Liferay LDAP Integration
Liferay version: 6.1
Please go through the following link to get an understanding of Liferay LDAP integration:
Log in as an administrator and go to the Control Panel. In the left-hand menu, under the Portal category, click Portal Settings.
Click the Add button to add your LDAP server configuration. You can also add multiple LDAP servers.
Server Name: any name of your choice.
Server Type: the directory server you are using, such as Apache Directory Server, Microsoft Active Directory or OpenLDAP.
Base Provider URL: the LDAP URL used to connect to your server. The standard port number for LDAP is 389.
Base DN: specifies where exactly in the tree your user nodes are located.
Example:
meera.com is my company.
It has the organizational units Finance and IT.
Each organizational unit contains users.
Then the Base DN looks like: CN=users,OU=finance,DC=meera,DC=com
If I have two users, Peter in finance and Tom in IT, their exact user nodes look like this:
CN=Peter,CN=users,OU=finance,DC=meera,DC=com
CN=Tom,CN=users,OU=IT,DC=meera,DC=com
Any of the following can serve as the base DN for the server above:
CN=users,OU=finance,DC=meera,DC=com : finds users in the meera company's finance organization
OR
CN=users,OU=IT,DC=meera,DC=com : finds users in the meera company's IT organization
OR
OU=IT,DC=meera,DC=com : finds users and other types of objects in the meera company's IT organization
OR
OU=finance,DC=meera,DC=com : finds users and other types of objects in the meera company's finance organization
OR
DC=meera,DC=com : finds users and other objects/nodes in the meera company across both organizations, IT and finance
Any of the above can be specified as the base DN, depending on your requirement.
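As an added example (not from the post), the following Python checks which of the user nodes above fall under each candidate base DN, which is exactly what the list of base DNs describes. The user DNs are the constructed ones from the text.

```python
# Added example (not Liferay code): decide which user DNs fall under a candidate
# base DN. Attribute types in a DN are case-insensitive and hand-typed DNs often
# carry spaces around commas, so the RDNs are normalised before comparison.

def parse_dn(dn):
    """Split a DN into a list of normalised RDNs, most specific first."""
    return [part.strip().lower().replace(" =", "=").replace("= ", "=")
            for part in dn.split(",")]

def is_under(base_dn, entry_dn):
    """True when entry_dn equals base_dn or lies beneath it (subtree scope)."""
    base, entry = parse_dn(base_dn), parse_dn(entry_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base

# Constructed user nodes, matching the meera.com example in the text.
USER_DNS = [
    "CN=Peter,CN=users,OU=finance,DC=meera,DC=com",
    "CN=Tom ,CN=users,OU=IT,DC=meera,DC=com",
]

def users_under(base_dn, user_dns=USER_DNS):
    """Return the user RDNs (e.g. 'cn=peter') found when base_dn is the search base."""
    return [parse_dn(dn)[0] for dn in user_dns if is_under(base_dn, dn)]
```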
Principal: the user name used to connect to your LDAP server, i.e. the LDAP admin user name.
Credentials: the password for that user, i.e. the LDAP admin password.
Once you have completed all of the above, click the test server button and check the result; you will get the following pop-up.
Now we have successfully connected to the LDAP server.
Configure Authentication Filter and Import Filter
Now go to the Users section of the same screen; you will see the following screen.
The first text box is the Authentication Search Filter.
Note: the authentication filter and the import filter are very important.
Authentication Filter:
This defines how a user is looked up in LDAP when they try to log in to Liferay. When Liferay authenticates by email address, we need to map the Liferay email address to the appropriate LDAP attribute, like:
(mail=@email_address@)
When authenticating by screen name, we need to map the Liferay screen name to the appropriate LDAP attribute, like:
(cn=@screen_name@)
or
(sAMAccountName=@screen_name@)
Note: whatever attribute you use here, its value must not be duplicated across users.
Import filter:
This filter is used to search LDAP for users; all matching results are imported into the Liferay User_ table.
One thing to consider: whatever import filter is used, every result must have the LDAP attributes mapped to the email address and the screen name; otherwise we will get many exceptions.
Generally we import users, which in LDAP means objectClass=person.
We can also narrow the filter using LDAP filter syntax; for more details on how to write LDAP filters, go through the following link.
Note: sometimes not all nodes in LDAP are persons, and if the person nodes lack the attributes mapped to the email address or screen name, we get many import problems.
So we need to give a proper import filter so that all matched nodes have the mail-related and screen-name-related attributes.
Generally the Liferay screen name maps to the cn or sAMAccountName attribute.
Similarly, the Liferay email address maps to the userPrincipalName or mail attribute.
These attributes should be present in every objectClass=person node; otherwise we can expect import issues.
Example import filter:
(objectClass=person) searches all LDAP nodes whose object class is person, i.e. users. Sometimes the object class may be organizationalPerson too.
Another example filter:
& is the AND operator, like && in Java; similarly | is the OR operator, like || in Java.
(&(objectClass=person)(|(department=finance)(department=it)(department=sales)))
This means the node is a person and belongs to any one of those departments.
Import mappings
Import mappings are used when a user is imported from LDAP into the Liferay User_ table.
Here we map the attributes Liferay requires to LDAP attributes.
An LDAP user (objectClass=person) has many attributes.
So we map each appropriate LDAP attribute to a Liferay attribute.
Example:
| Liferay attribute | LDAP attribute |
|---|---|
| emailAddress (must not be duplicated) | mail / userPrincipalName |
| Screen name (must not be duplicated) | cn / sAMAccountName / name |
| password | userPassword |
| First Name | name |
| Last Name | sn |
| Job Title | title |
| Group | department |
Now we have successfully created the LDAP server and specified the user mappings to import users into Liferay.
Next we need to set some configuration: when users should be imported, and which password policy applies when passwords are created.
The following screen shows those configurations.
Enabled:
This is the starting point of the LDAP integration; only when it is enabled is LDAP integrated with Liferay, so enable it when you want to integrate LDAP with Liferay.
When LDAP is enabled and a user tries to authenticate, the user is searched for in the LDAP tree; if found, ldapAuthentication is set to true and the user is imported.
This applies to every user: on their first login attempt, the user is imported.
Required:
Make exceptions for omni admins so that if they break the LDAP configuration, they can still log in to fix the problem.
Import Enabled:
When this is enabled, all LDAP users are imported into the Liferay User_ table, with related entries in other tables such as Group_.
Import on Startup Enabled:
When this is enabled, all users are imported when the Liferay server starts.
Once the import has run, an entry is created in the LOCK_ table; it determines the interval at which the import is repeated. This interval is set in the portal properties.
Use LDAP Password Policy:
When this option is enabled, the user is not asked to set a new password at login, only to accept the terms and conditions. Otherwise the user is asked to change to a new password on their first login attempt.
Important Observations:
GroupFriendlyException:
Reason: when a user is imported, the user is created from the mapping of Liferay user attributes to LDAP attributes.
Generally cn or sAMAccountName is used as the screen name.
When the user is imported, the cn becomes the screen name in the User_ table, and one more entry is created in the Group_ table whose friendly URL is the screen name, i.e. /<screen name> or /<cn>.
When this friendly URL is already present in the Group_ table you will see a GroupFriendlyException, and the user will not be imported.
So we need to be very careful that screen names are not duplicated: with thousands of users in LDAP, we need to identify an attribute whose values are unique.
If cn or sAMAccountName has duplicates in your LDAP, do not use that attribute as the screen name.
One more thing: when Import Enabled is on, all users are automatically imported into the User_ table based on the configuration.
So enabling the Import Enabled option means all LDAP users are imported into Liferay.
If Import Enabled is off, each user is imported on their first login.
Import on Startup means that all users are imported automatically when the server starts. An entry is created in the LOCK_ table, where you can see the expirationDate column. Once the expiration date is earlier than the current date, the import runs again, and this continues as long as import remains enabled.
We can choose authentication either by email address or by screen name.
Whichever we choose, the LDAP attribute mapped to the email address and the one mapped to the screen name must not contain duplicates; otherwise we get a UserScreenNameException or UserEmailAddressException.
When we use authentication by email address, it is better to auto-generate the screen name; then there is no problem when all users are importing. But the email address must be unique.
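An added Python example (not Liferay's code) that runs the authentication filters and the import filter from the earlier sections against a few constructed entries, and flags what this section warns about: matched entries lacking the mapped mail or screen-name attribute, and duplicate screen-name values. The entries and attribute names are constructed; the parser supports only the &, | and attr=value forms the page uses, and the RFC 4515 escaping of substituted values is this example's own safeguard.

```python
# Added example, not Liferay code: a minimal RFC 4515 filter evaluator over
# constructed entries, used to try the page's authentication filter (with Liferay's
# @email_address@ / @screen_name@ placeholders) and import filter, and to flag what
# the text warns about: matched entries lacking the mail or screen-name attribute,
# and duplicate screen-name values (the GroupFriendlyException case).
import re

# Constructed sample entries: Tom has no mail attribute, and cn=Peter occurs twice.
ENTRIES = [
    {"cn": "Peter", "objectClass": "person", "department": "finance", "mail": "peter@meera.com"},
    {"cn": "Tom", "objectClass": "person", "department": "it"},
    {"cn": "Peter", "objectClass": "person", "department": "it", "mail": "peter.k@meera.com"},
    {"cn": "Printers", "objectClass": "organizationalUnit", "department": "it"},
]

def escape_value(value):
    """Escape the characters RFC 4515 reserves before substituting into a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def substitute(template, **values):
    """Fill @name@ placeholders as Liferay does for its authentication filter (escaped here)."""
    return re.sub(r"@(\w+)@", lambda m: escape_value(values[m.group(1)]), template)

def parse(text):
    """Parse one filter (&, | and attr=value, as the page uses); returns (tree, rest)."""
    if text[1] in "&|":
        op, rest, kids = text[1], text[2:], []
        while rest.startswith("("):
            kid, rest = parse(rest)
            kids.append(kid)
        return (op, kids), rest[1:]                 # drop the closing ')'
    m = re.match(r"\(([A-Za-z][\w-]*)=([^()]*)\)", text)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return ("=", m.group(1).lower(), value.lower()), text[m.end():]

def matches(tree, entry):
    """Evaluate a parsed filter against one entry; LDAP compares case-insensitively."""
    if tree[0] == "&":
        return all(matches(k, entry) for k in tree[1])
    if tree[0] == "|":
        return any(matches(k, entry) for k in tree[1])
    low = {k.lower(): v.lower() for k, v in entry.items()}
    return low.get(tree[1]) == tree[2]

def search(filter_text, entries=ENTRIES):
    tree, _ = parse(filter_text)
    return [e for e in entries if matches(tree, e)]

def import_check(filter_text, screen_attr="cn", email_attr="mail"):
    """Apply the text's import caveats to the entries an import filter would select."""
    matched = search(filter_text)
    missing = [e["cn"] for e in matched if email_attr not in e or screen_attr not in e]
    names = [e[screen_attr] for e in matched if screen_attr in e]
    dups = sorted({n for n in names if names.count(n) > 1})
    return {"matched": len(matched), "missing_attrs": missing, "duplicate_screen_names": dups}
```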
When we use the screen name, it must not start with a number. If that is the case, set the portal property users.screen.name.allow.numeric=true.
You can also change the screen name validator to one of your choice with the following property:
users.screen.name.validator=com.liferay.portal.security.auth.DefaultScreenNameValidator
Input a class name that implements com.liferay.portal.security.auth.ScreenNameValidator. This class will be called to validate user screen names.
users.screen.name.generator=com.liferay.portal.security.auth.DefaultScreenNameGenerator
Input a class name that implements com.liferay.portal.security.auth.ScreenNameGenerator. This class will be called to generate user screen names.
An email address must not start with a number; otherwise you will get a UserEmailAddressException.
You can change the user email address policies, and you can also skip the email address when a user is imported, with the following properties.
Related Properties:
users.email.address.required=true
Set this to false if you want to be able to create users without an email address. An email address will be automatically assigned to a user based on the property "users.email.address.auto.suffix".
Set the suffix of the email address that will be automatically generated for a user that does not have an email address. This property is not used unless the property "users.email.address.required" is set to false. The auto generated email address will be the user id plus the specified suffix.
users.email.address.generator=com.liferay.portal.security.auth.DefaultEmailAddressGenerator
Input a class name that implements com.liferay.portal.security.auth.EmailAddressGenerator. This class will be called to generate an email address for a user that does not specify an email address. This class will only be used if the property "users.email.address.required" is set to false.
users.email.address.validator=com.liferay.portal.security.auth.DefaultEmailAddressValidator
Input a class name that implements com.liferay.portal.security.auth.EmailAddressValidator. This class will be called to validate user email addresses.
users.full.name.generator=com.liferay.portal.security.auth.DefaultFullNameGenerator
Input a class name that implements com.liferay.portal.security.auth.FullNameGenerator. This class will be called to generate a full name from the user's first, middle and last names.
users.full.name.validator=com.liferay.portal.security.auth.DefaultFullNameValidator
Input a class name that implements com.liferay.portal.security.auth.FullNameValidator. This class will be called to validate user first, middle and last names.
Important LDAP Properties in Liferay:
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
Sets the class used to connect to the LDAP store, i.e. the LDAP implementation class.
ldap.referral=follow
ldap.page.size=1000
Set the page size for directory servers that support paging. This value needs to be 1000 or less for Microsoft Active Directory Server.
If you want more search results from a Microsoft AD server, the AD server administrator can raise this limit in the AD configuration. Please contact your admin to set this value on the AD server.
ldap.range.size=1000
Set the number of values to return in each query to a multivalued attribute for directory servers that support range retrieval. The range size must be 1000 or less for Windows 2000 and 1500 or less for Windows Server 2003.
ldap.auth.method=bind / ldap.auth.method=password-compare
Set either bind or password-compare for the LDAP authentication method. Bind is preferred by most vendors so that you don't have to worry about encryption strategies.
LDAP Password Import Algorithm:
Set the password encryption to use for comparing passwords during import and to use for encrypting passwords during export. Comparing passwords during import will only be used when the property "ldap.auth.method" is set to password-compare. If the encryption is set to NONE, which is the default value, passwords are considered as plain text. The SHA-512 algorithm is currently unsupported.
#ldap.auth.password.encryption.algorithm=BCRYPT
#ldap.auth.password.encryption.algorithm=MD2
#ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm=NONE
#ldap.auth.password.encryption.algorithm=SHA
#ldap.auth.password.encryption.algorithm=SHA-256
#ldap.auth.password.encryption.algorithm=SHA-384
#ldap.auth.password.encryption.algorithm=SSHA
#ldap.auth.password.encryption.algorithm=UFC-CRYPT
ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer
You can write your own class that implements com.liferay.portal.security.ldap.AttributesTransformer to transform the LDAP attributes before a user or group is imported to the LDAP store.
LDAP Connection Properties:
Specify the settings for LDAP connections. Any property prefixed with "ldap.connection." will be passed to the LDAP context as an environment variable. See the following link:
ldap.connection.com.sun.jndi.ldap.connect.pool=true
ldap.connection.com.sun.jndi.ldap.connect.timeout=500
ldap.connection.com.sun.jndi.ldap.read.timeout=15000
ldap.import.interval=10
ldap.import.method=user or ldap.import.method=group
Choose one of the two.
Set either user or group for the import method. If set to user, the portal will import all users and the groups associated with those users. If set to group, the portal will import all groups and the users associated with those groups. This value should be set based on how your LDAP server stores group membership information.
ldap.import.lock.expiration.time=86400000
Set the lock expiration time for LDAP import. By default, the expiration time is 1 day.
ldap.import.group.search.filter.enabled=true
If set to true, the group filter will be applied, but only to groups in the specified base DN. If set to false, the filter will not be applied and all groups that are associated with the imported users will be imported regardless of the base DN.
ldap.import.group.cache.enabled=true
Specify whether group DN lookups will be cached during LDAP import and login. If set to true, this will speed up LDAP import and login, but updates to group attributes will not be recognized until the cache entry expires. The cache size and timeout may be configured in the configuration file specified in the property "ehcache.single.vm.config.location".
ldap.import.create.role.per.group=false
Set this to true if the portal should automatically create a role per group imported from LDAP. The role will be assigned to the group so that users can automatically inherit that role when they are assigned to the group.
Set these following values to be a portion of the error message returned by the appropriate directory server to allow the portal to recognize messages from the LDAP server. The default values will work for Fedora DS.
ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit
ldap.import.user.password.enabled=true
Set this to false when the LDAP user's password should not be imported.
ldap.import.user.password.autogenerated=false
Set this to true to auto generate the password for users imported from LDAP. This property is only in use if the property "ldap.import.user.password.enabled" is set to false.
ldap.import.user.password.default=test
#ldap.import.user.password.default=screenName
Set either screenName or plain text as the default password for the imported LDAP user. Setting the value to screenName will use the user's screen name as the password for the imported LDAP user. Setting the value to any other plain text value will use that value as the password for the imported LDAP user. This property is only in use if the properties "ldap.import.user.password.enabled" and "ldap.import.user.password.autogenerated" are both set to false.
ldap.user.ignore.attributes=
Set the user attributes that are controlled from the portal. When adding or updating a user from LDAP, these attributes will be skipped.
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn
Note: if you want to change any portal properties related to LDAP, simply create a portal-ext.properties file, add the properties, and set them to the required values. This file should be in the Liferay_Home directory.
Important Java classes involved in Liferay LDAP integration:
com.liferay.portal.security.auth.LDAPAuth.java
com.liferay.portal.security.ldap.PortalLDAPImporterImpl.java
com.liferay.portal.security.ldap.DefaultLDAPToPortalConverter.java
com.liferay.portlet.login.action.LoginAction.java
Example of an LDAP tree
CN=Users,OU=finance,DC=watsons,DC=local
CN = Common Name
OU = Organizational Unit
DC = Domain Component (each part of the domain name)
CN=Users,DC=watsons,DC=local