topic Re: Alfresco LDAP-AD Questions in Alfresco Archive

Alfresco LDAP-AD Questions

sab — Tue, 11 Nov 2014 04:15:17 GMT

Hi,I have some questions i hope someone can answer.First, i have 2 Microsoft Active Servers running 2008 on my main network.I also have a separate network with 1 test server: Microsoft Active Server 2008 DC and 1 test server running Ubuntu 14, joined to the test domain using Centrify software and Al

Re: Alfresco LDAP-AD Questions

sab — Tue, 11 Nov 2014 22:13:27 GMT

I have found Some answers myself:

On encryption:

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
(about 1/3 the way down)
ldap.authentication.java.naming.security.authentication
    The mechanism used to validate passwords with the LDAP server. Should be one of the standard values documented here or one of the values supported by the LDAP provider. Sun's LDAP provider supports the SASL mechanisms documented here. Recommended values are:

    simple
        the basic LDAP authentication mechanism requiring the username and password to be passed over the wire unencrypted. You may be able to add SSL for secure access; otherwise, only use this for testing.

    DIGEST-MD5
        More secure RFC 2831 Digest Authentication. Note that with Active Directory, this requires your user accounts to be set up with reversible encryption, not the default setting.

Ports 389 is non-SSL, and 636 is SSL

Re: Alfresco LDAP-AD Questions

sab — Wed, 12 Nov 2014 04:20:22 GMT

I am still stuck on this issue, but have found some more useful info:

Here:
http://docs.alfresco.com/community/concepts/auth-passthru-intro.html
This method of authentication is much more secure than simple LDAP-based authentication or form-based authentication.

Why is passthru more secure than Active Directory ?

For LDAP-AD:
http://docs.alfresco.com/community/concepts/auth-ldap-props.html
To change to secure logins, do you just change the word: simple to DIGEST-MD5 ? and ports 389 to 636? Is that it???

Now, my question is, what is the best method to use to have secure logins from Active Directory?

Re: Alfresco LDAP-AD Questions

sab — Wed, 19 Nov 2014 02:09:54 GMT

I have been doing more testing and found some results:

1) Using Pure LDAP-AD (only), the username + password is sent in PLAIN TEXT

2) Using passthru + LDAP-AD mixed, only the username is sent in PLAIN TEXT. Passwords are encrypted, but use Weak encryption: NTLM v1

Back to number 1, if i change the port number from 389 > 636, and change simple passwords to DIGEST-MD5, and tick reversible encryption in a user in AD, It does Not work.

Both 1 and 2 can be proven using Wireshark.

packets that have LDAP will have the password inside and smb packets for the second one will have the password encrypted in the 3rd SMB packet (210 session setup andx request)

By pure LDAP-AD, i mean following instructions here:
http://docs.alfresco.com/community/tasks/auth-example-oneldap-ad.html
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#LDAP

inside global properties file only.

So, does anyone have info on using number 1 with encryption??? or is the only real way is using Kerberos?
Thanks

Re: Alfresco LDAP-AD Questions

sab — Sun, 23 Nov 2014 22:44:01 GMT

Another idea i came across is to add a SSL Cert to tomcat.

http://forums.alfresco.com/forum/installation-upgrades-configuration-integration/configuration/change-alfresco-use-ssl-and