topic Re: LDAP Authentication & Active Directory in Alfresco Archive

LDAP Authentication & Active Directory

boneill — Thu, 17 Jul 2008 12:10:54 GMT

Hi guys,I have been through the wikis and forum posts a number of times and get more confused all the time. I simply want to authenticate users against our Active Directory using LDAP. The users exist in Alfresco so only want authentication for now not synchronisation. Firstly, is MSActiveDirecto

Re: LDAP Authentication & Active Directory

vycitalr — Fri, 18 Jul 2008 09:24:34 GMT

I think you mix two things together, which are not exactly the same - and that Active Directory and LDAP protocol. Despite Active Directory exposes ldap-protocol, so you can use ldap-authenticaion, I think it's little inconvenient. There is a better way to use sort of more native AD-authentication, and that is the NTLM authentication configured in ntlm-authentication-context. Here is just enough to specify IP of your domain controller and that's all. While if you use the ldap-authentication it'll be more difficult to configure and also might be even impossible. I was also confused about these things and made ldap-auth working for AD but I had to do some customizations to fit to my purposes. But it was due to my lack of knowledge not knowing about the NTLM. Just consider, that with ldap-protocol you bind/authenticate with string like "cn=%s,ou=marketing,dc= etc" but the CN is in AD usually the real person name and not the loginname. The login name is usually stored in other attribute "sAMAccountName". So how to handle this??
I just suggest to use ntlm-authentication-context.xml instead of ldap.

Regards
Robert

Re: LDAP Authentication & Active Directory

boneill — Sat, 19 Jul 2008 11:06:39 GMT

Robert,

Thankyou very much for your reply. I understand that you can use ntlm but they do not want to do that at my client site as ntlm is not very secure. i.e Any user can access alfresco from a logged in computer. When you were going through the config options did you determine if MS AD and ldap config is supported by alfresco out of the box? Also, assuming I did want to use the sAMAccount name, can I not just include that in the string that gets passed to AD and configure the ldap config as follows:
"sAMAccountName=%S, ou="marketing, dc= etc etc etc.

Would appreciate a response from an alfresco SE if possible on this post.

Re: LDAP Authentication & Active Directory

janeerdekens — Fri, 24 Oct 2008 14:15:05 GMT

I use something like %s@example.com as the userNameFormat for the AD domain example.com, which allows me to login with a username that is the same as the value of the sAMAccountName attribute in AD.

Re: LDAP Authentication & Active Directory

mrojas73 — Mon, 27 Oct 2008 03:22:35 GMT

I use something like %s@example.com as the userNameFormat for the AD domain example.com, which allows me to login with a username that is the same as the value of the sAMAccountName attribute in AD.

Is it possible to login using the e-mail address (userPrincipalName)?

Thank you.

Re: LDAP Authentication & Active Directory

janeerdekens — Mon, 27 Oct 2008 08:26:33 GMT

Hi mrojas73,

I'm not able to log in using the userPrincipalName attribute directly by using it in the userNameFormat field as follows userPrincipalName=%s,CN=Users,Dc=example,dc=com. But since in my case the combination of the sAMAccountName and the AD domain example.com is the same as the value of the userPrincipalName attribute, it looks like you're logging in using that attribute if I specify in my Alfresco config files that userNameFormat=%s@example.com.

Example:

AD domain: exmaple.com
sAMAccountName=john.doe
userPrincipalName=john.doe@example.com

-> so specifying userNameFormat=%s@example.com enables me to log in using the username john.doe.

In your case, if you would want to log in using a username john.doe@example.com, it should suffice to use userNameFormat=%s.

I hope this helps.