https://connect.hyland.com/t5/alfresco-archive/active-directory-ldap-sync/m-p/243107#M196237 <HTML><HEAD></HEAD><BODY><SPAN>G'day,</SPAN><BR /><BR /><SPAN>I've setup Alfresco 3.2 with passthru authentication easily enough, however what I'm banging my head on is AD synchronization.&nbsp; This setup is on a Win2k3 server and trying to authorize to a Win2k3 domain controller.&nbsp; Global config file as follows:</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE>authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1<BR /><BR /><BR />ntlm.authentication.sso.enabled=true<BR />passthru.authentication.authenticateCIFS=true<BR /><BR />passthru.authentication.domain=DOMAIN<BR />passthru.authentication.servers=server1,server2<BR /><BR />ldap.authentication.active=false<BR />ldap.synchronization.active=true<BR /><BR />ldap.authentication.userNameFormat=%s@domain.com<BR />ldap.authentication.java.naming.provider.url=ldap://server1:389<BR /><BR />ldap.authentication.defaultAdministratorUserNames=administrator,myaccount<BR /><BR />ldap.synchronization.java.naming.security.principal=serviceaccount@domain.com<BR />ldap.synchronization.java.naming.security.credentials=&lt;secret&gt;<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>What seems to be happening is I'm getting a login failed error in the log, as such:</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE>18:21:48,819 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, passthru1]<BR />18:21:48,866 INFO&nbsp; [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]<BR />18:21:48,960 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, passthru1] complete<BR />18:21:48,976 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap-ad]<BR />18:21:49,007 INFO&nbsp; [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]<BR />18:21:49,007 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, ldap-ad] complete<BR />18:25:32,491 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 06240087 Login failed<BR />org.alfresco.web.scripts.WebScriptException: 06240087 Login failed<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>Any ideas as to what might be causing this?&nbsp; I'm seeing network traffic on a packet capture talking to the DC, but that's it.</SPAN></BODY></HTML> Sat, 25 Jul 2009 01:42:02 GMT daveram 2009-07-25T01:42:02Z https://connect.hyland.com/t5/alfresco-archive/active-directory-ldap-sync/m-p/243107#M196237 G'day,I've setup Alfresco 3.2 with passthru authentication easily enough, however what I'm banging my head on is AD synchronization.&nbsp; This setup is on a Win2k3 server and trying to authorize to a Win2k3 domain controller.&nbsp; Global config file as follows:authentication.chain=alfrescoNtlm1:alfrescoNtlm Sat, 25 Jul 2009 01:42:02 GMT https://connect.hyland.com/t5/alfresco-archive/active-directory-ldap-sync/m-p/243107#M196237 daveram 2009-07-25T01:42:02Z https://connect.hyland.com/t5/alfresco-archive/active-directory-ldap-sync/m-p/243108#M196238 <HTML><HEAD></HEAD><BODY><SPAN>In my experience your config shouldn't work for passthru since alfrescoNtlm and passthru shouldn't be enabled to provide sso at the same time (which is what you setup). So while your CIFS auth might work in this example, I doubt that you can succesfully login to /alfresco webapp with your AD credentials using passthru because in your case sso auth is handled by alfrescoNtlm.</SPAN><BR /><BR /><SPAN>You need to acquire the 14.07.2009. nightly build of Alfresco to get the version with working extensions/classpaths. And then you need to define separate configuration for different instances of your Authentication subsystem as per </SPAN><A href="http://wiki.alfresco.com/wiki/Alfresco_Subsystems#Configuring_Subsystems" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/Alfresco_Subsystems#Configuring_Subsystems</A><SPAN>.</SPAN><BR /><BR /><SPAN>This was recently explained to me so search for my posts on this forum, and you can also find the link to the build in the discussion.</SPAN><BR /><BR /><SPAN>As for&nbsp; need to provide search base additional to what you provided. Here is my $TOMCAT_HOME/shared/classes/alfresco/extensions/subsystems/Authentication/ldap-ad/ldap-ad1/ldap-ad.properties</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />ldap.authentication.userNameFormat=%s@&lt;myDomain.tld&gt;<BR />ldap.authentication.java.naming.provider.url=ldap://&lt;myDC'sFQDN&gt;:389<BR /><BR />ldap.authentication.defaultAdministratorUserNames=administrator,&lt;me&gt;<BR /><BR />ldap.synchronization.java.naming.security.principal=administrator@&lt;myDomain.tld&gt;<BR />ldap.synchronization.java.naming.security.credentials=&lt;password&gt;<BR /><BR />ldap.authentication.java.naming.security.authentication=SIMPLE<BR /><BR />ldap.synchronization.userSearchBase=ou=&lt;OUcontainingUsers&gt;,dc=&lt;myDomain&gt;,dc=&lt;tld&gt;<BR /><BR />ldap.synchronization.groupSearchBase=ou=&lt;OUcontainingUsers&gt;,dc=&lt;myDomain&gt;,dc=&lt;tld&gt;<BR /><BR />ldap.authentication.allowGuestLogin=true<BR />synchronization.synchronizeChangesOnly=false<BR />synchronization.syncWhenMissingPeopleLogIn=true<BR />synchronization.autoCreatePeopleOnLogin=true<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE></BODY></HTML> Thu, 30 Jul 2009 06:44:42 GMT https://connect.hyland.com/t5/alfresco-archive/active-directory-ldap-sync/m-p/243108#M196238 bmarkovic 2009-07-30T06:44:42Z https://connect.hyland.com/t5/alfresco-archive/active-directory-ldap-sync/m-p/243109#M196239 <HTML><HEAD></HEAD><BODY><SPAN>It also looks like the line</SPAN><BR /><BR /><SPAN>authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1<img id="smileytongue" class="emoticon emoticon-smileytongue" src="https://connect.hyland.com/i/smilies/16x16_smiley-tongue.png" alt="Smiley Tongue" title="Smiley Tongue" />assthru,ldap-ad:ldap1</SPAN><BR /><BR /><SPAN>is wrong. Make it "ldap1:ldap-ad" instead.</SPAN></BODY></HTML> Wed, 12 Aug 2009 14:03:28 GMT https://connect.hyland.com/t5/alfresco-archive/active-directory-ldap-sync/m-p/243109#M196239 ipeters 2009-08-12T14:03:28Z