topic Re: Configure Alfresco community to sync AD users in Alfresco Archive

Configure Alfresco community to sync AD users

bostjanc — Wed, 29 Jun 2016 11:21:11 GMT

Hi guys.Installed (alfresco-community-installer-201605-win-x64).Would like to achieve that alfresco would be synced with Windows Active Directory.Are there any tutorials (step by steps) how to achieve in this version in community edition?Haven't found anything useful yet on the net.Thank you.With be

Re: Configure Alfresco community to sync AD users

romschn — Wed, 29 Jun 2016 11:33:10 GMT

Kindly take a look at the documentation at the following link http://docs.alfresco.com/community/concepts/auth-ldap-intro.html and sections under it. It should help you get started.

Hope this helps.

Re: Configure Alfresco community to sync AD users

bostjanc — Wed, 29 Jun 2016 12:39:57 GMT

Thanks for the links. We have managed to configure Alfresco vs Active directory. Under people the search results return AD users/objects…
We have a next problem, that users cannot login with their AD credentials into ALFRESCO website.
Do you need to do any additional steps to achieve the login process?

Re: Configure Alfresco community to sync AD users

bostjanc — Thu, 30 Jun 2016 10:43:27 GMT

Ok, the problem regarding making authentication… Have figured out the root the problem, but dont know the solution yet…
In global properties one of the line is the userNameFormat: ldap.authentication.userNameFormat=%s@domain.com
But in our case UPN is: name.surname@domain.com
so %s@domain.com works only for JOHN@domain.com but not for JOHN.COOK@domain.com
how to achieve that even JOHN.COOK@domain.com will be authenticated at the login site?
any suggestions please.
with best regards

Re: Configure Alfresco community to sync AD users

bostjanc — Thu, 30 Jun 2016 12:03:21 GMT

Ok, managed to figure it out that NAME.SURNAME (without domain) can be used for login.
But why SSO is not working?
What must we do to enable SSO for ALFRESCO SHARE site?
with best regards

Re: Configure Alfresco community to sync AD users

steven_okennedy — Thu, 30 Jun 2016 12:33:50 GMT

The LDAP/LDAP-AD subsystems don't provide passwordless single-sign on, what it does is it allows authentication via a username/password against users stored in LDAP/Active Directory.

If you want to be automatically logged in without the user needing to enter a password, you'll need to look at the Kerberos or Pass-through authentication subsystems. The standard documentation is pretty good in this area http://docs.alfresco.com/5.1/concepts/auth-subsystem-types.html

Regards

Steven

Re: Configure Alfresco community to sync AD users

memphissk — Tue, 19 Jul 2016 08:10:50 GMT

Hello,
could you help me with ldap-ad config file? I've installed alfresco-community-installer-201605-linux-x64.bin on Centos 7 and now i need to configure authentification to MS Active Directory. I downloaded ldap-ad config file (extracted from community-edition-5.2.a-EA.zip) copied to /opt/alfresco-community/tomcat/webapps/alfresco/WEB-INF/classes and still files are not loaded. When i check tomcat log files (/opt/alfresco-community/tomcat/logs/catalina.out ) i see org.alfresco.repo.security.authentication.AuthenticationException: 06190001 Failed to communicate with ldap://domaincontroller.company.com:389. Reason javax.naming.CommunicationException, domaincontroller.company.com:389, java… Could you identify where is default value "domaincontroller.company.com:389" definied, or where should be located ldap-ad authentication files?
Thanks in advance

Re: Configure Alfresco community to sync AD users

steven_okennedy — Tue, 19 Jul 2016 20:17:27 GMT

Hi,

You need to make sure that you've followed the steps outlined in the documentation (http://docs.alfresco.com/5.1/concepts/auth-config-examples.html) and make sure that you are putting the properties files in the right place - authentication is dealt with as a set of chained subsystems each which is configured separately, so Alfresco expects the configuration to be in a subsystem specific folder. Also, don't drop files directly into the exploded WAR folder, that will just get them lost on redeploy, use the extensions folder instead. E.g if the authentication subsystem referenced by your authentication chain is called "ad1", your files related to it would go in the location:

tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ad1/ad1.properties.

Refer to the docs around how to set each of the properties you need to override.

One last thing when using LDAP-AD from a Linux box, make sure to add an entry to your /etc/hosts file that matches the domain name of your AD server and point it to the IP address of your AD server - this avoids issues if your server can't resolve the primary domain controller automatically

Regards

Steven