Chaining Alfresco and LDAP

ajmillar — Thu, 15 May 2008 10:56:32 GMT

Dear all, I'm trying to get chaining working with Alfresco 2.9B and I'm struggling. When I started out I was able to log in with admin/admin. I then set the LDAP config going and was able to login using my ldap username/password but not with the local admin/admin. I then tried to work with the chain

Re: Chaining Alfresco and LDAP

ajmillar — Mon, 28 Jul 2008 10:12:18 GMT

Hi Andy,

I had to revert back to the 2.1 edition and it worked almost straight away. The documentation is not the clearest for getting this kind of thing working. Discovered that I had to comment out the following bean in the ldap-authentication-context.xml file before it would work. Got this fix from someone else on the forums. Think I posted it in a seperate thread.

<!–
<bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
<property name="allowDeleteUser">
<value>true</value>
</property>
</bean> –>

It really would be a huge benefit if you could find someway to provide a GUI for configuring Alfresco rather than having to edit all these individual XML files. It really opens up a wide scope for errors being introduced into the config of the system that could otherwise be avoided.

Hoping that when 3.0 is released at the end of this week that we'll be able to upgrade our system. We are piloting it with a few groups, but would love to upgrade to the latest version before we roll it out to the whole company.

A

Re: Chaining Alfresco and LDAP

mykelalvis — Fri, 01 Aug 2008 17:51:10 GMT

I have a similar problem with chaining Alfresco Community 2.9B internal authentication and LDAP.

I have followed the rather sparse documentation and the extensive posts and come up with the following configs. Note that these are the only changes (except for ldap-authentication.properties changes) I've done to a base install of community 2.9B with tomcat.

chaining-authentication-context.xml


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!– Chaining of both the services and components –>
    <bean id="authenticationService" class="org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl">
        <property name="authenticationServices">
            <list>
                <ref bean="authenticationServiceImplLDAP"/>
            </list>
        </property>
<!–
        <property name="mutableAuthenticationService">
            <ref bean="authenticationServiceImplAlfresco"/>
        </property>
–>
    </bean>
    
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
      <property name="authenticationComponents">
            <list>
      <!–
                <ref bean="authenticationComponentImplJAAS"/>
      –>
                <ref bean="authenticationComponentImplLDAP"/>
            </list>
        </property>
        <property name="mutableAuthenticationComponent">
            <ref bean="authenticationComponentImplAlfresco"/>
        </property>
   </bean>
    
    <!– Alfresco Auth –>
    
    <bean id="authenticationServiceImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplAlfresco"/>
        </property>
    </bean>
    
    <bean id="authenticationDaoAlfresco" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="dictionaryService">
            <ref bean="dictionaryService"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
        <property name="searchService">
            <ref bean="admSearchService"/>
        </property>
        <property name="userNamesAreCaseSensitive">
            <value>${user.name.caseSensitive}</value>
        </property>
        <property name="passwordEncoder">
            <ref bean="passwordEncoder"/>
        </property>
    </bean>
    
    <bean id="authenticationComponentImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="allowGuestLogin">
            <value>false</value>
        </property>
    </bean>
    
    <!– LDAP –>
    
    <bean id="authenticationServiceImplLDAP" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoLDAP"/>
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplLDAP"/>
        </property>
    </bean>
   <bean id="authenticationDaoLDAP" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao"/>
</beans>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

and

ldap-authentication-context.xml


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    
   <!– The main configuration has moved into a properties file –>
    
    <bean name="ldapAuthenticationPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="ignoreUnresolvablePlaceholders">
            <value>true</value>
        </property>  
        <property name="locations">
            <value>classpath:alfresco/extension/ldap-authentication.properties</value>
        </property>
    </bean>
    
    <!– DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. –>
    
<!–
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>    
–>
   

    <!– LDAP authentication configuration –>
    
    <!– 
    
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
    
    –>
    
    <!–
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
    –>
    <bean id="authenticationComponentImplLDAP" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!–
            
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
            
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
            
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com" 
            Usually for simple authentication. Simple authentication always uses the DN for the user.
            
            –>
            <value>${ldap.authentication.userNameFormat}</value>
        </property>
    </bean>
    
    <!–
    
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
    
    –>
    
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>${ldap.authentication.java.naming.factory.initial}</value>
                </entry>
                
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>${ldap.authentication.java.naming.provider.url}</value>
                </entry>
                
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>${ldap.authentication.java.naming.security.authentication}</value>
                </entry>
                
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
                <entry key="java.naming.security.principal">
                    <value>${ldap.authentication.java.naming.security.principal}</value>
                </entry>
                
                <!– The password for the user defined above –>
                <entry key="java.naming.security.credentials">
                    <value>${ldap.authentication.java.naming.security.credentials}</value>
                </entry>
            </map>
        </property>
    </bean>
    
</beans>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

With an appropriate ldap-authentication.properties, I can log in using my LDAP (ActiveDirectory) credentials.

However, note that the mutableAuthenticationService is commented out at the top of the chaining file. If this service is not commented out, several issues appear:

Attempting to login as admin/admin gives:


javax.faces.FacesException: Error calling action method of component with id loginForm:submit
caused by:
javax.faces.el.EvaluationException: Exception while invoking expression #{LoginBean.login}
caused by:
java.lang.NullPointerException

Show Details
javax.faces.FacesException: Error calling action method of component with id loginForm:submit
at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:72)
at javax.faces.component.UICommand.broadcast(UICommand.java:109)
at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)
at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)
at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:139)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.alfresco.web.app.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:94)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:595)
Caused by: javax.faces.el.EvaluationException: Exception while invoking expression #{LoginBean.login}
at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:156)
at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:61)
… 24 more
Caused by: java.lang.NullPointerException
at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.getUserOrNull(RepositoryAuthenticationDao.java:158)
at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.loadUserByUsername(RepositoryAuthenticationDao.java:119)
at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.getUserDetails(AuthenticationComponentImpl.java:98)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:121)
at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.authenticateImpl(AuthenticationComponentImpl.java:75)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.authenticate(AbstractAuthenticationComponent.java:74)
at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.authenticate(AuthenticationServiceImpl.java:114)
at org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl.authenticate(ChainingAuthenticationServiceImpl.java:164)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:241)
at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
at $Proxy20.authenticate(Unknown Source)
at org.alfresco.web.bean.LoginBean.login(LoginBean.java:247)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)
… 25 more
Return to application
Logout
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Hit the "Back" button to get back to the login page and try an LDAP user.


java.lang.NullPointerException

Show Details
java.lang.NullPointerException
at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.getUserOrNull(RepositoryAuthenticationDao.java:158)
at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.loadUserByUsername(RepositoryAuthenticationDao.java:119)
at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.getUserDetails(AuthenticationComponentImpl.java:98)
at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:121)
at org.alfresco.repo.security.authentication.AuthenticationServiceImpl.validate(AuthenticationServiceImpl.java:150)
at org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl.validate(ChainingAuthenticationServiceImpl.java:277)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:241)
at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
at $Proxy20.validate(Unknown Source)
at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:229)
at org.alfresco.web.app.servlet.AuthenticationHelper.authenticate(AuthenticationHelper.java:109)
at org.alfresco.web.app.servlet.AuthenticationFilter.doFilter(AuthenticationFilter.java:75)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
at java.lang.Thread.run(Thread.java:595)
Return to application
Logout
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Close the browser and log in as an LDAP user. This succeeds but a logout produces precisely the same effect as the previous example (i.e. it fails as consistently as I would expect)

Here's where it gets weird:


java.lang.NullPointerException

Hide Details

java.lang.NullPointerException
at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.getUserOrNull(RepositoryAuthenticationDao.java:158)
at org.alfresco.repo.security.authentication.RepositoryAuthenticationDao.loadUserByUsername(RepositoryAuthenticationDao.java:11
{blahblahblah}
‍‍‍‍‍‍‍‍‍‍

The interesting thing here is that the new tab has a perfectly valid login session. I can re-login with any LDAP user I choose. As long as I log out by right-clicking on the logout link and opening a new tab, I can switch users successfully (well, sort of successfully).

However, under no circumstances do I seem to be able to log in as Admin, because the Alfresco internal auth component seems broken and/or misconfigured for chaining.

topic Re: Chaining Alfresco and LDAP in Alfresco Archive

Chaining Alfresco and LDAP

Re: Chaining Alfresco and LDAP

Re: Chaining Alfresco and LDAP

Re: Chaining Alfresco and LDAP