Forums

User password change exporting to LDAP (AD)?

Josh Bonczkowski, modified 13 years ago

User password change exporting to LDAP (AD)?

Junior Member Posts: 59 Join Date: 2010.06.08. Recent Posts
I am currently using Liferay 6.0.2 for my tests. Later this week or early next, I'll be able to test with Liferay 6.0.5.

I have my LDAP (Active Directory) source configured within Liferay for authentication. When users log in, Liferay authenticates against LDAP. I configured LDAP using the secure LDAP port so that AD will accept changes for passwords (unicodePwd attribute).

When I go to the user details control panel and change a password, this results in the userPassword attribute being updated within LDAP and it now contains the plaintext password that was just set. Is Liferay properly configured to update the unicodePwd attribute with the properly formatted password for Active Directory?

To try and work around this, I have been trying to extend the UpdatePasswordAction class in Liferay. I believe this is called when a user submits a new password through the control panel. The code to update the password in AD isn't that hard since I have already worked that out previously. I defined my new action class in the com.liferay.portal.action package within the ext-impl/src/ directory. In ext-web/docroot/WEB-INF/, I updated struts-config-ext.xml to include the new mapping for this one action.


<action path="/portal/update_password" type="com.liferay.portal.action.MyUpdatePasswordAction">
  <forward name="portal.update_password" path="portal.update_password" />
</action>


Unfortunately, it does not appear that my code is being executed, so I am not able to force the password to be set through the unicodePwd attribute using this method at this time.


Suggestions? Thoughts?
Josh Bonczkowski, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

Junior Member Posts: 59 Join Date: 2010.06.08. Recent Posts
I just remembered the LDAP mappings in portal-ext.properties. I changed the ldap.user.mappings entry to map password=unicodePwd (was previously userPassword). I did a quick restart of my application server (tomcat) and tried to change my password through the control panel. The password was not updated. Just to make sure, I ran that test a few times.

Perhaps that setting is not taking effect. It appears that the userPassword attribute is still being updated within LDAP to the plaintext password that I changed to in the control panel. Is there a way to check the current settings? Is it read from the file then stored in the DB?
Josh Bonczkowski, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

Junior Member Posts: 59 Join Date: 2010.06.08. Recent Posts
I believe I found at least part of my own answer.

com.liferay.portal.action.UpdatePasswordAction is not used to change a user's password from the control panel.

com.liferay.portlet.myaccount.action.EditUserAction is used to change a user's password from the control panel. I was able to transform my extension of UpdatePasswordAction to an extension of EditUserAction to push the new user's password to Active Directory.

There is a second EditUserAction in com.liferay.portlet.enterpriseadmin.action. This is the base class for the one in the myaccount.action package. Does anyone know how this one is used? Is it used for when an administrator edits a user? I'll play with it a bit this morning to see if I need to override this as well.


I still have no idea if changing portlet-ext.properties and modifying the ldap.user.mappings property to have 'password=unicodePwd' will work. For some reason, that property is still not being used by my server even after multiple reboots. I have cleared the tomcat cache directory (work/Catalina/localhost/*) to see if that would matter as well. Somewhere, there appears to be a cached value where 'password=userPassword' and I have yet to find it to force the proper change. Getting help on this would be beneficial as well.
Josh Bonczkowski, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

Junior Member Posts: 59 Join Date: 2010.06.08. Recent Posts
It appears that I do need to extend com.liferay.portlet.enterpriseadmin.action.EditUserAction as well. And it is used in 7 different actions (in Liferay 6.0.2).
Samuel Liu, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

Expert Posts: 301 Join Date: 2010.05.27. Recent Posts
Hi Josh,

I would recommend switching to 6.0.5 before getting this to work. From what I understand, 6.0.5 and 6.0.2 differ a bit in terms of LDAP configuration.

I don't know LDAP well enough to answer your other questions, but this is just a recommendation. I also have the settings that make LDAP work for our test servers, so you can refer to them if you get stuck.

Warm regards,
Sam
Josh Bonczkowski, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

Junior Member Posts: 59 Join Date: 2010.06.08. Recent Posts
Thanks Sam.

I have been planning on upgrading my test environment to 6.0.5 next week. But that might just happen today or tomorrow.

I figured out my issue with changing the ldap.user.mappings property in portal-ext.properties. This value is only used when creating a new LDAP configuration. Once the configuration is created, I have to update it using the Liferay UI for editing an LDAP configuration.

Changing the association of Liferay password to AD unicodePwd (again, in 6.0.2) does not work either. When using a secure connection (only way AD will allow password changes), the AD server throws an LDAP error code 53, problem 5003 (WILL_NOT_PERFORM). I am not at all surprised to see this as the password has to be specifically formatted for AD.

I'll give 6.0.5 a try soon and see how it fares out of the box.
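
For reference, the AD-specific formatting of unicodePwd that the posts above refer to, as an added example that is not part of the original thread and not Liferay's code: the value is the new password wrapped in double quotes, encoded as UTF-16LE, and sent as a binary attribute over a secure connection. The class name, method names and the ldaps:// check are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;
// Hypothetical helper class (not Liferay code).
public class AdPasswordReset {
    // AD accepts unicodePwd only as the password wrapped in double quotes,
    // encoded as UTF-16LE with no byte-order mark.
    static byte[] encodeUnicodePwd(String newPassword) {
        return ("\"" + newPassword + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Administrative reset: one REPLACE of unicodePwd carrying a byte[] value.
    static ModificationItem[] resetModification(String newPassword) {
        BasicAttribute attr = new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword));
        return new ModificationItem[] { new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attr) };
    }

    static void resetPassword(String ldapsUrl, String bindDn, char[] bindPw,
                              String userDn, String newPassword) throws NamingException {
        // Assumption: TLS comes from an ldaps:// URL, as in the thread's setup.
        if (!ldapsUrl.startsWith("ldaps://")) {
            throw new IllegalArgumentException("unicodePwd writes need a secure connection");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        DirContext ctx = new InitialDirContext(env);
        try {
            ctx.modifyAttributes(userDn, resetModification(newPassword));
        } finally {
            ctx.close();
        }
    }
    public static void main(String[] args) throws NamingException {
        if (args.length == 5) { // ldaps URL, bind DN, bind password, user DN, new password
            resetPassword(args[0], args[1], args[2].toCharArray(), args[3], args[4]);
        } else { // offline: dump the encoding of a constructed sample password
            System.out.println(java.util.Arrays.toString(encodeUnicodePwd("Ab1!")));
        }
    }
}
```

Mapping a plain string to unicodePwd skips the quoting and UTF-16LE step, which is consistent with the WILL_NOT_PERFORM (error code 53) responses reported in this thread.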
Alan Robertson, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

New Member Posts: 19 Join Date: 2010.11.05. Recent Posts
Josh, were you able to get this working? I'm trying to use Liferay 6.0.5 to change passwords in Active Directory and it's not working for me.
Ryan Ward, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

New Member Posts: 18 Join Date: 2010.02.12. Recent Posts
I'm also interested in this answer. I'm unable to set AD passwords from within Liferay, I just get plain text storage of the password in the userPassword attribute in AD.
Fezrul fizree, modified 13 years ago

RE: User password change exporting to LDAP (AD)?

New Member Posts: 5 Join Date: 2011.03.14. Recent Posts
Hi there, I have a question. I need to bind AD with Liferay using the LDAP option in the portal settings authentication. My problem is that in AD there is no userPassword attribute for the user.

How am I supposed to map the password attribute?

My AD has 3400++ users and I don't see any userPassword attribute on it; it only has the pwdLastSet attribute, which has nothing to do with the user password.
William Liu, modified 12 years ago

RE: User password change exporting to LDAP (AD)?

New Member Posts: 1 Join Date: 2011.06.22. Recent Posts
I am currently using Liferay 6.0.6 and having the same issue.

I have an LDAPS connection and the password field mapped to unicodePwd, and when I change the password I got the exception below.

[LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0 ]

Anyone got it working here? Thanks!
Sandip Patel, modified 11 years ago

RE: User password change exporting to LDAP (AD)?

Regular Member Posts: 205 Join Date: 2011.01.05. Recent Posts
Hi,
I am currently facing an issue like this:
I have mapped the Liferay user password field to unicodePwd of LDAP (AD). When I create a user in Liferay, it gives the error below.

Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
]; remaining name 'cn=testone,OU=Users,OU=Radisson Edwardian,DC=rbehtest,DC=ed-mstest,DC=com'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840)


If I map the Liferay user password field to userPassword of LDAP (AD), then it successfully creates the user in LDAP.

Please help me. Do I need to change any code for this?