
Keeping user password secure with LDAP integration

Community Blogs November 24, 2010 By Jonas Yuan

Liferay 5.2 EE and 6 improved LDAP integration in several areas (see the blog post LDAP Enhancements by Michael C. Han):

  • synchronize user custom attributes between Liferay and LDAP
  • support LDAP chains and LDAP pagination
  • create a role for each LDAP group
  • override LDAP import and export processes via Spring

When users are imported from LDAP, both the user's information and password are imported. Of course, all passwords stored in Liferay are secure, and the LDAP password mapping field is optional. In some use cases, however, the fact that Liferay stores users' passwords is against the company's security policy rules.

Liferay should not import a user's password from LDAP when this is required (LPS-13933). That is, it would be a nice improvement to allow the portal admin to choose whether or not to save the user's LDAP password when they log in. How can this be implemented? This article describes how to make this feature work in Liferay 5.2 and 6.

Solution overview

The following diagram shows the solution overview. LDAP contains users' information (including users' passwords) and groups' information. Liferay portal provides users (and contacts), user groups and roles, with the following mappings:

LDAP user info <==> Liferay user info (and contact, password is not included)

LDAP groups (and users membership) <==> Liferay user groups and roles (and users membership)

In addition, the portal uses the user's password for authentication only. When users log in, the portal imports (adds or updates) the user's information and then assigns default passwords (such as the user's screen name, user ID, email address, or plain text) as temporary and secure passwords.

When LDAP is enabled, the portal uses the LDAP user and its password to authenticate. Once LDAP is disabled (or disconnected), the portal activates the "forgot password" process to reset the user's password and send a new auto-generated password by email; or the portal activates the "required reset password" password policy so that the user's password is updated after the first login.

Implementation

This feature could be implemented in two steps.

1) Add the following properties to portal.properties, in the LDAP section.

# Set this to true if the portal does import LDAP user's password.
# Set this to false if the portal does not import LDAP user's password;

ldap.import.user.password.enabled=false

# Set this to false if LDAP user's password is not auto-generated;
# This property is in use only if the property ldap.import.user.password.enabled is set to false.

ldap.import.user.password.autogenerated=false

# Use a default password as the LDAP user's password: $SCREENNAME$, $USERID$, $EMAILADDRESS$, or plain text.
# This property is in use only if the property ldap.import.user.password.enabled is set to false
# and the property ldap.import.user.password.autogenerated is set to false, too.

ldap.import.user.password.default=test

2) Update the methods addUser and updateUser in the Portal LDAP importer to use the above settings.

Results

This feature was tested in 5.2 EE and 6.0 CE / EE. Three testing use cases were included as follows.

Use case A

When the following property is set to true, LDAP integration resumes its default behavior; that is, all users' passwords are imported and stored securely in the Liferay database. This is the Liferay default behavior, which makes it easy to revert.

ldap.import.user.password.enabled=true

Use case B

With the following properties, LDAP integration will not import users' passwords; instead, a random password will be auto-generated for each user.

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=true

Use case C

With the following properties, LDAP integration will not import users' passwords; instead, a pre-defined password will be assigned to users.

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
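
As an added example (not code from this article or from Liferay), the script below reads the three properties, maps them to use case A, B or C, and lists what a reviewer should note about the password that ends up stored locally. The parser, function names, finding codes, the whole-value token match and the treatment of an unset "enabled" as true are assumptions made for illustration.

```python
import secrets

# Constructed sample: use case C with a token as the default password.
SAMPLE_PROPERTIES = """\
# portal-ext.properties (constructed sample)
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=$SCREENNAME$
"""

ENABLED = "ldap.import.user.password.enabled"
AUTOGENERATED = "ldap.import.user.password.autogenerated"
DEFAULT = "ldap.import.user.password.default"


def parse_properties(text):
    """Minimal key=value reader; skips blank lines and #/! comments.
    Line continuations and escapes are deliberately not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def flag(props, key, fallback):
    """Read a boolean property, using fallback when the key is absent."""
    return props.get(key, fallback).lower() == "true"


def use_case(props):
    """Map the settings to use case A, B or C from the article."""
    # Assumption: an unset 'enabled' means true, since the article calls
    # importing the password the default behaviour.
    if flag(props, ENABLED, "true"):
        return "A"
    if flag(props, AUTOGENERATED, "false"):
        return "B"
    return "C"


def local_password(props, user, ldap_password):
    """Password that would be stored for one user (hypothetical helper)."""
    case = use_case(props)
    if case == "A":
        return ldap_password
    if case == "B":
        return secrets.token_urlsafe(16)  # random, unknown to the user
    tokens = {
        "$SCREENNAME$": user["screenName"],
        "$USERID$": str(user["userId"]),
        "$EMAILADDRESS$": user["emailAddress"],
    }
    default = props.get(DEFAULT, "")
    # Assumption: a token is recognised only when it is the whole value.
    return tokens.get(default, default)


def audit(props):
    """Return review findings as (code, message) pairs."""
    findings = []
    case = use_case(props)
    if case == "A":
        findings.append(("LDAP_PASSWORD_STORED",
                         "LDAP passwords are copied into the portal database"))
        if AUTOGENERATED in props or DEFAULT in props:
            findings.append(("SETTING_IGNORED",
                             "autogenerated/default only apply when enabled=false"))
    elif case == "C":
        default = props.get(DEFAULT, "")
        if default in ("$SCREENNAME$", "$USERID$", "$EMAILADDRESS$"):
            findings.append(("DERIVABLE_DEFAULT",
                             "local password equals a user attribute: " + default))
        else:
            findings.append(("SHARED_DEFAULT",
                             "every imported user gets the same local password"))
    return findings
```

Use case B produces no finding here because the stored value is random; in use case C the stored value is either shared or derivable, so it matters whether the portal's own database check is still part of the authentication pipeline.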

This feature will be available in 6.1 and 6.0 EE SP1. This is good news.

Is this feature useful? Your comments or suggestions?


I really need this information.
Thank you jonas.
Posted on 11/28/10 1:56 PM.
Thanks, Ibrahim.

This feature is one of cool features of Liferay portal 6.1 CE and 6.0 EE SP1.

By the way, you could use this feature in 6.0 EE if you want.

Thanks

Jonas
Posted on 11/29/10 11:01 AM in reply to ibrahim çağlar.
Hi Jonas,

Nice and easily written, good job!

Anyway, in all my projects where LDAP import was used, I was facing some missing functionality, such as importing "nested groups" from LDAP, importing deactivated users in LDAP, or deleting users from Liferay after the user is deleted in AD. It would be nice to have these features in the next release. Until then I will just "hook".
Posted on 11/29/10 11:54 AM.
Thank you, Jan. You did great job! You may contribute your "hook" back to Liferay community. Then all of us will benefit a lot. Is it feasible idea?
Posted on 12/10/10 5:08 PM in reply to Jan Gregor.
Hi Jonas,

seems that liferay 6.0.5 CE with standard configuration in LDAP AuthN with "import" enabled does not import the passwords correctly.

All users in LDAP have been imported but the password (SHA1) in the "User_" table are incorrect

Any idea?

Regards.
Posted on 1/18/11 11:13 AM in reply to Jonas X. Yuan.
Hi Jonas. So, is this not live in the current CE ? I see on source forge the latest available is 6.0.6. Are you saying this will not be available until 6.1 is out?

Thanks,

Brian
Posted on 4/26/11 1:24 PM in reply to Jonas X. Yuan.
Hi Brian,

This feature will be available in CE 6.1. But it could be available in 6.0.6 with a special fix patch.

Thanks
Posted on 4/26/11 3:43 PM in reply to Brian Scott Schupbach.
Thanks, Jonas. I'm using version 6.0.6 and it looks like the issue has been fixed. Users are being imported and an auto generated password is being created for them. Unfortunately, I would like the passwords to be imported. I want to allow a user to use liferay to update their ldap password and then sync that with the ldap system.

I have set the following properties in my portal-ext.properties file:
ldap.import.user.password.enabled=true
ldap.import.user.password.autogenerated=false

Unfortunately, it appears like these two properties are not yet working. Any ideas on how I can achieve what I need? If that patch were available I think things would be fine for me. I'd be able to import the passwords just fine.

Thanks!

Brian
Posted on 4/27/11 8:40 AM in reply to Jonas Yuan.
Hi Jonas,

Do you know when there will be a patch available? or what version this was last working in? I briefly checked the message boards and there are dozens of posts about this

http://www.liferay.com/community/forums/-/message_boards/message/8410944

Getting LDAP to work with liferay is a requirement of my project. If I can't get it to work we can't use liferay. If I have to roll back to a previous version it'll be a mess and I'll lose a ton of data but I can do it. I just need to know which version this was last working in so I don't roll back and have it still not working.

Thank you,

Brian
Posted on 4/29/11 7:16 AM in reply to Jonas Yuan.
Hi Brian, thanks. I guess that this feature is in 6.0.6, but it is incomplete.

In fact one client used this patch in 6.0.10 EE, it was working well.

Do you use 6.0 EE, or just CE 6.0.6? If required, I can generate a fix patch for this feature in 6.0.6 for you.

Let me know your plan,

Thanks

Jonas
Posted on 4/29/11 10:51 AM in reply to Brian Scott Schupbach.
Hi Roger, do you get answer?

Sorry to read your comments late,
Posted on 4/29/11 10:58 AM in reply to Roger CARHUATOCTO.
Hi Jonas,

I have 6.0.6 CE. It would be fantastic if I could get a fix.

Thanks Jonas,

Brian
Posted on 5/3/11 6:58 PM in reply to Jonas Yuan.
Hi Jonas,
Could you email the fix patch for this feature in 6.0.6 CE for me?
I have a client who wants to use this feature.

Thanks!
Posted on 5/3/11 11:08 PM.
@Brian and @Simon, let me generate a new fix patch and test it in 6.0.6. I will come back to you both when the fix patch is ready.

Thanks

Jonas Yuan
Posted on 5/4/11 5:39 AM in reply to Simon Zhang.
@Brian and @Simon, the fix patch for CE 6.0.6 GA 4 is ready. Just tested in 6.0.6 OOB. This feature worked properly.

Could you please drop an email to jonasliferay@gmail.com?

Thus this fix patch could be sent across by email
Posted on 5/5/11 2:49 PM in reply to Jonas Yuan.
Very useful, but I would expect that in case C I would expect authentication against internal database for imported users impossible even if this property is set:

auth.pipeline.enable.liferay.check=true

My requirement is: I want to authenticate some local liferay admins with internal database but regular users with ldap or web sso only (and I don't want their passwords in liferay). I would like to know if this patch fully supports this case. Or maybe it needs to be enhanced to achieve that functionality?
Posted on 5/24/11 3:05 PM.
Yes, Rafal, your requirements got covered as well.

Which version are you using? LR CE 6.0.6? or EE 6.0 SP1?
Posted on 5/24/11 3:12 PM in reply to Qqq Qqqq.
Nice to hear from you :) I use LR CE 6.0.6 but it is probable that I will need to deal with EE as well.
Posted on 5/25/11 12:47 PM in reply to Jonas Yuan.
Great! you can drop an email to jonasliferay@gmail.com, thus I could send across the fix patch for 6.0.6.
Posted on 5/25/11 1:29 PM in reply to Rafal N.
Hi Jonas,
Is there a way you could disable password change feature in Liferay 6.0.6 CE? I do not want users to change their LDAP password through the portal. Let me know. Thanks.
Posted on 9/12/11 4:51 AM in reply to Jonas Yuan.
Hi Shuaib,

you can set

1) LDAP password is not imported

2) User password is not exported to LDAP.

Do you want the use cases 1), 2) or both?
Posted on 9/12/11 5:16 PM in reply to Shuaib K.
Regarding Case 1, how do we set it to not import LDAP password? Would this affect the NTLM Single Sign On feature? I don't want the users to type in any user id or password to login to Liferay. Let me know.

I don't need Case 2 as I don't want the users to save anything back into Active Directory.

Thanks much.
Posted on 9/12/11 9:33 PM in reply to Jonas Yuan.
Also, in addition to the above, could you also please reply to the following query I posted in another forum (http://www.liferay.com/community/forums/-/message_boards/message/10738172) for which I got no response. Thanks.

With the NTLM enabled on Liferay CE 6.0.6/Windows Server 2003, when I browse to the Liferay portal on Internet Explorer, I get the default login page. I then have to click on the 'Sign In' link at the top right corner of the page in order to get to the welcome page of the logged-in user without entering in any user name or password. Is this how the Single Sign On works in Liferay? Isn't there any way to go to the welcome page directly as soon as you enter in the Liferay portal URL on your browser? There should be a way to bypass the default login page. Please advise.
Posted on 9/12/11 11:13 PM in reply to Shuaib K.
Hi Shuaib,

Use case 1: you can set

ldap.import.user.password.enabled=false

in order to not import LDAP user password first. Then integrate SSO. You would be set.

Use case 2: http://issues.liferay.com/browse/LPS-21138, is it what you need?
Posted on 9/13/11 5:48 PM in reply to Shuaib K.
Thank you Jonas. Case 1 worked for me.
I'd really appreciate if you could also reply to my other query regarding SSO. Thanks.
Posted on 9/13/11 9:46 PM in reply to Jonas Yuan.
When I have "ldap required" set to false a user can put in ANY password to authenticate. When I have "ldap required" set to true then ldap users cannot authenticate. I have the patch installed...and it doesn't appear to be working like I thought it was. Anyone have any suggestions as to where to start?
Posted on 9/28/11 11:14 AM.
Hi @Jonas I have sent you a mail regarding AD password import problem in liferay 6.0.5. If not possible in 6.0.5 then please send me fix patch of 6.0.6. My mail address tosumon@gmail.com
Posted on 11/23/11 11:26 PM in reply to Brian Scott Schupbach.
Hi Ahasan,

Can you drop an email? jonasliferay@gmail.com

Thanks

Jonas
Posted on 11/28/11 10:56 AM in reply to Ahasan Habib.
Hi Jonas:

I am using Liferay 6.0.6 and Apache DS. I have the following two questions (or issues) -
1. Do I need to import users into Liferay to authenticate? Can I configure Liferay to check directly against LDAP server?

2. While importing, passwords are getting generated by Liferay? Can I keep,the same LDAP password (in case import cannot be avoided)?

Thank you.
Shahab
Posted on 12/12/11 5:31 PM.
Hi Shahab,

1. Do I need to import users into Liferay to authenticate?
not required.
Can I configure Liferay to check directly against LDAP server?
Yes.

2. While importing, passwords are getting generated by Liferay?
there are three options: imported, auto-generated, manual configure

Can I keep,the same LDAP password (in case import cannot be avoided)?
yes.

Thanks

Jonas
Posted on 12/13/11 11:52 AM in reply to shahab mahtab.
[...] Hiran Chaudhuri: Just a guess: Why is password import disabled, but password autogeneration is true? Either that second setting has no value, or it could cause LR to generate new passwords during... [...] Read More
Posted on 1/5/12 4:15 AM.
Hello Jonas,
I am working on Liferay 6.0.6 QA.
I am having certain Clients but the application is not allowing the AD integrated login.
your PATCH will be of great help. I really need this part to be done
Thanks
Posted on 2/4/12 12:25 AM.
kindly mail it to me at neel.darji@ril.com
thank a lot
Posted on 2/4/12 12:25 AM in reply to Neel Darji.
Hi Neel,

You may drop an email to jonasliferay@gmail.com.

Thanks
Posted on 2/6/12 6:37 AM in reply to Neel Darji.
Hi Jonas,
I am using 6.1 GA and I have the following scenario:

When I set ldap.import.user.password.enabled=true, and import to false and export to false, when a user successfully logs in via Ldap, they are prompted with a new password screen. I am not sure why this happens, as the password entered here seems to have no effect. The next time the user logs in, only their LDAP password still works.

However when I set ldap.import.user.password.enabled=false, set ldap.import.user.password.autogenerated=true and set a default new password, I can see the user's account in the database, but authentication fails, and they can't login either with the LDAP password or the default password. I wonder if this has anything to do with the ldap password being stored in SSHA and the password in Liferay stored as SHA.

Thank you for any insight you may have!
Posted on 2/23/12 5:34 PM in reply to Jonas Yuan.
Ok I figured it out, in the LDAP settings I checked "use Ldap password policy" and now it doesn't prompt for the password any more. I tried to simply disable "change required" in the local password policy, but that simply caused authentication to fail.
Posted on 2/23/12 6:02 PM in reply to Jeshurun Daniel.
Cool! Thanks for updates, Jeshurun.
Posted on 2/23/12 6:07 PM in reply to Jeshurun Daniel.
I am having no success with enabling Active Directory/LDAP authentication with 6.1GA. I have followed the suggestions here with no success. Here are my settings. Any assistance is appreciated

ldap.users.dn=OU=Locations,DC=Upcommunications,DC=local
ldap.groups.dn=OU=Groups,DC=Upcommunications,DC=local

ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA
ldap.auth.search.filter=(mail=@email_address@)
ldap.user.mappings=screenName=sAMAccountName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=memberOf\nfullName=cn\portrait=jpegPhoto
ldap.group.mappings=groupName=cn\ndescription=description\nuser=member
ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=10
ldap.import.user.search.filter=(&(objectCategory=Person)(sAMAccountName=*))
ldap.import.group.search.filter=(objectCategory=Group)
ldap.import.method=user
#ldap.import.method=group
ldap.export.enabled=false
ldap.password.policy.enabled=false

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
Posted on 4/16/12 12:08 PM.
Hi Andrew, Thanks.

Please drop an email to jonasliferay@gmail.com. I will try to help.
Posted on 4/16/12 5:18 PM in reply to Andrew Peterson.
[...] This new feature should be available in the 6.1 by default. No customization is in need. Refer to the blogs post Keeping user password secure with LDAP integration. Hope that it helps, Thanks Jonas... [...] Read More
Posted on 4/26/12 10:52 PM.
[...] Finally we've thought of upgrading to Liferay 6.1 to get around the complications we are facing around the security implementation mentioned in this thread. Based on this link, I think in 6.1 we can... [...] Read More
Posted on 6/11/12 10:33 AM.
Hi Jonas,
I am using Liferay-portal-6.1.0-ce-ga1
My requirements are:
1) AD passwords should not be imported in LR database.
2) User logging in should be authenticated by AD password.

What I have done so far to achieve the requirements:
For requirement number 1)
I have set below mentioned properties in my portal-setup-wizard.properties file
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
By doing so my AD passwords are not getting imported, I am ok with this.

For requirement 2) When an AD user tries to login with his AD password authentication fails, but can successfully login by default password(i.e. test)

I don't want this to happen , user should be authenticated against AD password.

Please help me with this issue.
Posted on 11/22/12 10:32 PM in reply to .
Hi Dhiraj,

Please drop an email to jonasliferay@gmail.com for a fix patch.
Posted on 11/24/12 10:20 AM in reply to Dhiraj Minocha.
Hi Dhiraj,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan
Posted on 11/26/12 9:07 PM in reply to Jonas Yuan.
Thank you for that post Jonas.

I'm trying to set my Liferay portal so that :
1)Liferay imports users and passwords from LDAP
2)Liferay exports users and passwords to LDAP. Editing account data and changing password from Liferay, should sync with LDAP
3)New users can register through Liferay, get an auto generated password ( generated from Liferay )and an email to their account.

I've managed to do the first two, but I can't do the 3rd. Users will be given the auto generated password, but it's not exported to LDAP, so they can't login using their temporary password. So the first Log in will not work.

What is the configuration I need to do to achieve exporting the auto-generated password to LDAP ?

Thanks in advance
Yannis
Posted on 12/24/12 1:44 AM.
[...] I'm having the very same problem. Have you managed to solve this issue ? I've read Jona's article, but I'm afraid it's not covering this scenario. Which is a quite common one Flag Please sign in to... [...] Read More
Posted on 12/24/12 1:53 AM.
Hi Jonas,

I tried to implement the solution provided above but it’s still not working and storing the passwords in clear text in the liferay database. I am using 6.0.6 CE.

I see you have provided the fix to @Brian and @Simon[ in the above link].

Could you please also provide the same fix to me? I have dropped you an email [jonasliferay@gmail.com] for the same as well.

Thanks & Regards,
Amit
Posted on 1/9/13 2:27 AM.
Hi Jonas,
Thanks for your post. I am beginner in Liferay and I have some troubles to synchronize LDAP and Liferay database.
I have imported users from LDAP with their passwords but, when I change the AD password, the next import (every 10 min) doesn't update the LR database.
How could I fix that please?
It will be better for me if I can synchronize (only when user log in) LDAP and LR but I don't know if this is possible.

Thanks by advance
Posted on 1/23/13 8:10 AM in reply to Jonas Yuan.
Hello,

How a user can modify his password from his Liferay's account ?

Indeed, Liferay asks for its current password and checks it with its value in database. But passwords are not imported from Active Directory, so the test fails systematically.

Is there one particular configuration to do this ?

Liferay 6.0.6 (or 6.1) - Active Directory

Thanks,
Fred
Posted on 2/22/13 2:56 AM.
Hi Frederic,
You can allow access to the "Forgot Password" link on the sign in page. In that case, users can ask for new resetting password by email.
Don't forget you have to provide your protocol information (SMTP) from Control Panel --> Server Administration --> Mail.
Pls, let us know if this helps.
Posted on 2/22/13 7:47 AM in reply to THOREL Frederic.
This still doesn't work as of 6.1 CE GA2 or 6.2 B1.
Posted on 8/23/13 3:25 AM.
Hi Jonas,

I am also facing same issue. I am using Liferay portal-6.1.1 CE GA2. My requirement is users should be authenticated against AD password.
But not able to import users as not able to import password from AD. I have tried like setting this property in portal-ext.properties
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=defaultpassword
But it did not work fine.
Can you please help me?


Thanks,
Sujana
Posted on 9/4/13 10:04 PM in reply to Jonas Yuan.
@ville @sujana,

Please drop email to jonasliferay@gmail.com for fix patch.
Posted on 9/6/13 2:15 PM in reply to sujana y.
Hi Jonas,
After applying patch also it is not working. I am not able to import users and I am getting this while testing to import users from AD.
"The above results include users which are missing the required attributes(screen name,First Name,Last Name,Email Address,Password).The users will not be improted until these attributes are filled in."

It's importing all attributes except the password. How to import password? Could you please help me in this issue.

Thanks,
Sujana
Posted on 9/10/13 2:53 AM in reply to sujana y.
Hi Sujana,

It seems that your LDAP mapping settings are incorrect. The following is sample mapping. Note that mapping would be different based on your LDAP.

ldap.user.mappings.0=uuid=uuid\nscreenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership
Posted on 9/11/13 8:49 AM in reply to sujana y.
Hi Jonas,

Thanks. Users are imported into the database. While authenticating, they are able to login with any password. I am using Mysql database. What is the issue here?



Thanks,
Sujana
Posted on 9/12/13 9:22 PM in reply to Jonas Yuan.