Connecting to a User Directory

Configuring User Import and Export

The import/export settings configure mappings between LDAP and Liferay to match users between the two systems.

Finding Users in Your LDAP Directory

Authentication Search Filter: This filter locates the LDAP entry for the user who is logging in. By default, Liferay uses users’ email addresses as login names, so the default filter carries the @email_address@ placeholder. The placeholder must match the authentication type Liferay is configured to use, and the attribute on the left side must be the LDAP attribute that holds that login value.

(cn=@email_address@)
Note

If you changed Liferay’s authentication method to use screen names instead of email addresses, modify the search filter so it matches the entered login name: (cn=@screen_name@)
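How the placeholder substitution has to treat the entered login, shown as an added example that is not Liferay's code: the login value is escaped per RFC 4515 before it replaces the placeholder, so characters such as *, ( and ) are matched literally instead of changing the filter's structure, and a template whose placeholder does not fit the configured authentication type is rejected before any search is made. The function names are the example's own.

```python
# Added example, not Liferay's code: substitute a login value into an
# authentication search filter safely. The value is escaped per RFC 4515 so
# it can only ever be matched as data, never parsed as filter syntax.

# Characters that must be escaped inside an assertion value (RFC 4515, section 3).
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def placeholder_for(auth_type):
    """Placeholder the page documents for each Liferay authentication type."""
    return {"email_address": "@email_address@", "screen_name": "@screen_name@"}[auth_type]


def filter_matches_auth_type(template, auth_type):
    """True if the template carries the placeholder for this authentication type."""
    return placeholder_for(auth_type) in template


def build_auth_filter(template, auth_type, login):
    """Fill the authentication search filter for one login attempt.

    The template must use the placeholder for the configured authentication
    type; with the wrong placeholder the filter is sent literally, matches
    nothing, and every login fails, which is the mismatch the note above warns about.
    """
    if not filter_matches_auth_type(template, auth_type):
        raise ValueError(
            f"filter {template!r} lacks {placeholder_for(auth_type)}; "
            f"it does not match authentication type {auth_type!r}"
        )
    # Escape first, then substitute: a login such as *)(uid=* cannot widen the
    # search to other entries because its metacharacters are now literal.
    return template.replace(placeholder_for(auth_type), escape_filter_value(login))


if __name__ == "__main__":
    print(build_auth_filter("(cn=@email_address@)", "email_address", "joe.bloggs@example.com"))
    print(build_auth_filter("(cn=@screen_name@)", "screen_name", "*)(uid=*"))
```

The second call shows the point of escaping: the hostile-looking login becomes (cn=\2a\29\28uid=\2a), a filter that can only match an entry whose cn is literally that string, rather than a filter that matches every entry with a uid.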

Important

Liferay matches LDAP users to existing Liferay users by the configured authentication type (for example, email address or screen name). If that value changes in LDAP, Liferay may no longer recognize the user and can create a new user instead of updating the existing one.

To avoid duplicate users, use a stable identifier such as the LDAP UUID and configure the Import User Sync Strategy to UUID, with the corresponding UUID field mapped in the LDAP User Mapping.

Import Search Filter: Depending on the LDAP schema, there are different ways to identify the user. The default setting is usually fine:

(objectClass=inetOrgPerson)

If you want to search for only a subset of users or users that have different LDAP object classes, you can change this.

Mapping LDAP User Attributes to Liferay Fields

Next, define mappings from LDAP attributes to Liferay fields. Liferay requires five fields to recognize a user; the LDAP attribute that holds each field varies between directory servers:

  • Screen Name (e.g., uid or cn)
  • Password (e.g., userPassword)
  • Email Address (e.g., mail or email)
  • First Name (e.g., name or givenName)
  • Last Name (e.g., sn)
Note

If you intend to create or import users with no email addresses, set users.email.address.required=false in portal-ext.properties. Liferay then generates an address from the user ID plus the suffix defined in users.email.address.auto.suffix. Because these addresses are synthetic, do not use email address as the authentication type in this case.

To preserve group membership during user import, map the Group field (e.g., member). See Mapping LDAP Groups to Liferay User Groups for group configuration.

The other LDAP user mapping fields are optional.

The Control Panel provides default mappings for commonly used LDAP attributes. You can also add your own mappings.

Test LDAP Users: Once your attribute mappings are set up (see above), click the Test LDAP Users button. Liferay pulls users from LDAP with the import search filter, applies the mappings, and shows the result as a preview; you should see a list of users. If the list is empty or fields are missing, revisit the Import Search Filter and the mappings before saving.
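A model of the import step covered by the Import Search Filter, the attribute mappings, the auto-suffix email note and the sync-strategy warning above, as an added example that is not Liferay's code. It evaluates the filter against constructed LDAP entries, applies a mapping built from the attribute names the page lists, synthesises an address for an entry that has no mail attribute, and runs the same directory through the email and UUID sync strategies so the duplicate-user failure mode is visible. The entryUUID attribute and the suffix value are assumptions, as is the use of userId to build the synthetic address.

```python
# Added example, not Liferay's code: a model of the user import described
# above. It runs the Import Search Filter over constructed LDAP entries,
# applies the attribute mapping, synthesises the auto-suffix address for an
# entry without mail, and contrasts the email and UUID sync strategies.

EMAIL_AUTO_SUFFIX = "@no-emailaddress.com"  # stand-in for users.email.address.auto.suffix

# Liferay field -> LDAP attribute, using the attribute names the page lists.
# entryUUID is an assumption (OpenLDAP's operational UUID); Active Directory
# would use objectGUID instead.
USER_MAPPING = {
    "screenName": "uid",
    "password": "userPassword",
    "emailAddress": "mail",
    "firstName": "givenName",
    "lastName": "sn",
    "uuid": "entryUUID",
}

def ldap_entry(**attrs):
    """An entry with case-insensitive attribute names and list-valued attributes."""
    return {k.lower(): v if isinstance(v, list) else [v] for k, v in attrs.items()}

def _parse(f, i):
    """Parse the filter starting at f[i] == '(' -> (node, index after its ')')."""
    i += 1
    if f[i] in "&|!":                           # composite: (&...), (|...), (!...)
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)                         # simple item: (attr=value) or (attr=*)
    attr, _, value = f[i:j].partition("=")
    return ("=", attr.strip().lower(), value.strip()), j + 1

def matches(filter_str, entry):
    """Evaluate an RFC 4515 filter (equality, presence, &, |, !) against an entry."""
    def ev(node):
        op, rest = node[0], node[1:]
        if op in "&|":
            return (all if op == "&" else any)(ev(k) for k in rest[0])
        if op == "!":
            return not ev(rest[0][0])
        attr, value = rest
        values = entry.get(attr, [])
        return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)
    return ev(_parse(filter_str.strip(), 0)[0])

def map_user(entry, user_id, mapping=USER_MAPPING):
    """Apply the mapping to one entry to produce a Liferay user record."""
    user = {"userId": user_id}
    for field, attr in mapping.items():
        values = entry.get(attr.lower(), [])
        if field == "password":                 # never copy the LDAP hash onto the record
            user["hasPassword"] = bool(values)
            continue
        user[field] = values[0] if values else None
    if not user["emailAddress"]:                # users.email.address.required=false case
        user["emailAddress"] = f"{user_id}{EMAIL_AUTO_SUFFIX}"
    return user

def import_users(entries, import_filter, existing, strategy):
    """Sync filtered entries into a copy of the Liferay user list; strategy is "email" or "uuid"."""
    # "email" matches on the authentication value, "uuid" on the mapped UUID
    # field; only the latter survives an email change in LDAP.
    key = "emailAddress" if strategy == "email" else "uuid"
    users = [dict(u) for u in existing]
    by_key = {u[key]: u for u in users if u.get(key)}
    next_id = max((u["userId"] for u in users), default=20000) + 1
    for entry in entries:
        if not matches(import_filter, entry):
            continue
        incoming = map_user(entry, next_id)
        known = by_key.get(incoming[key]) if incoming[key] else None
        if known is not None:                   # recognised: update in place, keep userId
            known.update({k: v for k, v in incoming.items() if k != "userId"})
        else:                                   # unrecognised: a brand-new Liferay user
            users.append(incoming)
            if incoming[key]:
                by_key[incoming[key]] = incoming
            next_id += 1
    return users

# Constructed directory contents and Liferay state for the demonstration.
DIRECTORY = [
    ldap_entry(objectClass=["inetOrgPerson", "person"], uid="jbloggs",
               mail="joseph.bloggs@example.com", givenName="Joe", sn="Bloggs",
               userPassword="{SSHA}constructed", entryUUID="uuid-jbloggs"),
    ldap_entry(objectClass="inetOrgPerson", uid="svc.backup", givenName="Backup",
               sn="Service", userPassword="{SSHA}constructed",
               entryUUID="uuid-backup"),                           # no mail attribute
    ldap_entry(objectClass="person", uid="legacy", sn="Legacy"),   # excluded by the filter
]
# Liferay still holds the address jbloggs had before it was changed in LDAP.
EXISTING = [{"userId": 20101, "screenName": "jbloggs", "emailAddress": "joe@example.com",
             "firstName": "Joe", "lastName": "Bloggs", "uuid": "uuid-jbloggs"}]
IMPORT_FILTER = "(objectClass=inetOrgPerson)"

if __name__ == "__main__":
    for strategy in ("email", "uuid"):
        users = import_users(DIRECTORY, IMPORT_FILTER, EXISTING, strategy)
        print(strategy, [(u["userId"], u["screenName"], u["emailAddress"]) for u in users])
```

With the email strategy the run ends with two users named jbloggs, the stale one under the old address and a fresh one under the new address, which is exactly the duplicate the Important note describes. With the UUID strategy the existing user keeps its userId and simply receives the new address, and the service account without a mail attribute gets its synthetic address from the auto suffix in both runs. The filter evaluator also handles the compound forms you would use to narrow the import, such as (&(objectClass=inetOrgPerson)(!(mail=*))) to find entries that lack an address.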

Mapping LDAP Groups to Liferay User Groups

This section contains settings for mapping LDAP groups to Liferay user groups.

Import Search Filter: This is the filter for mapping LDAP groups to Liferay user groups. For example,

(objectClass=groupOfNames)

Enter the LDAP group attributes you want retrieved for this mapping. The following attributes can be mapped; Group Name and User are required, Description is optional.

  • Group Name (e.g., cn or o)
  • Description (e.g., description)
  • User (e.g., member)

Test LDAP Groups: Click the Test LDAP Groups button to display a list of the groups returned by your search filter.

Important

During sync, groups missing from Liferay are added based on LDAP membership data. Groups deleted in LDAP are not removed automatically; you must delete them manually in Liferay. When a group is renamed in LDAP, Liferay creates a group with the new name, transfers the user memberships to it, and removes the users from the group with the old name, which stays in Liferay until you delete it.
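What the group sync behaviour above leaves behind, as an added example that is not Liferay's code. It runs constructed LDAP groups against a table of user groups that earlier imports created, matches groups by name only, and assumes that a synced user's memberships are replaced by what LDAP reports, which is what the rename case implies. The rename detection in the report is a heuristic of the example, not something Liferay does.

```python
# Added example, not Liferay's code: a model of the group sync the page
# describes, over constructed LDAP groups and an existing table of user groups
# created by earlier imports. Groups are matched by name only, and a synced
# user's memberships are assumed to be replaced by what LDAP reports.

def sync_groups(ldap_groups, liferay_groups):
    """Both inputs map group name -> set of screen names.

    Returns (groups after sync, clean-up notes for the administrator).
    """
    synced = {name: set() for name in liferay_groups}     # nothing is ever deleted
    for name, members in ldap_groups.items():
        synced[name] = set(members)                       # added if missing; members follow LDAP
    notes = []
    for name in sorted(set(liferay_groups) - set(ldap_groups)):
        old_members = liferay_groups[name]
        # Heuristic only: a vanished group whose old membership reappears under
        # a new name looks like a rename, which leaves an empty group behind.
        renamed = [n for n, m in ldap_groups.items() if n not in liferay_groups and m == old_members]
        if renamed:
            notes.append(f"{name}: members moved to {renamed[0]}; delete the empty group manually")
        else:
            notes.append(f"{name}: no longer in LDAP; delete it manually")
    return synced, notes


# Constructed data: 'developers' was renamed to 'engineering' in LDAP,
# 'legacy-team' was deleted there, and 'ops' is new.
LDAP_GROUPS = {"engineering": {"jbloggs", "asmith"}, "ops": {"mchen"}}
LIFERAY_GROUPS = {"developers": {"jbloggs", "asmith"}, "legacy-team": {"asmith"}}

if __name__ == "__main__":
    groups, notes = sync_groups(LDAP_GROUPS, LIFERAY_GROUPS)
    for name, members in sorted(groups.items()):
        print(f"{name}: {sorted(members)}")
    print("\n".join(notes))
```

Treat each note as a review item rather than housekeeping: anything granted to the old group does not follow its members to the new one, and the empty group still exists with whatever was granted to it.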

Export

This section contains settings for exporting Liferay user data to LDAP.

Users DN: Enter the location in your LDAP tree where the users are stored. Liferay exports the users to this location.

User Default Object Classes: Users are exported with the listed default object classes. To find out what your default object classes are, use an LDAP browser tool such as Apache Directory Studio to locate a user and view the Object Class attributes stored in LDAP for that user.

Groups DN: Enter the location in your LDAP tree where the groups are stored. When Liferay does an export, it exports the groups to this location.

Group Default Object Classes: When a group is exported, the group is created with the listed default object classes. To find out what your default object classes are, use an LDAP browser tool such as Apache Directory Studio to locate a group and view the Object Class attributes stored in LDAP for that group.

When you’ve set all your options and tested your connection, click Save.

Note

If a user changes a value such as a password in Liferay, that change is written to the LDAP server, provided the account Liferay binds with has write permission on the affected attributes. Grant that account write access only to the attributes and subtrees that export actually needs; an import-only deployment does not need write access at all.

Now you know how to connect an LDAP server to Liferay and how to configure user import behavior, export behavior, and other LDAP settings. See LDAP Configuration Reference for more information on other configurable options.