Legacy Knowledge Base
Published Jul. 2, 2025

Group mapping required for LDAP export

Written By

Liferay Support

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

This article addresses one issue for Active Directory users attempting to log in to the Liferay platform.

  1. Liferay is configured for use with an LDAP server, without the "Group" attribute mapped in the User section.
  2. LDAP export is enabled.
  3. The LDAP user "user1" is able to log in to Liferay.
  4. user1 joins a user group, "Group1".
  5. user1 tries to log in to Liferay using the same LDAP credentials.

Results:

The user is denied login and the following stack trace is logged:

com.liferay.portal.ModelListenerException: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - invalid type '']; remaining name 'cn=john.johnson,ou=Users,ou=test,dc=test-dev,dc=com'
at com.liferay.portal.model.UserListener.onAfterUpdate(UserListener.java:75)
at com.liferay.portal.model.UserListener.onAfterUpdate(UserListener.java:1)
at com.liferay.portal.model.BaseModelListener.onAfterUpdate(BaseModelListener.java:1)
at com.liferay.portal.service.persistence.impl.BasePersistenceImpl.update(BasePersistenceImpl.java:264)
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticate(UserLocalServiceImpl.java:5012)
at com.liferay.portal.service.impl.UserLocalServiceImpl.authenticateByEmailAddress(UserLocalServiceImpl.java:855)

Resolution

When LDAP export is enabled, a Liferay user's information is normally exported to the LDAP server at login. In this case, the user was in a user group in Liferay, so when that user tried to log in, Liferay tried to export the group that the user was in. Because the group setting was not mapped in Liferay, the export failed, and the login failed along with it.

The solution is to set the mapping for the users' groups in Settings -> Authentication -> LDAP -> (select the LDAP server). Under the User heading, select an appropriate mapping for the "Group" field (e.g. "memberOf").
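
A pre-flight check for the condition described above, as an added example that is not Liferay code: it flags a missing or blank "Group" mapping while export is enabled, and pulls the affected DN out of the error shown in the stack trace. The `field=attribute` line format, the `group` key and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: user mappings as "liferayField=ldapAttribute" lines.
# The line format and the field key "group" are assumptions for this example.
SAMPLE_MAPPINGS = """\
screenName=cn
emailAddress=mail
firstName=givenName
lastName=sn
group=
"""

# First line of the stack trace shown on this page.
SAMPLE_LOG = (
    "com.liferay.portal.ModelListenerException: "
    "javax.naming.directory.InvalidAttributeValueException: "
    "[LDAP: error code 21 - invalid type '']; remaining name "
    "'cn=john.johnson,ou=Users,ou=test,dc=test-dev,dc=com'"
)

# Signature of an export that sent an empty attribute type to the directory.
EMPTY_TYPE = re.compile(
    r"\[LDAP: error code 21 - invalid type ''\]; remaining name '([^']*)'"
)

def parse_mappings(text):
    """Return {field: attribute}, skipping blank lines and # comments."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field, _, attr = line.partition("=")
        mappings[field.strip()] = attr.strip()
    return mappings

def export_problems(mappings, export_enabled, required=("group",)):
    """List required fields that are absent or blank while export is on."""
    if not export_enabled:
        return []
    return [f for f in required if not mappings.get(f)]

def affected_entries(log_text):
    """DNs of entries whose export failed with an empty attribute type."""
    return EMPTY_TYPE.findall(log_text)
```
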
