Skip navigation

Tag Archives: server admin

Our CTO came to me recently with the results of a PCI audit. One area of non-compliance that the audit discovered was the need to have users log in only through a SSL encrypted gateway. I set about finding a way to accomplish this with Liferay. Thankfully, it was a pretty easy change and didn’t require any custom log in code (as I initially feared.)

At first, I just happened to come across a relevant property in my portal-ext.properties file.

servlet.always.encrypt=false

On my local machine, I changed this value to true, restarted the server, and all traffic on my local server redirects to the ssl encrypted version on port 8181!

“Hooray”, I thought. “I’m done!” I talked to our Ops team to get the changes made in our other environments and he promptly burst my this-is-too-easy bubble. “Why is it encrypting our marketing site? We shouldn’t be encrypting everything, just the stuff we need protected.” Damnit! Now I have to find an alternative. Fortunately for me, the same Ops guy found the relevant properties to include in our portal-ext.properties file:

#require https for login
web.server.http.port=8080
web.server.https.port=8181
company.security.auth.requires.https=true

This is exactly the technique we needed. Our site doesn’t encrypt any public-facing page (unless you are already logged in) and all logged-in traffic is SSL-encrypted. Liferay team really did me a solid by making this so easy to configure. Thanks girls & guys of Liferay!

I have been struggling with getting Liferay to play nicely with our OpenLDAP server for the past two days.

I finally was able to figure out my mistake this afternoon.

Liferay expects ‘user’ entries (objectClass = inetOrgPerson, in my case) to be in the following format:

objectClass = inetOrgPerson

objectClass = organizationalPerson

objectClass = person

objectClass = top

cn = beardy@liferay.com

sn = Beard

givenName = Doctor

mail = beardy@liferay.com

title = Hirsute Physician

userPassword = <whatever encryption you use>

After much struggling and cursing, I found that my trouble was with the cn=beardy@liferay.com. An email address is not allowed in this field.

Once I changed the cn to ‘beardy’, I was able to login to my Liferay portal using LDAP authentication, the user was imported to the Liferay database, blah blah blah. Everything works great now.

Probably a simple fix for an experienced LDAP administrator, but for a n00b like me, it was an infuriating minor detail that made all the difference in my portal working versus not working.

…I’ve got to find a way to add code to my blog.

 

UPDATE (06.28.2012) – I’ve found a decent enough way to do it.

%d bloggers like this: