LDAP with AD in Liferay

1. Introduction :

This is an example of a basic LDAP integration in Liferay 6.0.5. In the example we import users/groups into Liferay via LDAP and vice versa.

2. Environment

Windows Server 2003, Active Directory
Liferay 6.0.5


3. LDAP & AD

LDAP

LDAP (Lightweight Directory Access Protocol) is a directory publishing service and specially designed for directory service providers.

Active Directory

AD (Active directory) is a directory service provider, where you can add new user to a directory, remove or modify, specify privilages, assign policy etc. Its just like a phone directory where every person have a unique contact number. Everything in AD(Active Directory) are considered as Objects and every object is given a Unique ID.

LDAP vs AD

AD is a directory services database, and LDAP is one of the protocols you can use to talk to it.


4 : AD Users

First you need to setup the Active Directory.

In Active Directory you need to define 2 OU(Organizational Unit). One is for storing or categorizing all the users. The second is to Create the groups.

For example:-

a) OU=Users

b) OU=Groups

4.1 Create OU in AD:

Go to DN – right click – New – Organizational Unit

4.2 Create Users in AD:
Go to OU (mpower) – right click – New – User

4.3 User’s Attributes:

You can test the users account by login in Active Directory machine with newly created users.

5. LDAP Configuration in Liferay

5.1 : Integration

a. Login as Administrator in liferay portal.

b. Go to Control Panel -> Settings -> Authentication -> LDAP select tab.



c. Check the Enabled box.

d. Id. If the Required box is checked only users in the LDAP server will be able to log into Liferay Portal. For this demonstration leave the box unchecked.

5.2: Server Name

Liferay Portal supports other directory servers in addition to the ones provided. The Apache Directory ServerMicrosoft Active Directory Server, and Novell eDirectory comes preconfigured.

Select Server Name : Microsoft Active directory Server

5.3: Connection :

Provide given values and Test LDAP Connection :

Base Provider Url : ldap://172.22.1.26:389

Base DN : ou=Tech,dc=mpowerglobal,dc=com

Principal : mpowerglobal\administrator

credentials : abc123.


mpowerglobal - domain name in AD

Tech - Organizational Unit

172.22.1.26 : IP in AD Machine

389 : Port No.

ldap://172.22.1.26:389: This tells the portal where the LDAP server is located )

5.4: TEST LDAP CONNECTION :

Now test your connection to see if it validates.. You can test the connection by clicking “Test LDAP Connection” button. If it shows successful message, your connection is successful....

5.5: Users :

If you wish to change how users login (Ex. Login with screen name / emailaddress), then change the settings in the Authentication Search Filter field.

5.5.1 Users:

Provide these values :

Authentication Search Filter : (&objectCategory=Person)(mail=@email_address@)

import search filter: (objectClass=User)

( if objectClass is defined as “User” in AD, then we have to give “User” .

[ObjectClass = UserInetOrgPerson,...etc ] )

5.5.2 User Mapping :

Provide these values :

screenName : sn

password: userPassword

EmailAddress : mail

first Name : givenName

LastName : sn

Jobtitle : title

Group : memberOf

5.6 TEST LDAP USERS:

Now you can test the groups by clicking “Test LDAP Users” button. It will show all the Users from Active Directory.

Step 5.7: Import Users to Liferay

if you checked "Import on Startup Enabled", then restart your App Server.

Log back in, go the Control Panel->Users . Your imported Users will be there!

Imported Users :

Step 5.8: Groups

5.8.1 Groups

Provide these values:

importSearchfilter : (objectClass=group)

5.8.2: GroupMapping:

GroupName : cn

Description: description

User: member


5.9: TEST LDAP GROUPS:

Now you can test the groups by clicking “Test LDAP Groups” button. It will show all the Groups under the given OU ( Tech) from Active Directory. Also It will show Members of that groups.


5.10. Import Groups to Liferay User Group

LDAP groups are pulled into Liferay as UserGroups

Follow the “Step 4.9: Import Users to Liferay” which will import groups from AD to Liferay as follows:

6. AD-GROUPS – USERS Structure

( Create the following groups in AD, test1ss & sss under the “Tech” [OU] and assign some users to that groups)


7. Export Users to AD


We can exports all the users from liferay to AD by providing these values.

Users DN = ou=Tech,dc=mpowerglobal,dc=com

User Default Object Classes = top,person,User,organizationPerson

Groups DN = ou=groups,dc=mpowerglobal,dc=com

Group Default Object Classes= top, group

( Note : if you give object name “User” in User Default Object Classes ,

In AD, object type will be “User” )

7.1: Add Liferay users: Go to Control Panel – Users – Add users

After setting the above value in control panel, if you create users in Liferay, it will be exported to AD.

 

7.2: Verify AD Users from Liferay:

All the Users from Liferay will be populated in AD as follows:

Selected Users from below screen has been exported from Liferay)

 

8. Login into Liferay with Imported User

We need to uncheck this below option in AD : “User must change password at next logon”

If this checkbox is unchecked , then you can login with that particular user into Liferay.

If not, we need to login again in AD and change password, then Import to Liferay.


9. Troubleshooting

1. If User is not imported AD to Liferay,

a. Restart AD Server / Liferay

b. Make sure all the attributes are given while creating User in AD.

For ex, (Screen Name, Password, Email Address, First Name, and Last Name)

 


2. If imported user is not able to login into Liferay, uncheck the below option in AD while

creating user:

“User must change password at next logon”

 


3. If Group is not imported from AD to Liferay,

a. Make sure all the attributes are given while creating Group in AD,

For ex, (name,description)

b. If No member is assigned to Group in AD, That group will not import to Liferay.

 


4. Password Policy

Portal can be configured to use LDAP password policies. To configure the Portal to use LDAP's password policy, go to

· > Control Panel

· > "Settings" tab

· > "Authentication" tab

· > "LDAP" tab

· > and under the "Password Policy" section, click the "Use LDAP Password Policy" checkbox on (at the bottom)

If that has been done correctly, when you try and view the liferay Control Panel - Password Policy, you will get a message saying that “You are using LDAP's password policy. Please change your LDAP password policy settings if you wish to use a local password policy”.

- Gnaniyar Zubair
gnaniyar@gmail.com
1
Blogs