topic Re: OpenLDAP authentication in Alfresco Archive

OpenLDAP authentication

uesnet — Thu, 19 Mar 2009 19:53:41 GMT

Hi everyone, I have looked through the posts and googled this problem without any luck. This is my first installation of Alfresco, am using the Stable 3labs version on linux and trying to use Openldap for user authentication. I edited the ldap-authentication.properties.xml and ldap-authentication-c

Re: OpenLDAP authentication

jottley — Thu, 19 Mar 2009 22:40:22 GMT

Ignore the error message. It is for info only.

Modify:

ldap.authentication.java.naming.provider.url to point to your LDAP server
ldap.authentication.java.naming.security.authentication to use the appropriate security mechanism

Depending your LDAP scheme you may need to change the format that is used when passing usernames from Alfresco to your LDAP. This can be done by changing:

ldap.authentication.userNameFormat=%s where %s is the value passed. Digest authentication can use the default of just a %s. Others should modify to your specific user container. For Example, ldap.authentication.userNameFormat=cn=%s,ou=users,o=demo,dc=alfresco,dc=com

Re: OpenLDAP authentication

uesnet — Fri, 20 Mar 2009 14:27:20 GMT

Hi Jottley,
Thanks for your reply. I had already modified the values you mention, here are the values I have been using:
FOR ldap-authentication-context.xml
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                   <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
                  <entry key="java.naming.provider.url">
                    <value>ldap://10.10.0.1:389</value>
                </entry>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>
                </entry>
                <entry key="java.naming.security.principal">
               <value></value>
                </entry>
                <entry key="java.naming.security.credentials">
                <value></value>
                </entry>
            </map>

FOR ldap-authentication.properties
ldap.authentication.userNameFormat=uid=%s,ou=usuarios,dc=one,dc=test,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.10.0.1:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.security.principal=
ldap.authentication.java.naming.security.credentials=

Again, I can see that alfresco reaches my ldap server when staring up, but it is doing a search that returns "INVALID_CREDENTIALS" (err=49) on the LDAP server, the only reason I see for that to happen is that Alfresco is doing the search without a serachbase. I have confirmed this by doing a local ldapsearch on the OpenLDAP server, when I use the -b modifier and specify a searchbase the search works fine but the same search fails if I don't specify a searchbase. Any ideas where else I could for clues…?

Thanks again for your help,
eric.

Re: OpenLDAP authentication

jottley — Fri, 20 Mar 2009 14:47:36 GMT

I had already modified the values you mention, here are the values I have been using:
FOR ldap-authentication-context.xml

FYI you only need to modify ldap-authentication.properties. (well now you need to modify ldap-authentication-context.xml unless you reset it to the defaults.)

the search works fine but the same search fails if I don't specify a searchbase.

We aren't doing a search, we are authenticating against the directory through a bind which does not require a searchbase. Try doing an ldapwhoami.

ldapwhoami -x -D "<your DN>" -w <your password>

It will return your DN if successful

Re: OpenLDAP authentication

uesnet — Fri, 20 Mar 2009 17:57:58 GMT

Thanks again for your reply. I've made the changes you suggested. The opneldap log shows this now:
Connection from Alfresco
Mar 20 11:41:17 campus slapd[10047]: conn=52 fd=13 ACCEPT from IP=10.10.0.2:46221 (IP=0.0.0.0:389)
Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" method=128
Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 RESULT tag=97 err=49 text=
Mar 20 11:41:17 campus slapd[10047]: conn=53 fd=13 closed (connection lost)
Mar 20 11:41:18 campus slapd[10047]: conn=50 op=1 UNBIND
Mar 20 11:41:18 campus slapd[10047]: conn=50 fd=11 closed

Connection from ldapwhoamI using the same credentials
Mar 20 11:42:12 campus slapd[10047]: conn=54 fd=11 ACCEPT from IP=127.0.0.1:40887 (IP=0.0.0.0:389)
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" method=128
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" mech=SIMPLE ssf=0
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 RESULT tag=97 err=0 text=
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=1 WHOAMI
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=1 RESULT oid= err=0 text=

The ssf=0 seems to be the difference between the two Bind attempts. Is this SSF value, something I can modify within Alfresco?
eric.

Re: OpenLDAP authentication

jottley — Sat, 21 Mar 2009 04:57:28 GMT

The problems is actually this line

Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 RESULT tag=97 err=49 text=

Which indicates an error 49…Invalid Credentials.

Can you try doing a "ldapwhoami -x"? Does it return anonymous?

Check the error log as well to see what it returns and post it here.

Re: OpenLDAP authentication

uesnet — Mon, 23 Mar 2009 15:17:30 GMT

~# ldapwhoami -x
anonymous
Result: Success (0)
~# cat ldap.log
Mar 23 09:08:49 campus slapd[10047]: conn=55 fd=11 ACCEPT from IP=127.0.0.1:47672 (IP=0.0.0.0:389)
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=0 BIND dn="" method=128
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=0 RESULT tag=97 err=0 text=
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=1 WHOAMI
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=1 RESULT oid= err=0 text=
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=2 UNBIND
Mar 23 09:08:49 campus slapd[10047]: conn=55 fd=11 closed

Re: OpenLDAP authentication

jottley — Mon, 23 Mar 2009 16:20:28 GMT

can we check and make sure that your slapd.conf file does not deny access (auth connections) from the Alfresco server?

Below is the output from my instance of Alfresco to my ldap server.

Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 fd=15 ACCEPT from IP=156.124.13.100:52309 (IP=0.0.0.0:389)
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=0 BIND dn="cn=Jared Ottley,ou=users,o=demo,dc=alfresco,dc=com" method=128
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=0 BIND dn="cn=Jared Ottley,ou=users,o=demo,dc=alfresco,dc=com" mech=SIMPLE ssf=0
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=0 RESULT tag=97 err=0 text=
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=1 UNBIND
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 fd=15 closed

My access line looks like this

access to attrs=userPassword
        by dn="cn=admin,dc=alfresco,dc=com" write
        by anonymous auth
        by self write
        by * none

Re: OpenLDAP authentication

uesnet — Mon, 23 Mar 2009 16:46:44 GMT

Thanks again for your reply. The ACLs look right, I also enabled acl logging on openldap. Here is the log from the ldapwhoami an alfresco operations, they both are being grnated access:
Mar 23 10:31:26 campus slapd[19365]: slapd starting
Mar 23 10:31:32 campus slapd[19365]: => access_allowed: auth access to "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" "userPassword" requested
Mar 23 10:31:32 campus slapd[19365]: => acl_get: [1] attr userPassword
Mar 23 10:31:32 campus slapd[19365]: access_allowed: no res from state (userPassword)
Mar 23 10:31:32 campus slapd[19365]: => acl_mask: access to entry "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv", attr "userPassword" requested
Mar 23 10:31:32 campus slapd[19365]: => acl_mask: to value by "", (=0)
Mar 23 10:31:32 campus slapd[19365]: <= check a_dn_pat: cn=admin,dc=ues,dc=edu,dc=sv
Mar 23 10:31:32 campus slapd[19365]: <= check a_dn_pat: anonymous
Mar 23 10:31:32 campus slapd[19365]: <= acl_mask: [2] applying auth(=xd) (stop)
Mar 23 10:31:32 campus slapd[19365]: <= acl_mask: [2] mask: auth(=xd)
Mar 23 10:31:32 campus slapd[19365]: => access_allowed: auth access granted by auth(=xd)
Mar 23 10:32:58 campus slapd[19365]: bind: invalid dn (daftAsABrush)
Mar 23 10:32:58 campus slapd[19365]: => access_allowed: auth access to "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" "userPassword" requested
Mar 23 10:32:58 campus slapd[19365]: => acl_get: [1] attr userPassword
Mar 23 10:32:58 campus slapd[19365]: access_allowed: no res from state (userPassword)
Mar 23 10:32:58 campus slapd[19365]: => acl_mask: access to entry "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv", attr "userPassword" requested
Mar 23 10:32:58 campus slapd[19365]: => acl_mask: to value by "", (=0)
Mar 23 10:32:58 campus slapd[19365]: <= check a_dn_pat: cn=admin,dc=ues,dc=edu,dc=sv
Mar 23 10:32:58 campus slapd[19365]: <= check a_dn_pat: anonymous
Mar 23 10:32:58 campus slapd[19365]: <= acl_mask: [2] applying auth(=xd) (stop)
Mar 23 10:32:58 campus slapd[19365]: <= acl_mask: [2] mask: auth(=xd)
Mar 23 10:32:58 campus slapd[19365]: => access_allowed: auth access granted by auth(=xd)

Also, both in your openLDAP log and my ldapwhoami log there's two Bind lines logged, one uses the ssf=0 right before the err=0(success) message. I suspect that something Is wrong with my current Alfresco setup that is not generating that second bind/ssf=0 action.

Re: OpenLDAP authentication

uesnet — Wed, 25 Mar 2009 17:57:26 GMT

I just noticed there are also error messages on my alfresco log. don't know if is directly related to the ldap problem but here it is:
10:46:47,072 ERROR [org.springframework.web.context.ContextLoader] Context initialization failed
java.lang.NullPointerException
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.isSystemUserName(AbstractAuthenticationComponent.java:299)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:161)
   at org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl.setCurrentUser(ChainingAuthenticationComponentImpl.java:373)
   at org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl.setSystemUserAsCurrentUser(ChainingAuthenticationComponentImpl.java:407)
   at org.alfresco.repo.importer.system.SystemInfoBootstrap.bootstrap(SystemInfoBootstrap.java:124)
   at org.alfresco.repo.importer.system.SystemInfoBootstrap.onBootstrap(SystemInfoBootstrap.java:190)
   at org.alfresco.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:62)
   at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
   at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
   at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
   at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
   at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:244)
   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:187)
   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:516)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:41

Any ideas?

Re: OpenLDAP authentication

ssandruchi — Wed, 07 Apr 2010 10:02:05 GMT

Hello,

   I had same problem in Alfresco 3.0 and I solved this adding following parent bean:

    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl" parent="authenticationComponentBase">

See following wiki:
          http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#LDAP

   Regards,
      Sandra