The first step, of course, is configuring, initializing and adding entries into the OpenLDAP directory as per the guide. We will utilize the example credentials presented herein to provide a consistent setup experience.
As with setting up any LDAP server, we will need to ensure that the Liferay server and the LDAP server are able to communicate, and that the port OpenLDAP listens on is open between the two.
Our configurations will be set in Liferay Portal > Control Panel > Portal Settings > Authentication > LDAP.
In order to integrate OpenLDAP with Liferay, make sure LDAP Enabled is checked on this page. For our test purposes, we will enable LDAP, which allows Liferay's single-user import: Liferay will not import all of the users from the LDAP server, but will import a user's information when that user attempts to sign on to the portal.
Mapping your OpenLDAP server to Liferay
Click on the Add button under "LDAP Servers" to add the LDAP server from which we would like to import the directory. This will bring us to a page where we can enter OpenLDAP's administrator account and map the attributes that will be imported for each user.
Since we are using values specific to OpenLDAP, select the OpenLDAP radio button and click the Reset Values button. This will populate the configurable fields and establish a common mapping.
1. Obtain the address of the machine housing the OpenLDAP server and the port number. In my example, I have assigned my OpenLDAP server's hostname as "openldaptest". We will use the URL ldap://openldaptest:389. In the Add LDAP page, we will enter this address as the Base Provider URL.
2. Obtain the Base DN that you would like Liferay to import from. The Base DN is the base distinguished name: the top-most level of the directory that you permit Liferay to search. My example Base DN will be dc=maxcrc,dc=com.
3. Enter the Principal (i.e. the LDAP server's administrative account, given as its full DN). I have configured my principal to be cn=Manager,dc=maxcrc,dc=com.
4. Under Credentials, enter the password for the Principal. My password is "Secret".
5. To ensure that a connection is being properly made, and that Liferay is able to communicate with the OpenLDAP directory as the principal, click on "Test LDAP Connection". If the server, port, Base DN and principal's credentials have been entered properly, you will notice a popup indicating that Liferay has successfully connected to the LDAP server. If this is the case, proceed with the rest of the instructions. If you receive a message that indicates that Liferay has failed to connect to the LDAP server, ensure that you have properly configured each field.
The fields in the "Users" section allow us to determine how users will be mapped. Since each LDAP user has particular attributes that make them unique, we are simply directing Liferay to pull this information when importing a user.
1. Authentication Search Filter is simply the search filter we will be using to "find" our users under the Base DN that we have specified. Please note that this search filter is very flexible, and can be configured so that users are searched for based on different tokens. In this demonstration, we will search for our users by email address. The field will read (mail=@email_address@). This tells Liferay to look in the OpenLDAP directory for entries whose "mail" attribute matches the address the user signs in with.
2. Import Search Filter specifies that the users to be imported must have a certain attribute assigned to them. For example, I want to find everyone under my Base DN that has the object class "inetOrgPerson". The search filter will read (objectClass=inetOrgPerson).
3. User Mapping
Generally speaking, user mapping is quite simple. In this portion of the LDAP configuration we specify which attributes Liferay will pick up from the LDAP server when creating a user.
Screen Name: This field allows you to map which LDAP attribute will identify the user's Liferay screen name. In our case, we will use "cn" which indicates that their common name will be used.
Password: This field allows you to map which LDAP attribute will identify the user's Liferay password. We will use "userPassword".
Email: This field allows you to map which LDAP attribute will identify the user's Liferay mail. We will use "mail".
Full Name: This allows you to map an attribute containing the user's full name to their Liferay account. This field is optional.
First Name: This allows you to map an attribute containing the user's given name (i.e. first name) to their Liferay account. In my example, this field is mapped to "givenName".
Middle Name: This allows you to map an attribute containing the user's middle name to their Liferay account. This field is optional.
Last Name: This allows you to map an attribute containing the user's surname or last name to their Liferay account. This is a required field. Traditionally, this field will be mapped to "sn".
Job Title: This allows you to map an attribute containing the user's job title to their Liferay account. I have set mine to "title".
Portrait: This field will allow you to import the user's Portrait based on whatever it is mapped to in their LDAP user listing.
Group: This allows you to map an attribute containing the user's Group to their Liferay account.
UUID: This allows you to map an attribute containing the user's UUID to their Liferay account.
Now that you have set up all of the desired fields, click "Test LDAP Users" in order to determine whether you are seeing the properly mapped users. If all goes well, proceed! If not, make sure to change the mappings to the proper mappings associated with your LDAP users.
The fields that follow under Groups allow us to determine how groups will be mapped.
a. Import Search Filter: This field tells Liferay which entries to identify as groups when importing, based on the attribute defined here. In my example, I have (objectClass=groupOfUniqueNames).
Group Name: When imported, what will the group be called? I have configured mine to be called by its cn. This field will read "cn".
Description: How will this group be described when it is imported into Liferay? If the group in your OpenLDAP directory has a description set in a particular attribute, we can map it to this field. Mine is set to "description".
User: This mapping deals with the question "Which users belong to this group?" My example is set to "uniqueMember".
The Export function allows you to set up where a created user is added to on the OpenLDAP directory (within the confines of the Base DN), and the object classes that are assigned to this user. It also allows you to do the same with groups. Please note that Exports must be enabled.
We're done setting it up! Let's see how it works.
Using a user that has been created in the LDAP server, "John Doe", with the email address email@example.com and userPassword 'test', we will sign into the portal. If the LDAP settings are properly configured, John will be able to log in to Liferay.
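As an added illustration (not part of the original guide and not Liferay's or OpenLDAP's own code), the following Python mock evaluates the settings configured above offline: the Authentication Search Filter with the login address substituted in, the Import Search Filter, the User Mapping and the Group Mapping, all against a constructed stand-in for the dc=maxcrc,dc=com directory. The John Doe entry's attributes, the "admins" group and the job title are constructed sample data, and the matcher handles only simple equality filters, so it is not a real LDAP client.

```python
import re
# Values from the guide above, assumed verbatim
BASE_DN = "dc=maxcrc,dc=com"
AUTH_FILTER = "(mail=@email_address@)"              # Authentication Search Filter
IMPORT_FILTER = "(objectClass=inetOrgPerson)"       # Import Search Filter, users
GROUP_FILTER = "(objectClass=groupOfUniqueNames)"   # Import Search Filter, groups
USER_MAPPING = {"screenName": "cn", "password": "userPassword", "emailAddress": "mail",
                "firstName": "givenName", "lastName": "sn", "jobTitle": "title"}
GROUP_MAPPING = {"groupName": "cn", "description": "description", "user": "uniqueMember"}

# Constructed stand-in for the directory contents: DN -> multi-valued attributes
DIRECTORY = {
    "cn=John Doe,dc=maxcrc,dc=com": {
        "objectClass": ["inetOrgPerson"], "cn": ["John Doe"], "sn": ["Doe"], "givenName": ["John"],
        "mail": ["email@example.com"], "userPassword": ["test"], "title": ["Engineer"]},
    "cn=admins,dc=maxcrc,dc=com": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["admins"], "description": ["Portal admins"],
        "uniqueMember": ["cn=John Doe,dc=maxcrc,dc=com"]},
}

def matches(attrs, equality_filter):
    # Evaluate one (attr=value) filter: decode \xx escapes, then compare case-insensitively
    attr, value = re.fullmatch(r"\((\w+)=(.*)\)", equality_filter).groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return any(name.lower() == attr.lower() and value.lower() in (v.lower() for v in vals)
               for name, vals in attrs.items())

def search(base_dn, ldap_filter):  # subtree search below base_dn, the scope Liferay uses
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and matches(attrs, ldap_filter)]

def find_user_for_login(email):
    # Substitute the login e-mail into the Authentication Search Filter. RFC 4515 escaping keeps
    # the typed value a literal; exactly one hit is required, otherwise the login fails.
    literal = re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), email)
    hits = search(BASE_DN, AUTH_FILTER.replace("@email_address@", literal))
    return hits[0] if len(hits) == 1 else None

def import_user(dn):
    # Mini "Test LDAP Users": Import Search Filter, required mapped fields, groups via uniqueMember
    if dn not in search(BASE_DN, IMPORT_FILTER):
        raise ValueError(f"{dn} does not match {IMPORT_FILTER}")
    attrs = DIRECTORY[dn]
    user = {field: attrs.get(attr, [None])[0] for field, attr in USER_MAPPING.items()}
    if not all(user[f] for f in ("screenName", "emailAddress", "lastName")):
        raise ValueError(f"{dn}: required mapped attribute missing")
    user["groups"] = [DIRECTORY[g][GROUP_MAPPING["groupName"]][0]
                      for g in search(BASE_DN, GROUP_FILTER)
                      if dn in DIRECTORY[g].get(GROUP_MAPPING["user"], [])]
    return user
```

Running find_user_for_login("email@example.com") followed by import_user on the returned DN walks through the same checks the login of John Doe exercises, and a filter or mapping typo shows up as an empty result or a ValueError rather than a silent blank field.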
1. Liferay is unable to communicate with the OpenLDAP server.
Solution: Check the Control Panel > Portal Settings > Authentication > LDAP > LDAP server configurations and ensure that your Liferay server is able to communicate with the LDAP server. Perform a ping from both servers to ensure that they are able to communicate with each other. If they are, please proceed to check if any firewall settings are blocking the designated port.
2. I'm not able to log in with OpenLDAP when "LDAP Required" is enabled.
Solution: Check the LDAP server configurations to ensure that the mappings are correct. As with the issue above, ensure that the Principal's credentials are set properly and that the address and port of the OpenLDAP server have not changed. Also ensure that your OpenLDAP slapd is running and configured properly.