I am using Liferay 6.1 CE and I have the following issue related to the below blog
Ref: http://www.liferay.com/web/jonas.yuan/blog/-/blogs/6583930
I am trying to do LDAP auth and I am not supposed to import ldap user password and I would also like to use only ldap as auth source and not do liferay auth for second time.
These are my settings in portal-ext.properties:
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.referral=follow
ldap.base.provider.url=ldap://localhost:10389
ldap.base.dn=dc=example,dc=com
ldap.security.principal=uid=admin,ou=system
ldap.security.credentials=secret
auth.pipeline.enable.liferay.check=false
ldap.auth.enabled=true
ldap.auth.required=true
ldap.auth.method=bind
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
ldap.export.enabled=false
ldap.export.group.enabled=false
ldap.auth.search.filter=(mail=#email_address#)
ldap.user.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.user.custom.mappings=screenName=cn\npassword=userPassword\nemailAddress=mail\nfirstName=givenName\nlastName=sn
ldap.group.mappings=groupName=cn\ndescription=description\nuser=uniqueMember
ldap.import.user.search.filter=(objectClass=inetOrgPerson)
ldap.import.group.search.filter=(objectClass=groupOfUniqueNames)
ldap.password.policy.enabled=false
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=false
ldap.import.user.password.default=test
What is happening is , if I keep auth.pipeline.enable.liferay.check=false, then I am not able to login even using test#liferay.com user since he is not in ldap (others users also not able to login due to reason given in question 1 below). If I enable the property then the liferay does second validation after ldap and it fails since the password in ldap is different from the local dummy password(test) due to password not import setting.
Also, i have 2 separate questions.
When I load ldap props using this property file, then I can see it in the portalproperties table only after the test user logs in for the first time and goes to control panel (ldap page). If I don do this none of the other users able to do ldap auth (since the props file is not loaded to that portalproperties table)
Is there a way in liferay so that I can do only ldap auth and not create an liferay user
Almost two years late!! But in case that any other people find this thread, Liferay always passes the Auth Pipeline and , if passed, always checks the password again against its database unless
auth.pipeline.enable.liferay.check=false
In portal.properties . In that case, independently of the password stored in Liferay User_ table, the password would be checked only against the LDAP.
Sorry for being two years late!!
Related
In tomcat, I can setup security constraints that require certain resources to only be accessed by authorized users. The users are authenticated using either BASIC or FORM authentication, where a username and password is provided.
However, I'd also like to allow users to authenticate externally using an oauth provider. Is this possible?
Note that I can already pass all the information I need to acquire the access tokens for the user. From there I can get the username and other profile metadata.
But how do I then log the user into tomcat? The only way I can think to make this work is to take this username and create a tomcat account, maybe setting the access token as the password. Then I could do a tomcat login on behalf of the user, so she is locally authenticated. On subsequent logins I'd just update the password to the new access token.
But this seems like a hack, and when it comes to users and security I'd prefer to avoid hacks.
It looks like JASPIC might offer a solution for this? Unfortunately, it looks like it became available to tomcat starting at 8.5 but I'm stuck using 8.
Are there any other options?
Thanks!
I am configuring Liferay with my organization LDAP.
1.While configuring LDAP, I specify "ldap.security.principal" and "ldap.security.credentials" as my user id and password to authenticate against LDAP and test connection succeeds.
Are these mandatory attributes? As in production ,I will not be able to specify my own credentials in portal-ext.properties. Do I need separate user created in LDAP to specify in portal-ext for production? I unfortunately do not have control over configuring LDAP as its an org LDAP.
Any pointers would help. Thanks.
There are several use-cases where you need privileged system account for accessing the LDAP database.
Authentication
There are two basic methods how you can authenticate against LDAP:
Do a BIND operation against LDAP - you need to know the user DN
Do a password attribute comparison - you need to know the user DN, name of attribute with the password, attribute value encoding (e.g. plaintext, hashed, ...)
For both approaches you need to know the distinguished name of the target user:
Either you are able to construct the DN from credentials (e.g. cn={screenName},ou=Users,o=MyOrg) - which is not supported by Liferay AFAIK;
or you need to do LDAP SEARCH to find the right user DN... for that you need to have a system account.
Account Import & Export
Next to pulling user information right when the user authenticates Liferay offers also LDAP import and export functionality. For obvious reasons you need to have a privileged system account to be able to search for users in LDAP and / or to write user entries.
TL;DR
Properties ldap.security.principal and ldap.security.credentials are mandatory (they can be configured also via user interface). You will need to have a dedicated system account for Liferay in the LDAP for this.
I have a web application which is hosted on apache web server. And i have external java application which runs on tomcat integrated in this web application.
The apache is kerberized and I get the username of the person accessing it in the intranet. I want to use the same username and pass it on tomcat to check against ldap and authorize the user.
I was looking into JNDI realm which supports LDAP module. But the problem is I do not have access to the user's password. But I'm able to get the groups the user belongs to and based on that I want to authenticate the user.
So my question is will i be able to authenticate a user against Tomcat server via LDAP with just the username and not the password?
PS: Sorry there is no code or configuration that I can post at this point. The only resources i found implemented both username and password. I cannot kerberize the tomcat server because I have other issues in the network.
"I was looking into JNDI realm which supports LDAP module. But the problem is I do not have
access to the user's password. But I'm able to get the groups the user belongs to and based
on that I want to authenticate the user."
Once I was asked to write some code to do the very same thing. I found a way to make it work. However, although it seemed to work well enough with Internet Explorer which would automatically detect the Windows username (because my code was parsing some NTLM information that only Internet Explorer passes in as a header), in Firefox or any other browser the user would be presented with an authentication box and any username they typed in would be accepted! Its very insecure.
(Well, its not really true that only IE passes the header in. Only IE passes it in automatically; but Firefox also passes it in after someone gets the authentication box and types in any name they want. That's the problem.)
What I would suggest is writing a C#.NET service to do the authentication for real on a webserver that is IIS and has Integrated Authentication on. Then, redirect to the C# service when someone hits the Java site and the username session variable is null. Have the C# service save the info in a trusted/secure database including ip address and browser and redirect to the Java app which reads the db to validate IP address and browser and that the record was just created.
Edit: I just noticed you said your Apache is kerberized and already gets the Windows username, which may render the problem above about the unreliability of parsing the NTLM header null and void. In this case, if you can get the AD groups via LDAP you can authenticate the user in your webapp with your own code, but probably not using the official Tomcat authentication scheme. What is described above is just because my Tomcat is not paired with an Apache server but with a IIS server. So basically, its the same thing, except you won't need C#.
I need to know if a user entered correct login information to Microsoft Active directory
I want the user to enter username and password on an xpage and it should only return if these values was entered correctly or not.
I know I can use ldap requests and send in credentials but have not seen any working solutions for this.
I need to use java as the code should be able to run on non windows servers
There are a number of approaches you can take:
The easiest would be to link the AD to Domino using DirectoryAssistance and let users login using their AD credentials in the first place.
If IIS is running on the AD server you could send an HTTP request using the Apache HTTPClient (and basic authentication) and see what's coming back
The best working Java libraries are listed in the Apache Directory project. There you would do an LDAP query (e.g. the user herself)
Let us know which one works for you
You can use JNDI to access the Active Directory. There are a lot of ressources on the web on how to do this, for example have a look at http://mhimu.wordpress.com/2009/03/18/active-directory-authentication-using-javajndi/
You have tagged the question as XPage, do you want to do the authentication from inside domino? In that case the domino server could do the authentication.
Since I'm running Java with Tomcat6 as servlet container I found it appropriate to use the Tomcat JNDIRealm feature so that LDAP users can log into my site without any additional efforts. The LDAP server I'm using is OpenLDAP on Ubuntu.
On top of this I have the login page using form-based authentication over an https connection.
I found two very good examples of authentication users via LDAP, here and here, that both achieve what I feel I almost achieved. Why almost achieved?
When I attempt to login with the wrong credentials I'm appropriately sent to the <form-error-page>, login-failed.html in my case.
When my credentials are good and I authenticate successfully I start getting a 403 for all urls in the site. And I cannot remove the 403 error (not even for the login page!) unless I restart Tomcat.
I suspect the reason is because I don't have roles in the realm or other config files set up correctly. For the sake of brevity I put the relevant config files excerpts on pastebin:
Realm in Tomcat server.xml
Relevant tomcat-users.xml part
Relevant web.xml part
Basic LDAP structure, dashes indicate tree structure
Note that Tomcat-based auth works perfectly since the role is easily attached to the user in the tomcat-users.xml. Therefore I believe it's a problem in getting the role for an authenticated user from LDAP once it has been successfully been authenticated.
TL/DR
I have a config issue in connecting Tomcat to LDAP auth. User data fetched properly, but not the user's role. LDAP log messages available on request ;)
UPDATE: I pasted the LDAP data here.
That is correct. Your LDAP roles aren't being found by the JNDIRealm. You need to test your role search string outside Tomcat to ensure it yields what you think it should yield. As you haven't provided any LDAP details it isn't possible to comment further.
Putting a security-permission on the entire site with /* is a mistake. You need to exclude the login page and probably also the front page and the forgot-password page, maybe more, from requiring a role.