Forum

LDAP Import matching on email, but login with screenname (6.2)

Kim Zeevaarders, modified 8 years ago.

Junior Member Posts: 82 Join Date: 07/09/12 Recent Posts
Hello Guys,

Currently I have our Liferay 6.2 C GA2 instance connected to our LDAP (MS Active Directory) using the screenname for authentication.

To accomplish this I needed to:
  • Set the portal property company.security.auth.type=screenName
  • Add an authentication search filter to the LDAP config as follows: (sAMAccountName=@screen_name@)

This all works fine, users from the LDAP can log in to Liferay with their LDAP Username/Password.

Unfortunately we are planning to change our username policy in such a way that 90% of the usernames in the LDAP will change. After looking into the responsible import class
com.liferay.portal.security.ldap.PortalLDAPImporterImpl
I came to the conclusion that a modification of the username will lead to duplicate users, since Liferay tries to match users by screenname when importing from the LDAP because we set the auth type to screenname.

A solution for us would be to set the auth type back to the default -> email, but then users should also log in with their email and we don't want that.

Before I start customizing the PortalLDAPImporterImpl class I would like to ask you guys if it is possible to have the LDAP import match users by email but keep using the screen name for logging in?

Help is very much appreciated!

Thanks in advance!

Regards,

Kim Zeevaarders
The Netherlands
David H Nebinger, modified 8 years ago.

RE: LDAP Import matching on email, but login with screenname (6.2)

Liferay Legend Posts: 14916 Join Date: 02/09/06 Recent Posts
There should be no reason to tie the Liferay auth to your import and search filters, so don't do that.

Liferay uses the auth info given to look up the user, then uses the info from the user record to bind to ldap.

Most of the time Liferay auth and ldap bind will be set to the same thing, but that's not a requirement.
Kim Zeevaarders, modified 8 years ago.

RE: LDAP Import matching on email, but login with screenname (6.2)

Junior Member Posts: 82 Join Date: 07/09/12 Recent Posts
David H Nebinger:
Liferay uses the auth info given to look up the user, then uses the info from the user record to bind to ldap.


David,

I don't seem to understand what you mean... Are you saying that Liferay first authenticates and fetches the user in its own database (based on screenname) and then binds to the LDAP using other data (e.g. email) in the user record?

If so, how should that be configured?

Regards,

Kim
David H Nebinger, modified 8 years ago.

RE: LDAP Import matching on email, but login with screenname (6.2)

Liferay Legend Posts: 14916 Join Date: 02/09/06 Recent Posts
No, it's not authenticating.

When you enter screen name into login form and password, Liferay pulls the user record for the screen name and will use the info from the user record and the LDAP config and the password given to bind to LDAP.

There's no auth, but it will use the user record as necessary to complete the auth.
Jack Bakker, modified 8 years ago.

RE: LDAP Import matching on email, but login with screenname (6.2)

Liferay Master Posts: 978 Join Date: 03/01/10 Recent Posts
You might look at updating the lportal user_.screenname values to match new LDAP usernames.
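
Added example (not part of any post in this thread, and not Liferay code): a read-only dry run that pairs portal users with directory entries by e-mail before a username change, listing which screen names would have to be renamed to avoid the duplicate accounts described in the first post, and which entries cannot be paired safely. The function name `plan_import`, the dict layout and the sample data are assumptions; the field names follow the portal's screenName/emailAddress user fields and the AD attributes sAMAccountName and mail.

```python
from collections import Counter

def norm(value):
    # Compare names and addresses case-insensitively, ignoring stray whitespace.
    return (value or "").strip().lower()

def plan_import(portal_users, ldap_entries):
    """Pair LDAP entries with portal users by e-mail; nothing is modified."""
    by_mail = {norm(u["emailAddress"]): u for u in portal_users}
    portal_mails = Counter(norm(u["emailAddress"]) for u in portal_users)
    ldap_mails = Counter(norm(e.get("mail")) for e in ldap_entries)
    taken = {norm(u["screenName"]) for u in portal_users}
    plan = {"renames": [], "new_users": [], "conflicts": []}
    for e in ldap_entries:
        name, mail = norm(e["sAMAccountName"]), norm(e.get("mail"))
        if not mail:
            plan["conflicts"].append((name, "no mail attribute"))
        elif portal_mails[mail] > 1 or ldap_mails[mail] > 1:
            plan["conflicts"].append((name, "mail not unique"))
        elif mail not in by_mail:
            if name in taken:  # would attach to somebody else's account
                plan["conflicts"].append((name, "screen name held by another mail"))
            else:
                plan["new_users"].append(name)
        else:
            old = norm(by_mail[mail]["screenName"])
            if old == name:
                continue  # username unchanged, nothing to do
            if name in taken:
                plan["conflicts"].append((name, "target screen name in use"))
            else:
                # Screen-name matching would find no record for `name`
                # and create a second account for the same person.
                plan["renames"].append((old, name))
    return plan

# Constructed sample data, not taken from the thread.
PORTAL = [{"screenName": "jdoe", "emailAddress": "jane.doe@example.com"},
          {"screenName": "asmith", "emailAddress": "alan.smith@example.com"},
          {"screenName": "bwong", "emailAddress": "b.wong@example.com"},
          {"screenName": "shared1", "emailAddress": "team@example.com"},
          {"screenName": "shared2", "emailAddress": "team@example.com"}]
LDAP = [{"sAMAccountName": "jane.doe", "mail": "Jane.Doe@example.com"},
        {"sAMAccountName": "asmith", "mail": "alan.smith@example.com"},
        {"sAMAccountName": "b.wong", "mail": "b.wong@example.com"},
        {"sAMAccountName": "bwong", "mail": "new.person@example.com"},
        {"sAMAccountName": "svc-print", "mail": None},
        {"sAMAccountName": "team.box", "mail": "team@example.com"},
        {"sAMAccountName": "newhire", "mail": "newhire@example.com"}]

if __name__ == "__main__":
    for kind, items in plan_import(PORTAL, LDAP).items():
        print(kind, items)
```

Entries reported under `conflicts` need a manual decision before the import runs, because e-mail alone does not identify a single account for them.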