Liferay 6.2 LDAP authentication

Updated 9 years ago by Michael A Ikhane.

Liferay 6.2 LDAP authentication

Junior Member Posts: 37 Join Date: 09/05/27
Hi All,

When Liferay uses LDAP for authentication, it imports users from the LDAP server. I would like to know if during authentication, Liferay "goes" to the LDAP server to check the user's password, or if it checks an imported copy of the users' passwords.

If the latter is the case, how do I ensure Liferay is aware of any changes to the passwords on the LDAP server?

Thanks
Updated 9 years ago by David H Nebinger.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14914 Join Date: 06/09/02
Liferay will actually bind to the LDAP server using the user's DN and the password given. If the bind is successful, then all is good. If the bind fails, well then your authentication will fail (but typically falls back on the creds the user has set up in the Liferay database).
Updated 9 years ago by Michael A Ikhane.

RE: Liferay 6.2 LDAP authentication

Junior Member Posts: 37 Join Date: 09/05/27
Hi David,

Thank you for your prompt answer.

However, I am a rookie with LDAP, so I don't totally get the "bind to the LDAP server".

Are you saying that if the bind is successful then LR will always "go" to the LDAP to verify login password and if it is not successful it uses a local copy of the password?

Thanks
Updated 9 years ago by David H Nebinger.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14914 Join Date: 06/09/02
Sorry, binding to ldap is basically logging in. So the username/password you put in Liferay is used during the 'login' to LDAP. No comparison of passwords is necessary, either you 'login' successfully or you fail.
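
What the bind described above looks like on the wire, as an added example that is not part of the original posts and is not Liferay's code: it encodes an LDAP simple BindRequest per RFC 4511 and reads the resultCode from a BindResponse. The DN, password and response bytes are constructed sample values; the password travels inside the request as typed, which is why the connection needs LDAPS or StartTLS, and an empty password is refused because it would be an unauthenticated bind.

```python
# Added example (not Liferay code): LDAP simple bind on the wire, RFC 4511.

def tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value, definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def bind_request(msg_id: int, user_dn: str, password: str) -> bytes:
    """LDAPMessage carrying a simple BindRequest."""
    if not 0 < msg_id < 128:
        raise ValueError("msg_id must fit in one byte for this encoder")
    if not password:
        # RFC 4513 5.1.2: a DN with an empty password is an "unauthenticated
        # bind" that a server may accept, so the client refuses to send it.
        raise ValueError("empty password must not be used for a simple bind")
    body = (tlv(0x02, b"\x03")                      # version = 3
            + tlv(0x04, user_dn.encode("utf-8"))    # name: the user's DN
            + tlv(0x80, password.encode("utf-8")))  # simple: password as typed
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                # long-form length
        k = first & 0x7F
        first, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + first], pos + first

def bind_result(response: bytes) -> int:
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = read_tlv(response, 0)               # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)                    # messageID
    tag, op, _ = read_tlv(msg, pos)                 # protocolOp
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(op, 0)                    # resultCode ENUMERATED
    return int.from_bytes(code, "big")

# Constructed sample values: hypothetical DN and password, hand-built responses.
REQUEST = bind_request(1, "uid=jdoe,ou=people,dc=example,dc=com", "s3cret")
OK_RESPONSE = bytes.fromhex("300c02010161070a010004000400")
BAD_RESPONSE = bytes.fromhex("300c02010161070a013104000400")
```
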
Updated 9 years ago by Michael A Ikhane.

RE: Liferay 6.2 LDAP authentication

Junior Member Posts: 37 Join Date: 09/05/27
Hi David,

I suppose that means that LR does not store the passwords. If this is the case, then I am ok.

Thanks
Updated 9 years ago by David H Nebinger.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14914 Join Date: 06/09/02
Sorry, didn't know that was what you were looking for, but no, Liferay does not store the passwords.
Updated 9 years ago by Mitesh Kambli.

RE: Liferay 6.2 LDAP authentication

New Member Posts: 1 Join Date: 14/05/13
Hi David,

I have a few questions on my requirement and need your assistance.

My case (requirements): I have multiple organizational web sites which each work with their own LDAP login authentication for users to access.
I intend to merge those multiple web sites into the Liferay portal with Single Sign-On in such a way that once end users
log in at the LDAP (Liferay) end, they can have access to other remote distributed web applications.

Questions:
a) Can I bind LDAP (Liferay CAS) to various remote LDAPs which have their own validation for access to different portals?

User logs in --> Liferay (LDAP) --> Liferay (portal page) --> various web application pages can be displayed on the Liferay portal page.

In the background, Liferay (LDAP) --> binds with 'X' LDAP + web application, also with other 'Y' LDAP + its web application.

b) How can I achieve Single Sign-On via CAS for multiple web applications?
Updated 9 years ago by David H Nebinger.

RE: Liferay 6.2 LDAP authentication

Liferay Legend Posts: 14914 Join Date: 06/09/02
You could do a cascade authentication, first against LDAP A and subsequently against LDAP B, C, etc., but this is just for authentication, it does not consolidate privileges or groups or things like that to manage your access against the separate apps.

For CAS, you have the central CAS system that serves out tickets which are typically stored as cookies in the browser. When hitting the various sites, the cookies are used to allow you into the app, but the app needs to know how to deal with CAS. It is not just a matter of setting up CAS and all of a sudden you have single sign on throughout your enterprise.

I would recommend that you try consolidating the separate LDAPs into a single tree and have all of the apps use the single tree rather than separate trees. You can still have the separate administrators, etc., but it would simplify your Liferay integration going forward.