microsoft Active Directory Server, Novell eDirectory and OpenLDAP. The default settings are for the Apache Directory Server.
The LDAPAuth class must be specified in the property auth.pipeline.pre to be executed.
Encryption is implemented by com.liferay.util.Encryptor.provider.class in system.properties.
ldap.auth.enabled=false
ldap.auth.required=false
Set the page size for directory servers that support paging. This value needs to be 1000 or less for the Microsoft Active Directory Server.
ldap.page.size=1000
Set the number of values to return in each query to a multivalued attribute for directory servers that support range retrieval. The range size must be 1000 or less for Windows 2000 and 1500 or less for Windows Server 2003.
ldap.range.size=1000
Set either bind or password-compare for the LDAP authentication method. Bind is preferred by most vendors so that you don’t have to worry about encryption strategies.
Examples:
ldap.auth.method=bind
ldap.auth.method=password-compare
Set the password encryption algorithm used to compare passwords if the property ldap.auth.method is set to password-compare. If set to NONE, which is the default value, passwords are stored in the database as plain text. The SHA-512 algorithm is currently unsupported.
Examples:
ldap.auth.password.encryption.algorithm=BCRYPT
ldap.auth.password.encryption.algorithm=MD2
ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm=NONE
ldap.auth.password.encryption.algorithm=SHA
ldap.auth.password.encryption.algorithm=SHA-256
ldap.auth.password.encryption.algorithm=SHA-384
ldap.auth.password.encryption.algorithm=SSHA
ldap.auth.password.encryption.algorithm=UFC-CRYPT
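The following is an added example, not Liferay code, showing what a password-compare check has to do that a bind does not: reproduce the directory's stored digest for the candidate password and compare it. It assumes the stored userPassword values use the common scheme-prefixed form ({SSHA} for salted SHA-1, {SHA} for unsalted SHA-1) or plain text (the NONE setting above); the function names and the sample salt are illustrative.

```python
# Added example (not Liferay code): verifying a candidate password against a
# stored userPassword value the way a password-compare authentication does.
# Assumed stored formats: "{SSHA}base64(sha1(pw+salt)+salt)",
# "{SHA}base64(sha1(pw))", or a bare plain-text value (the NONE algorithm).
import base64
import hashlib
import hmac
import os
from typing import Optional


def hash_password(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored userPassword value for the given scheme."""
    data = password.encode("utf-8")
    if scheme == "NONE":
        return password  # stored as plain text, exactly as the page warns
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(data).digest()).decode()
    if scheme == "SSHA":
        salt = salt if salt is not None else os.urandom(8)
        digest = hashlib.sha1(data + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode()
    raise ValueError(f"unsupported scheme: {scheme}")


def verify_password(stored: str, candidate: str) -> bool:
    """Compare a candidate password against a stored value in constant time."""
    data = candidate.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(data + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(data).digest(), raw)
    # No scheme prefix: NONE, the stored value is the plain-text password
    return hmac.compare_digest(stored.encode("utf-8"), data)


if __name__ == "__main__":
    stored = hash_password("s3cret", "SSHA", salt=b"constructed-salt")
    print(stored, verify_password(stored, "s3cret"), verify_password(stored, "wrong"))
```

With bind, the directory performs this comparison itself and the portal never has to know which scheme is in use, which is the reason the page recommends it.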
You can write your own class that implements com.liferay.portal.security.ldap.AttributesTransformer to transform the LDAP attributes before a user or group is imported to the LDAP store.
ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer
Settings for importing users and groups from LDAP to the portal.
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
Set either user or group for the import method. If set to user, the portal will import all users and the groups associated with those users. If set to group, the portal will import all groups and the users associated with those groups. This value should be set based on how your LDAP server stores group membership information.
Examples:
ldap.import.method=user
ldap.import.method=group
If set to true, the group filter will be applied, but only to groups in the specified base DN. If set to false, the filter will not be applied and all groups that are associated with the imported users will be imported regardless of the base DN.
ldap.import.group.search.filter.enabled=true
Specify whether group DN lookups will be cached during LDAP import and login. If set to true, this will speed up LDAP import and login, but updates to group attributes will not be recognized until the cache entry expires. The cache size and timeout may be configured in the configuration file specified in the property ehcache.single.vm.config.location.
ldap.import.group.cache.enabled=true
Set this to true if the portal should automatically create a role per group imported from LDAP. The role will be assigned to the group so that users can automatically inherit that role when they are assigned to the group.
ldap.import.create.role.per.group=false
Set these values to be a portion of the error message returned by the appropriate directory server to allow the portal to recognize messages from the LDAP server. The default values will work for Fedora DS.
ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit
Set this to true to use the LDAP’s password policy instead of the portal password policy.
ldap.password.policy.enabled=false
Set this to false when the LDAP user’s password should not be imported.
ldap.import.user.password.enabled=true
Set this to true to autogenerate the password for imported users from LDAP. This property is only in use if the property ldap.import.user.password.enabled is set to false.
ldap.import.user.password.autogenerated=false
Set either screenName or plain text as the default password for the imported LDAP user. Setting the value to screenName will use the user’s screen name as the password for the imported LDAP user. Setting the value to any other plain text value will use that value as the password for the imported LDAP user. This property is only in use if the properties ldap.import.user.password.enabled and ldap.import.user.password.autogenerated are both set to false.
Examples:
ldap.import.user.password.default=test
ldap.import.user.password.default=screenName
Settings for exporting users from the portal to LDAP. This allows a user to modify his first name, last name, etc. in the portal and have that change pushed to the LDAP server. This setting is not used unless the property ldap.auth.enabled is set to true.
ldap.export.enabled=false
Set this to true if groups and their associations should be exported from the portal to LDAP. This setting is not used unless the property ldap.auth.enabled is set to true.
ldap.export.group.enabled=true
Set the values used to connect to an LDAP store.
The list of properties must end with a subsequent integer (0, 1, etc.) and it is assumed that the list has reached an end when the pattern or replacement is not set.
ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret
Active Directory stores information about the user account as a series of bit fields in the UserAccountControl attribute.
If you want to prevent disabled accounts from logging into the portal you need to use a search filter similar to the following:
(&(objectclass=person)(userprincipalname=@email_address@)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Example:
ldap.auth.search.filter.0=(mail=@email_address@)
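The following is an added example, not Liferay code, that makes two things about the search filters above concrete: the @email_address@ placeholder must be substituted with a value escaped according to RFC 4515 so that characters such as "*", "(" and ")" in the login cannot alter the filter, and the Active Directory filter's bit test (matching rule 1.2.840.113556.1.4.803 is the bitwise AND rule, 2 is the ACCOUNTDISABLE bit of UserAccountControl) excludes disabled accounts. The directory entries are constructed, and the evaluator mirrors the filter's semantics in Python rather than querying a real server.

```python
# Added example (not Liferay code): placeholder substitution with RFC 4515
# escaping, and the UserAccountControl bit test from the Active Directory
# filter on this page, evaluated against constructed entries.
from typing import Dict, List

ACCOUNTDISABLE = 0x0002        # the "2" in the page's filter
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

AD_FILTER = ("(&(objectclass=person)(userprincipalname=@email_address@)"
             "(!(UserAccountControl:" + LDAP_MATCHING_RULE_BIT_AND + ":=2)))")

# Constructed directory: bob's account is disabled, carol's merely has a
# non-expiring password, which the filter does not exclude.
DIRECTORY: List[Dict[str, object]] = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=com", "objectclass": ["top", "person", "user"],
     "userprincipalname": "alice@example.com", "UserAccountControl": NORMAL_ACCOUNT},
    {"dn": "CN=bob,OU=Users,DC=example,DC=com", "objectclass": ["top", "person", "user"],
     "userprincipalname": "bob@example.com", "UserAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"dn": "CN=carol,OU=Users,DC=example,DC=com", "objectclass": ["top", "person", "user"],
     "userprincipalname": "carol@example.com",
     "UserAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"dn": "CN=printer1,OU=Devices,DC=example,DC=com", "objectclass": ["top", "device"],
     "userprincipalname": "printer1@example.com", "UserAccountControl": NORMAL_ACCOUNT},
]


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_auth_filter(template: str, email: str) -> str:
    """Replace the @email_address@ placeholder with the escaped login value."""
    return template.replace("@email_address@", escape_filter_value(email))


def matches_ad_filter(entry: Dict[str, object], email: str) -> bool:
    """Evaluate the page's AD filter: person, matching UPN, not disabled."""
    if "person" not in entry.get("objectclass", []):
        return False
    if str(entry.get("userprincipalname", "")).lower() != email.lower():
        return False
    uac = int(entry.get("UserAccountControl", 0))
    # (UserAccountControl:1.2.840.113556.1.4.803:=2) is true when bit 2 is set;
    # the surrounding "!" negates it, so disabled accounts never match.
    return (uac & ACCOUNTDISABLE) == 0


def allowed_dns(email: str) -> List[str]:
    """DNs in the constructed directory that the AD filter would return."""
    return [str(e["dn"]) for e in DIRECTORY if matches_ad_filter(e, email)]


if __name__ == "__main__":
    print(build_auth_filter(AD_FILTER, "alice@example.com"))
    for who in ("alice", "bob", "carol", "printer1"):
        print(who, allowed_dns(f"{who}@example.com"))
```

If the portal only used the simpler (mail=@email_address@) filter, bob's disabled account would still be found and the bind against it would be left to the directory to refuse; the UserAccountControl clause rejects the account before any bind is attempted.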
When importing and exporting users, the portal will use this mapping to connect LDAP user attributes and portal contact attributes.
See com.liferay.portal.model.ContactModel for a list of attributes.
Example:
ldap.contact.mappings.0=
When importing and exporting users, the portal will use this mapping to connect LDAP user attributes and portal contact’s custom attributes.
Example:
ldap.contact.custom.mappings.0=
When a user is exported to LDAP and the user does not exist, the user will be created with the following default object classes.
Example:
ldap.user.default.object.classes.0=top,person,inetOrgPerson,organizationalPerson
When importing and exporting users, the portal will use this mapping to connect LDAP user attributes and portal user attributes.
See com.liferay.portal.model.UserModel for a list of attributes.
Example:
ldap.user.mappings.0=uuid=uuid\nscreenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
When importing and exporting users, the portal will use this mapping to connect LDAP user attributes and portal user’s custom attributes.
Example:
ldap.user.custom.mappings.0=
Set the user attributes that are controlled from the portal. When adding or updating a user from LDAP, these attributes will be skipped.
Examples:
ldap.user.ignore.attributes=
ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn
When a group is exported to LDAP and the group does not exist, the group will be created with the following default object classes.
Example:
ldap.group.default.object.classes.0=top,groupOfUniqueNames
When importing groups, the portal will use this mapping to connect LDAP group attributes and portal user group attributes.
Example:
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
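The following is an added example, not Liferay code, that parses the newline-separated "portalAttribute=ldapAttribute" format used by ldap.user.mappings.0 and ldap.group.mappings.0 above and applies a user mapping to a constructed inetOrgPerson entry. It also shows the two exclusions described earlier on this page: attributes listed in ldap.user.ignore.attributes are skipped on import, and the mapped password is only taken from LDAP when ldap.import.user.password.enabled is true. The entry, the ignore list and the function names are illustrative; the mapping strings are the page's own.

```python
# Added example (not Liferay code): parsing the mapping format from this page
# and applying it to a constructed LDAP entry with the page's import rules.
from typing import Dict, List, Set

# Values from this page. In the properties file these are written with a
# literal "\n"; once the file is loaded each one is a real newline.
USER_MAPPINGS = (
    "uuid=uuid\nscreenName=cn\npassword=userPassword\nemailAddress=mail\n"
    "firstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership"
)
GROUP_MAPPINGS = "groupName=cn\ndescription=description\nuser=uniqueMember"

# Constructed ldap.user.ignore.attributes value (a subset of the page's list)
IGNORE_ATTRIBUTES = "jobTitle,comments"

# Constructed inetOrgPerson entry, shaped as an LDAP client returns it
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "uuid": ["constructed-uuid-0001"],
    "cn": ["jdoe"],
    "userPassword": ["{SSHA}constructed-hash-value"],
    "mail": ["jdoe@example.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "title": ["Engineer"],
    "groupMembership": ["cn=staff,ou=groups,dc=example,dc=com"],
}


def parse_mappings(raw: str) -> Dict[str, str]:
    """Turn 'portalAttr=ldapAttr' lines into a dict, ignoring blank lines."""
    mappings: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        portal_attr, ldap_attr = line.split("=", 1)
        mappings[portal_attr.strip()] = ldap_attr.strip()
    return mappings


def parse_ignore_list(raw: str) -> Set[str]:
    """Parse the comma-separated ldap.user.ignore.attributes value."""
    return {a.strip() for a in raw.split(",") if a.strip()}


def import_user(entry: Dict[str, List[str]], mappings: Dict[str, str],
                ignored: Set[str], import_password: bool) -> Dict[str, object]:
    """Build the portal-side attributes for one LDAP entry."""
    portal: Dict[str, object] = {}
    for portal_attr, ldap_attr in mappings.items():
        if portal_attr in ignored:
            continue  # controlled from the portal; never overwritten by LDAP
        if portal_attr == "password" and not import_password:
            continue  # ldap.import.user.password.enabled=false
        values = entry.get(ldap_attr)
        if not values:
            continue
        # "group" is multi-valued; everything else takes the first value
        portal[portal_attr] = list(values) if portal_attr == "group" else values[0]
    return portal


if __name__ == "__main__":
    user = import_user(SAMPLE_ENTRY, parse_mappings(USER_MAPPINGS),
                       parse_ignore_list(IGNORE_ATTRIBUTES), import_password=False)
    print(user)
    print(parse_mappings(GROUP_MAPPINGS))
```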
Settings for importing users and groups from LDAP to the portal. These settings are not used unless the property ldap.import.enabled is set to true.
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)
New users and groups will be created at the specified DN. This will only be active if the properties ldap.auth.enabled and ldap.export.enabled are both set to true.
ldap.users.dn.0=ou=users,dc=example,dc=com
ldap.groups.dn.0=ou=groups,dc=example,dc=com