topic alfresco 4 + LDAP in Alfresco Archive

alfresco 4 + LDAP

jms_nh — Thu, 27 Oct 2011 14:24:52 GMT

I'm a complete novice to alfresco + have just installed the latest community edition 4.0.I want to configure it to use an LDAP server for authentication, and am very confused. The documentation for alfresco (http://docs.alfresco.com/3.4/index.jsp?topic=%2Fcom.alfresco.Enterprise_3_4_0.doc%2Fconcepts

Re: alfresco 4 + LDAP

scouil — Fri, 28 Oct 2011 14:05:27 GMT

There are a lot of posts about LDAP on the forum. Check that one for example:
https://forums.alfresco.com/en/viewtopic.php?f=46&t=14737&start=15

And the only file you'll need to configure in most cases is tomcat/shared/classes/alfresco-global.properties :
http://wiki.alfresco.com/wiki/Repository_Configuration#alfresco-global.properties_.28V3.2.2B.29

Hope you can find your answers in those links. Come back if you couldn't or if you have other questions I'll be glad to help.

Re: alfresco 4 + LDAP

mrogers — Fri, 28 Oct 2011 14:25:25 GMT

This is the URL for the Alfresco 4.0 documentation -> http://docs.alfresco.com/4.0/index.jsp

Re: alfresco 4 + LDAP

leftcase — Fri, 28 Oct 2011 16:02:53 GMT

I like yourself am pretty new to this too…

Here's how I got it working:

Alfresco will let you use the authentication capabilities of multiple different auth systems. If you just want LDAP, put this line into your alfresco-global.properties file ( you'll find it in Alfresco/tomcat/shared/classes)

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad‍

Then create a file in this path (create the folders too if they don't exist) and fill it with info needed for your AD:

Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties

ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@YOURDOMAINHERE
ldap.authentication.java.naming.provider.url=ldap://YOURDC.YOURDOMAINHERE:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,yourusername
ldap.synchronization.java.naming.security.principal=alfresco@YOURDOMAINHERE
ldap.synchronization.java.naming.security.credentials=*************
ldap.synchronization.groupSearchBase=cn=someOU,dc=YOURDOMAIN,dc=COM
ldap.synchronization.userSearchBase=cn=someOU,dc=YOURDOMAIN,dc=COM‍‍‍‍‍‍‍‍

See where it says ldap.synchronization.java.naming.security.principal & credentials? You need to create an AD user for Alfresco to use to 'browse the AD with'. Put the username and password for this user in those spaces.

Restart the tomcat service.

Check the latest log in the Alfresco/tomcat/logs folder and you should see lots of info about Alfresco syncing users and groups from your Active Directory. Wait a little while and you'll be able to log in using your AD account.

Caveat - This authentication is done in-the-clear, so isn't very secure.

Re: alfresco 4 + LDAP

throwback — Mon, 31 Oct 2011 18:59:28 GMT

Awesome! A set of clear directions on how to get LDAP-AD working.

Can I ask a cogent question? Why is the ldap-ad config going into a subdirectory called ldap1? I have found nothing in documentation anywhere that describes this need, and the default alfrescoNtlm authentication subsystem configuration doesn't sit in alfrescoNtlm1.

Even the packt book I bought is completely redundant now. How does anyone upgrade? The configuration files for each subsystem seem to move and change with every release!

Been trying to configure this beast for a month now and I am very close to just telling my boss I am too thick to do this and just buy Sharepoint.

Arg, rant over. Still, can anyone describe why the ldap-ad config has to go in a separate subdirectory?

Kind regards,

Iain

Re: alfresco 4 + LDAP

mrogers — Mon, 31 Oct 2011 20:30:11 GMT

The config does not change that much!

As for why its called ldap1, that's simply the name given to in in the authentication chain above. The chain consists of name/type pairs.

So the chain above contains two authenticators. The first called "alfinst" of type "alfrescoNTLM" the second called "ldap1" of type "ldap-ad".

Types are alfrescoNTLM, ldap, ldap-ad, passthru, kerberos and external.

You could if you wanted do something horrible like.

authentication.chain=default:alfrescoNtlm,bill:ldap-ad,ben:ldap-ad,conan:kerberos

In which case the various configuration files would live under

filesystems/alfrescoNtlm/default
filesystems/ldap-ad/bill
filesystems/ldap-ad/ben
filesystems/kerberos/conan

Re: alfresco 4 + LDAP

mrogers — Tue, 01 Nov 2011 12:26:47 GMT

And in the case above with only a single authenticator simply put the authentication properties into alfresco-global.properties

There's no need to faff with the subsystem folders for the simple cases.

Re: alfresco 4 + LDAP

jpearson — Wed, 02 Nov 2011 23:29:13 GMT

Just some info, one thing that tripped me up was that when I specified the credentials that alfresco would use to query LDAP in the alfresco configuration file I did domain\username but found out later on that '\' was a special char and so I had to escape it like this domain\\username. Just something to be aware of.

Re: alfresco 4 + LDAP

mrogers — Wed, 02 Nov 2011 23:42:23 GMT

Yes you have to escape the '\' character in a properties file.

Its probably easier to use the unix directory separator character '/' instead.

Re: alfresco 4 + LDAP

prabuprasath — Tue, 11 Mar 2014 14:19:30 GMT

i want to configure with external LDAP, if there any good link means, please send me