topic Re: Alfresco Labs 3.0 AD connectivity in Alfresco Archive

Alfresco Labs 3.0 AD connectivity

cassini — Wed, 19 Nov 2008 09:21:17 GMT

Hello community,since a view days is try to setup the Alfresco NTLM Auth Component. I user this (http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM) Tutorial from the Alfresco Wiki to set up the component. Unfortunately I had no success.My setup: Debian Etch, TomCat 5.5, Mysql5, War Version of Alfre

Re: Alfresco Labs 3.0 AD connectivity

danovtx — Tue, 06 Jan 2009 19:44:41 GMT

Hi there,

In case you are still having problems, I noticed this part of your error message:

org.springframework.beans.MethodInvocationException: Property 'domain' threw exception; nested exception is org.alfresco.error.AlfrescoRuntimeException: Failed to set passthru domain, java.io.IOException: Failed to find domain controller or browse master for HM
Caused by: org.alfresco.error.AlfrescoRuntimeException: Failed to set passthru domain, java.io.IOException: Failed to find domain controller or browse master for HM
at org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl.setDomain(NTLMAuthenticationComponentImpl.java:290)

That looks to me like the domain, or a server to authenticate against is not set properly. Check the wiki page you were using for more details on that…
If that doesn't help you out, I know that the NTLMAuthenticationComponent bean needs to have the ID "authenticationComponent" and not "authenticationComponentImpl"…. In some versions I guess (had to be before my time with alfresco, because I haven't seen it myself, just in the forums) the default ID in the xml file (ntlm-authentication-context.xml in shared/classes/alfresco/extension) has the 'Impl' on it, and that causes errors.

Re: Alfresco Labs 3.0 AD connectivity

tobias_amon — Wed, 07 Jan 2009 14:43:01 GMT

Hi,

I have the same problem. But the ID must have the "impl". Otherwise I get a ClassNotFoundException

kind regards
Tobias

Re: Alfresco Labs 3.0 AD connectivity

ofrxnz — Tue, 17 Feb 2009 18:40:28 GMT

Hey at the bottom of this post is my working config for NTLM. This configuration doesn't try to auto discover the domain controllers but declares them. I had issues with only setting a domain and instead had to set the server option.

in this code
when i use DOMAIN it is the "test" portion of "test.com" in all caps.

and <ip of DC 1> and <ip of DC 2> are replaced by the IP address of a my two domain controllers

so if I have "test.com" and my domain controllers are at 10.0.0.1 and 10.0.0.2 It would look something like this

<property name="servers">
<value>TEST\10.0.0.1,TEST\10.0.0.2,10.0.0.1</value>
</property>

There are some more configurations you can put in here

take a look at the "NTLM Passthru Properties" and "Domain Mappings" sections of this page for Alfresco 3

http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM

My Working config with network configuration stuff blinded


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
         <property name="allowSetEnabled" value="true" />
         <property name="allowGetEnabled" value="true" />
         <property name="allowDeleteUser" value="true" />
         <property name="allowCreateUser" value="true" />
   </bean>


   <!– The authentication component.                                      –>

   <!– Use the passthru authentication component to authenticate using    –>
   <!– user accounts on one or more Windows servers.                      –>

   <!– Properties that specify the server(s) to use for passthru          –>
   <!– authentication :-                                                  –>
   <!–   useLocalServer   use the local server for authentication         –>
   <!–   domain           use domain controllers from the specified domain–>
   <!–   servers          comma delimted list of server addresses or      –>
   <!–                    names                                           –>

   <bean id="authenticationComponent"
         class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"
         parent="authenticationComponentBase">
       <property name="useLocalServer">
           <value>false</value>
       </property>
       <property name="servers">
           <value>DOMAIN\<ip of DC 1>,DOMAIN\<ip of DC 2>,<ip of DC 1></value>
       </property>
       <property name="personService">
           <ref bean="personService" />
       </property>
       <property name="nodeService">
           <ref bean="nodeService" />
       </property>
       <property name="transactionService">
           <ref bean="transactionComponent" />
       </property>
       <property name="guestAccess">
           <value>false</value>
       </property>
   </bean>

</beans>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Alfresco Labs 3.0 AD connectivity

ganesh_boil — Thu, 30 Apr 2009 06:37:59 GMT

Hi team,
I'm new to Alfresco and i'm using alfresco labs 3.0 stable version.
In the user guide i found the NTLM under security but in that there is no explanation about it.
Can anyone tell me the exact use of this NTLM ?

Thanks in advance.

Re: Alfresco Labs 3.0 AD connectivity

ofrxnz — Thu, 30 Apr 2009 10:32:07 GMT

NTLM is a Microsoft authentication protocol

http://en.wikipedia.org/wiki/NTLM

It is the primary protocol Windows/Microsoft use for most system-system authentication through 2003/xp. I believe they are phasing it out but dont know for sure. It is a Windows NT holdover.

In Alfresco, NTLM can replace all other authentication mechanisms. So, basically when a user enters their username and password, alfresco will ask the NTLM (active directory) server if this is a valid username and password.

If AD says yes its valid, Alfresco creates a local userprofile/account if the dont have one on alfresco and logs them in. In all subsequent authentication attempts, Alfresco always polls AD. If a user is locked out because of bad password attempts or their account is disabled or deleted in AD, they can not get into Alfresco. I believe this should work with AD log on hours but have never tried it.

NTLM in alfresco is only good for authentication against AD. It will not care about AD groups and it will not pull over user metadata (phone numbers, email address, etc) those must be managed in alfresco by an administrator.

If you need more than authentication and your application requires, for lack of a better term, "syncing" groups and metadata with AD you will need to use LDAP syncing.

I service about 50 users and have never had trouble with only NTML. Inserting the metadata and group management is simply part of our setup procedure and typically doesn't take me more than 15 minuets per user.

IF you use NTLM and LDAP syncing, NTLM will be the preferred authentication protocol, and LDAP should only be used for syncing.

Re: Alfresco Labs 3.0 AD connectivity

ganesh_boil — Thu, 30 Apr 2009 10:43:48 GMT

IF you use NTLM and LDAP syncing, NTLM will be the preferred authentication protocol, and LDAP should only be used for syncing.

Hi ofrxnz, thanks for your time. And i got clear idea about NTLM by seeing your post. And i just get a bit confusion on the above. what is "LDAP syncing/(synchronising)"…? I understood it is to change the password/editing the first name,last mae,mail …etc am i right?
But there was a problem, if i'm right, the labs 3.0 stable version is not allowing the users (even admin) to change their password/edit profile if we use LDAP. i think this was a bug reported in the following JIRA.

https://issues.alfresco.com/jira/browse/ETHREEOH-1634?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel

can you explan a bit about using the files ldap-authentication-context.xml and ldap-synchronisation-context.xml files and what is ldap syncing(synchronising) ?? .
I'm just confusing on these two files.

Re: Alfresco Labs 3.0 AD connectivity

ofrxnz — Thu, 30 Apr 2009 11:22:13 GMT

In AD, each user has meta data such as fname, lname, mail, phone, etc. the only thing NTLM cares about is Username and password.

Alfresco also supports LDAP authentication and AD also supports LDAP authentication so, with the Alfresco LDAP authentication mechanism, you can have Alfresco automatically pull these things over and put them in the alfresco profile.

I dont believe you can change your password in alfresco with NTLM. you may be able to do it with LDAP but i dont know. You would probably have to give the LDAP bind user administrative rights. Typically LDAP users only have Read-Only access and cant change a thing. I dont know how this works with their own LDAP profile

I dont believe the LDAP issue you mention was a bug. LDAP Sync literally over writes all of the user profiles when ever it runs. This is the nature of the relation ship. LDAP is the repository/Authority, and Alfresco should respect that. I dont remember this when i used LDAP but this may be part of the design–no point letting you change your profile if its just going to get over written. I have not used LDAP in production for a version or two so i dont know for labs 3

LDAP-authentication-context.xml is the file you configure to allow alfresco to connect to and authenticate against an LDAP repository. LDAP-Synchronization-context.xml is the file that tells Alfresco to scan a portion or all of the LDAP directory and maps certain attributes for user to groups to their alfresco equivalent. This file says that each DN with Attribute X should be a user so create a profile for them if they dont have one. it also maps ldap attributes such as fname, lname, o, mail, etc to alfresco profile attributes. Basically, it copies the LDAP user and their attributes to their Alfresco profile. On top of this, it can also find groups in the LDAP server and copy them over to alfresco. the group will have the same name, and it will populate the alfresco group with the LDAP users already in the group. If there is a conflict between alfresco and the LDAP directory, the default behavior is to overwrite Alfresco with what is in the LDAP directory. you can configure how frequently it syncs alfresco to the LDAP directory

There should be 4 ldap files in there 2 that are the configuration and 2 that hold the variables. all you need to do is rename the the two that hold the variables and configure them for your server. the other two will execute and suck the variables over from them. I would give you names but im at home right now

Here is some LDAP stuff to get you started
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#LDAP_Configuration_before_2.1

I personally never liked using the LDAP mechanism with AD. works greatewith open LDAP but its a bit strange with AD

Re: Alfresco Labs 3.0 AD connectivity

ganesh_boil — Thu, 30 Apr 2009 11:44:42 GMT

Thanks ofrxnz ,
Now i got a clear picture about these thinks.
Thanks again for ur support.