topic Re: simple LDAP authentication with several OUs in Alfresco Archive

simple LDAP authentication with several OUs

france — Fri, 07 Apr 2006 11:49:57 GMT

Hi, I would like to use the LDAP authentication with the "simple" mechanism(combined with SSL). I see in the ldap-authentication-context.xml file thatI have to specify the full DN of the user in the userNameFormat. It doesn'tsuit us because the users are spread over different OUs. Is there a way ofi

Re: simple LDAP authentication with several OUs

andy — Fri, 07 Apr 2006 13:10:13 GMT

Hi

I don't think this is possible as you need the full DN of the user for simple authentication. (See http://java.sun.com/products/jndi/tutorial/ldap/security/simple.html).

What are you using as the back end?
If Active Directory I would go with JAAS/Kerberos.
It would then be fine to use SSL+simple jsut to extract groups and users.
If OpenLDAP I would go with DIGEST MD5.

Regards

Andy

Re: simple LDAP authentication with several OUs

france — Fri, 07 Apr 2006 16:24:57 GMT

Hi Andy,

Thanks for your answer.

I'd like to give you more information about my ldap "setting".

1. I tried to realize the authentication with Active Directory. It works with
"simple", but also with "DIGEST-MD5". According to the documentation, it
should not work with Active Directory and DIGEST-MD5, but it does. I tried
first from a Windows installation during the course in Belgium; now I am
using Alfresco on a Linux platform and it works too.
But maybe I'll have problem to extract groups and users ? I didn't try yet.

2. I built a small openldap server. I can realize the authentication from
Alfresco to this ldap server with the "simple" mechanism. But it's not good
because we are using different OUs for the users.

3. Up to now I didn't succeed in setting the DIGEST-MD5 mechanism on the openldap server. Anyway, it raises an important question: according to the openldap documentation, I need to keep the user passwords in clear text in the ldap server. It is not so nice … Can the passwords be encrypted ?

4. The final setup for our company would be a combination of an openldap
server with referrals to Active Directory for the internal users, as
explained by Simon in his post "Alfresco ignores LDAP referrals". I do
need 1 unique way of defining the authentication that can work for both
openldap and Active Directory.

5. You mentioned that Alfresco 1.3 will support authentication chaining.
But will it be with simple authentication or DIGEST-MD5 or will it be
possible to choose the mechanism depending on the kind of ldap server ?

Best regards,

France

Re: simple LDAP authentication with several OUs

andy — Mon, 10 Apr 2006 09:11:35 GMT

Hi

1) Active Directory does not advertise that it supports DIGEST-MD5 authentication method. I would expect this authentication method to be fine for extracting users and groups. If you can authenticate and the user has read rights that is enough.

2 & 3) I have set up OpenLDAP using DIGEST-MD5. The configuration is on the enterprise bit of the wiki. http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration.

As I understand it, in OpenLDAP you need plain text to support all auth methods. If you just want to support DIGEST-MD5 you should be able to store the MD5 password hash. Then simple/SHA etc would not be possible.
I have not confirmed this.

4) I have answered some questions that may help on referral.
http://forums.alfresco.com/viewtopic.php?t=1518&highlight=referral.
I would like to know how you get on.

5) Chaining will allow you to combine any number of authentication services. This can be two LDAP instances with different config and the built in Alfresco authenitcation.

Regards

Andy

Re: simple LDAP authentication with several OUs

simon — Tue, 18 Apr 2006 10:02:37 GMT

Easter holidays are over so time to solve some LDAP problems… again. :roll: I'll continue where France stopped in her last post (we are colleagues).

We tried the following combinations to authenticate against an LDAP with Alfresco and they all worked:

- SIMPLE authentication and Active Directory
- SIMPLE authentication and OpenLDAP
- DIGEST-MD5 authentication and Active Directory
- DIGEST-MD5 authentication and OpenLDAP

Now we would like to use these mechanisms to authenticate against multiple LDAP's. The LDAP referrals (from OpenLDAP to Active AD) don't work at the moment (see other post) so we should find a way to authenticate both our internal and external users (internals are kept in AD and externals are stored in OpenLDAP) when they login to Alfresco.

France came up with the following construction:

1. Copy all the users to one single OU in OpenLDAP (both internals and externals).
2. The externals have their full credentials stored here but the internals have a cn=username and a password userpassword={SASL}username@company.be (their full credentials are stored in AD).
3. When an internal user tries to login their password is looked up by the salsauthentication deamon which in his turn tries to find the Kerberos server (which is Active Directory in our case).

Could this work and is this the best way to solve our problem?

Re: simple LDAP authentication with several OUs

andy — Tue, 18 Apr 2006 10:08:53 GMT

Hi Simon

See the other post…

I have discovered you can have more than one LDAP server in the URL (space separated) and it will try them in turn for authentication. There is an example for simple auth.

I have not tried this yet myself.

This should solve the referral problem by removing it.

Hope this helps.

Regards

Andy

Re: simple LDAP authentication with several OUs

simon — Tue, 18 Apr 2006 13:59:27 GMT

Indeed Andy, I should have read your other post first, sorry.

The "more than one LDAP server in the URL" trick did it! I tested it with simple authentication against an AD and an OpenLDAP server.

DIGEST-MD5 is still a problem but this is a "wrong OpenLDAP version" problem so we'll try another version.