Ideas for LDAP chaining authentication

Jonas Yuan, modified 14 years ago

Ideas for LDAP chaining authentication

Liferay Master Posts: 993 Join Date: 2007.04.27.
It is very nice that the portal supported any LDAP authentication, import and export. As you can see, this integration is implemented for any LDAP individually. But in large environments, the portal should be able to authenticate to more than one LDAP server. That is, the portal should support chaining authentication against LDAP servers.

How to implement it?

The following is an option.
• Set a property in portal.properties like
ldap.chaining.auth.enabled=false

As you can see, you can set the property ldap.chaining.auth.enabled to true to enable LDAP chaining authentication in portal-ext.properties.
• Configure LDAP chaining authentication in an XML file called ldap-chaining-authentication.xml under the folder $PORTAL_ROOT_HOME/WEB-INF.
• Update LDAP Auth like com.liferay.portal.security.auth.LDAPAuth to consume above settings.

Related tickets

1) Support for multiple LDAP servers to authenticate against: http://issues.liferay.com/browse/LEP-1443
2) LDAP settings per org: http://issues.liferay.com/browse/LEP-1444

Your comments or suggestions?

Thanks

Jonas Yuan
-----------------
The Author of Liferay Books:
Liferay Portal 5.2 Systems Development
Liferay Portal Enterprise Intranets
Jonas Yuan, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Liferay Master Posts: 993 Join Date: 2007.04.27.
Thanks to Ryan Park, an implementation is in process at (for 5.3)

Allow Authentication from Multiple LDAP Servers

Multiple LDAP Servers can be specified and Liferay will try to authenticate with them from top to bottom in order.

Jonas Yuan
-----------------
The Author of Liferay Books:
Liferay Portal 5.2 Systems Development
Liferay Portal Enterprise Intranets
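
The top-to-bottom order described in the post above, as an added example (not Liferay's code and not part of the original posts): a chain of simple binds over JNDI that refuses empty passwords and escapes the login before building the bind DN. The server URLs, DN patterns, the `Binder` interface and the stub directory are constructed for illustration; Java 16 or later is assumed.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class LdapChainAuth {
    record Server(String url, String dnPattern) {}   // dnPattern holds one %s for the login
    interface Binder { void bind(String url, String dn, String pw) throws NamingException; }
    // Real simple bind over JNDI; pass LdapChainAuth::jndiBind as the Binder against live servers.
    static void jndiBind(String url, String dn, String pw) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        new InitialDirContext(env).close();   // throws AuthenticationException on bad credentials
    }
    // Returns the URL of the first server that accepts the bind, or null if none does.
    static String authenticate(List<Server> chain, String login, String pw, Binder binder) {
        // An empty password turns a simple bind into an unauthenticated bind that many servers accept.
        if (login == null || login.isBlank() || pw == null || pw.isEmpty()) return null;
        for (Server s : chain) {                      // top to bottom, in configured order
            String dn = String.format(s.dnPattern(), Rdn.escapeValue(login)); // blocks DN injection
            try {
                binder.bind(s.url(), dn, pw);
                return s.url();
            } catch (AuthenticationException e) {
                // rejected here (unknown user or wrong password): try the next server
            } catch (NamingException e) {
                System.err.println("LDAP " + s.url() + " unavailable: " + e.getClass().getSimpleName());
            }
        }
        return null;
    }
    public static void main(String[] args) {
        List<Server> chain = List.of(                 // constructed sample servers
            new Server("ldap://ldap1.example.test:389", "uid=%s,ou=people,dc=example,dc=test"),
            new Server("ldap://ldap2.example.test:389", "uid=%s,ou=staff,dc=example,dc=test"));
        // Stub binder so the demo runs offline: ldap1 is down, ldap2 knows only alice/s3cret.
        Binder stub = (url, dn, pw) -> {
            if (url.contains("ldap1")) throw new CommunicationException("down");
            if (!dn.startsWith("uid=alice,") || !pw.equals("s3cret")) throw new AuthenticationException();
        };
        System.out.println(authenticate(chain, "alice", "s3cret", stub));
        System.out.println(authenticate(chain, "alice", "", stub));
        System.out.println(authenticate(chain, "alice,ou=staff", "s3cret", stub));
    }
}
```

Because a rejected bind falls through to the next server, a login that exists in more than one directory is accepted with any of its passwords.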
Jonas Yuan, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Liferay Master Posts: 993 Join Date: 2007.04.27.
Good news, authentication from Multiple LDAP Servers will get supported at

5.2 EE SP 3 (5.2.7) or above
and
5.3.0 or above

Thanks

Jonas Yuan
-----------------
The Author of Liferay Books:
Liferay Portal 5.2 Systems Development
Liferay Portal Enterprise Intranets
Gere P, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Regular Member Posts: 137 Join Date: 2009.08.20.
Really great. This is what most of the customers are looking for. Thanks Ryan and Jonas.
Faris Abdulla, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Regular Member Posts: 183 Join Date: 2009.09.02.
Hi Friends,


I have a query regarding LDAP and Liferay Portal.

Using Sun Web Directory Server 7:
1. Created 2 Web directory server instances. ldap://..:1389 and ldap://...:2389

2. In liferay portal created 2 portal instances "first" and "second":8080

3. I want to configure ldap: 1389 to "first" portal instance and ldap:2389 to "second" portal instance.

Awaiting your valuable reply.

I tried logging in at localhost:8080 as admin and configured the LDAP settings.

When I logged in to the portal instance and tried to configure LDAP, what I had set up for localhost:8080 was already there.

Thanks in advance and regards,

Faris
Jonas Yuan, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Liferay Master Posts: 993 Join Date: 2007.04.27.
Hi Faris,

You may refer to Wiki articles for details

http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Full+Integration+-+Liferay%2C+Alfresco%2C+SSO+and+LDAP

http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Integration+with+NTLM+plus+ADS

Hope that it helps,

Thanks

Jonas Yuan
-----------------
The Author of Liferay Books:
Liferay Portal 5.2 Systems Development
Liferay Portal Enterprise Intranets
Faris Abdulla, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Regular Member Posts: 183 Join Date: 2009.09.02.
Thank you Jonas,


I have another question. How do I map Liferay portal roles to LDAP roles (and vice versa)?

I created roles in LDAP and assigned users to those roles.

After logging in as admin in the portal, the role I created is not imported into the Liferay portal.

I need to map LDAP vs. portal data.

Thanks and regards..

Faris Abdulla
Jonas Yuan, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Liferay Master Posts: 993 Join Date: 2007.04.27.
Hi Faris,

In LDAP, you will have users and groups.

Import Users and Groups into the Portal first, then define roles in the portal and assign users to the groups;

Last but not least, you can assign groups to the roles. That's it.

Hope that it helps,

Thanks

Jonas Yuan
-----------------
The Author of Liferay Books:
Liferay Portal 5.2 Systems Development
Liferay Portal Enterprise Intranets
Faris Abdulla, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Regular Member Posts: 183 Join Date: 2009.09.02.
Thank you Jonas,

That is fine..

But I have another question regarding LDAP and the portal.

I'm using an LDAP (DSEE) data source and Liferay 5.2.2.

I don't want to import the users from LDAP into the portal database. I have more than 10,000 users and there will be more in the future. I need to keep all the user credentials in LDAP, not in the portal database.

Can I achieve this and still make use of the Liferay default portlets with role permissions?

Please help me!!

Thanks & regards,
Faris Abdulla
Faris Abdulla, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Regular Member Posts: 183 Join Date: 2009.09.02.
Hi Jonas,

I need to log in to OpenSSO through the Liferay login portlet.

How can I achieve this?

By default, when we configure OpenSSO, it takes us to localhost:8080/opensso and the OpenSSO login page.

How can I customize the current Liferay login portlet for OpenSSO?

Thanks,
Faris
G P, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Regular Member Posts: 137 Join Date: 2009.08.20.
Hi Faris, it is the expected behavior only.
OpenSSO is a 3rd-party application which will take care of authenticating your existing application. When you try to access your application, it redirects to OpenSSO, where you need to give your credentials. I don't think that we can customize this behavior to do authentication from the SignIn portlet itself.
Faris Abdulla, modified 14 years ago

RE: Ideas for LDAP chaining authentication

Regular Member Posts: 183 Join Date: 2009.09.02.
Thank you, friend!

But I don't want to be redirected to the OpenSSO page to log in.

I created an OpenSSO login portlet referring to this link:
http://wikis.sun.com/display/websynergy/Developing+Custom+Login+Portlet+for+OpenSSO

But what is happening is that it logs in internally to OpenSSO but not to the Liferay portal.
It is asking for a login in the Liferay portal.

So can it be achieved by customizing the existing login portlet?
I'm using GlassFish Web Space 10.

So can you please guide me,
and please send me the portal-ext.properties for OpenSSO.

thanks & regards,
Faris
Aymen Kamoun, modified 10 years ago

RE: Ideas for LDAP chaining authentication

New Member Posts: 3 Join Date: 2013.03.05.
Hi,
I'm using Liferay 6.1 CE bundled with JBoss 7.

I need to authenticate and import users using an LDAP1 server which is configured (with chaining and referral) to another LDAP2.

Is it necessary to create the XML file "ldap-chaining-authentication.xml"? If yes, can you give me an example of this file?

When I start Liferay, it cannot import users who are in LDAP2. I get the following errors:
Unable to import user (not relative)ldap://ldap1:389/cn=papa,dc=laas,dc=fr: null:null:{cn=cn: papa}
18:44:31,870 INFO [stdout] (liferay/scheduler_dispatch-3) javax.naming.InvalidNameException: "ldap://ldap1:389/cn=papa,dc=laas,dc=fr,dc=imagine,dc=eu": [LDAP: error code 34 - invalid DN]; remaining name '"ldap://ldap1:389/cn=papa,dc=laas,dc=fr,dc=imagine,dc=eu"'

Help please