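I googled many pages and the explanations were all over the place. In the end I remembered to look at portal.properties itself, and only then realized that what others said was not necessarily correct, or that I had misunderstood it.
Important notes:
1. The user mapping has 5 fields that must be mapped; otherwise an error occurs.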
- screenName
- password
- emailAddress
- firstName
- lastName
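2. If LDAP has been configured in the Control Panel, all LDAP settings in portal-ext stop taking effect, so you can only use one of the two (Control Panel or portal-ext).
3. To make the LDAP settings configured in the Control Panel stop applying, there is only one way:
Find the portalpreferences table and delete one record from it. The record looks like this: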
plid=0
portletid=LIFERAY_PORTAL
the "preferences" field will start with "<portlet-preferences><preference><name>ldap.base.dn</name>"
Take a close look at portal.properties:
##
## LDAP
##
#
# Set the values used to connect to a LDAP store.
#
ldap.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.referral=follow
#
# Settings for com.liferay.portal.security.auth.LDAPAuth can be configured
# from the Admin portlet. It provides out-of-the-box support for Apache
# Directory Server, Microsoft Active Directory Server, Novell eDirectory,
# and OpenLDAP. The default settings are for Apache Directory Server.
#
# The LDAPAuth class must be specified in the property "auth.pipeline.pre"
# to be executed.
#
# Encryption is implemented by com.liferay.util.Encryptor.provider.class in
# system.properties.
#
ldap.auth.enabled=false
ldap.auth.required=false
#
# Set the page size for directory servers that support paging. This value
# needs to be 1000 or less for Microsoft Active Directory Server.
#
ldap.page.size=1000
#
# Set the number of values to return in each query to a multivalued
# attribute for directory servers that support range retrieval. The range
# size must be 1000 or less for Windows 2000 and 1500 or less for Windows
# Server 2003.
#
ldap.range.size=1000
#
# Set either bind or password-compare for the LDAP authentication method.
# Bind is preferred by most vendors so that you don't have to worry about
# encryption strategies.
#
ldap.auth.method=bind
#ldap.auth.method=password-compare
#
# Set the password encryption to use for comparing passwords during import
# and to use for encrypting passwords during export. Comparing passwords
# during import will only be used when the property "ldap.auth.method" is
# set to password-compare. If the encryption is set to NONE, which is the
# default value, passwords are considered as plain text. The SHA-512
# algorithm is currently unsupported.
#
#ldap.auth.password.encryption.algorithm=BCRYPT
#ldap.auth.password.encryption.algorithm=MD2
#ldap.auth.password.encryption.algorithm=MD5
ldap.auth.password.encryption.algorithm=NONE
#ldap.auth.password.encryption.algorithm=SHA
#ldap.auth.password.encryption.algorithm=SHA-256
#ldap.auth.password.encryption.algorithm=SHA-384
#ldap.auth.password.encryption.algorithm=SSHA
#ldap.auth.password.encryption.algorithm=UFC-CRYPT
#
# You can write your own class that implements
# com.liferay.portal.security.ldap.AttributesTransformer to transform the
# LDAP attributes before a user or group is imported to the LDAP store.
#
ldap.attrs.transformer.impl=com.liferay.portal.security.ldap.DefaultAttributesTransformer
#
# Specify the settings for LDAP connections. Any property prefixed with
# "ldap.connection." will be passed to the LDAP context as an environment
# variable.
#
# To enable LDAP connection pooling, you have to set
# "ldap.connection.com.sun.jndi.ldap.connect.pool" to true and provide
# additional JVM system properties via the JVM start-up options via:
#
# java ... -Dcom.sun.jndi.ldap.connect.pool.maxsize=50 -Dcom.sun.jndi.ldap.connect.pool.timeout=10000
#
# See the following link:
# http://docs.oracle.com/javase/6/docs/technotes/guides/jndi/jndi-ldap.html#POOL
#
ldap.connection.com.sun.jndi.ldap.connect.pool=true
ldap.connection.com.sun.jndi.ldap.connect.timeout=500
ldap.connection.com.sun.jndi.ldap.read.timeout=15000
#
# Settings for importing users and groups from LDAP to the portal.
#
ldap.import.enabled=false
ldap.import.on.startup=false
ldap.import.interval=10
#
# Set either user or group for import method. If set to user, the portal
# will import all users and the groups associated with those users. If set
# to group, the portal will import all groups and the users associated with those
# groups. This value should be set based on how your LDAP server stores
# group membership information.
#
ldap.import.method=user
#ldap.import.method=group
#
# Set the lock expiration time for LDAP import. By default, the expiration
# time is 1 day.
#
ldap.import.lock.expiration.time=86400000
#
# If set to true, the group filter will be applied, but only to groups in
# the specified base DN. If set to false, the filter will not be applied and
# all groups that are associated with the imported users will be imported
# regardless of the base DN.
#
ldap.import.group.search.filter.enabled=true
#
# Specify whether group DN lookups will be cached during LDAP import and
# login. If set to true, this will speed up LDAP import and login, but
# updates to group attributes will not be recognized until the cache entry
# expires. The cache size and timeout may be configured in the configuration
# file specified in the property "ehcache.single.vm.config.location".
#
ldap.import.group.cache.enabled=true
#
# Set this to true if the portal should automatically create a role per
# group imported from LDAP. The role will be assigned to the group so that
# users can automatically inherit that role when they are assigned to the
# group.
#
ldap.import.create.role.per.group=false
#
# Set these values to be a portion of the error message returned by the
# appropriate directory server to allow the portal to recognize messages
# from the LDAP server. The default values will work for Fedora DS.
#
ldap.error.password.age=age
ldap.error.password.expired=expired
ldap.error.password.history=history
ldap.error.password.not.changeable=not allowed to change
ldap.error.password.syntax=syntax
ldap.error.password.trivial=trivial
ldap.error.user.lockout=retry limit
#
# Set this to true to use LDAP's password policy instead of the portal
# password policy.
#
# If set to true, it is possible that portal generated passwords will not
# match the LDAP policy. See the "passwords.regexptoolkit.*" properties for
# details on configuring RegExpToolkit in generating these passwords.
#
ldap.password.policy.enabled=false
#
# Set this to false when the LDAP user's password should not be imported to
# the Liferay user.
#
ldap.import.user.password.enabled=true
#
# Set this to true to autogenerate passwords for users imported from
# LDAP.
#
# This property is only in use if the property
# "ldap.import.user.password.enabled" is set to false.
#
# If an LDAP password policy is enabled (see the property
# "ldap.password.policy.enabled"), the password will be generated using
# RegExpToolkit. Set the "auth.pipeline.enable.liferay.check" property to
# false to disable password checking by the portal's internal authentication
# (which is not compatible with LDAP), and set the "auth.pipeline.pre"
# property to com.liferay.portal.security.auth.LDAPAuth so that password
# checking will be delegated to the LDAPAuth authenticator.
#
# Note that enabling LDAP export, by setting the "ldap.export.enabled"
# property to true, may lead to overwriting the LDAP user's password with an
# autogenerated password.
#
ldap.import.user.password.autogenerated=false
#
# Set either screenName or plain text as the default password for the
# imported LDAP user. Setting the value to screenName will use the user's
# screen name as the password for the imported LDAP user. Setting the value
# to any other plain text value will use that value as the password for the
# imported LDAP user.
#
# This property is only in use if the properties
# "ldap.import.user.password.enabled" and
# "ldap.import.user.password.autogenerated" are both set to false.
#
ldap.import.user.password.default=test
#ldap.import.user.password.default=screenName
#
# Settings for exporting users from the portal to LDAP. This allows a user
# to modify his first name, last name, etc. in the portal and have that
# change pushed to the LDAP server. This setting is not used unless the
# property "ldap.auth.enabled" is set to true.
#
ldap.export.enabled=false
#
# Set this to true if groups and their associations should be exported from
# the portal to LDAP. This setting is not used unless the property
# "ldap.auth.enabled" is set to true.
#
ldap.export.group.enabled=true
#
# Set the values used to connect to a LDAP store.
#
# The list of properties must end with a subsequent integer (0, 1, etc.) and
# it is assumed that the list has reached an end when the pattern or
# replacement is not set.
#
#ldap.base.provider.url.0=ldap://localhost:10389
#ldap.base.dn.0=dc=example,dc=com
#ldap.security.principal.0=uid=admin,ou=system
#ldap.security.credentials.0=secret
#
# Active Directory stores information about the user account as a series of
# bit fields in the UserAccountControl attribute.
#
# If you want to prevent disabled accounts from logging into the portal you
# need to use a search filter similar to the following:
# (&(objectclass=person)(userprincipalname=@email_address@)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
#
# See the following links:
# http://support.microsoft.com/kb/305144/
# http://support.microsoft.com/?kbid=269181
#
#ldap.auth.search.filter.0=(mail=@email_address@)
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal contact attributes.
#
# See com.liferay.portal.model.ContactModel for a list of attributes.
#
#ldap.contact.mappings.0=aimSn=\nbirthday=\nfacebookSn=\nicqSn=\njabberSn=\njobTitle=\nmsnSn=\nmySpaceSn=\nskypeSn=\nsmsSn=\ntwitterSn=\nymSn=
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal contact's custom attributes.
#
#ldap.contact.custom.mappings.0=
#
# When a user is exported to LDAP and the user does not exist, the user will
# be created with the following default object classes.
#
#ldap.user.default.object.classes.0=top,person,inetOrgPerson,organizationalPerson
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal user attributes.
#
# See com.liferay.portal.model.UserModel for a list of attributes.
#
#ldap.user.mappings.0=emailAddress=mail\nfirstName=givenName\ngroup=groupMembership\njobTitle=title\nlastName=sn\npassword=userPassword\nscreenName=cn\nuuid=uuid\n
#
# When importing and exporting users, the portal will use this mapping to
# connect LDAP user attributes and portal user's custom attributes.
#
#ldap.user.custom.mappings.0=
#
# Set the user attributes that are controlled from the portal. When adding
# or updating a user from LDAP, these attributes will be skipped.
#
ldap.user.ignore.attributes=
#ldap.user.ignore.attributes=aimSn,comments,facebookId,facebookSn,greeting,icqSn,jabberSn,jobTitle,languageId,msnSn,mySpaceSn,openId,prefixId,reminderQueryAnswer,reminderQueryQuestion,skypeSn,smsSn,suffixId,timeZoneId,twitterSn,ymSn
#
# When a group is exported to LDAP and the group does not exist, the group
# will be created with the following default object classes.
#
#ldap.group.default.object.classes.0=top,groupOfUniqueNames
#
# When importing groups, the portal will use this mapping to connect LDAP
# group attributes and portal user group attributes.
#
#ldap.group.mappings.0=description=description\ngroupName=cn\nuser=uniqueMember
#
# Settings for importing users and groups from LDAP to the portal. These
# settings are not used unless the property "ldap.import.enabled" is set
# to true.
#
#ldap.import.user.search.filter.0=(objectClass=inetOrgPerson)
#ldap.import.group.search.filter.0=(objectClass=groupOfUniqueNames)
#
# New users and groups will be created at the specified DN. This will only
# be active if the properties "ldap.auth.enabled" and "ldap.export.enabled"
# are set to true.
#
#ldap.users.dn.0=ou=users,dc=example,dc=com
#ldap.groups.dn.0=ou=groups,dc=example,dc=com
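
A portal-ext.properties file can be checked against the notes and file comments above before deployment. This is an added Python example, not code from the original post or from Liferay. It verifies the five required user-mapping fields per LDAP server index, flags plain `ldap://` URLs, and flags the case where every imported user receives the shared default password. The helper names and the sample file are constructed for illustration.

```python
# Added example: helper names are illustrative, not Liferay APIs.
import re

REQUIRED = ("screenName", "password", "emailAddress", "firstName", "lastName")
# Defaults copied from the portal.properties excerpt above.
DEFAULTS = {"ldap.import.user.password.enabled": "true",
            "ldap.import.user.password.autogenerated": "false",
            "ldap.import.user.password.default": "test"}

def parse_properties(text):
    """Minimal reader: key=value lines, '#' comments, no line continuations."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_mappings(value):
    """Split 'a=b\\nc=d' (literal backslash-n separators) into a dict."""
    pairs = (p.split("=", 1) for p in value.replace("\\n", "\n").splitlines() if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text):
    props, findings = parse_properties(text), []
    servers = sorted(m.group(1) for k in props
                     if (m := re.fullmatch(r"ldap\.base\.provider\.url\.(\d+)", k)))
    for n in servers:
        mapped = parse_mappings(props.get(f"ldap.user.mappings.{n}", ""))
        missing = [f for f in REQUIRED if not mapped.get(f)]
        if missing:
            findings.append(f"server {n}: user mapping missing {', '.join(missing)}")
        if props[f"ldap.base.provider.url.{n}"].lower().startswith("ldap://"):
            findings.append(f"server {n}: ldap:// URL is not TLS-protected, prefer ldaps://")
    if (props["ldap.import.user.password.enabled"] == "false"
            and props["ldap.import.user.password.autogenerated"] == "false"):
        findings.append(f"imported users share default password '{props['ldap.import.user.password.default']}'")
    return findings

# Constructed sample portal-ext.properties, not from a real deployment.
SAMPLE = r"""
ldap.auth.enabled=true
ldap.base.provider.url.0=ldap://localhost:10389
ldap.user.mappings.0=emailAddress=mail\nfirstName=givenName\nscreenName=cn\npassword=userPassword
ldap.import.user.password.enabled=false
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A clean result only covers the file itself: per note 2 above, LDAP settings saved in the Control Panel replace whatever portal-ext contains.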