This article is a legacy article. It applies to previous versions of the Liferay product. While the article is no longer maintained, the information may still be applicable.
As many Liferay subscribers use Lightweight Directory Access Protocol (LDAP) to manage their users, this article is intended to address a variety of issues surrounding the Liferay-LDAP configuration. This includes import, LDAP in a cluster, indexing, multiple domains, and more.
Resolution
Frequently Asked Questions
When is an LDAP user imported into Liferay?
There are three ways that LDAP users can be imported into/updated in Liferay.
1. Import upon user logging into Liferay.
This setting is always on. For most users, this setting will be sufficient.
2. Mass import on startup (ldap.import.on.startup=true)
With this option selected, Liferay will update all users from LDAP when the portal starts up. This can be helpful in some cases, but keep in mind that with a large number of users this can make start-up a slower, more resource-intensive process.
3. Mass import on interval (ldap.import.interval=10)
As the name implies, this will allow the portal to constantly update users every x minutes. This can be helpful if you want all users constantly updated. Again, though, with a large number of users this can be extremely resource-intensive.
The above property is set to the default, that being 10 (minutes).
Note: It is recommended that users do not turn both interval and startup importing at the same time. This is likely to cause multiple imports at the same time (which is a highly undesirable occurrence).
LDAP in a Cluster
To avoid mass simultaneous imports (which can slow the system to a halt), cluster the quartz job with org.quartz.jobStore.isClustered=true, and disable "Import on Startup".
However, the Quartz property has been deprecated in Liferay Portal 6.1.x EE and 6.2.x EE.
Indexing Problems
If data in the index is not correct, this could cause issues with an LDAP import as Liferay checks for user information on the index before creating or updating user information. A likely symptom iof this would be a "NoSuchUserException" or duplicate screennames. Re-indexing will alleviate many of these issues.
How do I turn on logging for LDAP?
There are two methods for turning on logging for LDAP- the first is a temporary setting while the second will remain even after a server restart.
-
Temporary
a. Navigate to Control Panel -> Server Administration -> Log Levels. Find "com.liferay.portal.security.ldap" and change the Level to DEBUG. -
Permanent
Add / change the following value to your portal-log4j-ext.xml file<category name="com.liferay.portal.security.ldap"><priority value="DEBUG" /></category>
With option 2, the setting "sticks" during server restarts.
For more information on setting up a [symbolicNameOfBundle]-log4j-ext.xml file for modules see the article at Adjusting Module Logging.
Can I import LDAP users from multiple domains?