topic Re: Active Directory authentification in Alfresco Archive

Active Directory authentification

francois12 — Thu, 02 Apr 2009 15:42:18 GMT

Hello,We're using Alfresco Labs 3 final version and a shared tomcat (v.6) on Debian Etch.And we're trying to authentificate with an Active Directory account.Let the user called "Joe Black", his login is jblack and distinguishedName is CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=comHe's connectin

Re: Active Directory authentification

rliu — Fri, 03 Apr 2009 20:27:29 GMT

I just recently got AD authentication on my instance of Alfresco Labs3.

ldap.authentication.userNameFormat=sAMAccountName=%s

    # The default principal to use (only used for LDAP sync)
    ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=company,dc=com

    # The password for the default principal (only used for LDAP sync)
    ldap.authentication.java.naming.security.credentials=***********

In the ldap-authentication.properties, I believe you should have the following:

ldap.authentication.userNameFormat=cn=%s,ou=people,ou=admin,dc=company,dc=com
ldap.authentication.java.naming.security.principal=userID that can be used to connect to AD
ldap.authentication.java.naming.security.credentials=password for principal userID to connect with

Hope that helps. It was how I configured it.

Re: Active Directory authentification

francois12 — Tue, 07 Apr 2009 16:09:16 GMT

ldap.authentication.userNameFormat=cn=%s,ou=people,ou=admin,dc=company,dc=com‍

And what if users are in many OU ?

Examples:

cn=%s,ou=people,ou=admin,dc=company,dc=com
cn=%s,ou=people1,ou=admin,dc=company,dc=com
cn=%s,ou=people2,ou=admin,dc=company,dc=com
cn=%s,ou=people3,ou=admin,dc=company,dc=com
…‍‍‍‍‍

thanks for your reply

Re: Active Directory authentification

rliu — Tue, 07 Apr 2009 16:40:34 GMT

My suggestion (and purely a guess as I have not encountered such a situation) is to try appending the other OUs to your line like this:

cn=%s,ou=people,ou=people1,ou=people2,ou=people3,ou=admin,dc=company,dc=com‍

Worth a shot.

Re: Active Directory authentification

francois12 — Wed, 08 Apr 2009 08:19:16 GMT

huu.. unfortunately that's not working either

but thanks for your reply!

Re: Active Directory authentification

ofrxnz — Wed, 08 Apr 2009 20:45:03 GMT

try this. it works for me. I am running Win 2K3 R2 for Active directory and Alfresco labs 3.0

Let me know if you want a working Sync file

watch capitalization on your DNs they have bit me before

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple 
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s     
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server 
ldap.authentication.java.naming.provider.url=ldap://server:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=COMPANY,dc=com

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=Password for above user

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is 
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Active Directory authentification

francois12 — Thu, 09 Apr 2009 09:59:31 GMT

try this. it works for me. I am running Win 2K3 R2 for Active directory and Alfresco labs 3.0

Let me know if you want a working Sync file

watch capitalization on your DNs they have bit me before

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple 
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s     
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server 
ldap.authentication.java.naming.provider.url=ldap://server:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=COMPANY,dc=com

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=Password for above user

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is 
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

I don't understand how Alfresco search and bind the user without setting its full DN in "ldap.authentication.userNameFormat".
Do you set this DN in the sync file? Yes I would like to check your file to understand.

Thanks for your help!

Re: Active Directory authentification

ofrxnz — Thu, 09 Apr 2009 11:49:33 GMT

I don't understand how Alfresco search and bind the user without setting its full DN in "ldap.authentication.userNameFormat".
Do you set this DN in the sync file? Yes I would like to check your file to understand.

First, the Sync file is not needed for authentication. it is only needed to populate phone numbers, locations, etc from active directory without manual entry….Ill still post it when i get to work in a couple hours.

also, did that config work for you?

on to the explanation (or how i think it works)

Active Directory is already a fully functional LDAP server. It is just not exactly Standards compliant.

Once, the user you define in "ldap.authentication.java.naming.security.principal in ldap-authentication-context.xml binds to AD you can search for %s in every portion of Active Directory as you would search Google for dirt on your boss.

so if we have a user with the first name of "Jane" a last name of "Doe" and a username "Jane.Doe" and she is located in the Company>Domain Users folder and in that folder they show up as "Jane Doe". When you click on "Jane Doe" you can see some of their attributes (there are also many hidden attributes you can only see with an LDAP browser such as Apache Directory Studio")

then we successfully bind with the "ldap.authentication.java.naming.security.principal" user and someone entered "Jane.Doe" as their user name

Alfresco will tell AD to search through everything in Active Directory for any attribute that ="Jane.Doe"

so it could be sAMAccountName=Jane.Doe or SomeOtherAttribute=JaneDoe, or well anything =Jane.Doe

Once Active Directory has found some attribute that = "Jane.Doe" it will return the full DN where it found "Jane.Doe".

so in the above case, Alfresco says search for *="Jane.Doe" then AD will tell Alfresco I found "Jane.Doe" in "cn=Jane Doe,ou=Domain Users,dc=COMPANY,dc=com".

Alfresco then uses this returned DN to test the password.

Re: Active Directory authentification

francois12 — Thu, 09 Apr 2009 13:54:54 GMT

I tried to dump the ldap network packets and I discover that there is no "search and bind" :
Alfresco just binds. It buils a DN from the given login and tries to connect with the given password.

How can I activate the ldap search ?

Thanks a lot for your help

Re: Active Directory authentification

ofrxnz — Thu, 09 Apr 2009 14:27:27 GMT

Personally, I find LDAP a bit of a pain, so i switched over to NTLM. Its just easier but doesn't import any user data (email, phone, etc) nore does it import AD groups.

http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM

You ONLY need to do the bit AFTER this heading "NTLM Passthru Authentication " the first part is for Single Sign on and that just adds unneeded complication at this point. and SSO is broken in share so dont touch it.

For LDAP

If it is successfully binding, it should automatically search with the config i posted earlier.

How did you get your Bind user DN

I used this application

http://directory.apache.org/studio/

the settings for a connection should be

(Network tab)
hostname = serverIP or DNS anme
port = 389
encryption method = no encryption

(Authentication tab)
bind dn or user = administrator
bind password = **********

I am using administrator because its a bit of a pain to figure out what username they want out of the box.

in my case it is the name the user shows up as in the left column of AD. so in a jane.doe case, the username for Apache directory studio needs to be "Jane Doe" because that is the "Real" uid (have i mentioned AD is not standards compliant)

Once you successfully connect navigate around in your tree and find your bind user. Once selected, the full DN will be at the top of the center frame. and all you need to do is copy and paste it. It can be CaSE SenSItiVe so be careful copying it

Here is the sync file i said i would post. Its a bit of a pain to use because it can render share non functional. Basically it will delete any group that is not in ad if this is set to true "ldap.synchronisation.import.group.clearAllChildren" and if it is set to false it will only add users to groups and never delete them.

My advise is do not enable Sync until you are comfortable your authentication is working well.


#
# This properties file is used to configure LDAP syncronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=user)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=OU=Domain Users,DC=COMPANY,DC=com

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=company

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=userHomesHomeFolderProvider

#personalHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=groupOfNames)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=dc=company,dc=com

# The attribute on LDAP group objects to map to the gid property in Alfrecso
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=groupOfNames

# The person type in LDAP
ldap.synchronisation.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=14 45 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=false‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Re: Active Directory authentification

francois12 — Tue, 28 Apr 2009 08:22:06 GMT

hi ofrxnz
I appreciate your help, thank you!

The thing is.. I came to the conclusion that Alfresco is a the moment not able to search and bind in many LDAP nodes. Sorry to contradict your saying.
Alfresco is only able to build a DN with the username we gave it and tries to connect with the password.
If you or someone knows how to patch Alfresco to add the search&bind feature.. let me know!

Moreover, I'd like to know if NTLM authentification needs LDAP to work or if it is another authentification method aside from LDAP(AD).
I'd also like to know if the clients needs to be on Windows, in the domain. We have users that are using Linux not binded to the domain.

Thanks again for you help

Re: Active Directory authentification

ofrxnz — Tue, 28 Apr 2009 11:51:18 GMT

Sorry its not working for you

Alfresco will only search/recurse under the folder defined by this line

ldap.synchronisation.personSearchBase=OU=Domain Users,DC=COMPANY,DC=com

you may want to set it to

ldap.synchronisation.personSearchBase=DC=COMPANY,DC=com

that way it should start at the bottom of your directory. Mind you company and com should reflect your AD domain.

LDAP against AD is kind of weird at times, but its always worked out of the box for me. It may be an AD issue….I know in 2008 they closed down a bunch of stuff. I also hate the windows firewall. There is also a port in the 3000s i have had to use with AD/LDAP at times for other applications (apache). I don't remember the port number off the top of my head. I believe it was "forest view" or something like that

I abandoned AD/LDAP because it kept locking out the bind user. We force a 3 strike rule.

For NTLM you do not need LDAP

NTLM is a completely independent protocol.

If i remember correctly NTLM was the main Windows Authentication protocol between NT4 and ME/2000.

With NTLM, the web interface (alfresco explorer, webdav, share) will prompt for a password when using NTLM.

If you opt for NTLM with Single Sign On (SSO) it will probably only SSO with windows clients joined to the domain. For all others it will prompt for credentials.

we have had no issues with non-domained windows boxes or non-domained OS X (personal) machines.

We have had issues with Vista and SSO (not NTLM) but if you use the web logon, not the SSO it is fine. The other issue is we have had is we had a user who windows box was joined to another domain and they had the same username on our network. In this case, it saw they were a valid username and didn't check domain. This case was really strange though and never repeated its self

you would need to experimental with the file servers but i expect them to have similar behavior.

The only requirement is that the user is a valid AD user.

I have had no issues with a win 2k3R2 AD server. 2008 on the other hand seemed to pose more headaches when i beta tested it.

Re: Active Directory authentification

jriker1 — Wed, 06 May 2009 02:21:04 GMT

So how do you know if Alfresco is using LDAP for authentication? I have set my ldap-authentication.properties file as per this thread, however after restarting alfresco I can still login with the "admin" account but not my domain account. It was my understanding that if LDAP authentication was enabled the system based internal accounts wouldn't work anymore. Is there a way to know what's going on?

For that matter, how do you physicall add a domain user to the system when it asks for username and password?

Thanks.

JR

Re: Active Directory authentification

ofrxnz — Wed, 06 May 2009 02:31:48 GMT

try another account in LDAP.

If the authentication comes back valid, Alfresco will create a local user profile

LDAP typically just takes over (unless chaining is setup).

Every ldap config is surprisingly custom to the environment. Everyone does something slightly different to their LDAP/AD server.

If its not working make sure you renamed the config file. At the very least it usually locks everyone out.

In alfresco 3 the users "admin" and "administrator" are admins by default no matter what the repo source is.

On the other hand, im probably not as up on LDAP in the most recent iteration of Labs 3. I switched to NTLM based Auth in version 3b they are at 3d now

Re: Active Directory authentification

jriker1 — Wed, 06 May 2009 18:56:19 GMT

Thanks for the reply ofrxnz. May just be me but something just doesn't sound right. The properties page was active by default (i.e. not .sample at the end), and had dummy config data in it. Wouldn't think it would be reading that in and dying everytime to connect. Would think there is some bean or something that has to be changed to enable this. At a minimum perhaps a log or something of what is happening. Hard for me to understand how the system knows the difference between internal username/password users and domain users when logging in.

JR

Re: Active Directory authentification

ofrxnz — Wed, 06 May 2009 19:28:37 GMT

ldap-authentication-context.xml.sample is the file that needs to be renamed (remove the .sample). don't edit this file. it reads its values over from the .properties file

I think this is where all the bean stuff is.

you can probably tweak the log4j configuration file and enable more levels of logging. I dont know what is there for ldap. have only touched the log config file once. (somewhere in the deployed war file)(i think thats the correct name)

for the last one. Im no expert on this, but from my understanding…… the short answer is….there really isnt a difference between internal users and external users. only where to look for a password.

There are to halves to a person in alfresco. one half is for the internal authentication mechanism and if i remember is more system oriented and the other is more of a repo by repo "profile" if you will. when using external authentication, the "profile" stays and the internal mechanism is superseded

when a user logs into alfresco for the first time using an ldap directory, alfresco receives the "Valid Account" information from the repo. It then trys to associate the account with a "profile". If it cant find one it creates a blank profile with only a username.

I am guessing there is an order of precedence in the authentication engine. if bean A out ranks bean B the latter ie effectively disabled.

It is more complicated than this but hats the high level of how i understand it.

you can set up chaining so say….NTLM fails, it will try LDAP. if LDAP fails it will try Alfresco.

Adam

Re: Active Directory authentification

jriker1 — Thu, 07 May 2009 21:12:47 GMT

Thanks for the reply. The ldap-authentication-context.xml is already set without the .sample. Same with the ldap-authentication.properties. I know I have this properties page setup right. Not sure if I need to do something elsewhere but guess I'll keep looking. Just get an exception that authentication failed with an existing user I added before that exists on the domain with the same network id.

JR

Re: Active Directory authentification

rchamy — Fri, 19 Jun 2009 11:20:25 GMT

Hi, I have LDAP (AD), NTLM and sync working propertly but I have a handicap. In my syncronization I import the users and groups of an especific OU. When I try to logon with a user member of this specific OU I can logon succesfully, otherwise, when I try to logon with a users not in that OU I also can logon!!. I don't want to allow logon for the users out of this OU, only for the users imported or for the users in the OU specified in the sample file.
Do you know wich is the problem?
Thanks.

Re: Active Directory authentification

dward — Fri, 19 Jun 2009 11:38:31 GMT

Try setting the autoCreatePeopleOnLogin property on the authenticationComponentBase bean to false. In theory that won't allow in anyone that hasn't been created by the LDAP sync.

We'll look into making this easier to configure in the v3.2 release.

Re: Active Directory authentification

rchamy — Fri, 19 Jun 2009 11:46:31 GMT

Thanks for the quickly reply. I'm looking for that bean in the ldap-authentication-context.xml and its look like:

    <bean id="authenticationComponent"
          class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl" 
          parent="authenticationComponentBase">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!–
            
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
            
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
            
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com" 
            Usually for simple authentication. Simple authentication always uses the DN for the user.
            
            –>
            <value>${ldap.authentication.userNameFormat}</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>   
        <property name="escapeCommasInBind">
            <value>${ldap.authentication.escapeCommasInBind}</value>
        </property>
        <property name="escapeCommasInUid">
            <value>${ldap.authentication.escapeCommasInUid}</value>
        </property> 
    </bean>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Can you specify tha correcto code for me? Thank you very much.