
LDAP Enhancements

Company Blogs March 25, 2010 By Michael C. Han Staff

With the upcoming 6.0 release, you will see many product engineers announce cool new features.  Unfortunately, LDAP integration is neither cool nor new.  However, in 6.0, we have improved the capabilities of our LDAP integration in several areas:

1. You can synchronize user custom attributes between Liferay and LDAP

You are no longer limited to the columns in the User_ table; you can now synchronize attributes like your favorite color between LDAP and Liferay. To do this, create the appropriate custom attributes for a User in Liferay's control panel, then configure the properties "ldap.user.custom.mappings" and/or "ldap.contact.custom.mappings" in your portal-ext.properties.

 

2. In 5.1 and 5.2 EE, we implemented LDAP pagination via PagedResultsControl. We now make this solution available to the community in 6.0.

3. You can configure the portal to create a role for each LDAP group.

Prior to 6.0, the portal synchronized LDAP groups as User Groups and you had to manually associate the user group to roles. In 6.0, the portal will create the user group, then create a role with the same name as the user group, and then associate the role to the user group. This capability is deactivated by default. However, you can activate it by changing "ldap.import.create.role.per.group" to true in portal.properties.

4. You may override LDAP import and export processes via Spring

 

For those who are IoC fans, you were probably frustrated by the inability to customize the import and export process (they were static methods in PortalLDAPUtil or buried in LDAPUser). In 6.0, we changed LDAP to provide proper interfaces at all levels of the LDAP integration process:

  • Don't like how Liferay converts LDAP attributes to a Liferay user?  You may implement your own LDAPToPortalConverter in the EXT and change a Spring configuration to inject your own implementation.  
  • Don't like how Liferay converts a Liferay user to LDAP attributes?  You may implement your own PortalToLDAPConverter.  
  • Need to change the export process?  Implement a PortalLDAPExporter.
  • Need to change the import process?  Implement a PortalLDAPImporter.
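The paged search mechanism mentioned in item 2, shown with plain JNDI as an added example (this is not Liferay's own import code). The server URL, bind credentials read from the environment variables `LDAP_BIND_DN` and `LDAP_BIND_PASSWORD`, base DN, filter and page size are assumptions, and a reachable directory server is required.

```java
import java.io.IOException;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class PagedLdapSearch {
    public static void main(String[] args) throws NamingException, IOException {
        // Assumed placeholders: server URL, env var names, base DN, filter.
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL,
            Objects.requireNonNull(System.getenv("LDAP_BIND_DN"), "LDAP_BIND_DN not set"));
        env.put(Context.SECURITY_CREDENTIALS,
            Objects.requireNonNull(System.getenv("LDAP_BIND_PASSWORD"), "LDAP_BIND_PASSWORD not set"));
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"cn", "mail"});
            int pageSize = 500, total = 0;
            byte[] cookie = null;
            do {
                // Critical control: a server that cannot page must fail the
                // search instead of ignoring the control.
                ctx.setRequestControls(new Control[] {
                    new PagedResultsControl(pageSize, cookie, Control.CRITICAL)});
                NamingEnumeration<SearchResult> page = ctx.search(
                    "ou=people,dc=example,dc=com", "(objectClass=inetOrgPerson)", sc);
                while (page.hasMore()) {
                    System.out.println(page.next().getNameInNamespace());
                    total++;
                }
                // The response control carries the cookie for the next page;
                // a null or empty cookie means the result set is complete.
                cookie = null;
                Control[] responses = ctx.getResponseControls();
                if (responses != null) {
                    for (Control c : responses) {
                        if (c instanceof PagedResultsResponseControl) {
                            cookie = ((PagedResultsResponseControl) c).getCookie();
                        }
                    }
                }
            } while (cookie != null && cookie.length > 0);
            System.out.println("entries: " + total);
        } finally {
            ctx.close();
        }
    }
}
```

Comparing the final count against the directory's own entry count is a quick way to confirm that an import is not being cut short by a server-side size limit.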

 

Threaded Replies Author Date
Nice improvement on LDAP integration, Than you,... Jonas Yuan March 25, 2010 10:33 PM
Great features ! Nico Ekito March 26, 2010 12:53 AM
Very nice :) I like it. Rafał Piotrowski March 26, 2010 1:39 AM
Does this means that if we have an Active... Pablo M Mino March 26, 2010 2:39 PM
In theory, yes, if you mapped the active... Michael C. Han March 26, 2010 2:49 PM
You really got to tell me how to do that :) Pablo M Mino March 26, 2010 4:03 PM
You can try configuring the active_ attribute... Michael C. Han March 28, 2010 7:28 AM
Hi Michael What is the attribute we need to... Rajesh Jain April 26, 2011 3:10 PM
Hi Michael, Will this change make it possible... Rob Worthington March 27, 2010 11:51 PM
Rob, if you are using Liferay's virtual hosting... Michael C. Han March 28, 2010 7:30 AM
Customization possible using Spring is very... Advait Trivedi March 30, 2010 12:48 AM
Thanks Michael, Really great improvement with... Jignesh Vachhani April 14, 2010 1:13 AM
I try to use this but don't work you can help me Marco Paul Timbi Ulloa December 29, 2010 8:33 AM
Nice feature! "In 6.0, the portal will create... Jonas Yuan November 18, 2010 10:44 AM
Do we get an example on "You may override LDAP... raghu N M March 24, 2011 11:26 AM
With the NTLM SSO enabled on Liferay CE... Shuaib K September 13, 2011 9:32 PM

Nice improvement on LDAP integration, Thank you, Michael.
Posted on 3/25/10 10:33 PM.
Great features !
Posted on 3/26/10 12:53 AM.
Very nice :) I like it.
Posted on 3/26/10 1:39 AM.
Does this mean that if we have an Active attribute in LDAP we will be able to activate/deactivate the LR user account from there? Or just map the information?

Is this on trunk?
Posted on 3/26/10 2:39 PM.
In theory, yes, if you mapped the active attribute you could do that. However, nothing prevents you from doing that prior to this enhancement.

Yes, it's in trunk.
Posted on 3/26/10 2:49 PM in reply to Pablo M Mino.
You really got to tell me how to do that :)
Posted on 3/26/10 4:03 PM in reply to Michael C. Han.
Hi Michael,

Will this change make it possible for a user to use the same login credentials across different Liferay domains on the same instance? We have several different sites, each running as a separate domain, but all ultimately the same instance of Liferay.

We would like to have the possibility for a user with an account on one domain to sign in on another, but without having to create a new account.

Thanks!

Rob
Posted on 3/27/10 11:51 PM.
You can try configuring the active_ attribute to be synchronized from LDAP in portal.properties.
Posted on 3/28/10 7:28 AM in reply to Pablo M Mino.
Rob, if you are using Liferay's virtual hosting w/ communities and not with portal instances, your users should be able to log in to multiple virtually hosted communities w/o a new account. If you are using the instance concept, then yes, you will need to use some form of centralized credential store like LDAP.
Posted on 3/28/10 7:30 AM in reply to Rob Worthington.
Customization possible using Spring is very good, that is one of the reasons in 5.2EE we went for custom user import module. Now, with above feature set I think we could do a lot many more things in future.
Posted on 3/30/10 12:48 AM.
Thanks Michael,

Really great improvement with LDAP.
And the main improvement is custom attribute mapping.
Posted on 4/14/10 1:13 AM.
Nice feature!

"In 6.0, the portal will create the user group, then create a role with the same name as the user group, and then associate the role to the user group. "
Posted on 11/18/10 10:44 AM.
I tried to use this but it doesn't work. Can you help me?
Posted on 12/29/10 8:33 AM in reply to Jignesh Vachhani.
Do we get an example on
"You may override LDAP import and export processes via Spring"?

It's hard to find an example of an implementation.
Posted on 3/24/11 11:26 AM.
Hi Michael

What is the attribute we need to configure in the portal.properties for making the LDAP user active, if an active LDAP user logs in the portal?

Thanks
Posted on 4/26/11 3:10 PM in reply to Michael C. Han.
With the NTLM SSO enabled on Liferay CE 6.0.6/Windows Server 2003, when I browse to the Liferay portal on Internet Explorer, I get the default login page. I then have to click on the 'Sign In' link at the top right corner of the page in order to get to the welcome page of the logged-in user without entering in any user name or password. Is this how the Single Sign On works in Liferay? Isn't there any way to go to the welcome page directly as soon as you enter in the Liferay portal URL on your browser? There should be a way to bypass the default login page. Please advise.
Posted on 9/13/11 9:32 PM.