Alfresco + OpenLDAP + Filtering (logging by two conditions)

mmmartin — Mon, 10 Dec 2012 15:16:47 GMT

Hi All!I have a problem during configuring OpenLDAP authentication with Alfresco.I saw some similar topics, but the most are about AD, not about OpenLDAP.My aim is to log people to Alfresco using LDAP. People have user account in phpLDAPAdmin and some of them are members of Alfresco group.Logging in

Re: Alfresco + OpenLDAP + Filtering (logging by two conditions)

mmmartin — Fri, 04 Jan 2013 11:55:13 GMT

Anyone else?

Re: Alfresco + OpenLDAP + Filtering (logging by two conditions)

mmmartin — Wed, 09 Jan 2013 11:39:29 GMT

I have resolved the problem I have mentioned above.
My solution is written below for your consideration.

My question was:
How can I authenticate by LDAP with checking group membership in LDAP. Only users with ecm membership can log into Alfresco. For this I need a query in LDAP and the personQuery did not work.

Solution:
The key is set UserNameFormat empty and then personQuery will work!

FIRST STEP
My OpenLDAP Directory system:

dc=capsulecorp,dc=com
|_cn=admin
|_ou=Groups
—|_cn=ecm
—|_cn=fs
—|_cn=…
—|_…
|_ou=Users
—|_cn=firstname1 surname1
—|_cn=firstname2 surname2
—|_cn=…
—|_…

The children of ou=Groups are groupOfName entries. (e.g. cn=ecm: Enterprise Content Management - Alfresco)
The users in ou=Users are members of cn=ecm groupOfName entry (exactly those people who need permission to Alfresco).

SECOND STEP
My Alfresco is running on BitNami Virtual Appliance Stack
My Alfresco Settings:

1, alfresco-global.properties

- Path:

/opt/bitnami/apache-tomcat/shared/classes/alfresco-global.properties‍

- Modifications: Write the row below into the file - anywhere

authentication.chain=myldap:myldap,alfrescoNtlm:alfrescoNtlm‍

- Notes:

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_3:_Configure_Authentication_subsystem_in_.22shared.22_folder

b, alfrescoNtlm is Alfresco's default authentication system

c, chain means that Alfresco is trying to authenticate by systems in the chain in order

2, ldap-authentication.properties

- Default Path:

/opt/bitnami/apache-tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties
‍‍

- New Path:

/opt/bitnami/apache-tomcat/shared/classes/alfresco/subsystems/Authentication/myldap/ldap-authentication.properties
‍‍

- Note for New Path:

You should make the missing directories:

sudo mkdir /subsystems/Authentication/myldap/‍

And then copy the file into myldap folder.

- Modifications:


ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.10.10.10:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=true
ldap.authentication.escapeCommasInUid=true
ldap.authentication.defaultAdministratorUserNames=
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=cn\=admin,dc\=capsulecorp,dc\=com
ldap.synchronization.java.naming.security.credentials=PASSWORD
ldap.synchronization.queryBatchSize=0
ldap.synchronization.attributeBatchSize=0
ldap.synchronization.groupQuery=(&(objectclass\=groupOfNames)(cn\=ecm))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(memberof\=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com
ldap.synchronization.userSearchBase=ou\=Users,dc\=capsulecorp,dc\=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=uid
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=description
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

The most important config variables are answering my Query question:

-> ldap.authentication.userNameFormat=

This variable should be empty as you can see for making an LDAP query

-> ldap.synchronization.personQuery=(&(objectclass\=inetOrgPerson)(memberof\=cn\=ecm,ou\=Groups,dc\=capsulecorp,dc\=com))

This is the group member checker query for LDAP

-> ldap.synchronization.userIdAttributeName=uid

This attribute will be the username at logging into Alfresco!

3, ldap-authentication-context.xml

- Default Path:

/opt/bitnami/apache-tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication-context.xml
‍‍

- New Path:

/opt/bitnami/apache-tomcat/shared/classes/alfresco/subsystems/Authentication/myldap/ldap-authentication-context.xml
‍‍

- Modifications: Change the short row in the file as Example 3 said (you can find link above) to this:

<import resource="classpath*:alfresco/subsystems/Authentication/common-ldap-context.xml" />
‍‍

4, ldap-synchronization.properties

- Path:

/opt/bitnami/apache-tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Synchronization/default/default-synchronization.properties‍

- Modifications:


synchronization.synchronizeChangesOnly=true
synchronization.import.cron=0 0 0 * * ?
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.syncOnStartup=true
synchronization.autoCreatePeopleOnLogin=true
synchronization.loggingInterval=100
synchronization.workerThreads=2
synchronization.allowDeletions=true
‍‍‍‍‍‍‍‍‍‍

- Note: Actually I did not change anything

THIRD STEP
Finally You should restart the Apache-Tomcat server.
Type the row below anywhere in the directory system:

sudo /opt/bitnami/ctlscript.sh restart‍

topic Re: Alfresco + OpenLDAP + Filtering (logging by two conditions) in Alfresco Archive

Alfresco + OpenLDAP + Filtering (logging by two conditions)

Re: Alfresco + OpenLDAP + Filtering (logging by two conditions)

Re: Alfresco + OpenLDAP + Filtering (logging by two conditions)