Liferay Authorization

Question

I need to implement liferay authentication against organization LDAP. Once user successfully logs in I want user to be checked against a local group created in liferay.

For e.g. users in certain team should only be able to get into the application.As there is nothing in LDAP which distinguish these users from other users in LDAP ,I need to implement something locally in liferay.

When user logs in he/she should be authenticated against LDAP and then local liferay group should be looked up to check whether user is part of that group.This group should be configurable by liferay admin. Only when he/she is part of that group home page of application with data should be displayed.

Any pointers on this would help.Thanks.

Answer 1

One thing to remember is that there is already an LDAP Authenticator class in Liferay source LDAPauth.

If you want to log in to test@liferay.com, you can add it to your LDAP. (I realize this may break the requirements for the use of the LDAP). It is also common to create a special admin account for yourself/organization(in LDAP and Liferay) Simply revert to standard Liferay Authentication, log in to your test@liferay.com default admin, and make sure the Liferay-version of that user has correct GLOBAL Administrator role.

Also, You can add multiple authentications in your Liferay Authentication pipeline.

I am assuming you have added to portal-ext.properties(or hook properties override) the following line:

auth.pipeline.pre=com.YourLDAPAuthenticator

You may also have this line:

auth.pipeline.enable.liferay.check=false

You can keep Liferay check (set to true) and you can login with Liferay credentials for you default admin, but that is not recommended if you are not syncing Liferay and LDAP passwords - for all other Users.

In your custom Authenticator authenticateBy*() overrides, you can programmatically check the current user trying to log in, and you can retrieve the User from Liferay (UserLocalServiceUtil) and perform a few custom checks, only for one(or few) Users you do not want to store in LDAP.

Answer 2

Here is what I have understood:

1. Users are stored in LDAP.
2. The Users are not categorized in LDAP. No ldap groups exist.
3. So when you authenticate against LDAP all the Users present in LDAP will be logged-in to Liferay.
4. But what you want is that, only those Users who belong to a certain group in Liferay should be able to login and others should not.

If this is what you want then here are my few pointers:

1. The best thing would be to have groups in LDAP itself. In terms of maintenance this will be better, since authentication is already happening through LDAP. Here is how you can leverage Liferay with LDAP groups. Ofcourse if you went this approach you would need to manually assign the Users to each group through any LDAP client like LDAP admin or jExplorer.
2. But if this is not possible, then you can either group users through Organizations or UserGroups or may be a Site (with or without pages) in liferay.
3. After successful authentication from LDAP you can check whether the particular User belongs to the desired Organization or UserGroup or Site. You can use LoginPostAction hook for this purpose.
4. If the User is not a member of the desired group then you can log him out of the system and re-direct him to the login page or some other page as is your requirement.
5. You can also have a hook to prevent update and delete of the UserGroup or Organization or Site so that Admins don't accidentally delete or update the concerned group which might cause authentication failure.

Hope this helps, let me know if what I have understood is correct.