Legacy Knowledge Base
Published Jul. 2, 2025

FAQ for LDAP on Liferay DXP

Written By

Justin Choi

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

This article documents some of the most frequently asked questions regarding the use of Lightweight Directory Access Protocol (LDAP) to manage users in Liferay DXP. Specifically, it addresses common configuration issues that have arisen in this product version.

Resolution

What's the difference between configuring LDAP in Instance Settings versus System Settings in the Control Panel?

Although most LDAP configuration can be done from Instance Settings, there are several configuration parameters that are only available in System Settings. In previous Liferay Portal versions, certain system scoped settings for LDAP were set in the portal.properties file and modified using a portal-ext.properties file. In Liferay DXP, modify the following settings in the System Settings:

  • LDAP Auth
  • LDAP Export
  • LDAP Import
  • LDAP Servers
  • System LDAP Configuration

Lastly, configurations made in System Settings control all instances only up to a certain point. If Virtual Instance A was created before a change (e.g. to Error password history keywords) was made in System Settings, Virtual Instance A will not inherit that change. If Virtual Instance B was created after the change, then Virtual Instance B (but not A) will have the updated Error password history keywords.

If a user has to update his password in DXP, how can the system administrator update the LDAP? That is, if the password was changed, how does the listener retrieve the actual password (and not its hash)?

One solution is to build a custom module or portlet that passes password changes made in the Control Panel on to the LDAP server, such as MS Active Directory. Because changes to the password must be done over SSL, the two servers must be configured to communicate over SSL. In the bnd.bnd file, enter the following:

Import-Package:\
    javax.net.ssl,\
    *

The listener will retrieve the unencrypted password using this method:

user.getPasswordUnencrypted()
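
One way the listener's write to the directory could look when the target is Active Directory (an added example, not code from this article or from Liferay). The class name AdPasswordSync, its method names and its parameters are hypothetical, and the clear-text value is assumed to come from user.getPasswordUnencrypted(). It uses only JDK JNDI classes and refuses any connection that is not ldaps://.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Hypothetical helper; a listener would pass it user.getPasswordUnencrypted(). */
public class AdPasswordSync {

    /** Active Directory expects unicodePwd as the password in double quotes, UTF-16LE encoded. */
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Replaces the user's password in AD; rejects any URL that is not ldaps://. */
    static void pushPassword(String url, String bindDn, String bindPassword,
            String userDn, String clearText) throws NamingException {
        if (clearText == null || clearText.isEmpty()) {
            return; // the update did not carry a new password
        }
        if (!url.toLowerCase().startsWith("ldaps://")) {
            throw new IllegalArgumentException("password sync requires ldaps://");
        }
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(clearText)))
            };
            ctx.modifyAttributes(userDn, mods);
        } finally {
            ctx.close(); // never log clearText or the encoded bytes
        }
    }

    public static void main(String[] args) {
        // Constructed sample value; runs offline, no directory needed.
        System.out.println(encodeUnicodePwd("Example#42").length + " bytes");
    }
}
```

The directory server's certificate must be trusted by the JVM running DXP, otherwise the ldaps:// connection fails during the TLS handshake.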

What's the difference between Enable Import and Enable Import on Startup?

These are actually two different processes and should not be enabled at the same time. Each process makes heavy use of CPU resources, especially if there are tens of thousands (if not hundreds of thousands) of users. Enable Import imports users from the LDAP server in general. Enable Import on Startup also imports users from the LDAP server whenever the server starts (or restarts).

Administrators should consider disabling Import in a clustered environment so that there are no massive imports whenever a node starts up.
