Liferay Active Directory Integration

Followup to Linux Pro Mag article on Liferay integration

This section was omitted from the recent Linux Pro Mag article on Liferay:

… HOME STRETCH!!!

Now we have Liferay running in Tomcat and Apache is handing off web requests for Liferay to Tomcat using mod_jk. The next phase is Active Directory authentication. We will assume that you already have a Windows domain controller to tie in to.

First, download and install Jxplorer from www.jxplorer.org

Start Jxplorer and enter the following information into the connection dialog:

Host: 192.168.25.128

Protocol: LDAPv3

Base DN: DC=testdomain,DC=com

Level: User + Password

User DN: CN=liferay-access,CN=Users,DC=testdomain,DC=com

Password: liferay-access

Replace the host IP address with your AD server’s IP. Replace all instances of DC=testdomain,DC=com with your domain information. My Liferay user’s name is liferay-access and the account resides within the users container directly under testdomain.com in AD. Modify your User DN accordingly.

This was the most difficult part of the process for me when I first tried to get anything (non Microsoft) to use an AD server for LDAP authentication. The MMC snap-ins water down the technology to the point that you initially don’t have to understand LDAP object naming conventions to get up and running, or to manage a small domain. The complication comes in when you need to do any LDAP binding from a non-Microsoft platform.

Once you are able to successfully bind to your AD server using the Liferay account’s credentials, write down the information you used.
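The Jxplorer bind test above can also be scripted, which is handy when you want to re-check the service account after a password rotation or from a host with no GUI. The following is an added example, not code from the article, Jxplorer or Liferay: it builds an LDAPv3 simple BindRequest by hand (RFC 4511, BER-encoded) with only the Python standard library, sends it, and decodes the BindResponse result code. The host, port, bind DN and password are placeholders copied from the Jxplorer dialog above; replace them with your own.

```python
"""LDAPv3 simple-bind check for a service account, using only the standard
library (RFC 4511 BindRequest / BindResponse, BER-encoded by hand).

Added example; not from the article and not Liferay or Jxplorer code.
HOST, PORT, BIND_DN and PASSWORD are placeholders taken from the article's
Jxplorer dialog; replace them with your own values.
"""
import socket
import ssl

HOST = "192.168.25.128"                                   # placeholder from the article
PORT = 389                                                # 636 with use_tls=True for LDAPS
BIND_DN = "CN=liferay-access,CN=Users,DC=testdomain,DC=com"
PASSWORD = "liferay-access"                               # placeholder from the article


def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x8N plus N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_small_int(i: int) -> bytes:
    """INTEGER for 0..127, enough for messageID and the protocol version."""
    if not 0 <= i <= 127:
        raise ValueError("only 0..127 supported")
    return tlv(0x02, bytes([i]))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }."""
    bind = (ber_small_int(3)
            + tlv(0x04, dn.encode("utf-8"))          # name: LDAPDN (OCTET STRING)
            + tlv(0x80, password.encode("utf-8")))   # authentication: simple [0]
    return tlv(0x30, ber_small_int(message_id) + tlv(0x60, bind))


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                 # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(buf: bytes):
    """Return (resultCode, diagnosticMessage) from an [APPLICATION 1] BindResponse."""
    tag, msg, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = read_tlv(msg)
    tag, result, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(result)                  # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(result, pos)      # matchedDN
    _, diag, _ = read_tlv(result, pos)               # diagnosticMessage
    return int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def check_bind(host, port, dn, password, use_tls=False, timeout=5.0):
    """Send one simple bind and return the server's (resultCode, message).

    Over plain ldap:// on 389 the password crosses the network unencrypted,
    exactly as it does from Jxplorer; use_tls=True wraps the socket for
    LDAPS (port 636). resultCode 0 is success, 49 is invalidCredentials.
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(bind_request(1, dn, password))
        data = sock.recv(4096)
    return parse_bind_response(data)


if __name__ == "__main__":
    code, message = check_bind(HOST, PORT, BIND_DN, PASSWORD)
    print("bind result %d %s" % (code, message or "(ok)"))
```

A result code of 49 with an AD diagnostic message means the DN or password is wrong; anything other than 0 or 49 usually points at the DN being syntactically wrong for your forest, which is the part of the process the next paragraph describes as the hardest.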

Next, we will back up the Liferay database in case we need to quickly restore our settings. SSH into the Liferay server and run:

mysqldump lportal -u lportal -p > pre-ldap-dump.sql

Next, we will create the portal-ext.properties to contain all of our LDAP settings. For the configuration options, I relied heavily on the Liferay user forums. If you run into issues, especially with LDAP, that is the first place to go looking for a solution. The portal-ext.properties file is meant to override the settings in portal.properties. The portal.properties file resides under liferay-4.4.2/webapps/ROOT/WEB-INF/classes and contains the defaults for a ton of Liferay settings. Don’t see the file? It only exists there in the event you built Liferay from source. Why? Who knows. You can find portal.properties in the source tree under portal-impl/classes. If you intend to tweak Liferay further, it would be a good idea to place the portal.properties file in the liferay-4.4.2/webapps/ROOT/WEB-INF/classes directory and copy the values you want to change to the portal-ext.properties file in the same directory.

vi /opt/liferay/liferay-4.4.2/webapps/ROOT/WEB-INF/classes/portal-ext.properties

__see portal-ext.properties__

Tweak the information here to coincide with your LDAP settings. Again, thanks to the Liferay user forums for the great explanation for these values. Because the change we just made is to a Liferay configuration file, we must bounce the portal to see the results.

service liferay restart

If all is well, you should be able to log in using the test@liferay.com credentials and use the Directory Portlet to see the users and groups imported from Active Directory. Watch the catalina.out file for errors on startup with tail -f /opt/liferay-4.4.2/logs/catalina.out

portal-ext.properties

ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url=ldap://192.168.25.128:389
ldap.base.dn=dc=testdomain,dc=com
ldap.security.principal=liferay-access
ldap.security.credentials=liferay-access
ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA
#ldap.auth.search.filter=(cn=@screen_name@)
ldap.auth.search.filter=(mail=@email_address@)
ldap.user.mappings=screenName=sAMAccountName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=memberOf\nfullName=cn
#ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.group.mappings=groupName=cn\ndescription=description\nuser=member
ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=10
ldap.import.user.search.filter=(&(objectCategory=Person)(sAMAccountName=*))
ldap.import.group.search.filter=(objectCategory=Group)
ldap.import.method=user
#ldap.import.method=group
ldap.export.enabled=false
ldap.password.policy.enabled=false
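Two things in this file deserve a second look before it goes into production: the `@email_address@` / `@screen_name@` tokens in ldap.auth.search.filter are replaced with whatever the user typed at the login form, so the value has to be escaped per RFC 4515 before it lands in the filter, and several settings (ldap:// on 389, the cleartext service-account password, ldap.auth.required=false, an import filter that pulls in disabled accounts) trade security for convenience. The following added example, which is not Liferay's code and does not reproduce how Liferay itself parses the file, reads a subset of the properties above (embedded verbatim), unpacks the `\n`-joined mapping values, renders the auth filter with proper escaping, and lists those findings. The `userAccountControl` matching-rule filter it suggests is the standard AD bit-AND rule (OID 1.2.840.113556.1.4.803), not something from the article.

```python
"""Parse the LDAP section of portal-ext.properties, render the auth search
filter safely, and flag settings worth reviewing.

Added example; not Liferay's own code. PORTAL_EXT holds lines copied from
the article's file. A real Java properties loader turns the \\n escapes into
newlines before Liferay splits the mappings; here the raw file text is read
directly, so the split is on the literal two characters.
"""
import re

PORTAL_EXT = r"""
ldap.base.provider.url=ldap://192.168.25.128:389
ldap.base.dn=dc=testdomain,dc=com
ldap.security.principal=liferay-access
ldap.security.credentials=liferay-access
ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
#ldap.auth.search.filter=(cn=@screen_name@)
ldap.auth.search.filter=(mail=@email_address@)
ldap.user.mappings=screenName=sAMAccountName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=memberOf\nfullName=cn
ldap.group.mappings=groupName=cn\ndescription=description\nuser=member
ldap.import.user.search.filter=(&(objectCategory=Person)(sAMAccountName=*))
"""


def parse_properties(text: str) -> dict:
    """key=value lines; '#' lines and blanks are skipped (enough for this file)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_mapping(value: str) -> dict:
    """Liferay mapping values are portalField=ldapAttribute pairs joined by '\\n'."""
    pairs = (p for p in value.split("\\n") if p)
    return dict(p.partition("=")[::2] for p in pairs)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a login-form value cannot change the filter structure."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def render_auth_filter(props: dict, **fields: str) -> str:
    """Replace @token@ placeholders in ldap.auth.search.filter with escaped values."""
    def sub(match):
        name = match.group(1)
        if name not in fields:
            raise KeyError("no value supplied for @%s@" % name)
        return escape_filter_value(fields[name])
    return re.sub(r"@([a-z_]+)@", sub, props["ldap.auth.search.filter"])


def audit(props: dict) -> list:
    """Return (property, finding) pairs for settings a reviewer would question."""
    findings = []
    if props.get("ldap.base.provider.url", "").startswith("ldap://"):
        findings.append(("ldap.base.provider.url",
                         "bind password and imported attributes travel unencrypted; "
                         "use ldaps:// on 636 where the domain controller offers it"))
    if props.get("ldap.auth.required") == "false":
        findings.append(("ldap.auth.required",
                         "a failed LDAP bind falls back to the portal's own password check"))
    if props.get("ldap.security.credentials"):
        findings.append(("ldap.security.credentials",
                         "service-account password stored in cleartext; restrict file "
                         "permissions and give the account read-only rights in AD"))
    import_filter = props.get("ldap.import.user.search.filter", "")
    if "userAccountControl" not in import_filter:
        findings.append(("ldap.import.user.search.filter",
                         "matches disabled accounts too; add "
                         "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"))
    return findings


if __name__ == "__main__":
    props = parse_properties(PORTAL_EXT)
    print(parse_mapping(props["ldap.user.mappings"]))
    print(render_auth_filter(props, email_address="bob@testdomain.com"))
    for key, finding in audit(props):
        print("%s: %s" % (key, finding))
```

The escaping matters because the filter is built from the login form: with it, an address containing `*` or parentheses is matched literally instead of becoming a wildcard or a second filter clause, which is the same rule that applies when the commented-out `(cn=@screen_name@)` variant is used.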