Sun GlassFish Web Space Server 10.0 Administration Guide

LDAP

The LDAP properties are set in the portal.properties file, which is the default configuration file for Sun GlassFish Web Space Server. You can override these properties in the portal-ext.properties file.

Set the values used to connect to an LDAP store.


ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url=ldap://localhost:10389
ldap.base.dn=dc=example,dc=com
ldap.security.principal=uid=admin,ou=system
ldap.security.credentials=secret
ldap.referral=follow

Settings for com.liferay.portal.security.auth.LDAPAuth can be configured from the Admin portlet. It provides out of the box support for Apache Directory Server, Microsoft Active Directory Server, Novell eDirectory, and OpenLDAP. The default settings are for Apache Directory Server.

The LDAPAuth class must be specified in the property auth.pipeline.pre to be executed.

Encryption is implemented by com.liferay.util.Encryptor.provider.class in system.properties.


ldap.auth.enabled=false
ldap.auth.required=false

Set either bind or password-compare for the LDAP authentication method. Bind is preferred by most vendors so that you don't have to worry about encryption strategies.


ldap.auth.method=bind
ldap.auth.method=password-compare

Set the password encryption algorithm used to compare passwords if the property ldap.auth.method is set to password-compare.


ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA
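To make the difference between the two methods concrete: with password-compare the portal hashes the supplied password with the configured algorithm and compares the result with the value stored in the directory, whereas with bind the directory verifies the password and the portal never deals with the hashing scheme. The following added example is not code from Web Space Server or Liferay. It models the comparison for the two algorithm types listed above, and it assumes that the directory stores userPassword in the RFC 2307 style form {SCHEME}base64(digest) that OpenLDAP uses. The functions, the sample password and the validate_algorithm_setting check are constructions of this example, not portal properties.

```python
import base64
import hashlib
import hmac

# The algorithm names the guide lists in
# ldap.auth.password.encryption.algorithm.types, mapped to digest functions.
SUPPORTED_ALGORITHMS = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def encode_userpassword(algorithm, password):
    """Return {SCHEME}base64(digest(password)).

    Assumption of this example: the directory stores userPassword in this
    RFC 2307 style form. The digest is unsalted, so two accounts with the
    same password end up with the same stored value."""
    digest_fn = SUPPORTED_ALGORITHMS[algorithm]
    digest = digest_fn(password.encode("utf-8")).digest()
    return "{%s}%s" % (algorithm, base64.b64encode(digest).decode("ascii"))


def split_scheme(stored_value):
    """Split '{SHA}abc...' into ('SHA', 'abc...'); no prefix gives (None, value)."""
    if stored_value.startswith("{") and "}" in stored_value:
        end = stored_value.index("}")
        return stored_value[1:end].upper(), stored_value[end + 1:]
    return None, stored_value


def password_compare(configured_algorithm, stored_value, supplied_password):
    """Model of the password-compare method: hash the supplied password with
    the configured algorithm and compare it against the stored attribute.
    Returns False when the stored scheme differs from the configured one."""
    scheme, _ = split_scheme(stored_value)
    if scheme != configured_algorithm:
        return False
    expected = encode_userpassword(configured_algorithm, supplied_password)
    # Constant-time comparison of the two encoded values.
    return hmac.compare_digest(expected.encode("ascii"),
                               stored_value.encode("ascii"))


def validate_algorithm_setting(algorithm, types_property):
    """Check that ldap.auth.password.encryption.algorithm names one of the
    entries of the comma separated ldap.auth.password.encryption.algorithm.types."""
    allowed = [t.strip() for t in types_property.split(",") if t.strip()]
    return algorithm in allowed


if __name__ == "__main__":
    # Constructed sample: two accounts that were given the same password.
    stored_a = encode_userpassword("SHA", "Winter2009")
    stored_b = encode_userpassword("SHA", "Winter2009")
    print(stored_a, "identical:", stored_a == stored_b)
    print("compare ok:", password_compare("SHA", stored_a, "Winter2009"))
    print("setting ok:", validate_algorithm_setting("SHA", "MD5,SHA"))
```

Running the block shows that the two constructed accounts receive byte-for-byte identical userPassword values, which is the property of an unsalted digest that the bind method lets the directory worry about instead of the portal.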

Active Directory stores information about the user account as a series of bit fields in the UserAccountControl attribute.

If you want to prevent disabled accounts from logging into the portal you need to use a search filter similar to the following:


(&(objectclass=person)(userprincipalname=@email_address@)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

See the following links:

http://support.microsoft.com/kb/305144/

http://support.microsoft.com/?kbid=269181


ldap.auth.search.filter=(mail=@email_address@)
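The Active Directory filter above contains a bit test that is easy to misread. The following added example, which is not code from Web Space Server or Liferay, reproduces the filter's three conditions in Python and evaluates them offline against a few constructed entries, so that the effect of the 1.2.840.113556.1.4.803 bit-AND rule on the UserAccountControl value can be seen without a directory. The flag values come from the Microsoft article linked above; the escape_filter_value helper, the sample entries and their names are constructions of this example.

```python
# Added example: evaluates the Active Directory search filter from the guide
# offline against constructed entries. Not code from Web Space Server or Liferay.

# ACCOUNTDISABLE flag of userAccountControl; this is the "2" in the filter.
ACCOUNTDISABLE = 0x0002
# NORMAL_ACCOUNT, the usual base value of an enabled user account.
NORMAL_ACCOUNT = 0x0200
# DONT_EXPIRE_PASSWD, used below to show that extra bits do not hide the test.
DONT_EXPIRE_PASSWD = 0x10000
# LDAP_MATCHING_RULE_BIT_AND, the matching rule OID used in the filter.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def escape_filter_value(value):
    """Escape a value for use inside a filter (RFC 4515) so that the
    substituted e-mail address cannot change the filter's structure.
    This helper is an addition of the example, not a portal property."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_auth_search_filter(email_address):
    """Substitute @email_address@ in the filter quoted in the guide."""
    return (
        "(&(objectclass=person)"
        "(userprincipalname=%s)"
        "(!(UserAccountControl:%s:=%d)))"
        % (escape_filter_value(email_address), BIT_AND_RULE, ACCOUNTDISABLE)
    )


def is_disabled(user_account_control):
    """The bit-AND matching rule matches when every bit of the asserted
    value (here only ACCOUNTDISABLE) is set in the attribute, whatever the
    other bits are. A plain equality test against 2 or 514 would not."""
    return (user_account_control & ACCOUNTDISABLE) == ACCOUNTDISABLE


def matching_entries(entries, email_address):
    """Apply the filter's three conditions the way the directory would and
    return the names of the entries the portal would accept for login."""
    wanted = email_address.lower()
    accepted = []
    for entry in entries:
        classes = [c.lower() for c in entry["objectClass"]]
        if "person" not in classes:
            continue
        if entry.get("userPrincipalName", "").lower() != wanted:
            continue
        if is_disabled(entry["userAccountControl"]):
            continue
        accepted.append(entry["cn"])
    return accepted


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"cn": "alice", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userPrincipalName": "alice@example.com",
     "userAccountControl": NORMAL_ACCOUNT},                       # 512, enabled
    {"cn": "bob", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userPrincipalName": "bob@example.com",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},      # 514, disabled
    {"cn": "carol", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "userPrincipalName": "carol@example.com",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWD},
    {"cn": "staff", "objectClass": ["top", "group"],
     "userAccountControl": 0},                                    # not a person
]

if __name__ == "__main__":
    print(build_auth_search_filter("alice@example.com"))
    for who in ("alice", "bob", "carol", "staff"):
        print(who, matching_entries(SAMPLE_ENTRIES, who + "@example.com"))
```

Only alice is returned: bob is disabled, and carol is disabled even though her value of 66050 also carries the password-never-expires bit, which is exactly the case the bit-AND rule handles and an equality filter would miss.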

You can write your own class that extends com.liferay.portal.security.ldap.AttributesTransformer to transform the LDAP attributes before a user or group is imported to the LDAP store.


ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.AttributesTransformer

You can write your own class that extends com.liferay.portal.security.ldap.LDAPUser to customize the behavior for exporting portal users to the LDAP store.


ldap.user.impl=com.liferay.portal.security.ldap.LDAPUser

When a user is exported to LDAP and the user does not exist, the user will be created with the following default object classes.


ldap.user.default.object.classes=top,person,inetOrgPerson,organizationalPerson

When importing and exporting users, the portal will use this mapping to connect LDAP user attributes and portal user variables.


ldap.user.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership

When importing groups, the portal will use this mapping to connect LDAP group attributes and portal user group variables.


ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember
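The three properties above (the default object classes, the user mappings and the group mappings) are easier to reason about when applied to an entry. The following added example, which is not code from Web Space Server or Liferay, parses the property values exactly as given in the guide and applies them in both directions: importing a constructed LDAP user and group into portal variables, and exporting a portal user as a new LDAP entry carrying the default object classes. The parser, the import and export functions and the sample entries are constructions of this example and do not reproduce the portal's own import code.

```python
# Added example: parses the ldap.user.mappings, ldap.group.mappings and
# ldap.user.default.object.classes values from the guide and applies them to
# constructed entries. Not code from Web Space Server or Liferay.

# Property values as in the guide. java.util.Properties turns the \n escapes
# into newlines when it loads portal.properties, so the values are written
# here with real newlines, as the portal would see them after loading.
LDAP_USER_MAPPINGS = (
    "screenName=cn\npassword=userPassword\nemailAddress=mail\n"
    "firstName=givenName\nlastName=sn\njobTitle=title\ngroup=groupMembership"
)
LDAP_GROUP_MAPPINGS = "groupName=cn\ndescription=description\nuser=uniqueMember"
LDAP_USER_DEFAULT_OBJECT_CLASSES = "top,person,inetOrgPerson,organizationalPerson"


def parse_mappings(value):
    """Parse 'portalVariable=ldapAttribute' lines into a dict."""
    mappings = {}
    for line in value.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        portal_var, ldap_attr = line.split("=", 1)
        mappings[portal_var.strip()] = ldap_attr.strip()
    return mappings


def lookup_attribute(entry, name):
    """LDAP attribute names are case-insensitive; entries hold lists of values."""
    for attr, values in entry.items():
        if attr.lower() == name.lower():
            return values
    return None


def import_entry(entry, mappings):
    """Import direction: LDAP entry -> portal variables. Attributes missing
    from the entry are skipped; multi-valued attributes stay lists."""
    portal = {}
    for portal_var, ldap_attr in mappings.items():
        values = lookup_attribute(entry, ldap_attr)
        if not values:
            continue
        portal[portal_var] = list(values) if len(values) > 1 else values[0]
    return portal


def export_user(portal_user, mappings, default_object_classes):
    """Export direction: portal user -> attributes of a new LDAP entry, with
    the default object classes for a user that does not exist yet."""
    entry = {"objectClass": [c.strip() for c in default_object_classes.split(",")]}
    for portal_var, ldap_attr in mappings.items():
        if portal_var in portal_user:
            value = portal_user[portal_var]
            entry[ldap_attr] = list(value) if isinstance(value, list) else [value]
    return entry


# Constructed sample entries (not real directory data).
SAMPLE_LDAP_USER = {
    "cn": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "title": ["Engineer"],
    "groupMembership": ["cn=staff,ou=groups,dc=example,dc=com",
                        "cn=admins,ou=groups,dc=example,dc=com"],
}
SAMPLE_LDAP_GROUP = {
    "cn": ["staff"],
    "description": ["All staff"],
    "uniqueMember": ["uid=jdoe,ou=users,dc=example,dc=com",
                     "uid=asmith,ou=users,dc=example,dc=com"],
}

if __name__ == "__main__":
    user_map = parse_mappings(LDAP_USER_MAPPINGS)
    user = import_entry(SAMPLE_LDAP_USER, user_map)
    group = import_entry(SAMPLE_LDAP_GROUP, parse_mappings(LDAP_GROUP_MAPPINGS))
    print(user)
    print(group)
    print(export_user(user, user_map, LDAP_USER_DEFAULT_OBJECT_CLASSES))
```

The sample user has no userPassword attribute, so the password variable is simply absent after import, while the two groupMembership values come through as a list; on export the entry gets the four default object classes before any mapped attribute is added.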

Settings for importing users and groups from LDAP to the portal.


ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.import.user.search.filter=(objectClass=inetOrgPerson)
ldap.import.group.search.filter=(objectClass=groupOfUniqueNames)

Set either user or group as the import method. If set to user, the portal will import all users and the groups associated with those users. If set to group, the portal will import all groups and the users associated with those groups.

This value should be set based on how your LDAP server stores group membership information.


ldap.import.method=user
ldap.import.method=group

Settings for exporting users from the portal to LDAP. This allows users to modify their first name, last name, and so on in the portal and have that change get pushed to the LDAP server. This will only be active if the property ldap.auth.enabled is also set to true. New users and groups will be created at the specified DN.


ldap.export.enabled=true
ldap.users.dn=ou=users,dc=example,dc=com
ldap.groups.dn=ou=groups,dc=example,dc=com

Set this to true to use the LDAP server's password policy instead of the portal password policy.


ldap.password.policy.enabled=false

Set these values to be a portion of the error message returned by the appropriate directory server to allow the portal to recognize messages from the LDAP server. The default values will work for Fedora DS.


ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit