topic Re: Understanding Alfresco subsystems for authentication (3.3) in Alfresco Archive

Understanding Alfresco subsystems for authentication (3.3)

bnice — Tue, 14 Sep 2010 12:51:42 GMT

Hi,I need to get my fresh Alfresco 3.3 installation to run together with a W2K3 ADS - SSON is not a must, but would be nice to have.I tried to configure Kerberos for that reason with help of the wiki http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos, but still got some diffic

Re: Understanding Alfresco subsystems for authentication (3.3)

rhoefer — Tue, 14 Sep 2010 15:40:05 GMT

From my understanding you can:
1) put your properties inside alfresco-global.properties (which is what I have tested with and seems to work fine)

2) you can make a new directory inside WEB-INF/classes/alfresco/subsystems/Authentication/kerberos/ called kerebos1 and then override.

Spring Beans

For advanced purposes, you can also extend or override the Spring Bean definitions of the subsystem.

If you add a Spring Bean file to your application server's global classpath (e.g. under $TOMCAT_HOME/shared/classes) with a path matching the following pattern you can add to or override the subsystem bean definitions.

alfresco/extension/subsystems/<category>/<type>/<id>/*-context.xml

Here, the ID is the subsystem instance identifier, which will be default for single instance subsystems, or the provided ID for chained subsystems.

So, for example, suppose your authentication chain looked like this:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

Then you could put bean definition overrides for alfrescoNtlm1 in

alfresco/extension/subsystems/Authentication/alfrescoNtlm/alfrescoNtlm1/custom-context.xml

Remembering that the default type and ID of non-chained subsystems is default you could put overrides for file server beans in

alfresco/extension/subsystems/fileServers/default/default/custom-file-servers-context.xml

*Edit

After re-reading your question I realized that this really only pertains to your question regarding properties and locations. I thought I have read that everything should at the bare minimum work with Explorer before it works with Share (someone please correct me if I'm wrong).

Re: Understanding Alfresco subsystems for authentication (3.3)

mrogers — Wed, 15 Sep 2010 08:01:46 GMT

Please don't change anything in the WEB-INF folder.

Re: Understanding Alfresco subsystems for authentication (3.3)

bnice — Wed, 15 Sep 2010 08:25:59 GMT

So every changes have to be done in alfresco-global.properties? I'll try this.

Re: Understanding Alfresco subsystems for authentication (3.3)

bnice — Wed, 15 Sep 2010 11:46:33 GMT

I followed this guide
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Kerberos
and I've added the following in the alfresco-global.properties:


# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#————-
#authentication.chain=alfrescoNtlm1:alfrescoNtlm
authentication.chain=alfrescoNtlm1:alfrescoNtlm, kerberos:kerberos
kerberos.authentication.realm=MYDOMAIN.LOCAL
kerberos.authentication.sso.enabled=false
kerberos.authentication.authenticateCIFS=true
kerberos.authentication.user.configEntryName=alfresco
kerberos.authentication.cifs.configEntryName=alfrescocifs
kerberos.authentication.http.configEntryName=alfrescohttp
kerberos.authentication.cifs.password=***
kerberos.authentication.http.password=***
kerberos.authentication.defaultAdministratorUserNames=admin
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

But must have missed something - Trying login with domain acounts fails:

The Remote Server is unreachable, or your credentials were not recognized.‍

(I translated that from German…)

Re: Understanding Alfresco subsystems for authentication (3.3)

bnice — Wed, 15 Sep 2010 12:50:53 GMT

I found a hint how to work with the subsystems here: http://forums.alfresco.com/en/viewtopic.php?f=9&t=28656
Now trying to adopt this for my system.

So I copied the files from
/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/…
to
opt/Alfresco/shared/classes/extension/subsystems/Authentication/…
(/ldap-ad/ldap-ad1, /alfrescoNtlm/alfrescoNtlm1, /passthru/passthru1, …)
where I edited these (when necessary).

Am I correct so far?

My alfresco-global.properties is now only containing

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad‍

for authentication, I'll later extend this to kerberos

Re: Understanding Alfresco subsystems for authentication (3.3)

bnice — Wed, 15 Sep 2010 14:40:39 GMT

Found the problem regarding the subsystems:
Was caused by a "File not found"

tail -f alfresco.log‍

is always your friend…

Caused by: java.io.FileNotFoundException: 
/opt/Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap-ad1/../common-ldap-context.xml (No such file or directory)
‍‍‍

The file "common-ldap-context.xml" has to be located under
/opt/Alfresco/shared/classes/extension/subsystems/Authentication/ldap-ad
respective
/opt/Alfresco/shared/classes/extension/subsystems/Authentication/ldap
(for non Windows-LDAP)

At first, I copied it to
/opt/Alfresco/shared/classes/extension/subsystems/Authentication/ldap-ad/ldap-ad1

After correcting that, LDAP was used for authentication.
Share is now running with LDAP-login, Alfresco explorer still has an error, as it is not supporting NTLMv2:

16:24:13,865 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:000000000000000000000000000000000000000000000000,
NTLM:35fb5be1dba846ea300a95190c2ff33d0101000000000000af8ab392e154cb01578d66ff7ea7475a000000000200060061006c0066000000000000000000,
Dom:,User:user@mydomain.local,Wks:Workstationname]
16:24:13,866 ERROR [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Client Workstationname using NTLMv2 logon, not valid with passthru authentication
‍‍‍‍‍

So, I'll have to use Kerberos for that (please correct me if I'm wrong)

I'll stick to this guide http://www.anotherstrangerme.com/afresco-integration-with-active-directory-using-kerberos/ for configuring Kerberos.

Re: Understanding Alfresco subsystems for authentication (3.3)

bnice — Wed, 15 Sep 2010 15:32:48 GMT

UPDATE

Seems to be working now

Used authentication chain

authentication.chain=kerberos1:kerberos,ldap-ad1:ldap-ad‍

and configured everything else in the config files for the authentication subsystem.