Liferay with LDAP

I am configuring Liferay with my organization LDAP.

1. While configuring LDAP, I specify "ldap.security.principal" and "ldap.security.credentials" as my user id and password to authenticate against LDAP, and the test connection succeeds.

Are these mandatory attributes? As in production, I will not be able to specify my own credentials in portal-ext.properties. Do I need a separate user created in LDAP to specify in portal-ext for production? I unfortunately do not have control over configuring LDAP as it's an org LDAP.

Any pointers would help. Thanks.

Nady answered 5/5, 2014 at 9:59 Comment(3)
You can also do the LDAP connection by mentioning a JNDI LDAP datasource in conf/config.xml. - Kathrynkathryne
You also might have an LDAPListener created to read LDAP properties in your organization. - Kathrynkathryne
Thanks for replying. Could you please elaborate? I am trying to understand the default user name and password we use to connect to LDAP for the first time. Do we really need some user to bind to LDAP first? I need functionality where the user should be authenticated and bound to LDAP at the time of logging into Liferay. - Nady

There are several use-cases where you need a privileged system account for accessing the LDAP database.

Authentication

There are two basic methods by which you can authenticate against LDAP:

  1. Do a BIND operation against LDAP - you need to know the user DN
  2. Do a password attribute comparison - you need to know the user DN, name of attribute with the password, attribute value encoding (e.g. plaintext, hashed, ...)

For both approaches you need to know the distinguished name of the target user:

  • Either you are able to construct the DN from credentials (e.g. cn={screenName},ou=Users,o=MyOrg) - which is not supported by Liferay AFAIK;
  • or you need to do LDAP SEARCH to find the right user DN... for that you need to have a system account.

Account Import & Export

Next to pulling user information right when the user authenticates, Liferay also offers LDAP import and export functionality. For obvious reasons you need to have a privileged system account to be able to search for users in LDAP and / or to write user entries.

TL;DR

Properties ldap.security.principal and ldap.security.credentials are mandatory (they can also be configured via the user interface). You will need to have a dedicated system account for Liferay in the LDAP for this.

Orfinger answered 6/5, 2014 at 10:37 Comment(9)
Thanks for your reply. Is there a possibility that we can do the bind operation using the username of the user? I tried hardcoding the user DN by looking into the LDAP server and specifying it in portal-ext.properties. I tried logging in with the same user using sAMAccountName into Liferay. It fails authentication. My LDAP id is non-admin. Is there any way to do the bind with the login credentials being entered on the Liferay portal? I have one more web application using the same LDAP but not requiring any system account for bind. It's developed using the Spring Security module. Is there any reason Liferay needs a separate account for binding? - Nady
I have one more question posted at <link>#23478961>. This has details of all properties I am using in portal-ext.properties. Thanks. - Nady
Spring Security LDAP needs a system account as well if you don't know the user DN (see the 1st point in docs.spring.io/spring-security/site/docs/3.0.x/reference/…). I don't think Liferay supports direct DN construction based on user credentials... this is why you always need a system account. - Orfinger
@manni I have a feeling you don't know what a DN is. A distinguished name is the identifier of an entry in the LDAP hierarchy (check RFC 4514). A distinguished name is a different identifier than the user name (aka screen name in Liferay). A DN looks something like cn=John Doe,ou=users,dc=example,dc=com. - Orfinger
Thanks for helping. I looked more into the existing application and the Spring URL you gave. It looks like there are 2 ways we can configure Spring with LDAP. Found this link while researching more: <link>javarevisited.blogspot.in/2011/11/…; . It explains both of the approaches. In the existing application we are using approach 2, which does not need any system/manager account. Just wondering if something like this is possible in Liferay. - Nady
"Just wondering if something like this is possible in Liferay" - that is what I think they don't support. - Orfinger
If you have any link to a post/document from the Liferay website which mentions this being the requirement, it would really help me take this forward. What do you think about using "password-compare" instead of "bind" in "ldap.auth.method"? Is it something which would make a difference? - Nady
After some research it looks like Liferay first binds to LDAP and retrieves the context using the credentials given in portal-ext, and then authenticates the user entered on the login page. If there is some way I can specify the value for portal-ext at runtime, I will be able to bind and log in with only one set of credentials, i.e. the ones entered on the login page. What do you think? - Nady
It is not possible with Liferay LDAP Authentication... However, you can always write your own authentication mechanism. - Orfinger
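The two flows debated in the answer and its comments, written out as an added Python example (not code from the thread, from Liferay, or from Spring Security). It runs against a constructed in-memory stand-in for a directory rather than a live LDAP server, so the `DIRECTORY` contents, the `privileged` flag (a simplification of real LDAP access control), the `LdapConnection` class, and the `base_dn` / `login_attribute` keys are all assumptions; only `ldap.security.principal`, `ldap.security.credentials` and `ldap.auth.method` with its values `bind` and `password-compare` are names taken from the page. Approach 1 builds the user DN from the screen name (the pattern the answer says Liferay does not support; the login name is escaped per RFC 4514 so a login containing `,` cannot redirect the DN to another entry). Approach 2 is the Liferay-style sequence the last comments describe: bind as the system account, search for the user's DN, then either bind as the user or run a password compare. Both search and compare are refused on an unbound connection, which is the reason a dedicated account is needed.

```python
import base64
import hashlib
import hmac
import os


def rfc4514_escape(value):
    """Escape a value for use inside one DN component (RFC 4514 section 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ssha_hash(password, salt=None):
    """Salted SHA-1 in the {SSHA} userPassword form many directories store."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


# Constructed directory contents (assumption). "privileged" is a stand-in for
# real access control: only entries flagged True may SEARCH or COMPARE others.
DIRECTORY = {
    "cn=liferay-svc,ou=System,dc=example,dc=com": {
        "userPassword": ssha_hash("svc-secret"), "privileged": True},
    "uid=jdoe,ou=Users,dc=example,dc=com": {
        "sAMAccountName": "jdoe", "userPassword": ssha_hash("correct horse"),
        "privileged": False},
}


class LdapConnection:
    """Stand-in for one connection to the server; remembers which DN is bound."""

    def __init__(self, directory):
        self.directory, self.bound_dn = directory, None

    def bind(self, dn, password):
        entry = self.directory.get(dn)
        ok = entry is not None and ssha_verify(entry["userPassword"], password)
        self.bound_dn = dn if ok else None
        return ok

    def _require_privilege(self):
        if self.bound_dn is None or not self.directory[self.bound_dn]["privileged"]:
            raise PermissionError("anonymous or unprivileged connections may not search")

    def search(self, base_dn, attribute, value):
        """Return the DN of the entry under base_dn whose attribute equals value."""
        self._require_privilege()
        for dn, entry in self.directory.items():
            if dn.endswith("," + base_dn) and entry.get(attribute) == value:
                return dn
        return None

    def compare(self, dn, attribute, value):
        """LDAP COMPARE: the server checks the supplied value against the stored one."""
        self._require_privilege()
        entry = self.directory.get(dn)
        return entry is not None and ssha_verify(entry[attribute], value)


def auth_by_dn_template(directory, template, screen_name, password):
    """Approach 1: derive the user DN from the login name, then BIND as that DN.
    No system account is involved; the answer says Liferay does not support this."""
    dn = template.format(screenName=rfc4514_escape(screen_name))
    return LdapConnection(directory).bind(dn, password)


def auth_liferay_style(directory, props, login, password):
    """Approach 2: bind with ldap.security.principal/credentials, SEARCH for the
    user's DN, then authenticate per ldap.auth.method ("bind" or "password-compare")."""
    conn = LdapConnection(directory)
    if not conn.bind(props["ldap.security.principal"], props["ldap.security.credentials"]):
        return False  # system account rejected: the search step cannot run
    user_dn = conn.search(props["base_dn"], props["login_attribute"], login)
    if user_dn is None:
        return False
    if props["ldap.auth.method"] == "bind":
        return LdapConnection(directory).bind(user_dn, password)  # fresh connection as the user
    if props["ldap.auth.method"] == "password-compare":
        return conn.compare(user_dn, "userPassword", password)  # still on the system connection
    raise ValueError("unknown ldap.auth.method: " + props["ldap.auth.method"])


def anonymous_search_allowed(directory):
    """Why the search step needs a bound system account: an unbound search is refused."""
    try:
        LdapConnection(directory).search("dc=example,dc=com", "sAMAccountName", "jdoe")
        return True
    except PermissionError:
        return False


PROPS = {  # constructed values; base_dn and login_attribute are simplified keys
    "ldap.security.principal": "cn=liferay-svc,ou=System,dc=example,dc=com",
    "ldap.security.credentials": "svc-secret",
    "ldap.auth.method": "bind",
    "base_dn": "ou=Users,dc=example,dc=com",
    "login_attribute": "sAMAccountName",
}

if __name__ == "__main__":
    print(auth_by_dn_template(DIRECTORY, "uid={screenName},ou=Users,dc=example,dc=com", "jdoe", "correct horse"))
    print(auth_liferay_style(DIRECTORY, PROPS, "jdoe", "correct horse"))
    print(anonymous_search_allowed(DIRECTORY))
```

Because the login attribute (`sAMAccountName`) is not the attribute used in the RDN (`uid`), approach 2 is the only one of the two that can locate the entry from what the user types, and it can only do so after binding as the system account; switching `ldap.auth.method` to `password-compare` changes the last step but not that requirement.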
