sadish ravi
Ldap import user password enabled not working as expected
2012/04/19 9:18

Hi,

I am trying to do auth using LDAP in Liferay, and I would like to use only LDAP as auth and not do a second auth against Liferay. Also, I do not want to import user passwords to Liferay. I am using Liferay 6.1 CE.

My settings:
#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Enable the below setting for enabling LDAP referral follow
#ldap.referral=follow

# LDAP connection settings
ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret

# enable/disable Liferay authentication
auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth

# Set below property to false to disable LDAP auth
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind

# LDAP import properties
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10

# LDAP export properties
ldap.export.enabled=false
ldap.export.group.enabled=false

ldap.auth.search.filter.0=(mail=@email_address@)

# Provide mapping for the 5 mandatory LDAP attributes for Liferay to authenticate with LDAP
# other attributes jobTitle=title, group=groupMembership
ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=

# Attributes to skip
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn

# Search filters for users and groups. These properties apply only when ldap.import.enabled is true
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)

# password policy
ldap.password.policy.enabled=true
# setting this to false will make sure the LDAP user password is not imported to the portal
ldap.import.user.password.enabled=false
# autogenerate user passwords in case the import password property is false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test


When I set ldap.import.user.password.enabled=false, I found that in the LDAPAuth class, the authenticate function checks for (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED), and only if it's set to true does it do password verification for the user; otherwise it skips the block, and hence I am able to log in with the user email and any random password, and it works.

Please let me know if there is a fix for this, or whether I can extend the LDAPAuth class to fix it myself. If so, let me know how that can be done.
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/04/20 6:47

This new feature should be available in 6.1 by default.

No customization is needed. Refer to the blog post "Keeping user password secure with LDAP integration".

Hope that it helps,

Thanks

Jonas Yuan
sadish ravi
RE: Ldap import user password enabled not working as expected
2012/04/20 11:17

Hey Jonas,

I have tested it a couple of times today. All cases work fine, except that when I set
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password


Liferay is not authenticating the LDAP password. I am able to log in with the email and any password combination, and the user gets imported to Liferay with the default password of 'password' that's set above.

My entire settings
terms.of.use.required=false
users.reminder.queries.enabled=false

#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#ldap.referral=follow


ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret

auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth


ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method= password-compare

ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm.types=MD5

ldap.import.group.cache.enabled=false


ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10

ldap.export.enabled=false
ldap.export.group.enabled=false

ldap.auth.search.filter.0=(mail=@email_address@)


ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=

#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn

ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)

ldap.password.policy.enabled=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password



As I sent you in a mail, I feel this section of code is what is bypassing the password check in case the property is false.
In the class LDAPAuth.java, I could see that the check below, which calls another authenticate method for LDAP password verification, is not getting executed.
Hence I am able to log in with any LDAP password, as long as the account exists. Also, I have turned off Liferay auth.

protected int authenticate(long companyId, long ldapServerId, String emailAddress,
        String screenName, long userId, String password)
.....
....
........
if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
    ldapAuthResult = authenticate(
        ldapContext, companyId, attributes, fullUserDN,
        password);

    // Process LDAP failure codes

    String errorMessage = ldapAuthResult.getErrorMessage();

    if (errorMessage != null) {
        if (errorMessage.indexOf(PrefsPropsUtil.getString(
                companyId, PropsKeys.LDAP_ERROR_USER_LOCKOUT))
                    != -1) {

            throw new UserLockoutException();
        }
        else if (errorMessage.indexOf(PrefsPropsUtil.getString(
                companyId, PropsKeys.LDAP_ERROR_PASSWORD_EXPIRED))
                    != -1) {

            throw new PasswordExpiredException();
        }
    }

    if (!ldapAuthResult.isAuthenticated() &&
        PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {

        return FAILURE;
    }
}....


thank you

Sadish
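
The control flow described in the post above, reduced to a self-contained model. This is an added example, not Liferay's LDAPAuth code and not the fix patch mentioned in the thread; the class and method names, the in-memory directory and the sample credentials are all assumptions made for illustration.

```java
import java.util.Map;

// Simplified model of the control flow described in this thread. Not Liferay
// source and not the fix patch: all names and sample data are hypothetical.
public class LdapGateDemo {
    static final int SUCCESS = 1;
    static final int FAILURE = -1;

    // Constructed stand-in for the directory: mail attribute -> password.
    static final Map<String, String> DIRECTORY =
        Map.of("alice@example.com", "correct-horse");

    // Stands in for the LDAP bind or password-compare step.
    static boolean directoryAccepts(String mail, String password) {
        return password != null && password.equals(DIRECTORY.get(mail));
    }

    // Reported behaviour: the verification call sits inside the import-flag check.
    static int authenticateGated(String mail, String password,
            boolean importPasswordEnabled) {
        if (!DIRECTORY.containsKey(mail)) {
            return FAILURE; // the account still has to exist
        }
        if (importPasswordEnabled && !directoryAccepts(mail, password)) {
            return FAILURE;
        }
        return SUCCESS; // flag off: reached without any password check
    }

    // Fail-closed shape: verification is unconditional. The flag is left only
    // to decide what gets stored locally, which happens after this point.
    static int authenticateAlwaysVerify(String mail, String password,
            boolean importPasswordEnabled) {
        if (!directoryAccepts(mail, password)) {
            return FAILURE;
        }
        return SUCCESS;
    }

    public static void main(String[] args) {
        String mail = "alice@example.com";
        for (boolean flag : new boolean[] {true, false}) {
            for (String pw : new String[] {"correct-horse", "anything"}) {
                System.out.printf("import.enabled=%-5b password=%-13s gated=%2d always=%2d%n",
                    flag, pw, authenticateGated(mail, pw, flag),
                    authenticateAlwaysVerify(mail, pw, flag));
            }
        }
    }
}
```

With auth.pipeline.enable.liferay.check=false, as in the posted settings, the portal's own password check is turned off as well, so the flag-off row with a wrong password corresponds to the login described in the post.
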
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/04/23 14:09

Hi sadish

It seems there is a bug related to this new feature.

Could you please grant LDAP access? Thus I may be able to narrow down the bug and generate a fix.

Thanks

Jonas Yuan
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/04/26 22:48

Hi Sadish,

There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately I have generated a fix patch. With the following settings and the fix patch, the feature works as expected.

ldap.import.user.password.enabled=false

ldap.import.user.password.autogenerated=false

ldap.import.user.password.default=test


Drop an email if you still need this feature and the fix patch.

The fix patch for 6.0 is also available.

Thanks

Jonas Yuan
Salvador Baena
RE: Ldap import user password enabled not working as expected
2012/05/14 7:13

Hi Jonas,

I'm using version 6.1 and I have the same problem.
Could you tell me where to download the fix patch and how to install it?

Thank you very much
Best Regards
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/05/14 15:27

Hi Salvador,

You may drop email to jonasliferay@gmail.com. I could send you the patch by email.

Thanks

Jonas Yuan
Manuel Hoyos
RE: Ldap import user password enabled not working as expected
2012/06/10 22:48

Hi Jonas,

I have the same problem, but I'm working in Liferay 5.0.2. Is it possible to fix it?

Thanks
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/06/11 11:10

Hi Manuel Hoyos

yes, it is possible.

Is there any reason that you did not use 6.1 CE?

Thanks

Jonas Yuan
Manuel Hoyos
RE: Ldap import user password enabled not working as expected
2012/06/11 22:44

For now, our corporate intranet is on version 5.0.2. The change is in progress, but we hoped to fix the problem in this version.

Thanks
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/06/19 15:53

It is possible to generate a fix patch for 5.0.2. But it requires special care.

Is it urgent for you?

Thanks

Jonas Yuan
Manuel Hoyos
RE: Ldap import user password enabled not working as expected
2012/06/19 22:51

Thanks for the reply,

It is urgent to know the answer, to assess its cost and the risk of applying it.

Thanks again and best regards
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/06/20 11:56

Hi Manuel,

Could you please drop an email to jonasliferay@gmail.com?

Hope that a fix patch could be available on an urgent basis.

Thanks

Jonas Yuan
amit singh
RE: Ldap import user password enabled not working as expected
2012/07/05 0:00

Hi Jonas ,

I am also facing a similar problem with 6.1 CE.
Can you please send me the fix patch for this bug?

I have already requested it from my email ID eramitsingh1985@gmail.com; please revert on the same.

Thanks,
Amit Singh
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/07/05 13:33

Hi Amit,

You should receive the patch.

It would be nice that you could share your testing results here.

Thanks

Jonas Yuan
amit singh
RE: Ldap import user password enabled not working as expected
2012/07/08 21:46

Hi Jonas,

Applying this patch on the 6.1.x code base resulted in LDAP authentication working fine as required; however, the user is also able to log in with the password stored in the Liferay database, even when Required is enabled using the Control Panel for Liferay.

Still the problem remains the same!!

Regards,
Amit
Sunil Rai
RE: Ldap import user password enabled not working as expected
2012/06/26 6:21

Jonas Yuan:
Hi Sadish,

There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately I have generated fix patch. With the following settings and the fix patch, the feature works as expected

ldap.import.user.password.enabled=false

ldap.import.user.password.autogenerated=false

ldap.import.user.password.default=test


Drop email if you still need this feature and fix patch.

The fix patch for 6.0 is also available.

Thanks

Jonas Yuan


Hi Jonas,

After upgrading to Liferay 6.1.0 CE I am facing a problem with LDAP. Only after disabling the LDAP option is the user able to log in, but before the upgrade LDAP was working fine on Liferay 5.2.3 CE. Do you think the mentioned patch will help with this?
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/06/26 7:18

Hi Sunil,

Yes, the same feature could be downgraded to 5.2 version. It will require special care.

Thanks,

Jonas
Sunil Rai
RE: Ldap import user password enabled not working as expected
2012/06/26 23:33

Hi Jonas,

I have sent you mail on your gmail ID "jonasliferay@gmail.com" regarding the mentioned patch. Please provide me the same.

Regards,
Sunil Rai
Sunil Rai
RE: Ldap import user password enabled not working as expected
2012/06/27 22:57

Jonas Yuan:
Hi Sunil,

Yes, the same feature could be downgraded to 5.2 version. It will require special care.

Thanks,

Jonas


Hi Jonas,

It is difficult to depend on the forum if you have a deadline. Anyway, I have cancelled the plan to upgrade to Liferay 6.1.0 CE.
Unfortunately the forum is not active, even though the solution is available.
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/07/02 15:31

Hi Sunil,

Sorry that I did not get a chance to build the fix patch for 5.2.3.

Is this urgent for you?

Thanks

Jonas Yuan
Sunil Rai
RE: Ldap import user password enabled not working as expected
2012/07/02 22:33

Hi Jonas,

Thanks for the update, but yes, it is urgent; otherwise there is no other solution than to stick with Liferay 5.2.3 CE.
Let me know if you need any further details from my side.

Thanks,
Sunil Rai
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/07/05 13:34

Hi Sunil,

Good luck to use the fix patch.

Thanks

Jonas Yuan
Luca Basile
RE: Ldap import user password enabled not working as expected
2012/07/06 1:58

Hi everyone,

I'm stuck with the same problem. Where can I get this patch? Do I need to follow some specific steps to obtain it?

Thanks in advance,

Cheers.
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/07/07 14:12

Hi Luca,

Which version are you using?

You may drop an email to jonasliferay@gmail.com for the fix patch.

Thanks

Jonas Yuan
Sunil Rai
RE: Ldap import user password enabled not working as expected
2012/07/08 22:46

Jonas Yuan:
Hi Sunil,

Good luck to use the fix patch.

Thanks

Jonas Yuan


Thanks a lot Jonas.
I will try to implement this and I will share my experience with you soon.

Regards,
Sunil
amit singh
RE: Ldap import user password enabled not working as expected
2012/07/05 0:03

Hi Sadish,

Did your problem with the Liferay LDAP integration get resolved using the patch provided by Jonas?
I am also facing a similar issue with Liferay 6.1 CE.

Has this patch not been applied to the WAR bundle available on the Liferay download page?


Thanks,
Amit Singh
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/11/26 20:37

Hi Amit,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan
amit singh
RE: Ldap import user password enabled not working as expected
2012/11/30 3:50

Hi Jonas,

Does this patch apply to liferay-portal-6.1.1-ce-ga2?

Thanks,
Amit
Jonas Yuan
RE: Ldap import user password enabled not working as expected
2012/12/05 6:58

Hi Amit,

As you mentioned in Google Talk, please share your test results.

Thanks

Jonas Yuan
Michal R
RE: Ldap import user password enabled not working as expected
2013/01/18 6:54

Jonas,
why not raise a liferay jira issue, fix the bug there and distribute it via standard means (i.e. versioning system) to everybody?