Export password ldap (openldap) on liferay not working - passwords

I have configured Liferay to authenticate against OpenLDAP. CAS, import and export are activated.
A user created in OpenLDAP can authenticate to the portal and is also imported into Liferay. It seems the importing process is OK.
When a user tries to modify an attribute other than the password, the data is modified in OpenLDAP.
The problem is when a user tries to modify their password. Liferay asks for the current password and the new one. It gives an error saying the credentials are incorrect.
If I try to modify the user's password with an administrator user, Liferay only asks for the new password. After that, the user whose password was changed by the admin user can log in with the new password. So it seems the password is modified correctly in OpenLDAP. If the user tries to modify the password again, Liferay says that everything was OK, but the user cannot authenticate with the new password, only with the old password.
After that, if I try to change the password again with the admin user, Liferay says that everything was OK, but the user now cannot authenticate with the new password.
I'm using Liferay 6.2 CE.
I have modified:
ldap.auth.method=password-compare
ldap.auth.password.encryption.algorithm=SHA
ldap.auth.method=bind
in portal-setup-wizard.properties, with several values, without success.
Any idea?
Thanks very much in advance.

Compare is not a best practice for LDAP in general.
"Bind is preferred by most vendors so that you don't have to worry about encryption strategies."
Also, there appears to be a bug in Liferay that may affect your version.
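
An added illustration of why a client-side compare is tied to the directory's hashing scheme while a bind is not; this is not code from the answer, Liferay or OpenLDAP. It assumes userPassword holds RFC 2307-style {SHA} or {SSHA} values, and the function names and sample password are constructed for the example.

```python
import base64
import hashlib
import hmac


def make_sha(password: str) -> str:
    """Unsalted {SHA} value: base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: bytes) -> str:
    """Salted {SSHA} value: base64(SHA-1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def naive_compare(password: str, stored: str) -> bool:
    """Client-side compare that assumes one fixed scheme (unsalted SHA)."""
    return hmac.compare_digest(make_sha(password).encode(), stored.encode())


def verify(password: str, stored: str) -> bool:
    """Scheme-aware check of a userPassword value ({SHA} and {SSHA} only)."""
    scheme, sep, b64 = stored.partition("}")
    if not sep or not scheme.startswith("{"):
        return False  # cleartext or malformed value: refuse rather than guess
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    name = scheme[1:].upper()
    if name == "SHA" and len(raw) == 20:
        expected, salt = raw, b""
    elif name == "SSHA" and len(raw) > 20:
        expected, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    else:
        return False
    actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, expected)


# Constructed sample values, not taken from any real directory.
SAMPLE_PASSWORD = "example-Passw0rd"
STORED_SHA = make_sha(SAMPLE_PASSWORD)
STORED_SSHA = make_ssha(SAMPLE_PASSWORD, salt=b"\x01\x02\x03\x04")

if __name__ == "__main__":
    for label, stored in (("{SHA}", STORED_SHA), ("{SSHA}", STORED_SSHA)):
        print(label, "naive:", naive_compare(SAMPLE_PASSWORD, stored),
              "scheme-aware:", verify(SAMPLE_PASSWORD, stored))
```

The fixed-scheme compare accepts the correct password only when the stored value happens to use the same unsalted scheme; with a bind, the server applies whatever scheme it stored and the client never needs to know it.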

Related

Change admin password alfresco share

I can't log in with my administrator user "admin" and I can't reset the password.
I tried to reset the password in the PostgreSQL database with this command:
UPDATE alf_node_properties SET string_value='f59601091e5cbb1dcf28bbb15a30c50b' WHERE node_id=4 and qname_id=12;
but it doesn't resolve the problem!
Are you using the correct Alfresco reset password method?
Things have changed since Alfresco 5.1, you might be doing it the wrong way.
You globally have three ways to do it:
Set a user with a known password as admin: in alfresco-global.properties set the alfresco_user_store.adminusername=username property
Configure the authentication component to accept all logins using org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl
Change the admin password in the DB (by following the instructions for the correct Alfresco version)

Grafana: Any way to integrate invite users with LDAP login

I am trying to configure Grafana for my organization. I was able to configure LDAP and MySQL database pretty easily but when I try to invite a new user to an org in Grafana, it always asks the user to join Grafana.
This would be an OK behavior if at that point Grafana would authenticate against LDAP. Instead, it creates a new user in its own database. This would lead to a conflict with LDAP in case the user's AD password changes.
This works perfectly when a user had previously logged in to Grafana. An invite sent afterwards would take the user directly to the login page.
Is it possible to do the same in case the user is not already registered in Grafana? I really want to avoid saving user credentials in Grafana database.
Any help would be appreciated. Thanks.
I am not a Grafana expert, but looking through the source code on GitHub it certainly seems that new user registration will not go through LDAP. This is obvious in the LDAP related configuration file where you see the read-only credentials needed to look up users in the LDAP directory. A read-only administrator in LDAP will not be able to create new users as this would be necessary during a registration step. The code also indicates that registration creates temporary users in the internal store.

Liferay login with internal users and ldap users

I want to customize login in Liferay 6.2. I have internal Liferay users and LDAP users. All users have a record in the Liferay user_ table. The differences are: internal users must change their password at first login and see the password reminder question.
LDAP users only log in with their password.
Actually, Liferay asks LDAP users to change their password and set a password reminder question. These users change their password, but at the next login, login is possible with the old LDAP password (correct). Liferay must not write to LDAP.
How can I remove the password change and password reminder question for LDAP users?
There's a password policy that you can set per organization. If you introduce a new organization for each of the groups (or just one might suffice as well) you can have individual password policies per organization.
In Password policies you can configure quite a lot of stuff, e.g. should passwords be changed on first login etc. You can also select the "LDAP Password Policy" in the LDAP configuration screen. I'm rarely working with password policies, thus it's hard to give detailed directions - let me know if this is sufficient or if you need more detailed pointers.

Liferay and user password during the export into OpenLDAP

I have a question about Liferay.
I have configured my system with Liferay + Jasig CAS Authentication and OpenLDAP.
I can authenticate my user correctly and I can import user accounts from LDAP (LDAP import).
I have also configured the user export to OpenLDAP, so now I can export an account when it is created.
In fact, I can see this new account in my OpenLDAP server.
When Liferay creates a new account, it generates a random password for this new account (for example 4hdsdsh) and the user receives an e-mail after the registration.
The problem is: in my OpenLDAP server this password does not seem to be equal to the one just generated by Liferay.
So the new user will never be able to authenticate into my Liferay (because I use CAS + LDAP).
I also found a funny/strange thing: if I modify this new password in Liferay (using an administrator account), I see this password correctly in my OpenLDAP server, and so the user can finally log into my Liferay.
I am not sure, but it seems that during user registration it is just exporting the fields entered by the user in the registration screen, and since the password is auto-generated after registration, it is not exported to LDAP and might be blank until the user has updated his password by logging in.
You can debug the class PortalLDAPExporterImpl.java and also watch the user details in LDAP via JXplorer to see what the password and user status are. If the password is blank, you could extend the class and add your logic to pass the auto-generated or a default password for the first-time case.
This is a bug of Liferay:
See following issue: https://issues.liferay.com/browse/LPS-43045

Liferay export user into Ldap: Password policy

I have this problem:
I have enabled Liferay to import and export users from/to OpenLDAP server.
When I create a user in Liferay I obtain this page:
So, I have created a new user and Liferay has assigned it a password (3zbPk6KA).
But if I try to log in with the new user (and the generated password), I obtain the error message of incorrect credentials. In the LDAP server I can see the new account, but the corresponding password seems to be different from the one generated by Liferay.
In the Java console I read this warning:
14:20:15,882 WARN [http-bio-8080-exec-6][LDAPAuth:208] Passwords do not match for userDN cn=myUser,ou=users,dc=myProject,dc=com
Any suggestions?
Had this problem too. What's your value for LDAP password policy and what's your Liferay version?
I think you have 2 options:
Disable the LDAP password policy, and if your Liferay version has no bug on exporting new users' autogenerated passwords, your scenario is supposed to work. Else, you'll have to create a patch/hook that sends that password to LDAP.
Enable the LDAP password policy, set up a fixed default LDAP password, and hook the login process, so that you inform the newly registered user (screen message + validation email) of her initial password. Note that there's still a security issue here, because of the fixed password, as someone could create accounts for other users if he knows their e-mails and tries to register before them.
You have to unmark "required" in controlpanel→portal→configuration→authentication→LDAP to di
I don't know why that specific scenario doesn't work. I have used Liferay 6.1 and know there are a number of bugs with the LDAP function of version 6.1. The problem that I faced was that checking "Use LDAP Password Policy" resulted in a user being created without a password.
However, if your password is being created in Liferay, you can turn off the export in the Liferay LDAP wizard and programmatically export users through a hook using Java LDAP lookup. I had to do it and it fixed a number of similar issues for me.
The link is below:
http://abhirampal.com/2014/12/20/liferay-ldap-export-to-active-directory-disabled-user-bug/