Liferay 6 global settings (1)

Source: Internet
Author: User
Tags: ldap attributes, ldap parameters, ssl certificate, password protection, jxplorer

 

The Settings link contains the global settings for the portal. It mainly includes the following:

General: global settings such as company name, domain, virtual host, and a portal-wide logo.

Authentication: login IDs, LDAP connections, and single sign-on.

Users: three tabs are available: Fields, Reserved Credentials, and Default User Associations. Fields enables or disables certain user fields, such as birthday or terms of use. Reserved Credentials lets you reserve screen names and email addresses that users cannot register with; this prevents users from registering with political or sensitive names such as admin or chairman. Default User Associations configures the roles, user groups, and communities that new users are associated with by default. A check box lets you apply these associations to existing users as well.

Mail Host Names: you can add other mail domains associated with your organization. For example, your primary domain may be mycompany.com, but you may use mycompany-marketing.com as the domain for news-related mail. Any domains that belong to your organization can be listed here.

Email Notifications: Liferay sends email notifications for certain events, such as user registration and password changes. You can customize those messages here.

These settings are described in detail below.

(1) General

The General link lets you set the name of the company, organization, or site that runs the portal. The name set here also defines the default community name of your portal, which is liferay.com by default, so you can change it to suit your organization. You can also set the virtual host, mail domain, and other information about your organization.

(2) Authentication: General settings

The Authentication link has several tabs, all of which configure how users authenticate to Liferay. Liferay supports many authentication methods and has a corresponding tab for each of them.

The General tab affects only Liferay's own functionality and has nothing to do with the integration options on the other tabs. It lets you customize Liferay's out-of-the-box authentication behavior. In particular, the General tab lets you make several global authentication settings:

- Authenticate by email address (the default), by screen name (nickname), or by user ID (a numeric string generated automatically by the system in the database; not recommended).

- Enable/disable automatic login. If enabled, Liferay lets the user select the "Remember me" option and stores the user name and password in the user's browser; if disabled, the user must log in manually each time.

- Enable/disable the forgot-password function.

- Enable/disable the link for requesting a password reset.

- Enable/disable account creation by strangers. If you are running an Internet site, you probably want to keep this enabled so that visitors can create accounts on the site.

- Enable/disable account creation by people using an email address in the company domain (the domain set in General settings). This is convenient for enterprises that use Liferay for both internal and external sites: you can ensure that internal users must be created by an administrator, while external users register their own accounts.

- Enable/disable email address verification. If enabled, Liferay sends a verification email containing a verification link, which the user must click before being able to access the portal.

By default, all of these settings are enabled except the last one. One of the defaults is particularly important: authenticating users by email address. Liferay uses this method by default for the following reasons:

1) Each user's email address is unique.

2) People usually remember their email address. If a user does not log in to the portal for a while, he may forget his screen name, especially if users are not allowed to change their screen names.

3) If a user changes his email address, he may forget to update the email address attribute, especially if the email address is not used for authentication. If the email address is not updated, none of the notifications sent by the portal will be received. It is therefore important that users treat the email address as essential and update it promptly after logging in to the portal.

For the above reasons, Liferay uses the email address as the user name by default.

(3) Authentication: LDAP

Through the control panel you can connect Liferay directly to an LDAP directory. There are two places to configure LDAP settings: the portal-ext.properties file (described in the next chapter) and the control panel, whose settings are stored in the database. Note that if you use both, the settings stored in the database override those in portal-ext.properties. We therefore recommend that most users configure LDAP in the control panel, which is simple and does not require restarting Liferay. The only reason to configure LDAP in portal-ext.properties is when multiple Liferay nodes use the same LDAP directory; in that case it is easy to copy portal-ext.properties to each node when deploying. Whichever method you use, the settings are the same.

Enabled/Required

Enabled: select this to enable LDAP authentication.

Required: select this check box if LDAP authentication is required. In that case Liferay must bind to the LDAP directory successfully before a user can log in to the portal. Leave it unselected if you want users who have a Liferay account but no LDAP account to be able to log in.

LDAP Servers

Add your LDAP servers here. If there is more than one, you can order them with the up/down arrows. When you add an LDAP server, you must supply some data so that Liferay can connect to it and search for user records. However many servers you add, the configuration options for each are the same:

Default Values

Several major directory servers are listed here. Select one and the rest of the form is filled in with appropriate default values.

Connection

Set the basic parameters for connecting to LDAP:

Base Provider URL: the location of the LDAP server. Make sure the machine on which Liferay is installed can communicate with it; if there is a firewall between the two servers, make sure the appropriate port is open.

Base DN: the base distinguished name (DN) of the LDAP directory. For an enterprise the base DN usually looks like dc=companynamehere,dc=com.

Principal: by default the administrator ID is filled in here. If you have removed the default LDAP administrator, enter the fully qualified name of your administrator credential here. Liferay uses this ID to synchronize LDAP users, so administrator credentials are required.

Credentials: the administrator's password.

This is all that is needed to connect to an LDAP directory. The remaining configuration items are optional; normally the defaults are sufficient, but the attribute mappings are important because they control how information is synchronized back into the Liferay database when a user attempts to log in.

If your LDAP directory runs over SSL to avoid transmitting credentials unencrypted, you need to perform additional configuration steps to share the encryption key and certificate information between the two systems.

For example, if you have deployed Microsoft Active Directory on Windows Server 2003, use the following steps to share the certificate information: on the Windows 2003 domain controller, open the Certificates MMC snap-in for the local computer. Export the root certificate: under Trusted Root Certification Authorities -> MyRootCACertificateName, right-click the certificate and choose All Tasks > Export > DER encoded binary X.509 (.CER). Copy the exported .cer file to your Liferay Portal server.

If CAS has been installed (see the Single Sign-On section below), import the certificate into the cacerts keystore with the following command:

    keytool -import -trustcacerts \
        -keystore /some/path/jdk1.5.0_11/jre/lib/security/cacerts -storepass changeit \
        -noprompt -alias MyRootCA -file /some/path/MyRootCA.cer

keytool is part of the Java SDK.

Back in the control panel, return to the LDAP page. Edit the LDAP URL in the Base DN field so that it uses the secure protocol (ldaps) and port 636, as shown below:

    ldaps://myldapserverhostname:636

Save the changes. Liferay now uses LDAP over SSL for user authentication.

Users

This section describes how Liferay searches for user records in LDAP.

Authentication Search Filter: this filter determines the search criteria used when a user logs in. By default, Liferay uses the email address as the login name. If you change that setting (in Control Panel -> Settings -> Authentication, on the General tab next to the LDAP tab), you must change the filter here as well, because the default filter uses the LDAP email address attribute. For example, if you change Liferay's authentication method to screen name, change the filter to match what the user enters:

    (cn=@screen_name@)
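As an added illustration (not Liferay's own code), the following Python shows what filling the placeholder involves and why the login value must be escaped before it is put into the filter; the placeholder names @email_address@ and @screen_name@ follow the filter syntax above, while the auth_type labels are assumed names for the choices on the General tab.

```python
import re

# Placeholders Liferay fills into the Authentication Search Filter; the keys are
# assumed labels for the login method chosen on the Authentication -> General tab.
PLACEHOLDERS = {
    "emailAddress": "@email_address@",
    "screenName": "@screen_name@",
}

# RFC 4515, section 3: characters that must be escaped inside an assertion value,
# otherwise the login value could alter the structure of the filter itself.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so the LDAP server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_auth_filter(template: str, login: str, auth_type: str) -> str:
    """Fill the placeholder for the active login method with the escaped login value.

    Only the placeholder belonging to auth_type is replaced; any other placeholder
    is left in the filter so that a mismatch stays visible (see below).
    """
    placeholder = PLACEHOLDERS[auth_type]
    return template.replace(placeholder, escape_filter_value(login))


def unresolved_placeholders(ldap_filter: str) -> list:
    """Return placeholders still present after substitution.

    A non-empty result means the filter names the attribute of a login method
    other than the one selected on the General tab: the mismatch the text above
    warns about, in which the login value never reaches the LDAP query.
    """
    return re.findall(r"@[a-z_]+@", ldap_filter)


if __name__ == "__main__":
    # Constructed logins: the default email-based filter and the screen-name filter.
    print(build_auth_filter("(mail=@email_address@)", "jsmith@example.com", "emailAddress"))
    print(build_auth_filter("(cn=@screen_name@)", "j*smith)(cn=", "screenName"))
    # Login method switched to screen name, but the filter still targets mail:
    print(unresolved_placeholders(build_auth_filter("(mail=@email_address@)", "jsmith", "screenName")))
```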

Import Search Filter: depending on the LDAP server, there are several ways to identify users. Normally the default setting (objectClass=inetOrgPerson) is sufficient, but if you want to search only a subset of users, or users with a different object class, you can change it.

User Mapping: the next series of fields defines the mapping between LDAP attributes and Liferay fields. Five fields must be mapped so that users can be identified correctly. You must map an LDAP attribute to each of the following Liferay fields:

- Screen Name (nickname)
- Password
- Email Address
- Full Name
- First Name
- Middle Name
- Last Name
- Job Title
- Group

The control panel provides default mappings for commonly used LDAP attributes. You can also add your own mappings.

Test LDAP Users: once you have created the attribute mappings (see the preceding figure), click the Test LDAP Users button and Liferay tries to pull users from LDAP and match them against the mappings.

 

Groups

Import Search Filter: this filter finds the LDAP groups you want to map to Liferay. Enter the LDAP group attributes you want to map; the following attributes can be mapped:

- Group Name
- Description
- User

Test LDAP Groups: click Test LDAP Groups to display the list of groups matched by your filter.

(4) Export

Users DN: enter the location in the LDAP tree where users are stored. When Liferay performs an export, users are exported to this location.

User Default Object Classes: when a user is exported, it is created with the default object classes listed here. To find the right object classes, use an LDAP browser such as JXplorer to locate a user and view the object class attribute values stored for it in LDAP.

Groups DN: enter the location in the LDAP tree where groups are stored. When Liferay performs an export, groups are exported to this location.

Group Default Object Classes: when a group is exported, it is created with the default object classes listed here. To find the right object classes, use an LDAP browser such as JXplorer to locate a group and view the object class attribute values stored for it in LDAP.

Once you have completed the settings and tested the connection, click Save. From here you can add more LDAP servers, or set further options that apply to all your LDAP server connections.

Import/Export

Import Enabled: select this option to allow Liferay to import data from your LDAP directory in bulk. Leave it unselected if you want Liferay to synchronize users only as they log in. Do not select this option in a clustered environment; otherwise every node attempts the bulk import at startup.

When this option is selected, several further options become visible.

Import on Startup Enabled: if selected, Liferay runs the import at startup. This option is available only when Import Enabled is checked.

Export Enabled: select this option to allow Liferay to export user accounts from its database to LDAP. Liferay uses a listener that watches for changes to the User object; whenever a User object changes, the listener pushes the change to the LDAP server. Note that by default the lastLoginDate field is updated every time a user logs in, so when export is enabled, the user is exported on every login. You can disable this behavior by setting the following property in portal-ext.properties:

    users.update.last.login=false

Use LDAP Password Policy: by default, Liferay uses its own password policy, which you configure via the Password Policies link in the Portal section of the control panel. If you want to use the password policy defined in the LDAP directory, select this option. Once enabled, the Password Policies tab displays a message that you are not using a local password policy; you must now use the LDAP directory's own mechanism to set a password policy. Liferay enforces password protection by parsing the LDAP controls returned by the LDAP server. The LDAP controls that Liferay looks for are the ones returned by Fedora Directory Server. If you are using a different LDAP server, you need to customize this information in portal-ext.properties, since there is currently no interface for it. The parameters are described below.

Once the LDAP configuration is complete, click Save.

LDAP options not in the GUI

While most LDAP configuration can be done in the control panel, some parameters can only be set by editing portal-ext.properties. These options will get GUI settings in later versions of Liferay, but in the current version you can only edit the properties file.

If you need to change these options, copy the LDAP section from portal.properties into your portal-ext.properties. Note that LDAP parameters that have already been configured through the GUI are ignored here: the GUI settings are stored in the database, which takes precedence over the properties file.

    ldap.auth.method=bind
    #ldap.auth.method=password-compare

Set the LDAP authentication method to bind or password-compare. Bind is the preferred method; with bind you do not need to worry about encryption strategies. Password-compare does what its name says: it reads the user's password out of LDAP, decrypts it, compares it with the user's password in Liferay, and keeps the two in sync.

    ldap.auth.password.encryption.algorithm=
    ldap.auth.password.encryption.algorithm.types=MD5,SHA

Set the password encryption algorithm to use when ldap.auth.method is set to password-compare.
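An added illustration (not Liferay's implementation) of what the password-compare method has to do with the algorithm types above: read the stored userPassword value, hash the supplied password with the same scheme, and compare the digests in constant time. The {SHA}/{MD5} prefix convention and the sample values are constructed for this example.

```python
import base64
import hashlib
import hmac

# Algorithms allowed by ldap.auth.password.encryption.algorithm.types=MD5,SHA,
# mapped to hashlib names (constructed mapping for this example).
ALLOWED_ALGORITHMS = {"MD5": "md5", "SHA": "sha1"}


def make_userpassword(scheme: str, password: str) -> str:
    """Produce a '{SCHEME}base64(digest)' value as a directory would store it."""
    digest = hashlib.new(ALLOWED_ALGORITHMS[scheme], password.encode("utf-8")).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def parse_userpassword(stored: str) -> tuple:
    """Split a '{SCHEME}base64digest' value into (scheme, raw digest bytes)."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("userPassword value has no {SCHEME} prefix")
    end = stored.index("}")
    return stored[1:end].upper(), base64.b64decode(stored[end + 1:])


def password_compare(stored: str, supplied: str, allowed=ALLOWED_ALGORITHMS) -> bool:
    """Emulate the password-compare method.

    Hash what the user typed with the scheme found in LDAP and compare the
    digests in constant time. Schemes outside the configured list fail closed
    (return False) until algorithm.types is extended, instead of guessing.
    """
    scheme, digest = parse_userpassword(stored)
    if scheme not in allowed:
        return False
    computed = hashlib.new(allowed[scheme], supplied.encode("utf-8")).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    stored = make_userpassword("SHA", "s3cret-pass")  # constructed sample value
    print(stored, password_compare(stored, "s3cret-pass"), password_compare(stored, "wrong"))
```

Note that, unlike bind, this method only works if the Principal account is allowed to read the userPassword attribute, which is one reason the text above prefers bind.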

    ldap.import.method=[user,group]

If set to user, Liferay imports all users from the specified part of the LDAP tree. If set to group, Liferay searches all groups and imports the users in each group; users who do not belong to any group are not imported.

    ldap.error.password.age=age
    ldap.error.password.expired=expired
    ldap.error.password.history=history
    ldap.error.password.not.changeable=not allowed to change
    ldap.error.password.syntax=syntax
    ldap.error.password.trivial=trivial
    ldap.error.user.lockout=retry limit

These properties describe the error messages that the LDAP server may return. When a user binds to LDAP, the server can return a control indicating success or failure, and that control contains a message describing the error or the response. Although the controls are the same across LDAP servers, the messages differ. The properties listed here contain fragments of the messages returned by Red Hat's Fedora Directory Server; if you use a different server, these fragments may not appear in your server's messages. If this does not work for you, replace the property values with fragments of your own server's error messages so that Liferay can recognize them.
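As an added example (not part of the original article or of Liferay), the following Python shows how such fragment matching works and how an override line for a different server changes the result; the server messages below are constructed for the example.

```python
from typing import Dict, Optional

# Constructed copy of the properties listed above: the default keywords are the
# message fragments Liferay matches against Fedora Directory Server responses.
DEFAULT_ERROR_PROPERTIES = """
ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit
"""


def load_error_keywords(properties_text: str) -> Dict[str, str]:
    """Parse ldap.error.* lines from a properties fragment into {key: keyword}.

    Later lines override earlier ones, which mirrors how a value copied into
    portal-ext.properties replaces the default from portal.properties.
    """
    keywords: Dict[str, str] = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().startswith("ldap.error."):
            keywords[key.strip()] = value.strip()
    return keywords


def classify_ldap_error(message: str, keywords: Dict[str, str]) -> Optional[str]:
    """Return the ldap.error.* key whose keyword occurs in the server's message.

    Matching is case-insensitive substring matching. Longer keywords are tried
    first so a short fragment such as "age" cannot pre-empt a more specific one.
    Returns None when no fragment matches, i.e. when the server's wording is
    not the one the properties were written for.
    """
    lowered = message.lower()
    for key, keyword in sorted(keywords.items(), key=lambda kv: -len(kv[1])):
        if keyword.lower() in lowered:
            return key
    return None


if __name__ == "__main__":
    defaults = load_error_keywords(DEFAULT_ERROR_PROPERTIES)
    # Constructed server messages, not captured from any real directory.
    print(classify_ldap_error("Password expired, please reset it.", defaults))
    print(classify_ldap_error("Account locked: too many failed attempts", defaults))
    # A different server's wording, handled by overriding the lockout property:
    custom = load_error_keywords(DEFAULT_ERROR_PROPERTIES + "ldap.error.user.lockout=account locked\n")
    print(classify_ldap_error("Account locked: too many failed attempts", custom))
```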

(5) Single Sign-On

Single sign-on solutions let you provide a single authentication server for multiple systems. Users who authenticate once at the single sign-on server are logged in to Liferay automatically, and to the other systems as well.

At the time of writing, Liferay supports several single sign-on solutions. If your product is not yet supported, you can add support for it using the extension development environment, or you can choose extended support services; for more information, contact sales@liferay.com.

(6) Authentication: Central Authentication Service (CAS)

CAS was originally created by Yale University and is a widely used open-source single sign-on solution. It was also the first single sign-on product supported by Liferay.

Refer to the CAS installation documentation as needed.

Step 1: copy the CAS client .jar file to Liferay's library folder. On Tomcat, this folder is [Tomcat Home]/webapps/ROOT/WEB-INF/lib; the CAS client is available after the next Liferay restart.

The CAS server application requires a properly configured SSL certificate on your server. If you want to generate one yourself, use the keytool utility built into the JDK. The first step is to generate the key; next, export the key to a file; finally, import the key into your local Java keystore. For public, Internet-facing production environments, you should purchase a signed key from a recognized certificate authority (such as Thawte), or have the certificate authority sign your key. For an intranet, the IT department needs to pre-configure users' browsers so that they do not receive a certificate warning when logging in.

Use the following command to generate a key:

    keytool -genkey -alias tomcat -keypass changeit -keyalg RSA

Replace the password (changeit) in the example with one you can remember. If you are not using Tomcat, you can use a different alias. For first and last name, enter localhost or the host name of your server; an IP address cannot be used.

Run the following command to export the key to a file:

    keytool -export -alias tomcat -keypass changeit -file server.cert

Finally, import the key into your Java keystore with the following command:

    keytool -import -alias tomcat -file %FILE_NAME% -keypass changeit \
        -keystore $JAVA_HOME/jre/lib/security/cacerts

On Windows, replace $JAVA_HOME with %JAVA_HOME%. All of the above must be done on the machine that will run CAS.

Once your CAS server is up and running, you can configure Liferay to use it, which is very easy. In the control panel, go to Settings -> Authentication -> CAS, enable CAS authentication, and change the URL properties to point to your CAS server.

Enabled: set to true to enable CAS single sign-on.

Import from LDAP: users who authenticate through CAS may not yet exist in the portal. With this option, a user who does not exist in the portal is imported from LDAP automatically.

The remaining fields are set to various URLs by default. Change the default localhost to point to your CAS server, then click Save. When a user clicks the Sign In link, he is redirected to the CAS server and, after authenticating, logged in to Liferay.

(7) Authentication: Facebook

Liferay Portal also lets users log in with their Facebook account. To enable this, simply select the Enabled box and enter the Application ID and application secret provided by Facebook. Facebook SSO matches the primary email address in Facebook against the email addresses in the Liferay User table; if there is a match, the user is logged in automatically. If not, the Facebook user is quickly added to Liferay: a new user is created and four fields are retrieved from Facebook (first name, last name, email address, and gender).

(8) Authentication: NTLM

NTLM is a Microsoft protocol used for authentication in Internet Explorer. Although Microsoft has moved to Kerberos in recent versions of Windows Server, NTLM is still used for workgroup authentication. Liferay Portal now supports NTLMv2 authentication, which is more secure than NTLMv1 and has a stronger authentication process.

Enabled: select this option to enable NTLM authentication.

Domain Controller: enter the IP address of the domain controller. This is the server that holds the user accounts you want to use in Liferay.

Domain: enter the domain or workgroup name.

(9) Mail Host Names

The next link is Mail Host Names. Here you can enter additional mail host names (one per line) besides the one configured on the General tab. This tells the portal which mail hosts the organization owns.

(10) Email Notifications

There are four tabs under the Email Notifications link. The Sender tab sets the portal administrator's name and email address; by default these are Joe Bloggs and test@liferay.com. You can change them as needed; this name and address appear in the From field of all mail sent by the portal.

The other three tabs (Account Created Notification, Password Changed Notification, and Password Reset Notification) let you customize the content of those messages.

(11) Identification

The Identification section contains address, phone number, and other contact information you can configure for the portal. This lets you create contact information for the organization that owns the portal; developers can query this information from applications.

(12) Miscellaneous: Display Settings

This section sets the portal's default language and time zone. You can also set a portal-wide logo displayed at the top left of pages. When using this, choose an image of appropriate size; if the image is too large, the navigation bar is displayed incorrectly.

 
