This guide provides a detailed, beginner-friendly approach to integrating Liferay DXP 7.4 with an LDAP server for authentication and user management. It explains each step, highlights common pitfalls, and compares LDAP filters to help you optimize your configuration.
- Overview
- Prerequisites
- Step-by-Step Configuration
- Understanding LDAP Filters
- Troubleshooting
- Example Use Cases
Before you begin, ensure you have the following:
- Access to the Liferay Control Panel as an administrator.
- LDAP server details:
  - Base Provider URL: Address of your LDAP server (e.g., `ldap://your-ldap-server:389`).
  - Base DN: The distinguished name to use as the base (e.g., `dc=example,dc=com`).
  - Principal: A user with access to query LDAP (e.g., `cn=admin,dc=example,dc=com`).
  - Credentials: The password for the principal user.
- Knowledge of LDAP object classes and attributes (e.g., `sAMAccountName`, `userPrincipalName`, etc.).
- Log in to Liferay as an administrator.
- Navigate to Control Panel > Instance Settings > LDAP.
- Enable the LDAP configuration.
- Add a new LDAP server and fill in the following details:
  - Base Provider URL: `ldap://your-ldap-server:389`
  - Base DN: `dc=example,dc=com`
  - Principal: `cn=admin,dc=example,dc=com`
  - Credentials: The password for the principal.
- Save the configuration and proceed to testing.
Configure how Liferay maps its users to LDAP attributes:
- Go to User Mapping.
- Map the following attributes:
  - Screen Name: `sAMAccountName` (or another unique identifier).
  - Email Address: `userPrincipalName` or `mail`.
  - Password: `unicodePwd` (ensure your LDAP supports this).
  - Full Name: `cn`.
  - First Name: `givenName`.
  - Last Name: `sn`.
- Save the configuration.
Configure group synchronization if required:
- Go to Group Mapping.
- Map the following attributes:
  - Group Name: `cn`.
  - Description: `description` (optional).
  - Users: `member`.
- Add an Import Search Filter to filter specific groups: `(objectClass=group)`
To verify the connection between Liferay and your LDAP server:
- Click the Test LDAP Connection button in the Liferay LDAP settings.
- If the connection fails:
  - Check the LDAP server address, credentials, and Base DN for accuracy.
  - Ensure the LDAP server is reachable from the Liferay server (e.g., no firewalls blocking the connection).
- Use the Test LDAP Users button to verify that user synchronization settings are correct.
- If users are not being imported, adjust the User Import Filter. A basic filter example is `(objectClass=person)`.
- Use the Test LDAP Groups button to verify that group synchronization settings are correct.
- If groups are not being imported, adjust the Group Import Filter. A common filter example is `(objectClass=group)`.
LDAP filters allow you to control which users and groups are imported into Liferay. Here are some common filter examples:
- `(objectClass=person)`: every entry whose object class is `person`.
- `(&(objectClass=person)(sAMAccountName=username))`: the single `person` entry whose `sAMAccountName` is `username`.
- `(objectCategory=person)`: matches on the `objectCategory` attribute instead of `objectClass`.
- `(objectClass=group)`: every entry whose object class is `group`.
- `(&(objectClass=group)(cn=employees))`: only the group whose `cn` is `employees`.
- Verify the Base Provider URL, Base DN, and credentials.
- Ensure there are no firewall rules blocking the connection.
- Check the Liferay logs for specific error messages.
- Double-check your filters to ensure they are not too restrictive.
- Ensure that attributes like `sAMAccountName` or `cn` exist in your LDAP schema.
- Confirm that the Authentication Search Filter is correctly configured. A common example: `(&(objectClass=person)(sAMAccountName=@user_id@))`
- Import all users. User Filter: `(objectClass=person)`
- Import only the members of the `employees` group. User Filter: `(&(objectClass=person)(memberOf=cn=employees,dc=example,dc=com))`
- Import all groups. Group Filter: `(objectClass=group)`
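As an added example (not code from this guide or from Liferay), the following Python evaluates the filters from the filter examples, the Authentication Search Filter and the use cases above against a constructed three-entry directory, and shows the RFC 4515 escaping that the `@user_id@` substitution should apply so that a submitted user id is always compared as a literal value. It assumes a simplified filter grammar (and, or, equality, presence) that covers the forms on this page; the directory entries, `DIRECTORY`, and all function names are this example's own.

```python
import re

# Constructed sample directory (not real data): two people and one group.
DIRECTORY = [
    {"dn": "cn=alice,dc=example,dc=com", "objectClass": ["person"],
     "sAMAccountName": ["alice"], "memberOf": ["cn=employees,dc=example,dc=com"]},
    {"dn": "cn=bob,dc=example,dc=com", "objectClass": ["person"], "sAMAccountName": ["bob"]},
    {"dn": "cn=employees,dc=example,dc=com", "objectClass": ["group"], "cn": ["employees"]},
]

def escape_filter_value(value):
    # RFC 4515: '*', '(', ')', '\' and NUL become \XX escapes, so the user id stays a literal.
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_auth_filter(template, user_id):
    # Fill the @user_id@ placeholder of the Authentication Search Filter with an escaped value.
    return template.replace("@user_id@", escape_filter_value(user_id))

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s, i):
    # Parse one parenthesised item at s[i]: (&...), (|...) or (attr=value).
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    else:                                   # a bare "*" value means presence
        end = s.index(")", i)
        attr, _, val = s[i:end].partition("=")
        node, i = ("=", attr.lower(), val), end
    if s[i] != ")":
        raise ValueError("unbalanced filter at offset %d" % i)
    return node, i + 1

def _eval(node, entry):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_eval(k, entry) for k in node[1])
    values = entry.get(node[1], [])
    return bool(values) if node[2] == "*" else _unescape(node[2]) in values

def search(filter_text, directory=DIRECTORY):
    # DNs of the entries matching the filter; exact equality and presence tests only.
    node, _ = _parse(filter_text, 0)
    return [e["dn"] for e in directory if _eval(node, {k.lower(): v for k, v in e.items()})]
```

Running `search` with the use-case filters returns the expected DNs, and `build_auth_filter` with a user id of `*` produces `sAMAccountName=\2a`, which matches no entry instead of every one.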