RE: OPENLDAP

RE: problems with encryption in openLDAP

2007-06-26T10:12:41Z

Hi,

finally I did solve my problems importing AD users to Liferay watching the traces modifying LDAPAuth.java. You can enable debug for LDAP by modifying the file portal-log4j.xml located in ../portal-ejb/classes/META-INF/ . I had the same problem and the solution was to modify the mappings that Liferay does.

regards

RE: problems with encryption in openLDAP

2007-06-21T07:55:29Z

Hi, i have one problem. I have installed liferay 4.2.2 and I have imported the users of my company's LDAP and when I try to log in with the email everything is OK, but when I try to log in with the userid(and this is what i need) i can't. There isn't any errors at the console and I don't know what the problem is, because the userid is the right one and the password too, because with the email it works.

Any idea?, thanks.

RE: problems with encryption in openLDAP

2007-04-17T10:13:58Z

Hi all,

we have solved the problem with our Zimbra-LDAP(openLDAP) connection with Liferay.

What we did was to modify the file LDAPAuth.java adding the support for SSHA algorithm as it says in this post: http://www.liferay.com/web/guest/community/forums/message_boards/message/104475

Regards,

Felipe

RE: problems with encryption in openLDAP

2007-04-06T23:23:46Z

Sorry for the late responce,
as you can see in your error message:

pipe melero:

but watching the log I have seen this error message:
ERROR [LDAPAuth:52] LDAP password {SSHA} jlsjj4l5n44564khrwewr+ does not match with given password {md5} 34e3f34t24r4r4545454g for user id

the problem is that you are storing the password in {SSHA} and not {md5}.
Change the password in OpenLdap and store it in md5.

problems with encryption in openLDAP

2007-03-26T10:02:33Z

Hi,

In my Liferay Admin Portlet I can see that I can reach the ldap server with the configuration:
- ldap://localhost:389
- uid=zimbra,cn=admins,cn=zimbra
- credentials=*********

but watching the log I have seen this error message:
ERROR [LDAPAuth:52] LDAP password {SSHA} jlsjj4l5n44564khrwewr+ does not match with given password {md5} 34e3f34t24r4r4545454g for user id

I have seen the Liferay's lifecast about LDAP but unfortunatelly I am using openLDAP which is not prepared for Liferay but it can be used. I have changed the portal-ext.properties writting SSHA instead of md5 but no success, does it mean that Zimbra-openLDAP is giving me the password with SSHA (Liferay doesnt accept this type of encryption).

Can anyone help in this trouble? I have also modified the LDAPAuth.java as it sais one post about this but, no success

Thanks

RE: OPENLDAP

2007-03-24T02:31:00Z

Hello guys,

I have not yet tried out the built-in LDAP feature of Liferay, but we have successfully built this feature for our own using the Spring LDAP support. It works fine! Of course, we have to make a few changes to Liferay.

I think this should be considered when you would like to deploy Liferay with LDAP in production environment.

Regards,

RE: Failed to bind with LDAP server error

2007-03-19T16:21:30Z

pipe melero:

zimbra_ldap_userdn= uid=zimbra,cn=admins,cn=zimbra

hi, sorry for the late response,
i don't have experience with zimbra, but it looks to me that the information you are entering is the user that the system uses to connect to the LDAP server. In Liferay that information should be put in the Principal field in the Admin Portlet on the User - Athentication - LDAP tab.

You can see a tutorial for LDAP integration in this page: Liferay documentation

Failed to bind with LDAP server error

2007-03-16T08:50:12Z

Thaks Stuardo for your fast replied!

I have done what you told about md5 in portal-ext.properties but I have a problem with the connection with the LDAP server and Liferay. Watching the properties of my openLDAP I have the following parameter but I dont know where to put and how in the admin portlet of liferay:

zimbra_ldap_userdn= uid=zimbra,cn=admins,cn=zimbra

I am a newbie in LDAP and I would appreciate any help with this!

Thanks

RE: OPENLDAP

2007-03-16T05:17:38Z

You should add this line:
auth.impl.ldap.password.encryption.algorithm.types=md5

in this file: /tomcat/webapps/ROOT/WEB-INF/classes/portal-ext.properties
if you are using tomcat. If you are not using tomcat, look for portal-ext.properties in the correct location for your application server/servlet engine.

After that, create test@liferay.com user account in OpenLdap, then start tomcat and logon with test@liferay.com , enable and change the ldap preferences in the Admin portlet and test the configuration.

Look for more details in this message thread.

RE: OPENLDAP

2007-03-15T16:08:11Z

Hi Stuardo,

I am trying to get openLDAP working with Liferay but I can't. What type of changes in the configuration have you made to get it working? My aim is to use the same LDAP (openLDAP) for Zimbra and Liferay.

Thanks in advance,

Felipe

RE: OPENLDAP

2007-02-22T00:18:08Z

Pere Cortada Bonjoch:

To avoid the encryption schema problems the best solution is not to compare passwords. Instead you must bind with the server with the user password. The bind mechanism don't depend in the encryption function choosen for the password.

I agree with you, bind is the correct way to check user-password. This work around can help you if you don't want to change source code. I hope that version 4.2.2 is released soon

RE: OPENLDAP

2007-02-22T00:06:04Z

Siddharth Karandikar:

auth.pipeline.enable.liferay.check=false

I think you should change auth.pipeline.enable.liferay.check to true, see the comments for this parameter in portal.properties:

    #
    # Set this to true to ensable password checking by the internal portal
    # authentication. If set to false, you're essentially delegating password
    # checking is delegated to the authenticators configured in
    # "auth.pipeline.pre" and "auth.pipeline.post" settings.
    #
    auth.pipeline.enable.liferay.check=true

Just remember to put this parameter in the portal-ext.properties file.

Also:
I think you should put ldap authentication to enable and required in the Enterprise Admin portlet. Maybe you checked the "Enabled" option for LDAP authentication, but "Required" is not checked.

good luck.

RE: OPENLDAP

2007-02-21T13:21:43Z

To avoid the encryption schema problems the best solution is not to compare passwords. Instead you must bind with the server with the user password. The bind mechanism don't depend in the encryption function choosen for the password.

It's a entry in the JIRA to change it in the new 4.2.2 and a workaround mangling the code can be found at
this thread

RE: OPENLDAP

2007-02-21T05:01:31Z

Thanks, It seems that liferay is doing the password check with 'md5'.

Now there is one more (more serious) issue.

I have a user named 'sss' in liferay. I have entry for 'sss' in apache-ds as well.
sss has 'ssss' as its liferay password and 'abcd' as ldap password.

After making the suggested 'md5' changes, (putting auth.impl.ldap.password.encryption.algorithm.types=md5 in portal-ext.properties), I get
error (see below) when I type wrong ldap password on login screen and no error in case of right ldap password.


2007-02-21 04:48:16,519 1229809 [http-8080-Processor25] ERROR com.liferay.portal.security.auth.LDAPAuth - LDAP password {md5}4vxxTEcn7pOV8yTNLn8zHw== does not match with given password {md5}o9y00ineb94NtWht7kcUXQ== for user id

Strange thing is ... In both the cases (right and wrong password), user logs in successfully !!

Note: I have following in portal-ext.properties as well.
auth.pipeline.enable.liferay.check=false

Any help on this will be appreciated

RE: OPENLDAP

2007-02-20T14:40:57Z

Siddharth Karandikar:

I have tried using JXplorer and setting the password in md5 as well as sha. Still there is a error.
See message posted in,

http://www.liferay.com/web/guest/community/forums/message_boards/message/103156

The problem described on that message board (27919) can be resolved if you change this:
auth.impl.ldap.password.encryption.algorithm.types=md5
you can see that "md5" is in lower case.
See more detailed instructions in previous messages above.

RE: OPENLDAP

2007-02-20T14:33:39Z

When you are editing or inserting a new user, you can enter the userPassword attribute doing a double click on this attribute name, when a dialog window apears you can enter the password and confirmation, in the bottom of that window you can choose Plain Text or MD5 or SHA. After choose md5 hit OK.

RE: OPENLDAP

2007-02-20T03:47:11Z

I have tried using JXplorer and setting the password in md5 as well as sha. Still there is a error.
See message posted in,

http://www.liferay.com/web/guest/community/forums/message_boards/message/103156

RE: OPENLDAP

2007-02-20T01:22:02Z

I have Xplorer but where do you choose md5 for the userPassword attribute?

Thanks

Pat

RE: OPENLDAP

2007-02-19T15:06:46Z

Make sure your password is encrypted with md5. I use a tool named XPlorer to view, create and modify ldap entries, in this tool you can choose md5 to store the userPassword attribute.
I am not familiar with Kerberos so i can't help you with that. Just remenber that Liferay compares the userPassword attribute with the password given by the user, it is a string comparation and does not connect to the ldap server with end user credentials to verify the password.

RE: OPENLDAP

2007-02-19T12:32:27Z

I tried putting the line

auth.impl.ldap.password.encryption.algorithm.types=md5

in the portal-ext.properties file.

Liferay does pick it up but I still can't log onto LDAP

In the catalina.out file I get one of the following errors depending on which I choose
in liferay.

LDAP password ******** does not match with given password "password plain text" for user id
LDAP password ******** does not match with given password {MD5}D6X8wmLZ6K2+zUPKEXMlsw== for user id
LDAP password ******** does not match with given password {md5}D6X8wmLZ6K2+zUPKEXMlsw== for user id
LDAP password ******** does not match with given password {SHA}3UFCJrMi9a6pI1cCO6eIsG2vpaI= for user id

So apparently my LDAP (which by the way is on OS X, which is OpenLDAP) uses some other scheme to
encrypt the password. Would having Kerberos turned on cause this? Does it used something else?

Pat.