Legacy Knowledge Base
Published Jul. 2, 2025

Disabling the Authentication System and Delegating It to an LDAP Server

Written By

Liferay Support

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

By default, the Liferay platform always uses its own authentication system that checks and validates the user password in its own database. Even if you enable LDAP settings and set it as required, the Liferay platform will always check and validate the user password in its own database before delegating it to the LDAP server.

In some cases, such as a custom application that imports users to the Liferay platform without a password, you may wish to disable this internal check so that passwords are checked only against the LDAP server.

Resolution

To turn off this check, use the following instructions. 

For Liferay Portal 6.1 EE GA2 and Below

Add the following properties in the portal-ext.properties file:

ldap.auth.enabled=true
ldap.auth.required=true
auth.pipeline.enable.liferay.check=false

The first two properties can also be set in the UI. Just go to: 

  1. Control Panel -> Portal Settings -> Authentication -> LDAP
  2. Check both the Enabled and Required checkboxes 

For Liferay Portal 6.1 EE GA3 and Above 

This behavior changed for Portal 6.1 EE GA3 and above with the introduction of LPS-28709. If the user successfully authenticates against LDAP, then the Liferay platform authentication will be skipped. Therefore, you do not need to set auth.pipeline.enable.liferay.check=false.

Adding the following two properties will be sufficient: 

ldap.auth.enabled=true
ldap.auth.required=true

These settings can be changed through the UI as well. 

Additional Information

If a user changes their password on LDAP, there is the possibility that they can still log in using their old password.

Here are two possible resolutions for this: 

  1. Add ldap.auth.required=true into portal-ext.properties or check the Required checkbox for LDAP Authentication by navigating to Control Panel → Portal Settings → Authentication → LDAP 

  2. Some LDAP servers have a grace period/count for when passwords are changed. This means that a user can log in with an old or expired password for a set period of time or a set number of instances after changing their password. For example, Novell eDirectory allows for "grace logins" by default (the default value is six). If this is the case, consider changing or disabling the grace period on the LDAP server side. 
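
One way to check a portal-ext.properties file against the settings described in this article, as an added example that is not Liferay's own code. The function names, the findings text and the defaults assumed for absent keys are assumptions; the parser ignores line continuations, and values set through the Control Panel UI are not visible to it.

```python
import re

# Assumed defaults when a key is absent from portal-ext.properties
# (not stated in the article; verify against your own portal.properties).
DEFAULTS = {
    "ldap.auth.enabled": "false",
    "ldap.auth.required": "false",
    "auth.pipeline.enable.liferay.check": "true",
}

def parse_properties(text):
    """Parse simple key=value / key:value lines; later entries override earlier ones."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text, ga3_or_later):
    """Return findings for LDAP-only password checking as the article describes it."""
    props = {**DEFAULTS, **parse_properties(text)}
    on = lambda key: props[key].lower() == "true"
    findings = []
    if not on("ldap.auth.enabled"):
        findings.append("ldap.auth.enabled is not true")
    if not on("ldap.auth.required"):
        findings.append("ldap.auth.required is not true: an old password may still work")
    if on("auth.pipeline.enable.liferay.check"):
        if not ga3_or_later:  # 6.1 EE GA2 and below need the check turned off explicitly
            findings.append("auth.pipeline.enable.liferay.check is not false")
    elif not (on("ldap.auth.enabled") and on("ldap.auth.required")):
        findings.append("Liferay check is off but LDAP is not both enabled and required")
    return findings

# Constructed sample file: the last line overrides the earlier ldap.auth.required.
SAMPLE = """\
# portal-ext.properties (constructed sample)
ldap.auth.enabled=true
ldap.auth.required=true
auth.pipeline.enable.liferay.check = false
ldap.auth.required=false
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, ga3_or_later=False):
        print("FINDING:", finding)
```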