topic Yet another LDAP configuraiton question in Alfresco Archive

Yet another LDAP configuraiton question

yosemitesam — Fri, 13 May 2011 17:39:30 GMT

Hi,I'm new to Alfresco, new to LDAP, and new to the forum. I have inherited a broken Alfresco 3.4.d installation from a co-worker, and am trying to get it online. We are running on a hosted system using x86_64 GNU/Linux. OpenLDAP, Crowd, and JIRA are all configured and working, but I have been un

Re: Yet another LDAP configuraiton question

yosemitesam — Sun, 15 May 2011 22:20:11 GMT

Wow, 41 views in two days and no responses. Is my question too vague? Too little info?

Since the original post I've learned a bit about LDAP and slapd, installed Softerra on my Windows machine, and have proved that the LDAP store is accessible. I have DNs that work from Softerra as well as the ldap and slapd -T utility sets.

I have eliminated the initial LDAP bind error from Alfresco startup by removing the "ldap1:" entry from the authentication chain; I noted it was blowing up on that entry, so my chain is now defined as "authentication.chain=ldap", and no error occurs at bind.

However, when users attempt to log in to Alfresco, it throws an invalid login exception, even when the user specifies the correct password:


21:50:28,268 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 04150001 Login failed
org.springframework.extensions.webscripts.WebScriptException: 04150001 Login failed
        at org.alfresco.repo.web.scripts.bean.AbstractLoginBean.login(AbstractLoginBean.java:75)
‍‍‍‍‍

I tried several user names with several "known good" passwords, and they all failed.

I've tried different values in ldap.authentication.userNameFormat. The initial value, which was set when I took over, used:


ldap.authentication.userNameFormat=cn=%s,dc=machine,dc=company,dc=com
‍‍‍

I found that regular users need to include "ou=Users," to get authenticated by "ldapsearch", for instance, so I modified the string to:


ldap.authentication.userNameFormat=cn=%s,ou=Users,dc=machine,dc=company,dc=com
‍‍‍

I also tried removing the escapes from the Principal definition:


from
ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=machine,dc\=company,dc\=com

to
ldap.synchronization.java.naming.security.principal=cn=Manager,dc=machine,dc=company,dc=com
‍‍‍‍‍‍‍

To clarify: The Manager CN can log in with the indicated DN, while users must specify the "ou=Users" piece.

I found that my slapd server is very picky about DNs. If I don't specify the entire DN for the user, as indicated above - in that exact order, even - it fails to authenticate. I don't know if this is normal or not, but it seems it should allow partial qualification, eg, -Dcn=user,dc=company,dc=com. Not in my case, anyway.

In any event, I still cannot log into Alfresco, and I'm fresh out of ideas as to what to look for next. Any suggestions?

– Sam

Re: Yet another LDAP configuraiton question

mrogers — Mon, 16 May 2011 09:11:05 GMT

You shouldn't be hacking files below WEB-INF.

Re: Yet another LDAP configuraiton question

yosemitesam — Mon, 16 May 2011 14:49:59 GMT

You shouldn't be hacking files below WEB-INF.

Thanks, but that's not real helpful.

As stated in the original, I'm new at this, and am trying to work with a configuration I inherited from someone.

I tried moving the definitions to the alfresco-global.properties file and it had no effect, so I moved them back to where I found them.

– Sam

Re: Yet another LDAP configuraiton question

sydwellz — Thu, 02 Jun 2011 13:51:54 GMT

Hi
I am new as well but should not these settings be in /opt/alfresco/tomcat/shared/classes/alfresco.global.properties ?

Hi,

In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/repository.properties I have set:
# The default authentication chain
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
‍‍‍‍
In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties

– Sam