1
votes

I hope someone here can help me.

Liferay version: Liferay 7.0-ga4. Microsoft Active Directory on Windows Server 2008 R2.

I have managed to install and configure a CAS Server + LDAPS connection to my Active Directory. Authentication through CAS to my AD is working well, I can import users, user groups from AD into Liferay database.

The only thing which does not work is the password attribute: when I click on "Test LDAP Users" in the instance settings section, all attributes are well shown (screen name, name, mail, etc.) except the password. I have tried to map it with unicodePwd, or with userPassword, without success.

So I checked in the "attribute editor" section of my active directory (for any of my users) to see those attributes. And currently both unicodePwd and userPassword are "".

My goal is to be able to update active directory user's password from my Liferay portal.

When I try to update the user's password from Liferay portal/account settings, it shows me "Your request completed successfully", but I have an error in my console about export: Unable to execute transaction commit callback javax.naming.directory.NoSuchAttributeException: [LDAP: error code 16 - 00000057: LDAPErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data0, v1db1_].

So as I understand it, Liferay tells me that it cannot export this new password to Active Directory because no LDAP attribute matches the password. But I have no idea where the problem is, whether it is an Active Directory issue or a Liferay property that is not configured correctly.

If anyone has an idea, please let me know. Thanks in advance for reading this message,

Regards,

Axel.


2 Answers

1
votes

If I understand you correctly and you want to authenticate users in Liferay using CAS, you don't have to map the password from AD to Liferay, because it is not necessary for Liferay to store the password in the DB if you have only CAS auth. Just enable CAS in the Liferay settings and configure it properly. In the LDAP settings, in the password field, input cn or sAMAccountName. Liferay should handle everything for you.

0
votes

Thank you for your time and answers,

I have resolved it.

I really advise going to check this Microsoft AD + Liferay configuration web page, which describes exactly what you have to do and how to solve the problem. I wish I had found it earlier.

On the one hand: "@ Screen Name: If you just import users to Liferay, just map any field in AD, e.g. “sAMAccountName” (“sAMAccountName” is the user login name (pre-Windows 2000)) or “cn”; please make sure the field is unique in AD. But if you also want to export users to AD, just map screen name with cn, there’s no second choice." Yes, I've discovered that when exporting users into AD, Liferay will always take the attribute you've mapped with @screen_name@ to build the Distinguished Name and update/create the user. So apparently you have to map it with CN, otherwise the export cannot be done.

But on the other hand: "Take care that cn in AD is for “First Name + Last Name” by default, it contains whitespace, so it can’t be imported to Liferay as screen name. So you need to change it in AD." Yes, because Liferay will refuse to import users that have whitespace or characters other than ., -, _ in their LDAP CN attribute, since in the LR database it is going to be the screen name.

From here, if you have configured your LDAPS connection well, you can map the Liferay Password Attribute with unicodePwd and the password export works well (or userPassword, depending on your Active Directory configuration).

This second point is problematic though, because I cannot change the CN LDAP attribute of all 300+ users in my Active Directory to avoid whitespace. So I will continue to search for a solution (maybe a hook?). But on my test Active Directory it is working well.

I hope that Liferay will add some clarifications to their LDAP configuration page. I hope this post helps someone one day as well.

Regards,

Axel.
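As an added example (not code from the original post, from Liferay or from Microsoft), the following Python script checks which directory entries have a cn that Liferay would refuse as a screen name under the rule described in the answer above (whitespace or characters other than letters, digits, ., - and _), and shows the encoding Active Directory expects when a unicodePwd value is written over LDAPS (the password in double quotes, as UTF-16LE). The entries are constructed sample data; the regular expression is my reading of the rule in the answer, not Liferay's own validator.

```python
"""Check AD cn values against Liferay's screen-name rule and encode a unicodePwd value.

Added example, not part of the original post or of Liferay/AD tooling.
"""
import re

# Screen-name rule as described in the answer: letters, digits, '.', '-', '_' only
# (assumption: this regex is an approximation of Liferay's check, not its source).
SCREEN_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed sample entries, shaped like an LDAP search result for user objects.
SAMPLE_ENTRIES = [
    {"dn": "CN=Axel Dupont,OU=Users,DC=example,DC=local",
     "cn": "Axel Dupont", "sAMAccountName": "adupont"},
    {"dn": "CN=jsmith,OU=Users,DC=example,DC=local",
     "cn": "jsmith", "sAMAccountName": "jsmith"},
    {"dn": "CN=m.o'neil,OU=Users,DC=example,DC=local",
     "cn": "m.o'neil", "sAMAccountName": "moneil"},
]


def invalid_screen_name_entries(entries):
    """Return (dn, cn) for every entry whose cn would be rejected as a Liferay screen name."""
    return [(e["dn"], e["cn"]) for e in entries if not SCREEN_NAME_RE.match(e["cn"])]


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password the way AD requires for the unicodePwd attribute:
    the value wrapped in double quotes, encoded as UTF-16LE without a BOM.
    AD only accepts such a write over an encrypted (LDAPS) connection, which is
    why the LDAPS setup mentioned in the answer matters for password export."""
    return ('"' + password + '"').encode("utf-16-le")


if __name__ == "__main__":
    for dn, cn in invalid_screen_name_entries(SAMPLE_ENTRIES):
        print(f"cn {cn!r} cannot become a Liferay screen name: {dn}")
    print("unicodePwd bytes:", encode_unicode_pwd("Example-Pass-1").hex())
```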