FAQ for LDAP on Liferay DXP

This article documents some of the most frequently asked questions regarding the use of Lightweight Directory Access Protocol (LDAP) to manage users in Liferay DXP. Specifically, the aim of this article regards common configuration issues that have arisen in this product version.


What's the difference between configuring the LDAP in Instance Setting versus the System Settings in the Control Panel?

Although most LDAP configuration can be done from Instance Settings, there are several configuration parameters that are only available in System Settings. In previous Liferay Portal versions, certain system scoped settings for LDAP were set in the portal.properties file and modified using a portal-ext.properties file. In Liferay DXP, modify the following settings in the System Settings:

  • LDAP Auth
  • LDAP Export
  • LDAP Import
  • LDAP Servers
  • System LDAP Configuration

Lastly, configurations made in the System Settings will control all instances up to a certain point. If Virtual Instance A was created before a change (e.g. Error password history keywords) was made in the System Settings, Virtual Instance A will not inherit those changes. Therefore, if Virtual Instance B was created after those changes, then Virtual Instance B (but not A) will have the updated Error password history keywords.

If a user has to update his password in DXP, how can the sys administrator update the LDAP? That is, if the password was changed, how does the listener retrieve the actual password (and not its hash)?

One solution is to build a custom module or portlet to pass in password changes made in the Control Panel to import into the LDAP server such as MS Active Directory. Because changes to the password must be done over SSL, the two servers must be configured to communicate over SSL. In the bnd.bnd file, enter the following:




The listener will retrieve the unencrypted password using this class:


What's the difference between the difference between Enable Import and Enable Import on Startup?

These are actually two different processes and should not be enabled at the same time. Each process is a massive use of CPU resources especially if there are tens of thousands (if not hundreds of thousands) users. Enable Import in general will import users from the LDAP server. Enable Import on Startup also imports users from the LDAP server whenever the server starts (or restarts).

Administrators should consider disabling Import in a clustered environment so that there are no massive imports whenever a node starts up.

1 人中有 1 人觉得有帮助