1 vote

I am configuring Liferay with my organization LDAP.

1. While configuring LDAP, I specify "ldap.security.principal" and "ldap.security.credentials" as my user id and password to authenticate against LDAP, and the test connection succeeds.

Are these mandatory attributes? In production, I will not be able to specify my own credentials in portal-ext.properties. Do I need a separate user created in LDAP to specify in portal-ext for production? I unfortunately do not have control over configuring LDAP, as it's an org LDAP.

Any pointers would help. Thanks.

1
You can also do an LDAP connection by mentioning a JNDI LDAP datasource in conf/config.xml. – Pramod S. Nikam

You also might have an LDAPListener created to read LDAP properties in your organization. – Pramod S. Nikam

Thanks for replying. Could you please elaborate? I am trying to understand the default user name and password we use to connect to LDAP for the first time. Do we really need some user to bind to LDAP first? I need functionality where the user should be authenticated and bound to LDAP at the time of logging into Liferay. – Mani

1 Answer

3 votes

There are several use-cases where you need a privileged system account for accessing the LDAP database.

Authentication

There are two basic methods how you can authenticate against LDAP:

  1. Do a BIND operation against LDAP - you need to know the user DN
  2. Do a password attribute comparison - you need to know the user DN, name of attribute with the password, attribute value encoding (e.g. plaintext, hashed, ...)

For both approaches you need to know the distinguished name of the target user:

  • Either you are able to construct the DN from credentials (e.g. cn={screenName},ou=Users,o=MyOrg) - which is not supported by Liferay AFAIK;
  • or you need to do LDAP SEARCH to find the right user DN... for that you need to have a system account.
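The two authentication approaches described above (construct the DN from the credentials, or search for the DN with a system account and then BIND as the user), as an added example that is not part of the answer. It runs against a constructed in-memory directory, so the DNs, the service account `cn=liferay-svc,...` and the ACL model (a `rights` set per entry) are all assumptions standing in for a real LDAP server. It also shows why the system account only needs search rights, and why the screen name must be escaped before it goes into the search filter:

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

BASE_DN = "ou=Users,o=MyOrg"
# Hypothetical service account: the DN/password you would put into
# ldap.security.principal / ldap.security.credentials (constructed values).
SERVICE_DN = "cn=liferay-svc,ou=ServiceAccounts,o=MyOrg"
SERVICE_PASSWORD = "svc-secret"


def _pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed in-memory directory standing in for the organisation's LDAP.
# "rights" models what the LDAP administrator's ACL grants each account:
# the service account may search, ordinary users may only bind.
DIRECTORY = {
    SERVICE_DN: {"userPassword": _pw_hash(SERVICE_PASSWORD), "rights": {"search"}},
    "uid=jdoe,ou=Users,o=MyOrg": {"uid": "jdoe", "userPassword": _pw_hash("jdoe-pass"), "rights": set()},
    "uid=asmith,ou=Users,o=MyOrg": {"uid": "asmith", "userPassword": _pw_hash("asmith-pass"), "rights": set()},
}


@dataclass
class Session:
    dn: str
    rights: set


def ldap_bind(dn: str, password: str):
    """BIND operation: a Session on success, None on unknown DN or wrong password."""
    entry = DIRECTORY.get(dn)
    if entry is None or not hmac.compare_digest(entry["userPassword"], _pw_hash(password)):
        return None
    return Session(dn=dn, rights=set(entry["rights"]))


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: user input can never change the shape of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value placed into a DN template."""
    return "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def filter_matches(filt: str, entry: dict) -> bool:
    """Evaluate a single equality filter such as (uid=jdoe) or (uid=j*) against an entry."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, pattern = m.groups()
    actual = entry.get(attr)
    if actual is None:
        return False
    # An unescaped '*' is a wildcard; an escaped one (\2a) is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual) is not None


def ldap_search(session: Session, base_dn: str, filt: str) -> list:
    """SEARCH under base_dn; only accounts granted search rights may do this."""
    if "search" not in session.rights:
        raise PermissionError(f"{session.dn} may not search {base_dn}")
    return [dn for dn, e in DIRECTORY.items() if dn.endswith("," + base_dn) and filter_matches(filt, e)]


def authenticate_search_then_bind(screen_name: str, password: str) -> bool:
    """What Liferay does: system account finds the user DN, then BIND as that user."""
    svc = ldap_bind(SERVICE_DN, SERVICE_PASSWORD)
    if svc is None:
        raise RuntimeError("service account credentials rejected; check ldap.security.*")
    hits = ldap_search(svc, BASE_DN, f"(uid={escape_filter_value(screen_name)})")
    if len(hits) != 1:          # zero or ambiguous matches both fail closed
        return False
    return ldap_bind(hits[0], password) is not None


def authenticate_dn_template(screen_name: str, password: str) -> bool:
    """The other approach: build the DN from the login name; no system account needed."""
    dn = f"uid={escape_dn_value(screen_name)},{BASE_DN}"
    return ldap_bind(dn, password) is not None
```

The `len(hits) != 1` check is what makes the filter escaping matter: a login name of `*` becomes `(uid=\2a)` and matches nobody, whereas the unescaped `(uid=*)` would return every user under the base DN. Note that the service account never needs the user's password and never needs write access unless LDAP export is turned on.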

Account Import & Export

Next to pulling user information right when the user authenticates, Liferay also offers LDAP import and export functionality. For obvious reasons you need to have a privileged system account to be able to search for users in LDAP and / or to write user entries.

TL;DR

Properties ldap.security.principal and ldap.security.credentials are mandatory (they can also be configured via the user interface). You will need to have a dedicated system account for Liferay in the LDAP for this.
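An added example of what the corresponding portal-ext.properties section looks like with a dedicated, read-only service account; it is not from the question or answer. The host, base DN and service account DN are hypothetical, and the key names follow the un-suffixed form used in the question (newer Liferay releases index the per-server keys, e.g. ldap.base.dn.0, so check the portal.properties of your version):

```properties
# Turn on LDAP authentication; keep portal accounts as a fallback while testing
ldap.auth.enabled=true
ldap.auth.required=false

# "bind" = BIND as the discovered user DN (no need to know the password
# attribute or its hashing); "password-compare" is the attribute comparison
ldap.auth.method=bind

# Search filter used with the service account to find the user's DN
ldap.auth.search.filter=(uid=@screen_name@)

# Hypothetical server and subtree; use ldaps:// (or StartTLS) so the
# service credentials and user passwords are not sent in the clear
ldap.base.provider.url=ldaps://ldap.example.org:636
ldap.base.dn=ou=Users,o=MyOrg

# Dedicated service account: ask the LDAP owners for an account that can only
# search/read under ldap.base.dn. Never a personal or administrative login.
ldap.security.principal=cn=liferay-svc,ou=ServiceAccounts,o=MyOrg
ldap.security.credentials=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# Export needs write rights for the service account; leave it off unless
# the LDAP owners have granted them
ldap.import.enabled=false
ldap.export.enabled=false
```

Because portal-ext.properties holds the service account password in plain text, restrict the file's permissions to the account that runs the portal and keep it out of version control.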