Legacy Knowledge Base
Published Jun. 30, 2025

LDAP Related Queries

Written By

Kartik Singh

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How to articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  1. If the password is changed in Active Directory, will the user still be able to log in to DXP?
  2. If we delete the user from Active Directory, will the user still be able to log in to DXP?
  3. How are users imported/exported from the LDAP directory to the Liferay DB and vice versa?
  4. How can users be restricted to logging in only through LDAP?
  5. If we enable the Password Policy but do not enable LDAP, does the LDAP password policy work?
  6. During the process of import/export, will the passwords of the users also be imported or exported?

Environment

  • Liferay DXP 7.0
  • Liferay DXP 7.1
  • Liferay DXP 7.2
  • Liferay DXP 7.3
  • Liferay DXP 7.4
  • Liferay DXP Q3.1
  • Liferay DXP Q3.2

Resolution

1. If the password is changed in Active Directory, will the user still be able to log in to DXP?

  • Yes. If the password is changed in Active Directory, the user will still be able to log in to the portal. This is because when the user logs in to the portal for the first time, the user is imported from AD into the Liferay database. Since the authentication check is carried out against both Liferay and AD, the user can log in if the credentials match in either place.

2. If we delete the user from Active Directory, will the user still be able to log in to DXP?

  • Yes. If the user is deleted from Active Directory, the user's data is still stored in the Liferay database, because the user import takes place when the user logs in for the very first time (as mentioned above). Hence authentication happens against the Liferay DB.
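Because a user removed from Active Directory keeps a working Liferay account, it helps to reconcile the two user stores periodically. The following is an added example, not part of the original article or of Liferay's code: it compares a Liferay user export with an LDIF dump from AD and lists active Liferay accounts that are missing in AD. It goes beyond the deleted-user case in the text by also flagging accounts that are disabled in AD. The CSV columns (screenName, status), the account names and the LDIF content are constructed assumptions, and the parser does not handle folded lines or base64 ("::") values.

```python
# Constructed sample data; the CSV columns and account names are assumptions.
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled AD accounts

LDIF = """\
dn: CN=Alice Ng,OU=Staff,DC=example,DC=test
sAMAccountName: ang
userAccountControl: 512

dn: CN=Bob Roy,OU=Staff,DC=example,DC=test
sAMAccountName: BRoy
userAccountControl: 514
"""

LIFERAY_CSV = "screenName,status\nang,active\nbroy,active\ncdiaz,active\ndlee,inactive\n"


def parse_ldif(text):
    """Map lowercased sAMAccountName to True when the AD account is enabled."""
    accounts = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()] = value.strip()
        if "samaccountname" in attrs:
            uac = int(attrs.get("useraccountcontrol", "0"))
            accounts[attrs["samaccountname"].lower()] = not (uac & ACCOUNTDISABLE)
    return accounts


def stale_accounts(liferay_csv, ldif_text):
    """Return (screenName, reason) for active Liferay users gone from AD."""
    directory = parse_ldif(ldif_text)
    findings = []
    for row in csv.DictReader(io.StringIO(liferay_csv)):
        name = row["screenName"].lower()  # AD account names are case-insensitive
        if row["status"] != "active":
            continue  # already deactivated in Liferay, nothing to do
        if name not in directory:
            findings.append((name, "missing in AD"))
        elif not directory[name]:
            findings.append((name, "disabled in AD"))
    return findings

print(stale_accounts(LIFERAY_CSV, LDIF))
```

Each account reported is a candidate for deactivation in Liferay.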

3. How are users imported/exported from the LDAP directory to the Liferay DB and vice versa?

  • Enable Import: If you do not check the Enable Import option, the user import will happen when any user tries to log in for the very first time. If you do check the Enable Import option, the application checks at some defined interval for any new entry in the LDAP server and imports them, if any. This interval depends upon the value provided in the text box "Import Interval". By default, the text box has the value 10, which means Liferay will check the LDAP server for any new entries every 10 minutes.
  • Enable Export: Check this box to export user accounts to LDAP. A listener tracks changes made to the User object and pushes updates to the LDAP server whenever a User object is modified. Note that by default, fields such as lastLoginDate are updated on every login. When export is enabled, this causes the user to be exported every time the user logs in. You can prevent updates to users’ lastLoginDate fields from triggering LDAP user exports by setting the following property in your portal-ext.properties file: users.update.last.login=false

4. How can users be restricted to logging in only through the LDAP directory?

  • Check the "Required" check box under "Control Panel -> Configuration -> Instance Settings -> Security -> LDAP -> Authentication -> Required". With this setting, users can log in only through the LDAP directory and not with the Liferay DB.

5. If we enable the Password Policy but do not enable LDAP, does the LDAP password policy work?

  • The LDAP password policy would not work if LDAP were not enabled, as Liferay would not be able to pass authentication requests to LDAP. In addition, if the LDAP password policy is enabled (regardless of LDAP being enabled or not), the password policies at the company and user levels within the given company will be ignored.

6. During the process of import/export, will the passwords of the users also be imported or exported?

  • No, during this process, the passwords of users will not be imported from LDAP to Liferay and will not be exported from Liferay to LDAP. The remaining details will be imported/exported in this process.
