Message Boards

RE: Ldap import user password enabled not working as expected

sadish ravi, modified 11 years ago.

Ldap import user password enabled not working as expected

New Member Posts: 2 Join Date: 12-4-19 Recent Posts
Hi,

I am trying to do auth using LDAP in Liferay, and I would like to use only LDAP as auth and not do a second auth against Liferay. Also, I do not want to import user passwords to Liferay. I am using Liferay 6.1 CE.

My settings:
#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# Enable the below setting for enabling LDAP referral follow
#ldap.referral=follow

#LDAP connection settings
ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret

# enable/disable liferay authentication
auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth

# Set below property to false to disable ldap auth
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind

# LDAP import properties
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10

# LDAP Export properties
ldap.export.enabled=false
ldap.export.group.enabled=false

ldap.auth.search.filter.0=(mail=@email_address@)

# Provide mapping for the 5 mandatory LDAP attributes for Liferay to authenticate with LDAP
# other attributes jobTitle=title, group=groupMembership
ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=

# Attributes to skip
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn

# Search filters for users and groups. These properties apply only when ldap.import.enabled is true
ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)

# password policy
ldap.password.policy.enabled=true
# setting this to false will make sure LDAP user password is not imported to the portal
ldap.import.user.password.enabled=false
# autogenerate user passwords in case the import password property is false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test


When I set ldap.import.user.password.enabled=false, I found that in the LDAPAuth class, the authenticate function checks for (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED), and only if it's set to true does it do password verification for the user; otherwise it skips the block, and hence I am able to log in with the user's email and any random password, and it works?

Please let me know if there is a fix for this, or whether I can extend the LDAPAuth class to fix it myself. If so, let me know how that can be done.
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
This new feature should be available in 6.1 by default.

No customization is needed. Refer to the blog post "Keeping user password secure with LDAP integration".

Hope that it helps,

Thanks

Jonas Yuan
sadish ravi, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

New Member Posts: 2 Join Date: 12-4-19 Recent Posts
Hey Jonas,

I have tested it a couple of times today. All cases work fine, except that when I set
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password


Liferay is not authenticating the LDAP password. I am able to log in with email and any password combination, and the user gets imported to Liferay with the default password of 'password' that's set above.

My entire settings:
terms.of.use.required=false
users.reminder.queries.enabled=false

#
# Settings for connecting to LDAP
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
#ldap.referral=follow


ldap.base.provider.url.0=ldap://localhost:10389
ldap.base.dn.0=dc=example,dc=com
ldap.security.principal.0=uid=admin,ou=system
ldap.security.credentials.0=secret

auth.pipeline.enable.liferay.check=false
# setting the LDAP auth for pipelined authentication
auth.pipeline.pre=com.liferay.portal.security.auth.LDAPAuth


ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method= password-compare

ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm.types=MD5

ldap.import.group.cache.enabled=false


ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10

ldap.export.enabled=false
ldap.export.group.enabled=false

ldap.auth.search.filter.0=(mail=@email_address@)


ldap.user.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings.0=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings.0=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.contact.mappings.0=
ldap.contact.custom.mappings.0=

#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn

ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)

ldap.password.policy.enabled=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password



As I sent you in a mail, I feel this section of code is what is bypassing the password check in case the property is false.
In the class LDAPAuth.java, I could see that the below check, which calls another authenticate method for LDAP password verification, is not getting executed.
And hence I am able to log in with any LDAP password; just that the account should exist. Also, I have turned off Liferay auth.

protected int authenticate(long companyId, long ldapServerId, String emailAddress,
        String screenName, long userId, String password)
.....
....
........
if (PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {
    ldapAuthResult = authenticate(
        ldapContext, companyId, attributes, fullUserDN,
        password);

    // Process LDAP failure codes

    String errorMessage = ldapAuthResult.getErrorMessage();

    if (errorMessage != null) {
        if (errorMessage.indexOf(PrefsPropsUtil.getString(
                companyId, PropsKeys.LDAP_ERROR_USER_LOCKOUT))
                    != -1) {

            throw new UserLockoutException();
        }
        else if (errorMessage.indexOf(PrefsPropsUtil.getString(
                companyId, PropsKeys.LDAP_ERROR_PASSWORD_EXPIRED))
                    != -1) {

            throw new PasswordExpiredException();
        }
    }

    if (!ldapAuthResult.isAuthenticated() &&
        PropsValues.LDAP_IMPORT_USER_PASSWORD_ENABLED) {

        return FAILURE;
    }
}....


thank you

Sadish
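
The setting combination described in the post above can be checked for mechanically. The following is an added example, not part of the original posts and not Liferay code: a Python audit of portal properties that flags that combination. The minimal parser, the severity labels and the defaults assumed for missing keys are assumptions of this example.

```python
# Added example (not Liferay code); defaults for missing keys are assumptions.

SAMPLE = """\
# constructed sample, reduced from the settings posted above
auth.pipeline.enable.liferay.check=false
ldap.auth.enabled=true
ldap.auth.method= password-compare
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=password
"""

def parse_properties(text):
    """Minimal key=value parser: skips comments and blanks, trims, last value wins.
    Does not handle ':' separators or backslash line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def flag(props, key, assumed_default):
    return props.get(key, assumed_default).lower() == "true"

def audit(props):
    """Return (severity, key, message) tuples for the conditions described above."""
    findings = []
    if not flag(props, "ldap.auth.enabled", "false"):
        return findings  # LDAP auth not in use; nothing from this thread applies
    if flag(props, "ldap.import.user.password.enabled", "true"):
        return findings  # the reported skip only occurs when this is false
    # With the Liferay check off, LDAP is the only gate in the pipeline.
    ldap_only = not flag(props, "auth.pipeline.enable.liferay.check", "true")
    findings.append(("critical" if ldap_only else "high",
                     "ldap.import.user.password.enabled",
                     "reported on 6.1 CE: LDAP password check is skipped when false"))
    if not flag(props, "ldap.import.user.password.autogenerated", "false"):
        default_pw = props.get("ldap.import.user.password.default", "")
        if default_pw:
            findings.append(("high", "ldap.import.user.password.default",
                             "imported users all receive the same static password"))
    return findings

if __name__ == "__main__":
    for severity, key, message in audit(parse_properties(SAMPLE)):
        print(f"[{severity}] {key}: {message}")
```
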
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi sadish

It seems there is a bug related to this new feature.

Could you please grant LDAP access? Thus I may be able to narrow down the bug and generate a fix.

Thanks

Jonas Yuan
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Sadish,

There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately I have generated a fix patch. With the following settings and the fix patch, the feature works as expected.

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test


Drop an email if you still need this feature and fix patch.

The fix patch for 6.0 is also available.

Thanks

Jonas Yuan
Salvador Baena, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

New Member Posts: 11 Join Date: 12-5-10 Recent Posts
Hi Jonas,

I'm using version 6.1 and I have the same problem.
Could you tell me where to download the fix patch and how to install it?

Thank you very much
Best Regards
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Salvador,

You may drop an email to jonasliferay@gmail.com. I could send you the patch by email.

Thanks

Jonas Yuan
Manuel Hoyos García, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 60 Join Date: 12-6-11 Recent Posts
Hi Jonas,

I have the same problem but I'm working in Liferay 5.0.2. Is it possible to fix it?

Thanks
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Manuel Hoyos

Yes, it is possible.

Is there any reason that you did not use 6.1 CE?

Thanks

Jonas Yuan
Manuel Hoyos, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 60 Join Date: 12-6-11 Recent Posts
For now, our corporate intranet is under version 5.0.2. The change is in progress, but we hoped to fix the problem in this version.

Thanks
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
It is possible to generate a fix patch for 5.0.2. But it requires special care.

Is it urgent for you?

Thanks

Jonas Yuan
Manuel Hoyos, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 60 Join Date: 12-6-11 Recent Posts
Thanks for the reply,

It is urgent to know the answer, to assess the cost and the risk of applying it.

Thanks again and best regards
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Manuel,

Could you please drop an email to jonasliferay@gmail.com?

Hope that a fix patch could be available on an urgent basis.

Thanks

Jonas Yuan
amit singh, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

New Member Posts: 12 Join Date: 12-2-7 Recent Posts
Hi Jonas,

I am also facing a similar problem with 6.1 CE.
Can you please send me the fix patch for this bug?

I have already requested you from my email id eramitsingh1985@gmail.com, please revert on the same.

Thanks,
Amit Singh
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Amit,

You should receive the patch.

It would be nice if you could share your testing results here.

Thanks

Jonas Yuan
amit singh, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

New Member Posts: 12 Join Date: 12-2-7 Recent Posts
Hi Jonas,

Applying this patch on the 6.1.X code base resulted in LDAP authentication working fine as required; however, the user is also able to log in with the password stored in the Liferay database even when Required is enabled using the Control Panel for Liferay.

Still, the problem remains the same!!

Regards,
Amit
Sunil Rai, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 57 Join Date: 12-1-31 Recent Posts
Jonas Yuan:
Hi Sadish,

There is a bug related to the feature (Keeping user password secure with LDAP integration) in 6.1. Fortunately I have generated a fix patch. With the following settings and the fix patch, the feature works as expected.

ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test


Drop an email if you still need this feature and fix patch.

The fix patch for 6.0 is also available.

Thanks

Jonas Yuan


Hi Jonas,

After upgrading to Liferay 6.1.0 CE I am facing a problem with LDAP. The user is able to log in only after disabling the LDAP option, but before the upgrade LDAP was working fine on Liferay 5.2.3 CE. Do you think the mentioned patch will help with this?
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Sunil,

Yes, the same feature could be downgraded to 5.2 version. It will require special care.

Thanks,

Jonas
Sunil Rai, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 57 Join Date: 12-1-31 Recent Posts
Hi Jonas,

I have sent you a mail at your Gmail ID "jonasliferay@gmail.com" regarding the mentioned patch. Please provide me the same.

Regards,
Sunil Rai
Sunil Rai, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 57 Join Date: 12-1-31 Recent Posts
Jonas Yuan:
Hi Sunil,

Yes, the same feature could be downgraded to 5.2 version. It will require special care.

Thanks,

Jonas


Hi Jonas,

It is difficult to depend on the forum if you have a deadline. Anyway, I have cancelled the plan to upgrade to Liferay 6.1.0 CE.
Unfortunately the forum is not active even though the solution is available.
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Sunil,

Sorry that I did not get a chance to build the fix patch for 5.2.3.

Is this urgent for you?

Thanks

Jonas Yuan
Sunil Rai, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 57 Join Date: 12-1-31 Recent Posts
Hi Jonas,

Thanks for the update, but yes, it is urgent; otherwise there is no other solution than to stick with Liferay 5.2.3 CE.
Let me know if you need any further details from my side.

Thanks,
Sunil Rai
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Sunil,

Good luck using the fix patch.

Thanks

Jonas Yuan
Luca Basile, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

New Member Posts: 2 Join Date: 12-7-4 Recent Posts
Hi everyone,

I'm stuck with the same problem. Where can I get this patch? Do I need to follow some specific steps to obtain it?

Thanks in advance,

Cheers.
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Luca,

Which version are you using?

You may drop an email to jonasliferay@gmail.com for the fix patch.

Thanks

Jonas Yuan
Sunil Rai, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 57 Join Date: 12-1-31 Recent Posts
Jonas Yuan:
Hi Sunil,

Good luck using the fix patch.

Thanks

Jonas Yuan


Thanks a lot Jonas.
I will try to implement this and I will share my experience with you soon.

Regards,
Sunil
amit singh, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

New Member Posts: 12 Join Date: 12-2-7 Recent Posts
Hi Sadish,

Did your problem with the Liferay - LDAP integration get resolved using the patch provided by Jonas?
I am also facing a similar issue with Liferay 6.1 CE.

Has this patch not been applied to the WAR bundle available on the Liferay download page?


Thanks,
Amit Singh
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Amit,

The fix patch for 6.1 GA2 CE is ready.

Please drop an email to jonasliferay@gmail.com for the fix.

Thanks

Jonas Yuan
amit singh, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

New Member Posts: 12 Join Date: 12-2-7 Recent Posts
Hi Jonas,

Does this patch apply to liferay-portal-6.1.1-ce-ga2?

Thanks,
Amit
Jonas Yuan, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Liferay Master Posts: 993 Join Date: 07-4-27 Recent Posts
Hi Amit,

As you mentioned in Google Talk, please share your test results.

Thanks

Jonas Yuan
Michal R, modified 11 years ago.

RE: Ldap import user password enabled not working as expected

Junior Member Posts: 25 Join Date: 12-5-28 Recent Posts
Jonas,
Why not raise a Liferay JIRA issue, fix the bug there and distribute it via standard means (i.e. versioning system) to everybody?