Resolution: No Longer Reproducible
Affects Version/s: 7.0.2 CE GA3
Component/s: Application Security > LDAP
JDK: Oracle Sun JDK 8
Application Servers: Apache Tomcat 8.0.x
History of my issue can be found here: https://web.liferay.com/en/community/forums/-/message_boards/message/78818698
There were a number of configuration issues around LDAP, but I'll keep this ticket to a single issue with my most workable LDAP configuration.
Liferay 7.0.2 GA3 (Wilberforce / Build 7002 / August 5, 2016)
10.1.17-MariaDB MariaDB Server
CentOS Linux release 7.2.1511
List of configurations (portal-ext.properties, openldap, LDAP configs in liferay).
Liferay LDAP troubleshooting.pdf
The issue that I'm seeing is that newly created users do not have a userPassword created in LDAP. This should be considered a bug since the UI and email provide the user their initial password. But that password will not auth as it's not persisted to LDAP. Here's a use case:
- creating a new user appears to work
- user object is created in the db and ldap
- ldap does not have a userPassword attribute
- initial password does not allow user to auth
- user can use 'forgot password' feature
- upon submit, error is thrown in log*** and UI; but passwordModifiedDate is updated in db and userPassword attribute is added to ldap
- at this point, it seems that the user's ldap is setup the same as the other, working users, but this user still cannot log in – same error thrown
Note that this error is seen often when using other configurations (e.g., enabling LDAP import & export at the same time – note that Liferay 6.2 appears not to allow this config).
Note that I attempted to disable the 'required' flag (assuming it's similar to the JAAS control flag for required vs. sufficient) to see if new users would be able to auth against the password value in the db, but that failed.
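One way to confirm the state described in this ticket across a whole directory, as an added example that is not from the ticket, Liferay or OpenLDAP: it parses an LDIF export (the text `ldapsearch -LLL` or `slapcat` prints) and lists the entries that carry no userPassword and therefore cannot bind. The sample LDIF, DNs and `ou=users` container are constructed for the example.

```python
"""Audit an LDIF export for user entries that lack a userPassword attribute.

Added example for this ticket, not Liferay's or OpenLDAP's code. Handles the
two LDIF details that a naive grep gets wrong: folded lines (continuation
lines start with a space) and base64 values (`attr:: ...`), which is how
userPassword is normally written.
"""
import base64

# Constructed sample: one entry exported correctly, one without userPassword.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
userPassword:: e1NTSEF9ZXhhbXBsZWhhc2g=

dn: uid=newuser,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: newuser
mail: newuser@example.com
"""

def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) for each entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current:
            current[1].setdefault(name.lower(), []).append(value)
    return entries

def entries_without_password(text):
    """DNs of entries with no userPassword attribute (they cannot bind)."""
    return [dn for dn, attrs in parse_ldif(text) if "userpassword" not in attrs]

if __name__ == "__main__":
    for dn in entries_without_password(SAMPLE_LDIF):
        print("no userPassword:", dn)
```

Running this against the export taken right after creating a user, and again after the 'forgot password' step, shows whether the attribute was written at each point in the use case above.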