I googled many web pages, and they said all sorts of different things; in the end I thought to go and read portal.properties, and only then realised that what others write is not necessarily correct, or that I had misunderstood it.
Important notes:
1. There are 5 fields in the user mapping that must be mapped, otherwise you get an error:
- screenName
- password
- emailAddress
- firstName
- lastName
2. If LDAP is configured in the control panel, every LDAP setting in portal-ext becomes ineffective, so you have to pick one of the two (control panel or portal-ext).
3. If you want to invalidate the LDAP settings configured in the control panel, there is only one way:
find the portalpreferences table and delete the one record from it that matches the following:
plid=0
portletid=LIFERAY_PORTAL
the "preferences" field will start with "<portlet-preferences><preference><name>ldap.base.dn</name>"
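The two checks behind notes 1 and 2, as an added example that is not part of the original post and not Liferay code: it reads a portal-ext.properties fragment (handling the literal "\n" that portal.properties uses to separate mapping entries), reports which of the five required portal fields an ldap.user.mappings.N value leaves unmapped, and, given the "preferences" XML from the portalpreferences row described above, lists the portal-ext ldap.* keys that row silences. The property fragment, host names, DNs and the XML are constructed samples.

```python
"""Added example (not Liferay's own code): sanity checks for a Liferay LDAP
setup. All sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

# The five portal fields that every ldap.user.mappings.N must cover (from the post).
REQUIRED_USER_FIELDS = {"screenName", "password", "emailAddress", "firstName", "lastName"}

# Constructed portal-ext.properties fragment; note the literal \n separators
# inside the mapping value, exactly as the file encodes them.
PORTAL_EXT = r"""
# constructed sample, host names and DNs are made up
ldap.auth.enabled=true
ldap.import.enabled=true
ldap.base.provider.url.0=ldap://ldap.example.test:389
ldap.base.dn.0=dc=example,dc=test
ldap.user.mappings.0=screenName=cn\nemailAddress=mail\nfirstName=givenName\nlastName=sn\nuuid=entryUUID
"""

# Constructed sample of the "preferences" column of the portalpreferences row
# (plid=0, portletid=LIFERAY_PORTAL) that the control panel writes.
CONTROL_PANEL_PREFS = (
    "<portlet-preferences>"
    "<preference><name>ldap.base.dn</name><value>dc=corp,dc=example,dc=test</value></preference>"
    "<preference><name>ldap.base.provider.url</name>"
    "<value>ldap://dc1.corp.example.test:389</value></preference>"
    "</portlet-preferences>"
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    and the two characters backslash-n in a value become a newline."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")          # split at the FIRST '='
        props[key.strip()] = value.strip().replace("\\n", "\n")
    return props


def parse_user_mapping(value):
    """'portalField=ldapAttribute' entries (one per line) -> dict."""
    mapping = {}
    for entry in value.split("\n"):
        if "=" in entry:
            field, _, attr = entry.partition("=")
            mapping[field.strip()] = attr.strip()
    return mapping


def missing_required_mappings(props):
    """{N: [missing portal fields]} for every ldap.user.mappings.N key;
    indexes with a complete mapping are omitted."""
    result = {}
    for key, value in props.items():
        m = re.fullmatch(r"ldap\.user\.mappings\.(\d+)", key)
        if m:
            missing = sorted(REQUIRED_USER_FIELDS - parse_user_mapping(value).keys())
            if missing:
                result[int(m.group(1))] = missing
    return result


def control_panel_ldap_prefs(xml_text):
    """Name -> value of the ldap.* preferences stored by the control panel."""
    root = ET.fromstring(xml_text)
    return {
        pref.findtext("name", ""): pref.findtext("value", "")
        for pref in root.findall("preference")
        if pref.findtext("name", "").startswith("ldap.")
    }


def ignored_portal_ext_keys(props, cp_prefs):
    """Per note 2 of the post: once the control panel holds any LDAP
    preference, every ldap.* key in portal-ext is ignored."""
    if not cp_prefs:
        return []
    return sorted(k for k in props if k.startswith("ldap."))


if __name__ == "__main__":
    props = parse_properties(PORTAL_EXT)
    print("unmapped required fields:", missing_required_mappings(props))
    cp = control_panel_ldap_prefs(CONTROL_PANEL_PREFS)
    print("portal-ext keys silenced by the control panel:", ignored_portal_ext_keys(props, cp))
```

Run it before deleting anything: if `control_panel_ldap_prefs` returns a non-empty dict for the real row, the portal-ext values you are editing are not the ones in effect, which is the usual reason "portal-ext changes do nothing".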
Take a close look at portal.properties:
##
## LDAP
##
#
# Set the values used to connect to a LDAP store.
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.referral=follow
#
# Settings for com.liferay.portal.security.auth.LDAPAuth can be configured
# from the Admin portlet. It provides out-of-the-box support for Apache
# Directory Server, Microsoft Active Directory Server, Novell eDirectory,
# and OpenLDAP. The default settings are for Apache Directory Server.
#
# The LDAPAuth class must be specified in the property "auth.pipeline.pre"
# to be executed.
#
# Encryption is implemented by com.liferay.util.Encryptor.provider.class in
# system.properties.
#
ldap.auth.enabled=false
ldap.auth.required=false
#
# Set the page size for directory servers that support paging. This value
# needs to be 1000 or less for Microsoft Active Directory Server.
#
ldap.page.size=1000
#
# Set the number of values to return in each query to a multivalued
# attribute for directory servers that support range retrieval. The range
# size must be 1000 or less for Windows 2000 and 1500 or less for Windows
# Server 2003.
#
ldap.range.size=1000
#
# Set either bind or password-compare for the LDAP authentication method.
# Bind is preferred by most vendors so that you don't have to worry about
# encryption strategies.
#
ldap.auth.method=bind
#ldap.auth.method=password-compare
#
# Set the password encryption to use for comparing passwords during import
# and to use for encrypting passwords during export. Comparing passwords
# during import will only be used when the property "ldap.auth.method" is
# set to password-compare. If the encryption is set to NONE, which is the
# default value, passwords are considered as plain text. The SHA-512
# algorithm is currently unsupported.
#
#ldap.auth.password.encryption.algorithm=BCRYPT
#ldap.auth.password.encryption.algorithm=MD2
#ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm=NONE
#ldap.auth.password.encryption.algorithm=SHA
#ldap.auth.password.encryption.algorithm=SHA-256
#ldap.auth.password.encryption.algorithm=SHA-384
#ldap.auth.password.encryption.algorithm=SSHA
#ldap.auth.password.encryption.algorithm=UFC-CRYPT
#
# You can write your own class that implements
# com.liferay.portal.security.ldap.AttributesTransformer to transform the
# LDAP attributes before a user or group is imported to the LDAP store.
#
ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer
#
# Specify the settings for LDAP connections. Any property prefixed with
# "ldap.connection." will be passed to the LDAP context as an environment
# variable.
#
# To enable LDAP connection pooling, you have to set
# "ldap.connection.com.sun.jndi.ldap.connect.pool" to true and provide
# additional JVM system properties via the JVM start-up options via:
#
# java ... -Dcom.sun.jndi.ldap.connect.pool.maxsize=50 -Dcom.sun.jndi.ldap.connect.pool.timeout=10000
#
# See the following link:
# http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/jndi-ldap.html#POOL
#
ldap.connection.com.sun.jndi.ldap.connect.pool=true
ldap.connection.com.sun.jndi.ldap.connect.timeout=500
ldap.connection.com.sun.jndi.ldap.read.timeout=15000
#
# Settings for importing users and groups from LDAP to the portal.
#
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
#
# Set either user or group for import method. If set to user, the portal
# will import all users and the groups associated with those users. If set
# to group, the portal will import all groups and the users associated with those
# groups. This value should be set based on how your LDAP server stores
# group membership information.
#
ldap.import.method=user
#ldap.import.method=group
#
# Set the lock expiration time for LDAP import. By default, the expiration
# time is 1 day.
#
ldap.import.lock.expiration.time=86400000
#
# If set to true, the group filter will be applied, but only to groups in
# the specified base DN. If set to false, the filter will not be applied and
# all groups that are associated with the imported users will be imported
# regardless of the base DN.
#
ldap.import.group.search.filter.enabled=true
#
# Specify whether group DN lookups will be cached during LDAP import and
# login. If set to true, this will speed up LDAP import and login, but
# updates to group attributes will not be recognized until the cache entry
# expires. The cache size and timeout may be configured in the configuration
# file specified in the property "ehcache.single.vm.config.location".
#
ldap.import.group.cache.enabled=true
#
# Set this to true if the portal should automatically create a role per
# group imported from LDAP. The role will be assigned to the group so that
# users can automatically inherit that role when they are assigned to the
# group.
#
ldap.import.create.role.per.group=false
#
# Set these values to be a portion of the error message returned by the
# appropriate directory server to allow the portal to recognize messages
# from the LDAP server. The default values will work for Fedora DS.
#
ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit
#
# Set this to true to use LDAP's password policy instead of the portal
# password policy.
#
# If set to true, it is possible that portal generated passwords will not
# match the LDAP policy. See the "passwords.regexptoolkit.*" properties for
# details on configuring RegExpToolkit in generating these passwords.
#
ldap.password.policy.enabled=false
#
# Set this to false when the LDAP user's password should not be imported to
# the Liferay user.
#
ldap.import.user.password.enabled=true
#
# Set this to true to autogenerate passwords for users imported from
# LDAP.
#
# This property is only in use if the property
# "ldap.import.user.password.enabled" is set to false.
#
# If an LDAP password policy is enabled (see the property
# "ldap.password.policy.enabled"), the password will be generated using
# RegExpToolkit. Set the "auth.pipeline.enable.liferay.check" property to
# false to disable password checking by the portal's internal authentication
# (which is not compatible with LDAP), and set the "auth.pipeline.pre"
# property to com.liferay.portal.security.auth.LDAPAuth so that password
# checking will be delegated to the LDAPAuth authenticator.
#
# Note that enabling LDAP export, by setting the "ldap.export.enabled"
# property to true, may lead to overwriting the LDAP user's password with an
# autogenerated password.
#
ldap.import.user.password.autogenerated=false
#
# Set either screenName or plain text as the default password for the
# imported LDAP user. Setting the value to screenName will use the user's
# screen name as the password for the imported LDAP user. Setting the value
# to any other plain text value will use that value as the password for the
# imported LDAP user.
#
# This property is only in use if the properties
# "ldap.import.user.password.enabled" and
# "ldap.import.user.password.autogenerated" are both set to false.
#
ldap.import.user.password.default=test
#ldap.import.user.password.default=screenName
#
# Settings for exporting users from the portal to LDAP. This allows a user
# to modify his first name, last name, etc. in the portal and have that
# change pushed to the LDAP server. This setting is not used unless the
# property "ldap.auth.enabled" is set to true.
#
ldap.export.enabled=false
#
# Set this to true if groups and their associations should be exported from
# the portal to LDAP. This setting is not used unless the property
# "ldap.auth.enabled" is set to true.
#
ldap.export.group.enabled=true
#
# Set the values used to connect to a LDAP store.
#
# The list of properties must end with a subsequent integer (0, 1, etc.) and
# it is assumed that the list has reached an end when the pattern or
# replacement is not set.
#
#ldap.base.provider.url.0=ldap://localhost:10389
#ldap.base.dn.0=dc=example,dc=com
#ldap.security.principal.0=uid=admin,ou=system
#ldap.security.credentials.0=secret
#
# Active Directory stores information about the user account as a series of
# bit fields in the UserAccountControl attribute.
#
# If you want to prevent disabled accounts from logging into the portal you
# need to use a search filter similar to the following:
# (&(objectclass=person)(userprincipalname=@email_address@)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
#
# See the following links:
# http://support.microsoft.com/kb/305144/
# http://support.microsoft.com/?kbid=269181
#
#ldap.auth.search.filter.0=(mail=@email_address@)
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal contact attributes.
#
# See com.liferay.portal.model.ContactModel for a list of attributes.
#
#ldap.contact.mappings.0=aimSn=\nbirthday=\nfacebookSn=\nicqSn=\njabberSn=\njobTitle=\nmsnSn=\nmySpaceSn=\nskypeSn=\nsmsSn=\ntwitterSn=\nymSn=
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal contact's custom attributes.
#
#ldap.contact.custom.mappings.0=
#
# When a user is exported to LDAP and the user does not exist, the user will
# be created with the following default object classes.
#
#ldap.user.default.object.classes.0=top,person,inetOrgPerson,organizationalPerson
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal user attributes.
#
# See com.liferay.portal.model.UserModel for a list of attributes.
#
#ldap.user.mappings.0=emailAddress=mail\nfirstName=givenName\ngroup=groupMembership\njobTitle=title\nlastName=sn\npassword=userPassword\nscreenName=cn\nuuid=uuid\n
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal user's custom attributes.
#
#ldap.user.custom.mappings.0=
#
# Set the user attributes that are controlled from the portal. When adding
# or updating a user from LDAP, these attributes will be skipped.
#
ldap.user.ignore.attributes=
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn
#
# When a group is exported to LDAP and the group does not exist, the group
# will be created with the following default object classes.
#
#ldap.group.default.object.classes.0=top,groupOfUniqueNames
#
# When importing groups, the portal will use this mapping to connect LDAP
# group attributes and portal user group attributes.
#
#ldap.group.mappings.0=description=description\ngroupName=cn\nuser=uniqueMember
#
# Settings for importing users and groups from LDAP to the portal. These
# settings are not used unless the property "ldap.import.enabled" is set
# to true.
#
#ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
#ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)
#
# New users and groups will be created at the specified DN. This will only
# be active if the property "ldap.auth.enabled" and "ldap.export.enabled"
# are set to true.
#
#ldap.users.dn.0=ou=users,dc=example,dc=com
#ldap.groups.dn.0=ou=groups,dc=example,dc=com
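The two authentication search filters quoted in the properties above, the default `(mail=@email_address@)` and the Active Directory one that excludes disabled accounts, evaluated against constructed directory entries. This is an added example, not Liferay code: it emulates only the filter clauses those two templates use, the entries and DNs are made up, and the `@email_address@` substitution with RFC 4515 escaping is an assumption about what a safe substitution should do, not a statement about Liferay's implementation.

```python
"""Added example (not Liferay's own code): evaluate the two search filters
from portal.properties against constructed AD-style entries."""

# Microsoft's ACCOUNTDISABLE flag in userAccountControl. The OID in the
# filter, 1.2.840.113556.1.4.803, is AD's bitwise-AND matching rule: the
# clause matches when (attribute & mask) == mask.
ACCOUNTDISABLE = 0x0002

DEFAULT_FILTER = "(mail=@email_address@)"
AD_FILTER = ("(&(objectclass=person)(userprincipalname=@email_address@)"
             "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")

# Constructed entries: attribute names lower-cased, values kept as strings.
ENTRIES = [
    {"dn": "CN=alice,OU=Users,DC=corp,DC=example,DC=test",
     "objectclass": ["top", "person", "user"],
     "mail": ["alice@corp.example.test"],
     "userprincipalname": ["alice@corp.example.test"],
     "useraccountcontrol": ["512"]},      # NORMAL_ACCOUNT
    {"dn": "CN=bob,OU=Users,DC=corp,DC=example,DC=test",
     "objectclass": ["top", "person", "user"],
     "mail": ["bob@corp.example.test"],
     "userprincipalname": ["bob@corp.example.test"],
     "useraccountcontrol": ["514"]},      # NORMAL_ACCOUNT | ACCOUNTDISABLE
    {"dn": "CN=carol,OU=Users,DC=corp,DC=example,DC=test",
     "objectclass": ["top", "person", "user"],
     "mail": ["carol@corp.example.test"],
     "userprincipalname": ["carol@corp.example.test"],
     "useraccountcontrol": ["66048"]},    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
]

# RFC 4515 escapes for a value spliced into a filter assertion.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape so the supplied e-mail address cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, email):
    """Substitute @email_address@ (assumption: a safe substitution escapes)."""
    return template.replace("@email_address@", escape_filter_value(email))


def is_disabled(uac_value):
    """The bit test the AD filter performs on userAccountControl."""
    return (int(uac_value) & ACCOUNTDISABLE) == ACCOUNTDISABLE


def _has(entry, attr, wanted):
    return any(v.lower() == wanted.lower() for v in entry.get(attr, []))


def matches(entry, email, exclude_disabled):
    """DEFAULT_FILTER when exclude_disabled is False, AD_FILTER when True."""
    if not exclude_disabled:
        return _has(entry, "mail", email)
    if not _has(entry, "objectclass", "person"):
        return False
    if not _has(entry, "userprincipalname", email):
        return False
    return not any(is_disabled(v) for v in entry.get("useraccountcontrol", []))


def login_candidates(entries, email, exclude_disabled):
    """DNs the chosen filter would return for this e-mail address."""
    return [e["dn"] for e in entries if matches(e, email, exclude_disabled)]


if __name__ == "__main__":
    for email in ("alice@corp.example.test", "bob@corp.example.test"):
        print(email, "default:", login_candidates(ENTRIES, email, False),
              "AD filter:", login_candidates(ENTRIES, email, True))
    print(render_filter(AD_FILTER, "x*(y)@corp.example.test"))
```

Two points the run makes visible: with the default filter the disabled account (bob, userAccountControl 514) is still returned and its fate rests entirely on the bind failing, whereas the AD filter drops it before any bind; and the AD filter matches on userPrincipalName rather than mail, so it only works where the address a user logs in with equals their UPN.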