Foren
Authentication issue with LDAP and Liferay Portal 5.1.2 - Password Problem?
Robert L Zinn, geändert vor 15 Jahren.
Authentication issue with LDAP and Liferay Portal 5.1.2 - Password Problem?
New Member Beiträge: 14 Beitrittsdatum: 19.02.09 Neueste Beiträge
I have a problem with Liferay Portal 5.1.2 authenticating against LDAP.
I can connect to LDAP successfully,
I can list uses by using the Test LDAP Users button.
I can list the two groups of users in LDAP using the Test LDAP Groups.
It appears that the users are being found, but the password will not authenticate against LDAP.
This same LDAP is being used by a different (non-Liferay) portal without a problem.
Can anyone tell me what might be the problem?
Here are my settings in the Enterprise Admin Screen:
Authentication >> General Tab
[indent]Authentication >> General Tab: How do users authenticate? By Screen Name
Authentication >> General Tab: Allow users to automatically login? Yes (Checked)[/indent]
Authentication >> LDAP Tab
[indent]Authentication >> LDAP Tab: Enabled: (Checked)
Authentication >> LDAP Tab: Required (unchecked)
Default Values:
Test LDAP Connection worked fine "Liferay successfully connected to LDAP
Users:
Authentication Search Filter: (cn=@screen_name@)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Test LDAP Users button worked fine and listed users just fine.
Groups:
Import Search Filter: (name=*-SALES-GROUP)
Group Name: cn
Description: description
User: Member
Test LDAP Groups Button: This worked fine and displayed two groups matching the Import Search Pattern.
Import/Export:
Import Enabled: (checked)
Import on Start-up Enabled: (checked)
Import Interval: 5 minutes
Export Enabled: (not checked)
Password Policy:
Use LDAP Password Policy (Checked)[/indent]
I can connect to LDAP successfully,
I can list uses by using the Test LDAP Users button.
I can list the two groups of users in LDAP using the Test LDAP Groups.
It appears that the users are being found, but the password will not authenticate against LDAP.
This same LDAP is being used by a different (non-Liferay) portal without a problem.
Can anyone tell me what might be the problem?
Here are my settings in the Enterprise Admin Screen:
Authentication >> General Tab
[indent]Authentication >> General Tab: How do users authenticate? By Screen Name
Authentication >> General Tab: Allow users to automatically login? Yes (Checked)[/indent]
Authentication >> LDAP Tab
[indent]Authentication >> LDAP Tab: Enabled: (Checked)
Authentication >> LDAP Tab: Required (unchecked)
Default Values:
Test LDAP Connection worked fine "Liferay successfully connected to LDAP
Users:
Authentication Search Filter: (cn=@screen_name@)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Test LDAP Users button worked fine and listed users just fine.
Groups:
Import Search Filter: (name=*-SALES-GROUP)
Group Name: cn
Description: description
User: Member
Test LDAP Groups Button: This worked fine and displayed two groups matching the Import Search Pattern.
Import/Export:
Import Enabled: (checked)
Import on Start-up Enabled: (checked)
Import Interval: 5 minutes
Export Enabled: (not checked)
Password Policy:
Use LDAP Password Policy (Checked)[/indent]
Boden Larson, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Regular Member Beiträge: 200 Beitrittsdatum: 10.07.08 Neueste Beiträge
Are your users being imported? If you've got your LDAP settings correct, and I see you have import enabled, then you should have a bunch of new users in Liferay.
Anyhow, if you're able, you might try enabling NTLM in addition to LDAP. I've got this working and my domain users are able to instantly sign on without entering a username or password.
Anyhow, if you're able, you might try enabling NTLM in addition to LDAP. I've got this working and my domain users are able to instantly sign on without entering a username or password.
Robert L Zinn, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 14 Beitrittsdatum: 19.02.09 Neueste BeiträgeBoden Larson:
Are your users being imported? If you've got your LDAP settings correct, and I see you have import enabled, then you should have a bunch of new users in Liferay.
Anyhow, if you're able, you might try enabling NTLM in addition to LDAP. I've got this working and my domain users are able to instantly sign on without entering a username or password.
Yes, my users are being imported. I can see them by searching in the Enterprise Admin's User Tab. Should I be able to authenticate during a manual login by manually signing in with a screen name and password without using the NTLM?
Boden Larson, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Regular Member Beiträge: 200 Beitrittsdatum: 10.07.08 Neueste Beiträge
I'm sorry, I don't know enough about this. I do know that NTLM+LDAP works great.
I think that if you're going to use LDAP that your passwords are going to have to be stored using reversible encryption, which I don't think is the way AD is setup by default, nor is it recommended. I don't remember where I heard that, sorry. If that's the case though, then LDAP isn't used really for authentication so much as it is for importing users. I hope that somebody else will chime in with better details for you.
I think that if you're going to use LDAP that your passwords are going to have to be stored using reversible encryption, which I don't think is the way AD is setup by default, nor is it recommended. I don't remember where I heard that, sorry. If that's the case though, then LDAP isn't used really for authentication so much as it is for importing users. I hope that somebody else will chime in with better details for you.
Victor Zorin, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Liferay Legend Beiträge: 1228 Beitrittsdatum: 14.04.08 Neueste Beiträgemanual login by manually signing in with a screen name and password without using the NTLM
Yes, you can manually sign-in with or without NTLM.
If you can see users using Administration portlets, but can not sign in, this is most likely that you are using authentication details that dop not match your settings,
email or screenname or userId. Check what is you default setting in portal.properties, and your custom setting in portal-ext.properties, and use this one.
If all the above does not work, go directly to liferay db, user_ table.
Find row for this user. Modify passwordEncrypted field from true to false, modify password field to something simple like '1234'. Try to log in using '1234'. If it does not work either, only god can help you from there.
If you have modified user_ table manually, to restore it to previous condition delete the modified row. Upon next log-in portal will go to LDAP and re-create entire row with password in encrypted form.
David Latty, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Junior Member Beiträge: 96 Beitrittsdatum: 16.06.08 Neueste Beiträge
I have the same issue. I followed your steps, and set the pwd to 1234, and it works fine. Where can i get some debug info. I also am using other applications with the same ldap store (domino), and those applications authenticate with no issue. Is the LDAP policy restricting on other things? Its hard to debug with no debug info - you know +
Victor Zorin, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Liferay Legend Beiträge: 1228 Beitrittsdatum: 14.04.08 Neueste Beiträge
I do not envy you. While extensively using domino from liferay for data retrieval, we never used it as auth store.
So, if 1234 in unencrypted form works, not many options are left. It could be:
- wrong password value is fetched and stored in liferay or
- right password is fetched but authentication path does not work properly
How to debug.
- You may add line
- You may force portal to use an un-encrypted storage of password across entire portal and see whether password is the same. Not a good idea though, but if you disable full load for all users and leave it just for one, might do the verification trick. Never tried myself.
- Most LDAP settings are done from Admin GUI, but some can only be set from portal-ext.properties. Check your portal.properties, may be there are some ldap.* settings which might adjust your settings, eg. encryption algorithms.
- Insert your own actions into authentication path, you may copy and modify original source code from liferay, eg. com.liferay.portal.security.auth.LDAPAuth.java , put more debugging lines, and stick it into the auth pipe.
What else?
I have noticed in the messages above that "Use LDAP Password Policy" is checked. We always have it unchecked.
If I have more suggestions, will post later.
So, if 1234 in unencrypted form works, not many options are left. It could be:
- wrong password value is fetched and stored in liferay or
- right password is fetched but authentication path does not work properly
How to debug.
- You may add line
log4j.category.com.liferay.portal=DEBUG- You may force portal to use an un-encrypted storage of password across entire portal and see whether password is the same. Not a good idea though, but if you disable full load for all users and leave it just for one, might do the verification trick. Never tried myself.
- Most LDAP settings are done from Admin GUI, but some can only be set from portal-ext.properties. Check your portal.properties, may be there are some ldap.* settings which might adjust your settings, eg. encryption algorithms.
- Insert your own actions into authentication path, you may copy and modify original source code from liferay, eg. com.liferay.portal.security.auth.LDAPAuth.java , put more debugging lines, and stick it into the auth pipe.
What else?
I have noticed in the messages above that "Use LDAP Password Policy" is checked. We always have it unchecked.
If I have more suggestions, will post later.
David Latty, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Junior Member Beiträge: 96 Beitrittsdatum: 16.06.08 Neueste Beiträge
So I attempted to see if another tool would validate. I downloaded cas 331. I installed - completely separate from liferay. yes the default install works. I then configure for LDAP. I can bind and everything is fine; however, I can not authenticate.
So both Liferay and Cas are not authenticating. Again, I can get bugzilla to authenticate against the ldap server, and it works. What is different here. I can't find the answer - though I am still looking ~
So both Liferay and Cas are not authenticating. Again, I can get bugzilla to authenticate against the ldap server, and it works. What is different here. I can't find the answer - though I am still looking ~
Victor Zorin, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Liferay Legend Beiträge: 1228 Beitrittsdatum: 14.04.08 Neueste Beiträge
May be publishing a thread with clear name like 'Anyone uses Domino LDAP?' would help.
David Latty, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Junior Member Beiträge: 96 Beitrittsdatum: 16.06.08 Neueste Beiträge
Hey, I got cas to authenticate.
Not sure exactely which part, but I added the following
+ configured cas.properties to use correct URL & added database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
+ added the following configuration tags in deployerconfigcontext, bindldapauthenticationhandler params
<property name="filter" value="uid=%u" /> // I WAS AT FIRST USING UID
<property name="scope" value="2" />
And I can authenticate with cas and domino.
I still cant authenticate with Liferay though.
Not sure exactely which part, but I added the following
+ configured cas.properties to use correct URL & added database.hibernate.dialect=org.hibernate.dialect.MySQLDialect
+ added the following configuration tags in deployerconfigcontext, bindldapauthenticationhandler params
<property name="filter" value="uid=%u" /> // I WAS AT FIRST USING UID
<property name="scope" value="2" />
And I can authenticate with cas and domino.
I still cant authenticate with Liferay though.
Jason Bourne, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 3 Beitrittsdatum: 28.02.09 Neueste Beiträge
Hello,
I have the same problem using Liferay Portal 5.1.2 bundled with Tomcat 6 on an Ubuntu OS.
I use Apache Directory Server, which works properly. I use Eclipse to manage the users and the groups.
I have used the Liferay Control Panel to describe the LDAP connexion.
How do users authenticate? By Email Address
Allow users to automatically login? YES
Enabled YES
Required YES
Apache Directory Server YES
Test LDAP Connection : Liferay has successfully connected to the LDAP server.
Test LDAP Users : A subset of users has been displayed for you to review.
Test LDAP groups : A subset of groups has been displayed for you to review.
Use LDAP Password Policy = YES
And stil cannot use the password stored in the Apache Directory Server for authentication.
The logs in the catalina.out log file are :
19:31:37,174 ERROR [UserImpl:108] com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 11142
com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 11142
at com.liferay.portal.service.persistence.ContactPersistenceImpl.findByPrimaryKey(ContactPersistenceImpl.java:231)
at sun.reflect.GeneratedMethodAccessor286.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
...
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
19:31:37,182 ERROR [LDAPAuth:243] Problem accessing LDAP server: null
19:31:37,182 ERROR [LDAPAuth:84] java.lang.NullPointerException
java.lang.NullPointerException
at java.util.Calendar.setTime(Calendar.java:1070)
at com.liferay.portal.security.ldap.PortalLDAPUtil.importLDAPUser(PortalLDAPUtil.java:857)
at com.liferay.portal.security.auth.LDAPAuth.authenticate(LDAPAuth.java:213)
at com.liferay.portal.security.auth.LDAPAuth.authenticateByEmailAddress(LDAPAuth.java:80)
at com.liferay.portal.security.auth.AuthPipeline._authenticate(AuthPipeline.java:149)
at com.liferay.portal.security.auth.AuthPipeline.authenticateByEmailAddress(AuthPipeline.java:46)
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticate(UserLocalServiceImpl.java:2444)
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticateByEmailAddress(UserLocalServiceImpl.java:499)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy171.authenticateByEmailAddress(Unknown Source)
at com.liferay.portal.service.UserLocalServiceUtil.authenticateByEmailAddress(UserLocalServiceUtil.java:157)
at com.liferay.portlet.login.util.LoginUtil.login(LoginUtil.java:157)
...
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Any idea ?
I have the same problem using Liferay Portal 5.1.2 bundled with Tomcat 6 on an Ubuntu OS.
I use Apache Directory Server, which works properly. I use Eclipse to manage the users and the groups.
I have used the Liferay Control Panel to describe the LDAP connexion.
How do users authenticate? By Email Address
Allow users to automatically login? YES
Enabled YES
Required YES
Apache Directory Server YES
Test LDAP Connection : Liferay has successfully connected to the LDAP server.
Test LDAP Users : A subset of users has been displayed for you to review.
Test LDAP groups : A subset of groups has been displayed for you to review.
Use LDAP Password Policy = YES
And stil cannot use the password stored in the Apache Directory Server for authentication.
The logs in the catalina.out log file are :
19:31:37,174 ERROR [UserImpl:108] com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 11142
com.liferay.portal.NoSuchContactException: No Contact exists with the primary key 11142
at com.liferay.portal.service.persistence.ContactPersistenceImpl.findByPrimaryKey(ContactPersistenceImpl.java:231)
at sun.reflect.GeneratedMethodAccessor286.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
...
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
19:31:37,182 ERROR [LDAPAuth:243] Problem accessing LDAP server: null
19:31:37,182 ERROR [LDAPAuth:84] java.lang.NullPointerException
java.lang.NullPointerException
at java.util.Calendar.setTime(Calendar.java:1070)
at com.liferay.portal.security.ldap.PortalLDAPUtil.importLDAPUser(PortalLDAPUtil.java:857)
at com.liferay.portal.security.auth.LDAPAuth.authenticate(LDAPAuth.java:213)
at com.liferay.portal.security.auth.LDAPAuth.authenticateByEmailAddress(LDAPAuth.java:80)
at com.liferay.portal.security.auth.AuthPipeline._authenticate(AuthPipeline.java:149)
at com.liferay.portal.security.auth.AuthPipeline.authenticateByEmailAddress(AuthPipeline.java:46)
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticate(UserLocalServiceImpl.java:2444)
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticateByEmailAddress(UserLocalServiceImpl.java:499)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:89)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy171.authenticateByEmailAddress(Unknown Source)
at com.liferay.portal.service.UserLocalServiceUtil.authenticateByEmailAddress(UserLocalServiceUtil.java:157)
at com.liferay.portlet.login.util.LoginUtil.login(LoginUtil.java:157)
...
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Any idea ?
Jason Bourne, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 3 Beitrittsdatum: 28.02.09 Neueste Beiträge
I have finally fixed the problem and i am now able to use the password stored in the Apache Directory Server to authenticate into Liferay Portal.
But it is not that simple, because you have to be very clean on the users and group declaration in the LDAP schema.
In the Apache Directory Server, declare the following :
1 - Create a domain "dc=mycompany,dc=com"
2 - Create an OrganisationalUnit "ou=users,dc=mycompany,dc=com"
3 - Create an OrganisationalUnit "ou=groups,dc=mycompany,dc=com"
4 - Create some users using the inetOrgPerson objectClass
5 - Create some groups using the groupOfUniqueNames objectClass
For the users, you have to add some more attributes. If you don't, Liferay will not work properly.
Finally, make sure you have the following :
cn : <name>-<firstname>
sn : <name>
givenName : <firstname>
uid : <f><name> (I mean first letter of the firstname added before name)
mail : <firstname>.<name>@<mycompany>.com
businessCategory : cn=Writer,ou=groups,dc=mycompany,dc=com (for the Writer group for instance)
userPassword : what you want ...
For the groups, make sure you have the following :
cn : Writer (or whatever the name of the group is)
description : Group dedicated to those that are allowed to modify the portal of my beautiful company
uniqueMember : uid=uidofperson1,ou=users,dc=mycompany,dc=com
uniqueMember : uid=uidofperson2,ou=users,dc=mycompany,dc=com
uniqueMember : uid=uidofperson3,ou=users,dc=mycompany,dc=com ...
In the Liferay Portal Control Panel, declare the following
1 - Create an organization "mycompany" using the "Regular Organization" type
2 - In the LDAP section, declare the following :
Authentication Search Filter : (mail=@email_address@)
Import Search Filter : (objectClass=inetOrgPerson)
Screen Name : cn
Password : userPassword
Email Address : mail
Full Name :
First Name : givenName
Last Name : sn
Job Title : businessCategory
Group : businessCategory
3 - Don't forget to choose "Use LDAP Password Policy".
4 - All users MUST be create in the Liferay Portal in the Organization if you want this to work. Creating the users in the Apache Directory Server is not enough. The LDAP is used only for the password. If you don't do this, you get the following error in the catalina.out :
ERROR [PortalLDAPUtil:912] Problem adding user with screen name name-firstname and email address firstname.name@mycompany.com
com.liferay.portal.kernel.dao.orm.ObjectNotFoundException: No row with the given identifier exists: [com.liferay.portal.model.impl.UserImpl#11134]
This is a surprise for me, because it means that I will have to create all my users in the Apache Directory Server, and create them once more in the Liferay Portal. This is (in my opinion) not the best way to do it (and I don't want to import/export massively from the LDAP for evident security reasons). What I wanted is to rely on the Apache Directory Server to check both username and password, giving back only the groups so that the Liferay Portal could grant grant the good access. But whatever, I don't know how to get this ...
One more thing : Once you've choosen "Use LDAP Password Policy", you cannot see users anymore in the Portal/Users section of the Liferay Control Panel. So, in order to create users, you need first to display the organizations (using the Portal/Organizations section of the Liferay Control Panel), and then you can use the "Actions" menu for your organization to "View users" or "Add user".
Hope it can help ...
But it is not that simple, because you have to be very clean on the users and group declaration in the LDAP schema.
In the Apache Directory Server, declare the following :
1 - Create a domain "dc=mycompany,dc=com"
2 - Create an OrganisationalUnit "ou=users,dc=mycompany,dc=com"
3 - Create an OrganisationalUnit "ou=groups,dc=mycompany,dc=com"
4 - Create some users using the inetOrgPerson objectClass
5 - Create some groups using the groupOfUniqueNames objectClass
For the users, you have to add some more attributes. If you don't, Liferay will not work properly.
Finally, make sure you have the following :
cn : <name>-<firstname>
sn : <name>
givenName : <firstname>
uid : <f><name> (I mean first letter of the firstname added before name)
mail : <firstname>.<name>@<mycompany>.com
businessCategory : cn=Writer,ou=groups,dc=mycompany,dc=com (for the Writer group for instance)
userPassword : what you want ...
For the groups, make sure you have the following :
cn : Writer (or whatever the name of the group is)
description : Group dedicated to those that are allowed to modify the portal of my beautiful company
uniqueMember : uid=uidofperson1,ou=users,dc=mycompany,dc=com
uniqueMember : uid=uidofperson2,ou=users,dc=mycompany,dc=com
uniqueMember : uid=uidofperson3,ou=users,dc=mycompany,dc=com ...
In the Liferay Portal Control Panel, declare the following
1 - Create an organization "mycompany" using the "Regular Organization" type
2 - In the LDAP section, declare the following :
Authentication Search Filter : (mail=@email_address@)
Import Search Filter : (objectClass=inetOrgPerson)
Screen Name : cn
Password : userPassword
Email Address : mail
Full Name :
First Name : givenName
Last Name : sn
Job Title : businessCategory
Group : businessCategory
3 - Don't forget to choose "Use LDAP Password Policy".
4 - All users MUST be create in the Liferay Portal in the Organization if you want this to work. Creating the users in the Apache Directory Server is not enough. The LDAP is used only for the password. If you don't do this, you get the following error in the catalina.out :
ERROR [PortalLDAPUtil:912] Problem adding user with screen name name-firstname and email address firstname.name@mycompany.com
com.liferay.portal.kernel.dao.orm.ObjectNotFoundException: No row with the given identifier exists: [com.liferay.portal.model.impl.UserImpl#11134]
This is a surprise for me, because it means that I will have to create all my users in the Apache Directory Server, and create them once more in the Liferay Portal. This is (in my opinion) not the best way to do it (and I don't want to import/export massively from the LDAP for evident security reasons). What I wanted is to rely on the Apache Directory Server to check both username and password, giving back only the groups so that the Liferay Portal could grant grant the good access. But whatever, I don't know how to get this ...
One more thing : Once you've choosen "Use LDAP Password Policy", you cannot see users anymore in the Portal/Users section of the Liferay Control Panel. So, in order to create users, you need first to display the organizations (using the Portal/Organizations section of the Liferay Control Panel), and then you can use the "Actions" menu for your organization to "View users" or "Add user".
Hope it can help ...
Prasan Arora, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 2 Beitrittsdatum: 27.02.09 Neueste Beiträge
Hi,
Even I have a problem with Liferay Portal authenticating against LDAP.
When I test the LDAP connection, the connection is successful.
But when i try to test LDAP users, it doesn't display any list of users.
Also when i try to login with LDAP users, again it shows error msg.
I'm using the same LDAP settings for user authentication for some other application where it's working perfectly fine,
but out here in Liferay it's giving problem.
Can anyone help me out with this?
Here are my settings in the Enterprise Admin Screen:
Authentication >> General Tab
Authentication >> General Tab: How do users authenticate? By Screen Name
Authentication >> LDAP Tab
Authentication >> LDAP Tab: Enabled: (Checked)
Authentication >> LDAP Tab: Required (unchecked)
Default Values:
Test LDAP Connection worked fine "Liferay successfully connected to LDAP
Users:
Authentication Search Filter: (cn=@screen_name@)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Test LDAP Users - not working
Import/Export:
Import Enabled: (checked)
Import on Start-up Enabled: (checked)
Import Interval: 10 minutes
Export Enabled: (not checked)
Password Policy:
Use LDAP Password Policy (Checked)
Even I have a problem with Liferay Portal authenticating against LDAP.
When I test the LDAP connection, the connection is successful.
But when i try to test LDAP users, it doesn't display any list of users.
Also when i try to login with LDAP users, again it shows error msg.
I'm using the same LDAP settings for user authentication for some other application where it's working perfectly fine,
but out here in Liferay it's giving problem.
Can anyone help me out with this?
Here are my settings in the Enterprise Admin Screen:
Authentication >> General Tab
Authentication >> General Tab: How do users authenticate? By Screen Name
Authentication >> LDAP Tab
Authentication >> LDAP Tab: Enabled: (Checked)
Authentication >> LDAP Tab: Required (unchecked)
Default Values:
Test LDAP Connection worked fine "Liferay successfully connected to LDAP
Users:
Authentication Search Filter: (cn=@screen_name@)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Test LDAP Users - not working
Import/Export:
Import Enabled: (checked)
Import on Start-up Enabled: (checked)
Import Interval: 10 minutes
Export Enabled: (not checked)
Password Policy:
Use LDAP Password Policy (Checked)
Robert L Zinn, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 14 Beitrittsdatum: 19.02.09 Neueste BeiträgePrasan Arora:
Hi,
Even I have a problem with Liferay Portal authenticating against LDAP.
When I test the LDAP connection, the connection is successful.
But when i try to test LDAP users, it doesn't display any list of users.
Also when i try to login with LDAP users, again it shows error msg.
I'm using the same LDAP settings for user authentication for some other application where it's working perfectly fine,
but out here in Liferay it's giving problem.
Can anyone help me out with this?
Here are my settings in the Enterprise Admin Screen:
Authentication >> General Tab
Authentication >> General Tab: How do users authenticate? By Screen Name
Authentication >> LDAP Tab
Authentication >> LDAP Tab: Enabled: (Checked)
Authentication >> LDAP Tab: Required (unchecked)
Default Values:
Test LDAP Connection worked fine "Liferay successfully connected to LDAP
Users:
Authentication Search Filter: (cn=@screen_name@)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Test LDAP Users - not working
Import/Export:
Import Enabled: (checked)
Import on Start-up Enabled: (checked)
Import Interval: 10 minutes
Export Enabled: (not checked)
Password Policy:
Use LDAP Password Policy (Checked)
Your problem was the sam as mine. Use these settings for Authentication Search Filter.
Users:
Authentication Search Filter: (sAMAccountName=@screen_name@)
Screen Name: sAMAccountName
Prasan Arora, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 2 Beitrittsdatum: 27.02.09 Neueste BeiträgeRobert L Zinn:
Your problem was the sam as mine. Use these settings for Authentication Search Filter.
Users:
Authentication Search Filter: (sAMAccountName=@screen_name@)
Screen Name: sAMAccountName
Hi Robert,
I have tried using the settings as suggested by you, but still its not fetching any user info.
Can you suggest something else? or may be u can post a screen shot of settings used by you.
I forget to mention that i am using default import search filter settings in my last post.
Users:
Authentication Search Filter: (sAMAccountName=@screen_name@)
Import Search filter = (objectClass=inetOrgPerson)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Thanks !
Robert L Zinn, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 14 Beitrittsdatum: 19.02.09 Neueste BeiträgePrasan Arora:
Hi Robert,
I have tried using the settings as suggested by you, but still its not fetching any user info.
Can you suggest something else? or may be u can post a screen shot of settings used by you.
I forget to mention that i am using default import search filter settings in my last post.
Users:
Authentication Search Filter: (sAMAccountName=@screen_name@)
Import Search filter = (objectClass=inetOrgPerson)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Thanks !
You stated that your LDAP connection works. This is good.
You were not specific with your problem fetching users. When you click on "Test LDAP Users", do you get any results back, or is the problem importing users?
If you do not get any results back from the "Test LDAP Users", then your Import Search Filter will require adjustment. I really can't help you with that filter since I am not familiar with your LDAP setup.
If you get results back in the "Test LDAP Users", then the issue with Importing may be...
1 - You need to wait a few minutes for the Import process to work. You should check your log files for your java server.
2 - Your may not be connecting to the correct LDAP controller. I have found that even if you see users in the "Test LDAP Users" screen, they may not be imported if they are on another LDAP controller but visible from the one that you connected to. This may be a rare situation.
Branden Boucher, geändert vor 14 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 11 Beitrittsdatum: 14.09.09 Neueste BeiträgePrasan Arora:
Robert L Zinn:
Your problem was the sam as mine. Use these settings for Authentication Search Filter.
Users:
Authentication Search Filter: (sAMAccountName=@screen_name@)
Screen Name: sAMAccountName
Hi Robert,
I have tried using the settings as suggested by you, but still its not fetching any user info.
Can you suggest something else? or may be u can post a screen shot of settings used by you.
I forget to mention that i am using default import search filter settings in my last post.
Users:
Authentication Search Filter: (sAMAccountName=@screen_name@)
Import Search filter = (objectClass=inetOrgPerson)
Screen Name: sAMAccountName
Password: userPassword
Email Address: mail
Fullname: (blank)
First Name: givenName
Last Name: sn
User Mapping: Job Title: title
Group: memberOf
Thanks !
I would say try changing (objectClass=inetOrgPerson) to (objectClass=Person). That made a difference for me.
Content Chemist, geändert vor 13 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beitrag: 1 Beitrittsdatum: 07.01.10 Neueste Beiträge
Yep! Changing (objectClass=inetOrgPerson) to (objectClass=Person) also worked for me.
I was also struggling to "Test LDAP Groups" so did a similar thing by changing (objectClass=groupOfUniqueNames) to (objectClass=Names).
Worked like a charm! Thanks for all the help.
I was also struggling to "Test LDAP Groups" so did a similar thing by changing (objectClass=groupOfUniqueNames) to (objectClass=Names).
Worked like a charm! Thanks for all the help.
Bijan Vakili, geändert vor 13 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Junior Member Beiträge: 38 Beitrittsdatum: 05.04.10 Neueste Beiträge
Robert,
Thanks for sharing the solution with everyone. Will you please add [RESOLVED] to the title so everyone know this thread has the resolution?
It is recommended by the forum guidelines at the following URI:
http://www.liferay.com/community/forums/-/message_boards/message/572822
Thanks!
Thanks for sharing the solution with everyone. Will you please add [RESOLVED] to the title so everyone know this thread has the resolution?
It is recommended by the forum guidelines at the following URI:
http://www.liferay.com/community/forums/-/message_boards/message/572822
Thanks!
Robert L Zinn, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 14 Beitrittsdatum: 19.02.09 Neueste BeiträgeRobert L Zinn:
Boden Larson:Are your users being imported? If you've got your LDAP settings correct, and I see you have import enabled, then you should have a bunch of new users in Liferay.
Anyhow, if you're able, you might try enabling NTLM in addition to LDAP. I've got this working and my domain users are able to instantly sign on without entering a username or password.
Yes, my users are being imported. I can see them by searching in the Enterprise Admin's User Tab. Should I be able to authenticate during a manual login by manually signing in with a screen name and password without using the NTLM?
My problem was resolved and it was an issue with the Authentication Search Filter parameter.
It should be: (sAMAccountName=@screen_name@). Once I changed this, it was fine.
Jason Bourne, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
New Member Beiträge: 3 Beitrittsdatum: 28.02.09 Neueste Beiträge
Maybe it's the same for you ?
I have some doubt on you declaration :
User Mapping: Job Title: title
Group: memberOf
My "Job Title" and "Group" are linked to my "businessCategory" which look like "cn=Writer,ou=groups,dc=mycompany,dc=com" for instance
Whatever the problem is, I recommend looking at the catalina.out file just after the unsuccessfull login attempt. You can find it in<tomcat_dir>/logs
I have some doubt on you declaration :
User Mapping: Job Title: title
Group: memberOf
My "Job Title" and "Group" are linked to my "businessCategory" which look like "cn=Writer,ou=groups,dc=mycompany,dc=com" for instance
Whatever the problem is, I recommend looking at the catalina.out file just after the unsuccessfull login attempt. You can find it in<tomcat_dir>/logs
David Latty, geändert vor 15 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password
Junior Member Beiträge: 96 Beitrittsdatum: 16.06.08 Neueste Beiträge
Finally got domino to authenticate; however, I am not exactely sure which specific setting did it. I quoted those settings that I believe played a part.
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url=ldap://X:389
ldap.base.dn=ou=U,o=V
ldap.security.principal=Q
ldap.security.credentials=Q
ldap.import.enabled=true
ldap.export.enabled=false
ldap.referral=follow
ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
ldap.import.on.startup=true
ldap.import.interval=20
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url=ldap://X:389
ldap.base.dn=ou=U,o=V
ldap.security.principal=Q
ldap.security.credentials=Q
ldap.import.enabled=true
ldap.password.policy.enabled=false
ldap.export.enabled=false
ldap.referral=follow
ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
ldap.import.on.startup=true
ldap.import.interval=20
ldap.user.mappings=screenName=uid\npassword=userpassword\nfullName=cn\nemailAddress=mail\nfirstName=givenname\nlastName=sn\njobTitle=title\ngroup=groupMembership
ldap.auth.search.filter=(uid=@screen_name@)
passwords.encryption.algorithm=MD5
Deepanshu Seth, geändert vor 8 Jahren.
RE: Authentication issue with LDAP and Liferay Portal 5.1.2 - Password Prob
Junior Member Beiträge: 55 Beitrittsdatum: 12.10.15 Neueste Beiträge
Hi Robert,
My Test LDAP Connection is working fine, but Test LDAP User is not working fine, no users are shown, although all values are set correctly.
Authentication Search Filter - (mail=@email_address@)
Import Search filter - (objectClass=inetOrgPerson)
Screen Name - cn
Email Address - mail
Password - userPassword
First Name - givenName
Last Name - sn
Regards,
Deepanshu Seth
My Test LDAP Connection is working fine, but Test LDAP User is not working fine, no users are shown, although all values are set correctly.
Authentication Search Filter - (mail=@email_address@)
Import Search filter - (objectClass=inetOrgPerson)
Screen Name - cn
Email Address - mail
Password - userPassword
First Name - givenName
Last Name - sn
Regards,
Deepanshu Seth