Legacy Knowledge Base
Published Jul. 2, 2025

Connect to LDAP via VPN for Liferay Cloud

Written By

Ha Tang

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Liferay DXP supports LDAP connectivity, and Liferay Cloud provides VPN capabilities to connect to an on-premise network. In this article, we will outline the steps to have Liferay DXP in Liferay Cloud connect to an on-premise LDAP through VPN:

  • Install a VPN service in VPS Ubuntu
  • Populate an LDAP service in the VPS Ubuntu
  • Connect an environment in Liferay Cloud to a VPN server
  • Configure Liferay DXP to reach the LDAP server behind VPN

1. Install a VPN service in VPS Ubuntu

For testing purposes, we can rent a VPS somewhere and set up a VPN ourselves following these steps:

  1. Have an Ubuntu box in any cloud service, 18.04 LTS or similar.
  2. Follow the instructions in VPN Setup Example to install and configure the VPN. Either OpenVPN or IPSec works.

    Note: In step 8 of this guide, we’ll need to adjust the FORWARD rule to match the IP of the LDAP server. Take note of this in the steps below.
  3. For this, we’ll use IPSec with the help of StrongSwan in Ubuntu. When properly set up, run the following command to test it:
    sudo systemctl status strongswan

    It should report active (running), as below:

    strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
       Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2020-04-21 04:48:10 UTC; 2 days ago
     Main PID: 878 (starter)
        Tasks: 18 (limit: 1152)
       CGroup: /system.slice/strongswan.service
               ├─878 /usr/lib/ipsec/starter --daemon charon --nofork
               └─946 /usr/lib/ipsec/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0
    

    Since StrongSwan listens on UDP ports 500 and 4500, check that the VPS firewall allows them with this command:

    sudo ufw status numbered

    It should list the allowed ports, which must include two rows for the UDP ports:

    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] 500,4500/udp               ALLOW IN    Anywhere
    [ 2] OpenSSH                    ALLOW IN    Anywhere
    [ 3] 500,4500/udp (v6)          ALLOW IN    Anywhere (v6)
    [ 4] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
    
  4. At this point, you’ll have these pieces of information available: the VPN server IP (the VPS public IP), the VPN port (500), myuser, mypassword, and ca-cert.pem. We’ll use those in section 3 to connect to the VPN from Liferay Cloud.
  5. Be aware of the LDAP IP address, as we’ll need to define a firewall rule that forwards incoming connections to the LDAP server behind the VPN.

    For this example, the LDAP service runs inside the same VPS, which means we’ll need to forward the connection from the VPN private network 10.10.10.x to the local IP address of the VPS. So, we’ll get the local private IP with this command:
    ip addr
  6. Take note of the local IP on the NIC eth0, 10.15.0.5/16 (the private address, not the public one):
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 66:9b:11:0f:76:dd brd ff:ff:ff:ff:ff:ff
        inet 206.189.43.70/20 brd 206.189.47.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet 10.15.0.5/16 brd 10.15.255.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::649b:11ff:fe0f:76dd/64 scope link
           valid_lft forever preferred_lft forever
    
  7. Edit the FORWARD rule with this command:
    sudo nano /etc/ufw/before.rules
    
  8. Scroll to the second-to-last line, which contains the FORWARD rule. Replace:
    -s 10.10.10.0/24 with -s 10.15.0.0/16
    1. Press Ctrl+O to save, then Ctrl+X to close the file.
    2. Restart the firewall service with this command: sudo service ufw restart
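    As an added worked example (not part of the original article), the following Python script automates the lookup in steps 6 to 8: it parses the "ip addr" output, picks the single private address on eth0, and derives the network that goes into the FORWARD rule's -s option. The sample output is a constructed copy of the output shown above, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the lo/eth0 part of the "ip addr" output shown in step 6.
# eth0 carries both the public address and the private one we need.
SAMPLE_IP_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 66:9b:11:0f:76:dd brd ff:ff:ff:ff:ff:ff
    inet 206.189.43.70/20 brd 206.189.47.255 scope global eth0
    inet 10.15.0.5/16 brd 10.15.255.255 scope global eth0
    inet6 fe80::649b:11ff:fe0f:76dd/64 scope link
"""

IFACE_RE = re.compile(r"^\d+: ([^:\s]+):")   # "2: eth0: <BROADCAST,...>"
INET_RE = re.compile(r"^\s+inet (\S+)")       # "    inet 10.15.0.5/16 ..." (skips inet6)


def parse_ip_addr(text):
    """Return {interface: [IPv4Interface, ...]} parsed from 'ip addr' output."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = INET_RE.match(line)
        if m and current is not None:
            result[current].append(ipaddress.ip_interface(m.group(1)))
    return result


def private_source_network(text, iface="eth0"):
    """Pick the single RFC 1918 address on `iface`; return (ip, network CIDR).

    The IP is the Forwarding IP used in section 3; the network is the value for
    the -s option of the ufw FORWARD rule (step 8 replaces -s 10.10.10.0/24 with
    it). Refusing anything but exactly one private address prevents the public
    address from being forwarded by mistake.
    """
    candidates = [a for a in parse_ip_addr(text).get(iface, []) if a.ip.is_private]
    if len(candidates) != 1:
        raise ValueError(f"expected one private IPv4 on {iface}, found {len(candidates)}")
    addr = candidates[0]
    return str(addr.ip), str(addr.network)
```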

2. Populate an LDAP service in the VPS Ubuntu

We'll use ApacheDS as the LDAP service. These steps get the LDAP server running:

  1. ApacheDS needs a JRE/JDK to run. Have one installed before proceeding to the next steps.
  2. Download the zip file and upload it to the VPS via the scp command: apacheds-2.0.0.AM25-preloaded.zip
  3. This is ApacheDS with sample data pre-loaded. Unzip it, go to the bin folder, then run this command to start ApacheDS:
    ./apacheds run
    
  4. After starting ApacheDS successfully, verify there is a service listening on port 10389. Open another terminal instead of closing the current one, then run:
    netstat -ntpl
    

3. Connect an environment in Liferay Cloud to a VPN server

We will follow the instructions outlined in Connecting a VPN to Liferay Cloud and put in the VPN connection information.

  • Server Address: The VPS’s public IP address. It also needs a port; 500 is the default.
  • Account Name: The user name configured in the VPN server, myuser.
  • Password: The password to connect to the VPN server, mypassword.
  • Certificate: The certificate contents. Open ca-cert.pem in a text editor, copy the whole text, and paste it into this field.

We’ll also need to set up port forwarding on the same page. Fill in the following fields:

  • Forwarding IP: The LDAP server IP address behind the VPN, 10.15.0.5 (the local IP of the VPS we found above).
  • Forwarding Port: The LDAP server port behind the VPN. We’ll use the ApacheDS LDAP port 10389.
  • Local Hostname: Auto-generated as vpn. Note that “Local” here means local to Liferay Cloud.
  • Local Port: The VPN’s local port number. This field can be auto-generated, or we can choose any port. For example, we could use 33389. We’ll use this port to configure the LDAP server in Liferay DXP.

Below, you can see the inputs entered for this example:

Image_1.png


When connecting successfully, it should show something like this:

Image_2.png


4. Configure Liferay DXP to reach LDAP server behind VPN

Now, follow these steps to configure the LDAP server in Liferay DXP 7.2:

  1. Go to the web server address of the Liferay Cloud environment. Sign in to Liferay as an administrator.
  2. Go to Control Panel > Configuration > Instance Settings in the Menu.
  3. Select LDAP under the Security group.
  4. Select the Servers section, then click the Add button.
  5. Type ApacheDS LDAP via VPN for the Server Name.
  6. Type the following under the Connection heading:
    • Base Provider URL: ldap://vpn:33389
    • Base DN: dc=training,dc=liferay,dc=com
    • Principal: uid=admin,ou=system
    • Security Credential: secret
  7. Click on the Test LDAP Connection button to confirm Liferay can connect to the LDAP server.
    Image_3.png

Now we’ve verified that the LDAP connection works: Liferay DXP can reach the LDAP server behind the VPN server.

5. Configure Authentication using LDAP

Now, we’ll check some configurations that enable Liferay DXP to authenticate via the LDAP settings above:

  1. On the same Edit LDAP Server screen, scroll down to the Users section.
  2. Make sure the following fields are filled out properly:
    • Authentication Search Filter: (mail=@email_address@)
    • Import Search Filter: (objectClass=inetOrgPerson)
    • UUID: uuid
    • Screen Name: cn
    • Email Address: mail
    • Password: userPassword
    • First Name: givenName
    • Last Name: sn
    • Job Title: title
    • Group: groupMembership
    • Click on Test LDAP Users to confirm the fields are entered correctly. You should see a list of users which come from the LDAP directory.
      Added_Image_1.png
  3. Scroll to the Groups section.
  4. Check that the following fields are filled out properly:
    • Import Search Filter: (objectClass=groupOfUniqueNames)
    • Group Name: cn
    • Description: description
    • User: uniqueMember
  5. Click on the Test LDAP Groups button to confirm the fields are entered correctly. You should see the three groups listed as below:
    Added_Image_2.png
  6. Click Save to store configuration and go back to the Servers list.
  7. On Instance Settings > LDAP, select the General section.
  8. Check the Enable box to turn on LDAP authentication. Then click Save to persist.
    Added_Image_3.png
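    The Authentication Search Filter above is a template in which Liferay substitutes the login value for @email_address@. As an added example (not Liferay's own code), here is how such a template should be expanded so that the login value can only ever be matched literally: an RFC 4515 escape step plus a small structural check. The placeholder names other than @email_address@ and all function names are assumptions of this example.

```python
import re

# Placeholder names: @email_address@ is the one the page's filter uses;
# @screen_name@, @user_id@ and @company_id@ are assumed from Liferay's docs.
PLACEHOLDER_RE = re.compile(r"@(email_address|screen_name|user_id|company_id)@")

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so the filter can only match it literally."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template, **login):
    """Expand the placeholders in `template` with escaped values from `login`.

    With the page's template "(mail=@email_address@)" and the test user's
    email this yields "(mail=cbuckley@royalnavy.mod.uk)". re.sub never rescans
    substituted text, so the '@' inside the email is not taken for a placeholder.
    """
    def substitute(match):
        key = match.group(1)
        if key not in login:
            raise KeyError(f"no login value supplied for @{key}@")
        return escape_filter_value(str(login[key]))
    return PLACEHOLDER_RE.sub(substitute, template)


def assertion_count(ldap_filter):
    """Count attribute assertions, i.e. raw '(' characters, in a filter.

    For the page's single-assertion authentication filter this must stay 1
    whatever the login value contained; a higher count would mean the login
    value reached the filter unescaped and changed its structure.
    """
    return ldap_filter.count("(")
```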

Open another browser or an incognito window, then log in with cbuckley@royalnavy.mod.uk and its password; you should be able to log in to Liferay via LDAP authentication.

Added_Image_4.png
