Legacy Knowledge Base
Published Jul. 2, 2025

How to prevent an AD user from logging into Liferay using the old password if LDAP authentication cannot be set to required

Written By

Laura Li

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How to articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

Issue

  • After the user changes the password in Microsoft Active Directory (AD), the user can still log into Liferay using the old password. Enabling the "Required" option resolves the issue, but users created manually in Liferay (not imported from AD) can no longer sign into Liferay.

Environment

  • Liferay DXP 7.3

Resolution

  • Enable the "Autogenerate User Password on Import" option

Additional Information

Here is the explanation for the three options:

"Enable User Password on Import"

"Autogenerate User Password on Import"

"Default User Password"

 

I. "Enable User Password on Import" option is enabled

Even if the LDAP scheduled import is enabled, the user's password is not imported into the Liferay database at the regularly configured import interval (10 minutes by default). The user's password is imported into the Liferay database only during user authentication.

  1. New user in Liferay

      An auto-generated password is stored in the database when Liferay imports the user from LDAP. The real LDAP password is synced in the database when the user signs into Liferay for the first time.

  2. Existing user in Liferay

      If the user changes the LDAP password, the new password will be stored in the Liferay database only after the user signs into Liferay with the new password. Before that, the user can still sign into Liferay with the old password.

II. "Enable User Password on Import" option is not enabled

Liferay will not import the user's password into the Liferay database, either during the scheduled import or during user authentication. Liferay will check whether "Autogenerate User Password on Import" is enabled.

  1. "Autogenerate User Password on Import" is enabled

      a. New user in Liferay

          An auto-generated password is stored in the database when Liferay imports the user from LDAP.

      b. Existing user in Liferay
          The auto-generated password will be updated at the configured import interval.

  2. "Autogenerate User Password on Import" is not enabled

      Because the Password field cannot have a NULL value, the value set in "Default User Password" is used and stored in the database.
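
The behaviour described above can be traced with a small model. This is an added example, not Liferay code: the class, the function names, and the sample accounts are constructed, and it assumes that when LDAP is not "Required" a failed LDAP check falls back to the password stored in the Liferay database, as the Issue section implies.

```python
import secrets

class PortalModel:
    """Simplified model of the three import options (plaintext for brevity)."""

    def __init__(self, import_password, autogenerate, ldap_required=False):
        self.import_password = import_password  # "Enable User Password on Import"
        self.autogenerate = autogenerate        # "Autogenerate User Password on Import"
        self.ldap_required = ldap_required      # LDAP "Required" option
        self.default_password = "Default-Pass-0"  # "Default User Password" (constructed)
        self.ldap = {}   # directory: user -> current AD password
        self.local = {}  # portal database: user -> stored password

    def scheduled_import(self):
        for user in self.ldap:
            is_new = user not in self.local
            if self.import_password:
                if is_new:  # the real password arrives only at first sign-in
                    self.local[user] = secrets.token_urlsafe(16)
            elif self.autogenerate:
                self.local[user] = secrets.token_urlsafe(16)  # replaced every run
            else:
                self.local[user] = self.default_password

    def sign_in(self, user, password):
        if self.ldap.get(user) == password:  # LDAP accepts the password
            if self.import_password:
                self.local[user] = password  # synced during authentication
            return True
        if self.ldap_required:
            return False  # no fallback: local-only users are locked out
        return self.local.get(user) == password  # fallback to portal database

def stale_password_accepted(import_password, autogenerate, ldap_required=False):
    """Return (old AD password still works, manually created user can sign in)."""
    p = PortalModel(import_password, autogenerate, ldap_required)
    p.ldap["alice"] = "Old-Pass-1"   # constructed AD account
    p.local["bob"] = "Local-Pass-1"  # constructed user created manually in the portal
    p.scheduled_import()
    p.sign_in("alice", "Old-Pass-1")  # first sign-in before the change
    p.ldap["alice"] = "New-Pass-2"    # password changed in AD
    p.scheduled_import()
    return p.sign_in("alice", "Old-Pass-1"), p.sign_in("bob", "Local-Pass-1")
```

With password import enabled the old password is still accepted; with autogeneration enabled it is rejected while the manually created user can still sign in; with "Required" both sign-ins fail.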

 

 
