Integrating Liferay 6 with Active Directory through LDAP

A common enterprise requirement is for users in Active Directory to be able to log in to Liferay Portal(s) with their Active Directory credentials. This can be achieved in Liferay with the LDAP tool that comes bundled with Liferay Community Edition. This tool works well when you just want to allow AD users to log in to Liferay with their AD credentials. There are a number of issues with exporting users from Liferay to AD, but let's focus on import for now.

Liferay integrates with AD by importing the users. This means that if a user wants to be able to log in to the portal, his record has to be present in the Liferay user database. So whenever you enter your credentials into the login screen of a Liferay Portal integrated with AD, the LDAP tool always checks the entered credentials against AD, and if there is a match you will be logged in. Let's have a look at the configuration required to enable this.

  1. Login into Liferay as an admin user.
  2. Go to Control Panel -> Portal Settings -> Authentication -> LDAP.
  3. Click Add; this opens the ‘ADD LDAP Server’ page.
  4. Server Name: <an appropriate name for the configuration>
  5. Base Provider URL: <the URL of the LDAP Server>
    1. Use port 636 if the AD allows secure (LDAPS) connections.
    2. Otherwise, use port 389 for unencrypted LDAP connections.
  6. Base DN: <enter the distinguished name of the Base OU where Liferay LDAP would search for users>
  7. Principal: <the username of the user you’d use to connect with AD>
  8. Credentials: <password>
  9. If you click ‘Test LDAP Connection’ now, you should see a pop up suggesting that Liferay has successfully connected to the LDAP server. If the message suggests failure to connect, then please make sure your configurations are correct before moving forward.
  10. Authentication Search filter: This is the filter that Liferay LDAP uses to search for a user in AD. So if you set it to (mail=@email_address@), Liferay would search AD for the user with the supplied email address. You can combine several conditions in this filter; for example (&(objectCategory=user)(mail=@email_address@)) would also check that the objectCategory is user in addition to matching the email address.
  11. Import Search filter: This filter is used by the Liferay LDAP tool for mass import of users. I would recommend not using mass import if you don't have to, and instead letting import happen only at user login. For example, if you set this filter to (objectCategory=user), the LDAP tool will import all users that have an objectCategory of user.
  12. Screen Name: cn (Screen Name is usually mapped to the cn attribute in AD, you could map it to sAMAccountName as well depending upon your requirements).
  13. Password: userPassword
  14. Email Address: mail
  15. First Name: givenName
  16. Last Name: sn
  17. Job Title: title
  18. If you click ‘Test LDAP Users’ you should see a list of users in a pop-up. If you don't see a pop-up, or there are no users in it, the configuration you entered is not correct. Please go back and check your configuration.
  19. Please make sure that the export section is blank, as we are not exporting users from Liferay to AD.
  20. Press Save.
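The two search filters in steps 10 and 11 are ordinary LDAP filter strings in which Liferay substitutes the value typed into the login form for the @email_address@ placeholder. The short Python module below, an added example that is not part of the original post or of Liferay's own code, shows how such a template is filled in and why the substituted value has to be escaped according to RFC 4515: characters such as `(`, `)`, `*` and `\` are part of filter syntax, and escaping them keeps a login value from altering the filter's structure. It also builds the Base Provider URL from step 5 and applies the attribute mapping from steps 12 to 17 to a constructed AD entry. All function names are hypothetical, and the sample entry is made up for the example.

```python
# Added example (not Liferay code): assemble and sanity-check the LDAP filter
# that the "Authentication Search filter" template produces, build the Base
# Provider URL from step 5, and apply the user attribute mapping from steps 12-17.

# RFC 4515 escape sequences for characters that carry meaning inside a filter.
# Backslash is listed first so that already-present backslashes are escaped
# before any new ones are introduced.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template: str, email_address: str) -> str:
    """Fill the @email_address@ placeholder of a Liferay-style filter template.

    The value is escaped first, so a login value containing '(' or '*' is
    matched literally instead of being parsed as filter syntax.
    """
    return template.replace("@email_address@", escape_filter_value(email_address))


def is_filter_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: unescaped parentheses must balance.

    Escape sequences (\\XX) are skipped so escaped parentheses do not count.
    """
    depth = 0
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
        i += 1
    return depth == 0


def provider_url(host: str, secure: bool) -> str:
    """Base Provider URL as in step 5: LDAPS on 636, plain LDAP on 389."""
    return f"ldaps://{host}:636" if secure else f"ldap://{host}:389"


# Liferay field -> AD attribute, exactly as configured in steps 12-17.
USER_MAPPINGS = {
    "screenName": "cn",
    "password": "userPassword",
    "emailAddress": "mail",
    "firstName": "givenName",
    "lastName": "sn",
    "jobTitle": "title",
}


def map_ldap_entry(entry: dict) -> dict:
    """Translate one AD entry (attribute -> value) into Liferay user fields."""
    return {field: entry.get(attr, "") for field, attr in USER_MAPPINGS.items()}


if __name__ == "__main__":
    template = "(&(objectCategory=user)(mail=@email_address@))"
    # Constructed AD entry for the demonstration; no real directory involved.
    sample_entry = {
        "cn": "jdoe",
        "mail": "jdoe@example.com",
        "givenName": "Jane",
        "sn": "Doe",
        "title": "Engineer",
    }
    print(provider_url("dc01.example.com", secure=True))
    print(build_auth_filter(template, sample_entry["mail"]))
    print(build_auth_filter("(mail=@email_address@)", "a(b)c"))
    print(map_ldap_entry(sample_entry))
```

The balanced-parentheses check is deliberately minimal: it only confirms that escaping kept the filter's nesting intact, not that the filter is semantically sensible. Liferay performs the substitution itself when the UI filter is used; the module just makes the behaviour visible so the template can be reasoned about before it is saved.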

All your configuration should now be saved in the PortalPreferences table in the Liferay database.

Go back to the LDAP tab now, make sure you have checked the Enabled and Required checkboxes, and save your changes.

If you log out and log in with a user that exists in AD, you should be able to log in as long as you've entered the correct credentials.