LDAP configuration with Liferay portal not working
I need to configure Liferay with organization LDAP.

My requirement is to import users on demand (on login) to the Liferay database.

When I try to login by using screen name which is mapped to sAMAccountNumber in LDAP, I get

authentication failure error

I do not see any users imported in db too.

After a lot of debugging it looks like the LDAP connection is done successfully. But no results are returned from LDAP.

I am seeing something like this in the logs:


Search filter before transformation (sAMAccountName=@screen_name‌​@)
Search filter after transformation (sAMAccountName=@screen_name‌​@)


I am not sure why it's appending junk characters at the end.

It should just be

"sAMAccountName=@screen_name@ "

Any quick pointers would really help.

Thanks!

Relationship answered 5/5, 2014 at 17:42
ldap.security.principal.0=domainname/myusername feels incorrect. RDN (relative DN) is expected here (relative to ldap.base.dn). Check github.com/liferay/liferay-portal/blob/master/portal-impl/src/… . (Burble)

@Pavel Horal Thanks for reply! I made the changes you suggested as below: ldap.security.principal.0=CN=my name,OU=Users,OU=MyLocation,OU=MyCity,OU=MyCountry,OU=Myregion,OU=Mycompany,DC=companydomain,DC=com. I fetched this value from the LDAP server using Jxplorer, i.e. the value of the distinguishedname field in there. Restarted tomcat and tried login by username, which is mapped to sAMAccountName in portal.ext. The exception I am getting now is "com.liferay.portal.NoSuchUserException: No User exists with the key {companyId=10157, screenName=username}". (Relationship)

@Pavel Horal, I tried with principal value as "CN=my name,OU=Users,OU=MyLocation,OU=MyCity,OU=MyCountry,OU=Myregion,OU=Mycompany". Did server restart. I am getting a new exception as: Failed to bind to the LDAP server javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1_] [Sanitized]. Is there anything else I am missing? Thanks. (Relationship)

@Pavel Horal, after doing some more analysis on the method in the liferay source, I found that what it seems to be doing is only making a call to the liferay DB and checking whether the corresponding screen name is present. I do not see my user imported in the DB yet. I am not sure at what point the import of users actually happens in the liferay DB and why it's checking in the DB even before import. So in this case the import not happening looks to be an issue. What do you suggest? (Relationship)

@Pavel Horal, as per liferay documentation, enabling this attribute would do the mass import of all the users from LDAP. As the LDAP I am dealing with is an organization LDAP, there are a very large number of users. I want to do the LDAP user import on demand, i.e. only when the user logs in. liferay.com/community/wiki/-/wiki/Main/LDAP (Relationship)

You are right... this option is irrelevant for your use-case. LDAP users should be imported automatically during the authentication process. github.com/liferay/liferay-portal/blob/master/portal-impl/src/… (Burble)

@Pavel Horal, I am getting this exception in logs: [LDAPAuth:341] Problem accessing LDAP server, javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:_ 'DC=mydomainname DC=com'__]; Also, I see the below exception: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection. I have verified my LDAP details by using Jxplorer and am able to connect fine. Any clue? (Relationship)

'DC=mydomainname DC=com' - make sure your DN is correct. Here I am missing a comma between DN components. Not sure whether it is missing in your configuration as well or not. (Burble)

@Pavel Horal, the comma is present in my configuration. I tested the same config with Jxplorer too and it gets connected. Do I need to have any privileges to be able to bind to LDAP, or can normal users bind too? (Relationship)

@Pavel Horal, I have edited the original question. Let me know if you get any clue from it. Thank you. (Relationship)

After a lot of debugging and server restarts I finally got to know the issue. Hope it helps somebody else.

As shown in my question, there were some junk characters getting appended to the authentication search filter; this was the reason it was not replacing the sAMAccountName with the actual value I entered on the login screen.

These junk characters were not visible in the text editor I was using and hence not visible to the human eye.

It was only when I changed my text editor encoding to ANSI that I was able to see these junk characters. I really have no knowledge of how character encoding works; I tried it just thinking whether the text editor was hiding something. I had copied this string from one of the tutorials, i.e. a web page, and that might be the reason these junk characters got appended.

After removing them everything was fine. Thanks Pavel for your suggestions in the debugging process.

Relationship answered 8/5, 2014 at 8:9
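As an added example (not from the thread and not Liferay's own code), a small Python check that reads the ldap.auth.search.filter.* entries of a portal-ext.properties file, reports every character outside printable ASCII with its code point and Unicode name, and shows why a placeholder split by such characters is never substituted. The sample file content and the plain-string-replace model of Liferay's token substitution are assumptions made for the example.

```python
import unicodedata
# Constructed portal-ext.properties fragment (not the asker's real file). The
# filter value carries a zero-width non-joiner (U+200C) and a zero-width space
# (U+200B) before the closing "@"; both are invisible in most text editors.
SAMPLE_PROPERTIES = (
    "ldap.auth.enabled=true\n"
    "ldap.base.dn.0=DC=example,DC=com\n"
    "ldap.auth.search.filter.0=(sAMAccountName=@screen_name\u200c\u200b@)\n"
)

def parse_properties(text):
    """Minimal key=value reader (no escapes or line continuations)."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def hidden_chars(value):
    """(offset, code point, Unicode name) of every character outside printable
    ASCII 0x20..0x7E: zero-width and control characters, paste artefacts."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(value) if not 0x20 <= ord(ch) <= 0x7E]

def clean(value):
    """Drop the hidden characters so the placeholder token is whole again."""
    return "".join(ch for ch in value if 0x20 <= ord(ch) <= 0x7E)

def expand_filter(template, screen_name):
    """Assumed model of Liferay's token substitution: a plain replace of
    @screen_name@. A token split by hidden characters stays as-is, so LDAP
    is asked for the literal placeholder and never matches a real account."""
    return template.replace("@screen_name@", screen_name)

def check_ldap_filters(text):
    """{key: hidden chars} for every ldap.auth.search.filter.* entry."""
    return {k: hidden_chars(v) for k, v in parse_properties(text).items()
            if k.startswith("ldap.auth.search.filter")}

if __name__ == "__main__":
    for key, bad in check_ldap_filters(SAMPLE_PROPERTIES).items():
        for pos, cp, name in bad:
            print(f"{key}: hidden {cp} ({name}) at offset {pos}")
    dirty = parse_properties(SAMPLE_PROPERTIES)["ldap.auth.search.filter.0"]
    print("as stored  :", expand_filter(dirty, "jdoe"))
    print("after clean:", expand_filter(clean(dirty), "jdoe"))
```

Point it at the real file (`open("portal-ext.properties", encoding="utf-8").read()`) to get the same report for a live configuration; an empty report means the filter contains only plain ASCII.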
