LDAP Configuration in 7.0/DXP

There are a great number of changes in Liferay 7.0/DXP, and one of them is how LDAP settings are managed when dealing with configuration files. In 6.2 and earlier, one could simply copy all the relevant settings into portal-ext.properties and have them load on startup. However, in 7.0, the old LDAP settings are no longer present in portal.properties, and the old way doesn't work. So how is it done now?

What we need here is a *.config file. In fact, we need 4 of them.

com.liferay.portal.security.ldap.authenticator.configuration.LDAPAuthConfiguration-${HASH_VALUE}.config
com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration-${HASH_VALUE}.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPExportConfiguration-${HASH_VALUE}.config
com.liferay.portal.security.ldap.exportimport.configuration.LDAPImportConfiguration-${HASH_VALUE}.config

Those are some very long filenames, and once the hash value is added in, they get even longer. This raises the question: where does the hash value come from? There are two possible ways to get a filename with a hash value: get the file from someone else, or use the UI.

Here is a straightforward way of using the UI to generate the config files.

  1. In a running Liferay system, go to Control Panel -> System Settings -> Foundation. One could search for "LDAP" from the System Settings panel as well.
  2. Edit the values as desired for LDAP Auth, LDAP Servers, and if desired, LDAP Export and LDAP Import configs.
  3. From the Control Panel -> System Settings -> Foundation page, use the 3-dot menu (also known as the ellipsis menu) to export the settings and save the file. These files now have the hash value along with the file name.
  4. Copy these files into the Liferay system to be configured and place them at ${LIFERAY_HOME}/osgi/modules.
  5. (Optional) To revert the LDAP settings back to default values and have them be read from the config files, use the 3-dot menu and select "Revert to Default".

Longtime Liferay users will recognize the fact that once something has been entered into the UI, it will always supersede config files. The "Revert to Default" option is a new feature that allows the config files to be read once again even after something has been entered into the UI. In short, to have the LDAP settings read from config files, the settings first have to be entered into the UI to generate the config files.

The hash value is not unique to the system and can be used across multiple systems.

Some things to note:

  • The hash value is necessary. Liferay will not read the file properly without the hash value.
  • The file content can be edited without changing the hash value.
  • Changes to the file content are picked up without a restart.

The last note above is the major difference between the old way via portal-ext.properties, and the new way with OSGi. Changes to the files do not require a restart. No longer does a single typo cost several minutes (or more) of time waiting for the system to restart once it has been fixed!
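
Step 4 of the procedure above, combined with the file-name requirement from the notes, as an added shell example (not from the original post or from Liferay): it copies only files named `<PID>-<hash>.config` for the four LDAP PIDs listed earlier. The function names, the script name, treating the hash as an opaque non-empty token, and the 0600 mode (chosen because the LDAP server file normally holds the bind account's credentials) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: validate exported LDAP .config files and install them (step 4).
# Usage (script name is hypothetical):
#   ./install-ldap-configs.sh ./exported "${LIFERAY_HOME}/osgi/modules"

LDAP_PIDS="
com.liferay.portal.security.ldap.authenticator.configuration.LDAPAuthConfiguration
com.liferay.portal.security.ldap.configuration.LDAPServerConfiguration
com.liferay.portal.security.ldap.exportimport.configuration.LDAPExportConfiguration
com.liferay.portal.security.ldap.exportimport.configuration.LDAPImportConfiguration
"

# Print the PID a file belongs to. Fails unless the name is <PID>-<hash>.config
# with a non-empty hash (the hash format itself is not checked: assumption).
ldap_config_pid() {
  local name pid hash
  name=$(basename -- "$1")
  for pid in $LDAP_PIDS; do
    case "$name" in
      "$pid"-*.config)
        hash=${name#"$pid"-}
        hash=${hash%.config}
        [ -n "$hash" ] || return 1
        printf '%s\n' "$pid"
        return 0 ;;
    esac
  done
  return 1
}

# Copy every valid LDAP config from $1 into $2 with owner-only permissions.
# Returns non-zero if any *.config file in $1 was rejected.
install_ldap_configs() {
  local src=$1 dest=$2 f rc=0
  mkdir -p -- "$dest"
  for f in "$src"/*.config; do
    [ -e "$f" ] || continue
    if ldap_config_pid "$f" >/dev/null; then
      install -m 600 -- "$f" "$dest/"   # 0600 is an assumption, see lead-in
    else
      echo "skipped (not <PID>-<hash>.config): $f" >&2
      rc=1
    fi
  done
  return $rc
}

if [ "$#" -eq 2 ]; then install_ldap_configs "$1" "$2"; fi
```

The account that runs Liferay must own the installed files, so run the script as that user.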

LDAP setup via config files in Liferay 7.0/DXP has consumed my last 2.5 days, and I hope I have saved you some time and frustration.

Hi Jonas,
Thank you for your article. I have a question about the fourth point: Copy these files into the Liferay system to be configured and place them at ${LIFERAY_HOME}/osgi/modules.

Do we have to copy them into the configs or the modules folder?

Thank you,

Hi Mounir,
Great question! To quote the great Olaf Kock: it depends.

Well, what does it depend on? Whatever you want, really. In my testing, I was told to put it in modules, which worked fine. However, to properly answer your question, I went back and tested again, putting the files into configs to confirm that it works, and it does.

Short answer: both locations work.