https://connect.hyland.com/t5/alfresco-archive/ldap-starttls/m-p/292134#M245264 <HTML><HEAD></HEAD><BODY><SPAN>Hello,</SPAN><BR /><BR /><SPAN>I am using Alfresco 4.2.e on Windows Server 2008 R2.</SPAN><BR /><BR /><SPAN>I intent to configure LDAP authentication on Alfresco so that the users of my Windows AD could log on Alfresco.</SPAN><BR /><BR /><SPAN>My problem is the use of a certificate with StartTls encryption method. Anybody of my AD can log on Alfresco, and I haven't found in the documentation something about my case… How can I enforce Alfresco to choose StartTls encryption method?</SPAN><BR /><BR /><SPAN>In alfresco.log, I have the following error :</SPAN><BR /><SPAN>&lt;blockquote&gt;</SPAN><BR /><SPAN>11:00:00,186 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error</SPAN><BR /><SPAN>org.alfresco.repo.security.authentication.AuthenticationException: 06200027 Echec de la connexion à ldap://SERVER.DOMAIN.local:389. Raison javax.naming.AuthenticationNotSupportedException, [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:192)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:108)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:89)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.&lt;init&gt;(LDAPUserRegistry.java:688)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:685)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:969)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:714)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:51)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:47)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.quartz.core.JobRunShell.run(JobRunShell.java:216)</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)</SPAN><BR /><SPAN>Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]</SPAN><BR /><SPAN>&lt;/blockquote&gt;</SPAN><BR /><BR /><STRONG style=": ; color: red; text-decoration: underline;">Method applied :</STRONG><BR /><BR /><STRONG>1) Tests with Apache Directory Studio</STRONG><BR /><BR /><SPAN style="text-decoration: underline;">* Failed with the previous error when:</SPAN><BR /><SPAN>server : SERVER.DOMAIN.local, port:389, encryption method : none, provider : JNDI</SPAN><BR /><SPAN>authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local</SPAN><BR /><SPAN>or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local</SPAN><BR /><BR /><SPAN style="text-decoration: underline;">* Succeed with</SPAN><BR /><SPAN>server : SERVER.DOMAIN.local, port:389, encryption method : StartTls, provider : JNDI</SPAN><BR /><SPAN>authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local</SPAN><BR /><SPAN>or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local</SPAN><BR /><BR /><STRONG>2) Alfresco configuration</STRONG><BR /><BR /><SPAN style="text-decoration: underline;">In alfresco-global.properties file I added in the end :</SPAN><BR /><SPAN>&lt;blockcode&gt;</SPAN><BR /><SPAN>### Protocoles d’authentification ###</SPAN><BR /><SPAN>authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm</SPAN><BR /><BR /><SPAN>### Synchronisation Active Directory ###</SPAN><BR /><SPAN>synchronization.import.cron=0 0/30 9-18 ? * MON-FRI</SPAN><BR /><SPAN>synchronization.synchronizeChangesOnly=false</SPAN><BR /><SPAN>synchronization.syncWhenMissingPeopleLogIn=true</SPAN><BR /><SPAN>&lt;/blockcode&gt;</SPAN><BR /><BR /><SPAN>I added in the arborescence :</SPAN><BR /><SPAN>C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap</SPAN><BR /><SPAN>- file : common-ldap-context.xml (copy)</SPAN><BR /><SPAN>- directory : ldap-ad1</SPAN><BR /><SPAN>&nbsp;&nbsp; |</SPAN><BR /><SPAN>&nbsp;&nbsp; ——– files : ldap-ad-authentication.properties (copy), ldap-ad-authentication-context.xml (copy)</SPAN><BR /><SPAN>** copies from C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication…</SPAN><BR /><BR /><SPAN>I updated the copy of ldap-ad-authentication.properties like this :</SPAN><BR /><BR /><SPAN>&lt;blockcode&gt;</SPAN><BR /><SPAN>ldap.authentication.active=true</SPAN><BR /><SPAN>ldap.authentication.allowGuestLogin=false</SPAN><BR /><SPAN>ldap.authentication.userNameFormat=%s@domain.local</SPAN><BR /><SPAN>ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory</SPAN><BR /><SPAN>ldap.authentication.java.naming.provider.url=ldap://SERVER.DOMAIN.local:389</SPAN><BR /><SPAN>ldap.authentication.java.naming.security.authentication=simple</SPAN><BR /><SPAN>ldap.authentication.escapeCommasInBind=false</SPAN><BR /><SPAN>ldap.authentication.escapeCommasInUid=false</SPAN><BR /><SPAN>ldap.authentication.defaultAdministratorUserNames=user_alfresco,Administrateur,admin</SPAN><BR /><SPAN>ldap.synchronization.active=true</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.authentication=simple</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.principal=CN=Alfresco,CN=Users,DC=DOMAIN,DC=local</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.credentials=secret</SPAN><BR /><BR /><SPAN>ldap.synchronization.queryBatchSize=1000&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><BR /><SPAN>ldap.synchronization.attributeBatchSize=1000</SPAN><BR /><SPAN>ldap.synchronization.groupQuery=(objectclass\=group)</SPAN><BR /><SPAN>ldap.synchronization.groupDifferentialQuery=(&amp;(objectclass\=group)(!(whenChanged&lt;\={0})))</SPAN><BR /><SPAN>ldap.synchronization.personQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)) </SPAN><BR /><SPAN>ldap.synchronization.personDifferentialQuery=(&amp;(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged&lt;\={0})))</SPAN><BR /><BR /><SPAN>ldap.synchronization.groupSearchBase=dc\=DOMAIN,dc=local</SPAN><BR /><SPAN>ldap.synchronization.userSearchBase=dc\=DOMAIN,dc=local</SPAN><BR /><BR /><SPAN>ldap.synchronization.modifyTimestampAttributeName=whenChanged</SPAN><BR /><SPAN>ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'</SPAN><BR /><SPAN>ldap.synchronization.userIdAttributeName=sAMAccountName</SPAN><BR /><SPAN>ldap.synchronization.userFirstNameAttributeName=givenName</SPAN><BR /><SPAN>ldap.synchronization.userLastNameAttributeName=sn</SPAN><BR /><SPAN>ldap.synchronization.userEmailAttributeName=mail</SPAN><BR /><SPAN>ldap.synchronization.userOrganizationalIdAttributeName=company</SPAN><BR /><SPAN>ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider</SPAN><BR /><SPAN>ldap.synchronization.groupIdAttributeName=cn</SPAN><BR /><SPAN>ldap.synchronization.groupDisplayNameAttributeName=displayName</SPAN><BR /><SPAN>ldap.synchronization.groupType=group</SPAN><BR /><SPAN>ldap.synchronization.personType=user</SPAN><BR /><SPAN>ldap.synchronization.groupMemberAttributeName=member</SPAN><BR /><SPAN>ldap.synchronization.enableProgressEstimation=true</SPAN><BR /><SPAN>ldap.authentication.java.naming.read.timeout=0</SPAN><BR /><SPAN>&lt;/blockcode&gt;</SPAN><BR /><BR /><STRONG>3) Java configuration</STRONG><BR /><SPAN>Inspired by </SPAN><A href="https://wiki.alfresco.com/wiki/Ldap_over_SSL" rel="nofollow noopener noreferrer">https://wiki.alfresco.com/wiki/Ldap_over_SSL</A><BR /><BR /><SPAN>- I copied the certificate from Apache Directory Studio (Window&gt;Preferences&gt;Apache Directory Studio&gt; Certificate validation&gt; export on my PC the certificate CN=SERVER.DOMAIN.local and renamed "certificate.der")</SPAN><BR /><SPAN>- in a Windows batch console (Administrator mode):</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />C:\Alfresco\java\bin\keytool -import -alias 192.168.1.101 -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><PRE class="language-none line-numbers"><CODE><BR />C:\Alfresco\java\bin\keytool -import -alias SERVER.DOMAIN.local -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>I indicated my keystore password for each previous command.</SPAN><BR /><SPAN>I opened the properties of the tomcat service of Alfresco with the following command</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />C:\Alfresco\tomcat\bin\tomcat7w //ES//alfrescoTomcat<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>And in Java&gt;Java Options, I added : </SPAN><BR /><SPAN>-Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts"</SPAN><BR /><BR /><SPAN>I restarted tomcat and… it I could not log on Alfresco.</SPAN><BR /><SPAN>&lt;!–break–&gt;</SPAN></BODY></HTML> Tue, 21 Jul 2015 15:34:04 GMT nancygaillard 2015-07-21T15:34:04Z https://connect.hyland.com/t5/alfresco-archive/ldap-starttls/m-p/292134#M245264 Hello,I am using Alfresco 4.2.e on Windows Server 2008 R2.I intent to configure LDAP authentication on Alfresco so that the users of my Windows AD could log on Alfresco.My problem is the use of a certificate with StartTls encryption method. Anybody of my AD can log on Alfresco, and I haven't found i Tue, 21 Jul 2015 15:34:04 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-starttls/m-p/292134#M245264 nancygaillard 2015-07-21T15:34:04Z https://connect.hyland.com/t5/alfresco-archive/ldap-starttls/m-p/292135#M245265 <HTML><HEAD></HEAD><BODY><SPAN>I have downloaded Apache 2.2 and used it like a front-end proxy in HTTPS. I supposed that I could authenticate but I can't.</SPAN><BR /><SPAN>the result is I can see the authentication page (in the first case too) but when I try to log in it provokes the same error…</SPAN><BR /><BR /><SPAN>Does somebody know if it is normal I can't authenticate using a front-end Apache in HTTPS?</SPAN><BR /><BR /><SPAN>#edit</SPAN><BR /><BR /><SPAN>The certificate of Apache and the one of the LDAP are different.</SPAN></BODY></HTML> Tue, 28 Jul 2015 13:38:00 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-starttls/m-p/292135#M245265 nancygaillard 2015-07-28T13:38:00Z https://connect.hyland.com/t5/alfresco-archive/ldap-starttls/m-p/292136#M245266 <HTML><HEAD></HEAD><BODY><SPAN>With the LDP Windows command, I have seen that the connection is really in SSL, and a user have to authenticate itself with SASL. So, I check connexion to the server and user authentications with Apache Directory, openssl s_client, and with SSLPoke.</SPAN><BR /><BR /><SPAN>I succeed log LDAP user with this configuration :</SPAN><BR /><BR /><SPAN>I updated only these lines of ldap-ad-authentication.properties like this :</SPAN><BR /><SPAN>&lt;blockcode&gt;</SPAN><BR /><SPAN>ldap.authentication.java.naming.provider.url=ldaps://SERVER.DOMAIN.local:636</SPAN><BR /><SPAN>ldap.synchronization.java.naming.security.principal=Alfresco</SPAN><BR /><SPAN>&lt;/blockcode&gt;</SPAN><BR /><BR /><SPAN>I remove the line I have added in Java options of the tomcat service</SPAN><BR /><BR /><SPAN>I added the certificate in the C:\Alfresco\al_data\keystore\ssl.trustore with this command :</SPAN><BR /><PRE class="language-none line-numbers"><CODE><BR />C:\Alfresco\java\bin\keytool -import -storetype JCEKS -file C:\Users\al_semsamar\Documents\se-certificate.der -alias server.domain.se.local -keystore C:\Alfresco\alf_data\keystore\ssl.truststore<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><BR /><SPAN>and I restarted Alfresco, and it works!</SPAN><BR /><BR /><SPAN>Thank you</SPAN></BODY></HTML> Wed, 05 Aug 2015 20:31:47 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-starttls/m-p/292136#M245266 nancygaillard 2015-08-05T20:31:47Z