https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298502#M251632 <HTML><HEAD></HEAD><BODY><SPAN>Hi m4lewis,</SPAN><BR /><BR /><SPAN>Congratz for getting it to work.</SPAN><BR /><SPAN>And thanks for posting the answer for everyone to see.</SPAN><BR /><BR /><SPAN>However, I'm sorry to be the bearer of bad news but it looks like you have a security hole there.</SPAN><BR /><SPAN>With simple authentication and ldap without SSL, your password will transit on your network in the clear:</SPAN><BR /><SPAN>(cf:</SPAN><A href="http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2</A><SPAN>)</SPAN><BR /><BR /><SPAN>So the next step before going to production might be to either put your ldap behind SSL or use DIGEST-MD5 and configure your LDAP with reversible encryption.</SPAN><BR /><BR /><SPAN>Good luck!</SPAN></BODY></HTML> Fri, 12 Jul 2013 15:35:12 GMT scouil 2013-07-12T15:35:12Z https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298499#M251629 Hello,I'm currently working with Alfresco 4.2.c Community and I am trying to obtain authentication within Alfresco through our LDAP AD. After many searches on the net I was able to throw together a configuration and all of my AD users have appeared within alfresco (stack trace below) and there are n Thu, 11 Jul 2013 15:15:53 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298499#M251629 m4lewis 2013-07-11T15:15:53Z https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298500#M251630 <HTML><HEAD></HEAD><BODY><SPAN>I should also say that I'm using bitnami alfresco stack and here is yesterday's log when my users were actually pulled into alfresco.</SPAN><BR /><BR /><SPAN>16:58:08,767 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Commencing batch of 30 entries</SPAN><BR /><SPAN>16:58:08,846 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Processed 30 entries out of 30. 100% complete. Rate: 379 per second. 0 failures detected.</SPAN><BR /><SPAN>16:58:08,846 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Analysis: Completed batch of 30 entries</SPAN><BR /><SPAN>16:58:08,867 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Creation and Association Deletion: Commencing batch of 30 entries</SPAN><BR /><SPAN>16:58:10,518 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Creation and Association Deletion: Processed 30 entries out of 30. 100% complete. Rate: 18 per second. 0 failures detected.</SPAN><BR /><SPAN>16:58:10,518 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 Group Creation and Association Deletion: Completed batch of 30 entries</SPAN><BR /><SPAN>16:58:10,521 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Retrieving all users from user registry 'ldap1'</SPAN><BR /><SPAN>16:58:10,557 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Commencing batch of 114 entries</SPAN><BR /><SPAN>16:58:11,972 WARN&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Updating user 'Guest'. This user will in future be assumed to originate from user registry 'ldap1'.</SPAN><BR /><SPAN>16:58:28,635 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Processed 100 entries out of 114. 88% complete. Rate: 5 per second. 0 failures detected.</SPAN><BR /><SPAN>16:58:30,835 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Processed 114 entries out of 114. 100% complete. Rate: 5 per second. 0 failures detected.</SPAN><BR /><SPAN>16:58:30,835 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] ldap1 User Creation and Association: Completed batch of 114 entries</SPAN><BR /><SPAN>16:58:30,938 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Finished synchronizing users and groups with user registry 'ldap1'</SPAN><BR /><SPAN>16:58:30,938 INFO&nbsp; [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] 114 user(s) and 30 group(s) processed</SPAN><BR /><SPAN>16:58:30,980 INFO&nbsp; [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Synchronization' subsystem, ID: [Synchronization, default] complete</SPAN><BR /><SPAN>16:58:31,002 INFO&nbsp; [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.7.0_25-b15; maximum heap size 494.938MB</SPAN><BR /><SPAN>16:58:31,002 WARN&nbsp; [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - WARNING - maximum heap size 494.938MB is less than recommended 512MB</SPAN><BR /><SPAN>16:58:31,003 INFO&nbsp; [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Community). Current version: 4.2.0 (4576) schema 6,022. Originally installed version: 4.2.0 (4576) schema 6,022.</SPAN><BR /></BODY></HTML> Thu, 11 Jul 2013 15:21:08 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298500#M251630 m4lewis 2013-07-11T15:21:08Z https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298501#M251631 <HTML><HEAD></HEAD><BODY><SPAN>Okay I ended up getting it working.</SPAN><BR /><BR /><SPAN>I did not have passthru enabled or configured so it was only trying to authenticate my ldap users from Alfresco and not my AD server. Added the following config settings…</SPAN><BR /><BR /><SPAN>authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad,passthru1<img id="smileytongue" class="emoticon emoticon-smileytongue" src="https://connect.hyland.com/i/smilies/16x16_smiley-tongue.png" alt="Smiley Tongue" title="Smiley Tongue" />assthru (appended passthru)</SPAN><BR /><SPAN>passthru.authentication.servers=DOMAIN\\batman.robin.com,batman.com</SPAN><BR /><SPAN>passthru.authentication.domain=#leave blank</SPAN><BR /><SPAN>passthru.authentication.guestAccess=false</SPAN><BR /><BR /><BR /><SPAN>Restarted Tomcat and was able to login as myself using my AD credentials… woohoo</SPAN><BR /><BR /><BR /><BR /></BODY></HTML> Thu, 11 Jul 2013 15:51:15 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298501#M251631 m4lewis 2013-07-11T15:51:15Z https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298502#M251632 <HTML><HEAD></HEAD><BODY><SPAN>Hi m4lewis,</SPAN><BR /><BR /><SPAN>Congratz for getting it to work.</SPAN><BR /><SPAN>And thanks for posting the answer for everyone to see.</SPAN><BR /><BR /><SPAN>However, I'm sorry to be the bearer of bad news but it looks like you have a security hole there.</SPAN><BR /><SPAN>With simple authentication and ldap without SSL, your password will transit on your network in the clear:</SPAN><BR /><SPAN>(cf:</SPAN><A href="http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2" rel="nofollow noopener noreferrer">http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Configuration_2</A><SPAN>)</SPAN><BR /><BR /><SPAN>So the next step before going to production might be to either put your ldap behind SSL or use DIGEST-MD5 and configure your LDAP with reversible encryption.</SPAN><BR /><BR /><SPAN>Good luck!</SPAN></BODY></HTML> Fri, 12 Jul 2013 15:35:12 GMT https://connect.hyland.com/t5/alfresco-archive/ldap-sync-working-but-no-authentication/m-p/298502#M251632 scouil 2013-07-12T15:35:12Z