LDAP - Specify Realm

squaricdot — Thu, 04 Nov 2010 17:35:35 GMT

Good afternoon,I've a working authentication+synchronization ldap (openldap) configuration. i store my configuration in shared/classes/alfresco-global.properties as:<<alfresco-global.properties>>…authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap…## OPENLDAP AUTH+SYNC#————-ldap.a

Re: LDAP - Specify Realm

squaricdot — Thu, 04 Nov 2010 18:13:18 GMT

When I added the java.naming.security.sasl.realm=single lines to the alfresco-global.properties file the ldap synchronization was not working, Alfresco was not sending any realm.

Normally that would mean that the default realm is used and the synchronization would succeed.
To test it properly I disabled the regular expressions in slapd.conf which handle the default realm. Only the explicit realm expressions are present, for the realm: single.

Alfresco is throwing error (feedback is from openldap):

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - SASL(-13): user not found: no secret in database]‍

Which is correct because the realm single was not used. openldap cannot translate the sasl authenticationID to an existing ldap dn.

I finally found out how to make alfresco explicitly provide ldap with the realm I want, thus actually solving my own problem. However alfresco is now throwing another error which makes no sense to me:

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - SASL(-13): authentication failure: realm changed: authentication aborted]‍

First I describe how to make alfresco explicitly provide LDAP with the realm you want, although LDAP is not accepting it at this moment.

Edit this part in common-ldap-context.xml:
<<common-ldap-context.xml>>

…
<!– The authentication mechanism to use      –>
            <!– Some sasl authentication mechanisms may require a realm to be set –>
            <!–                java.naming.security.sasl.realm –>
            <!– The available options will depend on your LDAP provider –>
            <entry key="java.naming.security.authentication">
               <value>${ldap.authentication.java.naming.security.authentication}</value>
            </entry>
…‍‍‍‍‍‍‍‍‍

<</common-ldap-context.xml

Make it look like this:
<<common-ldap-context.xml>>

<!– The authentication mechanism to use      –>
            <!– Some sasl authentication mechanisms may require a realm to be set –>
            <!–                java.naming.security.sasl.realm –>
            <entry key="java.naming.security.sasl.realm">
                <value>${ldap.synchronization.java.naming.security.sasl.realm}</value>
            </entry>
            <!– The available options will depend on your LDAP provider –>
            <entry key="java.naming.security.authentication">
               <value>${ldap.authentication.java.naming.security.authentication}</value>
            </entry>‍‍‍‍‍‍‍‍‍‍

<</common-ldap-context.xml>>

Add this property in it's default setting to the ldap-authentication.properties file like this:
# vim subsystems/Authentication/ldap/ldap-authentication.properties
<<ldap-authentication.properties>>

…
# The SASL realm
ldap.synchronization.java.naming.security.sasl.realm=
…‍‍‍‍

<</ldap-authentication.properties>>

finally I can add the following line to my alfresco-global.properties:

<<alfresco-global.properties>>

…
ldap.synchronization.java.naming.security.sasl.realm=single
…‍‍‍

<</alfresco-global.properties>>

When a synchronization is performed it throws the error (feedback from openldap):

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - SASL(-13): authentication failure: realm changed: authentication aborted]‍

Why is LDAP not accepting my realm?

topic LDAP - Specify Realm in Alfresco Archive

LDAP - Specify Realm

Re: LDAP - Specify Realm