Followup to Linux Pro Mag article on Liferay integration
This section was omitted from the recent Linux Pro Mag article on Liferay:
… HOME STRETCH!!!
Now we have Liferay running in Tomcat, and Apache is handing off web requests for Liferay to Tomcat using mod_jk. The next phase is Active Directory authentication. We will assume that you already have a Windows domain controller to tie into.
First, download and install JXplorer from www.jxplorer.org
Start JXplorer and enter the following information into the connection dialog:
Host: 192.168.25.128
Port: 389
Protocol: LDAPv3
Base DN: DC=testdomain,DC=com
Level: User + Password
User DN: CN=liferay-access,CN=Users,DC=testdomain,DC=com
Password: the liferay-access account's password
Replace the host IP address (192.168.25.128 here, the same AD server address that goes into ldap.base.provider.url later) with your AD server's IP. Replace all instances of DC=testdomain,DC=com with your domain information. My Liferay user's name is liferay-access and the account resides within the Users container directly under testdomain.com in AD. Note that Users is a container, hence CN=Users in the DN; an account placed in an organizational unit is named with OU= in that position instead. Modify your User DN accordingly.
This was the most difficult part of the process for me when I first tried to get anything (non-Microsoft) to use an AD server for LDAP authentication. The MMC snap-ins water down the technology to the point that you initially don’t have to understand LDAP object naming conventions to get up and running, or to manage a small domain. The complication comes in when you need to do any LDAP binding from a non-Microsoft platform.
Once you are able to successfully bind to your AD server using the Liferay account’s credentials, write down the information you used: host, port, base DN, bind DN and password are exactly what portal-ext.properties will need. The account only has to read user and group objects, so make it an ordinary, unprivileged domain user rather than a member of any administrative group; its password is going to sit in clear text in the portal configuration.
Next, we will back up the Liferay database in case we need to quickly restore our settings. SSH into the Liferay server and run:
mysqldump lportal -u lportal -p > pre-ldap-dump.sql
Next, we will create the portal-ext.properties file to hold all of our LDAP settings. For the configuration options, I relied heavily on the Liferay user forums. If you run into issues, especially with LDAP, that is the first place to go looking for a solution.
portal-ext.properties is meant to override the settings in portal.properties. The portal.properties file resides under liferay-4.4.2/webapps/ROOT/WEB-INF/classes and contains the defaults for a ton of Liferay settings. Don’t see the file? It only exists there in the event you built Liferay from source. Why? Who knows. You can find portal.properties in the source tree under portal-impl/classes. If you intend to tweak Liferay further, it would be a good idea to place the portal.properties file in the liferay-4.4.2/webapps/ROOT/WEB-INF/classes directory and copy the values you want to change to the portal-ext.properties file in the same directory.
Here is the portal-ext.properties used for this setup. The commented-out lines are the alternatives: logging in by screen name instead of e-mail address, a uniqueMember group attribute for non-AD directories, and importing group by group instead of user by user.
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url=ldap://192.168.25.128:389
ldap.base.dn=dc=testdomain,dc=com
ldap.security.principal=liferay-access
ldap.security.credentials=liferay-access
ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA
#ldap.auth.search.filter=(cn=@screen_name@)
ldap.auth.search.filter=(mail=@email_address@)
ldap.user.mappings=screenName=sAMAccountName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=memberOf\nfullName=cn
#ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.group.mappings=groupName=cn\ndescription=description\nuser=member
ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=10
ldap.import.user.search.filter=(&(objectCategory=Person)(sAMAccountName=*))
ldap.import.group.search.filter=(objectCategory=Group)
ldap.import.method=user
#ldap.import.method=group
ldap.export.enabled=false
ldap.password.policy.enabled=false
Tweak the information here to coincide with your LDAP settings. Again, thanks to the Liferay user forums for the great explanation of these values. A few of them deserve a second look before this goes anywhere near production. ldap.base.provider.url points at plain LDAP on port 389, so the service account’s bind password and every user’s password sent at login cross the network unencrypted; switch to ldaps:// on port 636 once the domain controller’s certificate is trusted by the Java runtime that Tomcat uses. ldap.security.credentials is stored in clear text in this file (and here it is simply the account name), so keep liferay-access an ordinary, unprivileged domain user with a real password, and make portal-ext.properties readable only by the user Tomcat runs as. ldap.auth.method=bind means a login is verified by binding to AD as that user, so the password=userPassword mapping and the encryption algorithm settings play no part in authentication; AD never returns userPassword anyway. ldap.auth.required=false lets a user who fails LDAP authentication fall back to a password stored in the Liferay database; set it to true once the LDAP path works if AD is to be the only authority. ldap.export.enabled=false and ldap.password.policy.enabled=false keep the portal from writing anything back to the directory, which is what you want for a read-only integration, and ldap.import.interval=10 re-syncs users and groups every ten minutes. Because the change we just made is to a Liferay configuration file, we must bounce the portal to see the results.
service liferay restart
If all is well, you should be able to log in with an AD user’s e-mail address (the mail attribute, which is what ldap.auth.search.filter matches on) and domain password, and use the Directory Portlet to see the users and groups imported from Active Directory. Watch the catalina.out file for errors on startup with
tail -f /opt/liferay-4.4.2/logs/catalina.out
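As an added example (my own code, not from the article or from Liferay), here is a small Python script that reads the portal-ext.properties listing above the way java.util.Properties would, expands the \n-separated ldap.user.mappings and ldap.group.mappings values, renders the authentication search filter for a sample login with RFC 4515 escaping, and lists the settings discussed above that a reviewer would question. SAMPLE_PROPERTIES is the article's listing embedded as a constructed input; the sample e-mail address and the wording of the findings are assumptions of mine.

```python
"""Added example (not Liferay code): read the ldap.* block of portal-ext.properties
the way java.util.Properties does, expand the mapping values, render the auth
filter for a sample login and list the settings a reviewer would question.
SAMPLE_PROPERTIES is the article's listing, embedded here as a constructed input."""
import re

SAMPLE_PROPERTIES = r"""
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.base.provider.url=ldap://192.168.25.128:389
ldap.base.dn=dc=testdomain,dc=com
ldap.security.principal=liferay-access
ldap.security.credentials=liferay-access
ldap.auth.enabled=true
ldap.auth.required=false
ldap.auth.method=bind
ldap.auth.password.encryption.algorithm=
ldap.auth.password.encryption.algorithm.types=MD5,SHA
#ldap.auth.search.filter=(cn=@screen_name@)
ldap.auth.search.filter=(mail=@email_address@)
ldap.user.mappings=screenName=sAMAccountName\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn\njobTitle=title\ngroup=memberOf\nfullName=cn
ldap.group.mappings=groupName=cn\ndescription=description\nuser=member
ldap.import.enabled=true
ldap.import.on.startup=true
ldap.import.interval=10
ldap.import.user.search.filter=(&(objectCategory=Person)(sAMAccountName=*))
ldap.import.group.search.filter=(objectCategory=Group)
ldap.import.method=user
ldap.export.enabled=false
ldap.password.policy.enabled=false
"""

_JAVA_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def unescape_java(value):
    """Undo the escapes java.util.Properties resolves on load: \\n, \\t, \\\\ and so on."""
    return re.sub(r"\\(.)", lambda m: _JAVA_ESCAPES.get(m.group(1), m.group(1)), value)


def parse_properties(text):
    """Minimal .properties reader: '#'/'!' comment lines are skipped, key and value
    split at the first '=' or ':', value unescaped. Enough for the listing above."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = unescape_java(m.group(2))
    return props


def parse_mappings(value):
    """ldap.user.mappings / ldap.group.mappings carry one portalField=ldapAttribute
    pair per line once the \\n escapes are resolved; return them as a dict."""
    pairs = {}
    for line in value.split("\n"):
        if "=" in line:
            field, attr = line.split("=", 1)
            pairs[field.strip()] = attr.strip()
    return pairs


def ldap_filter_escape(s):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in s)


def render_auth_filter(template, screen_name="", email=""):
    """Fill the @screen_name@ / @email_address@ placeholders with escaped values."""
    return (template.replace("@screen_name@", ldap_filter_escape(screen_name))
                    .replace("@email_address@", ldap_filter_escape(email)))


def audit(props):
    """Findings on the settings discussed in the article (wording is my own)."""
    findings = []
    if props.get("ldap.base.provider.url", "").startswith("ldap://"):
        findings.append("ldap.base.provider.url is plain ldap://: the bind password and "
                        "every user password cross the network in clear text; use ldaps://")
    if props.get("ldap.auth.required", "false").lower() != "true":
        findings.append("ldap.auth.required=false: a user who fails LDAP authentication "
                        "can still log in with a password held in the portal database")
    if props.get("ldap.security.credentials") == props.get("ldap.security.principal"):
        findings.append("ldap.security.credentials equals the principal: the service "
                        "account password is its own user name")
    principal = props.get("ldap.security.principal", "")
    if not any(ch in principal for ch in "=@\\"):
        findings.append("ldap.security.principal is a bare account name; if the bind "
                        "fails, use the full DN verified in JXplorer or user@domain")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(render_auth_filter(props["ldap.auth.search.filter"], email="jdoe@testdomain.com"))
    for finding in audit(props):
        print("-", finding)
```

Run it as a script to see the rendered filter and the findings for the listing above. The escaping in render_auth_filter is the check to keep in mind whatever the portal does internally: the value that replaces @email_address@ is data, and an unescaped * or ) in it would change the meaning of the filter sent to the domain controller.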