SSO and LDAP on Alfresco 5.0 b

marwan_khoueiry — Tue, 25 Nov 2014 09:51:59 GMT

Hi All,I have been trying to get Single Sign On to work using LDAP configuration with Alfresco 5.0 b to no avail. I added the following to the alfresco-global.properties:authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-adntlm.authentication.sso.enabled=trueldap.authentication.allowGuestLogin=fal

Re: SSO and LDAP on Alfresco 5.0 b

mathieuga — Fri, 12 Dec 2014 11:02:44 GMT

Hello,
I not pro in Alfresco but i will try give you some help.
Question 1:
- In C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication i have juste folder : alfrescoNtlm, external, kerberos and passthru
- In authentication.chain you use alfinst:alfrescoNtlm,ldap1:ldap-ad
So why you use ldap1:ldap-ad

For information my file (it is not a reference i juste begining in alfresco) whith comment

##############################################
### SSO - LDAP authentication
##http://docs.alfresco.com/4.0/concepts/auth-ldap-props.html
##
## This Boolean flag, when true enables use of this LDAP subsystem for authentication. It may be that this subsystem should only be used for user registry export, in which case this flag should be set to false and you would have to chain an additional subsystem such as passthru or kerberos to provide authentication functions.
ldap.authentication.active=true
##The mechanism to use to authenticate with the LDAP server. Should be one of the standard values documented here or one of the values supported by the LDAP provider. Sun's LDAP provider supports the SASL mechanisms documented here. Recommended values are:
#simple: The basic LDAP authentication mechanism requiring the user name and password to be passed over the wire unencrypted. You may be able to add SSL for secure access, otherwise this should only be used for testing.
#DIGEST-MD5 : More secure RFC 2831 Digest Authentication. Note that with Active Directory, this requires your user accounts to be set up with reversible encryption, not the default setting.
ldap.authentication.java.naming.security.authentication=simple
## Specifies how to map the user identifier entered by the user to that passed through to LDAP.
#If set to an empty string (the default for the ldap subsystem), an LDAP query involving ldap.synchronization.personQuery and ldap.synchronization.userIdAttributeName will be performed to resolve the DN from the user ID dynamically. This allows directories to be structured and does not require the user ID to appear in the DN.
#If set to a non-empty value, the substring %s in this value will be replaced with the entered user ID to produce the ID passed to LDAP. This restricts LDAP user names to a fixed format. The recommended format of this value depends on your LDAP server.
ldap.authentication.userNameFormat=%s@xxxx.priv
## Identifies whether to allow unauthenticated users to log in to Alfresco as the 'guest' user.
ldap.authentication.allowGuestLogin=false
## The URL to connect to the LDAP server, containing its name and port. The standard ports for LDAP are 389 (and 636 for SSL). For example: ldap://openldap.domain.com:389
ldap.authentication.java.naming.provider.url=ldap://NDASI01.xxxx.priv:389
##A comma separated list of user names to be considered administrators by default. If you are using LDAP for all your users, this maps an LDAP user to be an administrator user. This administrator user can then configure the other admin users or groups by add users and/or groups to the ALFRESCO_ADMINISTRATORS group using the Share Admin Console or Explorer Administration Console.
ldap.authentication.defaultAdministratorUserNames=AdminAlfresco

##############################################
### SSO - LDAP synchonization
## This flag enables use of the LDAP subsystem for user registry export functions and decides whether the subsystem will contribute data to the synchronization subsystem. It may be that this subsystem should only be used for authentication, in which case this flag should be set to false.
ldap.synchronization.active=true
## The LDAP user to connect as for the export operation, if one is required by the ldap.synchronization.java.naming.security.authentication authentication mechanism. This should be in the same format as ldap.authentication.userNameFormat but with a real user ID instead of %s.
#This is the default principal to use (only used for LDAP sync when ldap.synchronization.java.naming.security.authentication=simple): ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=company,dc\=com
ldap.synchronization.java.naming.security.principal=AdminAlfresco@xxxx.priv
##The password for this user, if required. The password for the default principal (only used for LDAP sync when ldap.synchronization.java.naming.security.authentication=simple) ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.java.naming.security.credentials=xxxxxxxxxxxxxx
## If set to a positive integer, this property indicates that RFC 2696 paged results should be used to split query results into batches of the specified size. This overcomes any size limits imposed by the LDAP server. The default value of 1000 matches the default result limitation imposed by Active Directory. If set to zero or less, paged results will not be used.
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
##The query to select all objects that represent the groups to export. This query is used in full synchronization mode, which by default is scheduled every 24 hours.
ldap.synchronization.groupQuery=(&(objectclass\=group))
##The query to select objects that represent the groups to export that have changed since a certain time. Should use the placeholder {0} in place of a timestamp in the format specified by ldap.synchronization.timestampFormat. The timestamp substituted will be the maximum value of the attribute named by ldap.synchronization.modifyTimestampAttributeName the last time groups were queried. This query is used in differential synchronization mode, which by default is triggered whenever a user is successfully authenticated that does not yet exist in Alfresco.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))
## The query to select all objects that represent the users to export. This query is used in full synchronization mode, which by default is scheduled every 24 hours.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
##The query to select objects that represent the users to export that have changed since a certain time. Should use the placeholder {0} in place of a timestamp in the format specified by ldap.synchronization.timestampFormat. The timestamp substituted will be the maximum value of the attribute named by ldap.synchronization.modifyTimestampAttributeName the last time users were queried. This query is used in differential synchronization mode, which by default is triggered whenever a user is successfully authenticated that does not yet exist in Alfresco.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))
##The DN below which to run the group queries.
ldap.synchronization.groupSearchBase=OU\=ALFRESCO-TEST,OU\=Migration,DC\=xxxx,DC\=priv
##The DN below which to run the user queries.
ldap.synchronization.userSearchBase=OU\=ALFRESCO-TEST,OU\=Migration,DC\=xxxx,DC\=priv
## The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
##The timestamp format. This varies between directory servers.
#Active Directory      yyyyMMddHHmmss'.0Z'
#OpenLDAP             yyyyMMddHHmmss'Z'
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
##The attribute name on people objects found in LDAP to use as the uid in Alfresco.
ldap.synchronization.userIdAttributeName=sAMAccountName
##The attribute on person objects in LDAP to map to the first name property in Alfresco.
ldap.synchronization.userFirstNameAttributeName=givenName
##The attribute on person objects in LDAP to map to the last name property in Alfresco.
ldap.synchronization.userLastNameAttributeName=sn
##The attribute on person objects in LDAP to map to the email property in Alfresco.
ldap.synchronization.userEmailAttributeName=mail
##The attribute on LDAP group objects to map to the group name in Alfresco.
ldap.synchronization.groupIdAttributeName=cn
##The group type in LDAP.
ldap.synchronization.groupType=group
##The person type in LDAP
ldap.synchronization.personType=user
##The attribute in LDAP on group objects that defines the DN for its members.
ldap.synchronization.groupMemberAttributeName=member
## The attribute on person objects in LDAP to map to the organizational ID property in Alfresco.
#ldap.synchronization.userOrganizationalIdAttributeName=

##############################################
### SSO - LDAP synchonization configuration properties
## Specifies whether the scheduled synchronization job is run in differential mode. The default is true, which means that the scheduled sync job is run in differential mode (rather than full mode). Regardless of this setting a differential sync can still be triggered when a user who does not yet exist in Alfresco is successfully authenticated.
synchronization.synchronizeChangesOnly=false
##Specifies a cron expression defining when the scheduled synchronization job should run, by default at midnight every day.
#Le cron est paramétré pour une syncho toutes les heures
synchronization.import.cron=0 1 * * * ?
##Specifies whether to trigger a differential sync when a user is successfully authenticated who does not yet exist in Alfresco. The default is true.
synchronization.syncWhenMissingPeopleLogIn=true
##Specifies whether to create a user with default properties when a user is successfully authenticated, who does not yet exist in Alfresco, and was not returned by a differential sync (if enabled with the property above). The default is true. Setting this to false allows you to restrict Alfresco to a subset of those users who could be authenticated by LDAP; only those created by synchronization are allowed to log in. You can control the set of users in this more restricted set by overriding the user query properties of the LDAP authentication subsystem.
synchronization.autoCreatePeopleOnLogin=true

Re: SSO and LDAP on Alfresco 5.0 b

anon26949 — Sun, 29 Jan 2017 17:54:18 GMT

You could try to do the following. AFAIK, you should to create the following directory structure
(all authentication subsystem types have the category Authentication. For example, the configuration for a particular subsystem instance of category A, type B, and name C should be under the path /shared/classes/alfresco/extension/subsystems/A/B/C😞

tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1/

Now copy here the ldap-ad-authentication.properties file and specify there:

...
authentication.chain=passthru1:passthru,ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@your_domain_name_without_local_part_here
ldap.authentication.java.naming.provider.url=ldap://your_ldap_server_name_here:389
ldap.synchronization.java.naming.security.principal=domain_administrator_name_here@your_domain_name_without_local_part_here
ldap.synchronization.java.naming.security.credentials=domain_administrator_password_here
# You can browse the LDAP directory by using LdapAdminExe, for example.
ldap.synchronization.groupSearchBase=cn\=Groups,dc\=your_domain_name_without_local_part_here,dc\=local
ldap.synchronization.userSearchBase=cn\=Users,dc\=your_domain_name_without_local_part_here,dc\=local
ntlm.authentication.sso.enabled=true
passthru.authentication.defaultAdministratorUserNames=alfresco_administrator_name_here
passthru.authentication.domain=your_domain_name_without_local_part_here
passthru.authentication.servers=your_domain_name_without_local_part_here\\your_ldap_server_name_here
...
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Note, that because the alfresco-global.properties file is loaded last, you can override any of these properties there.

In tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml specify the following(find this element there and modify):

...
<config condition="Remote" evaluator="string-compare">
   <remote>
      <connector>
         <id>connectorId</id>
         <name>Alfresco Connector</name>
         <description>...</description>
         <class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
      </connector>
      <endpoint>
         <id>alfresco</id>
         <name>...</name>
        <description>...</description>
        <connector-id>connectorId</connector-id>
        <endpoint-url>http://your_server_here:alfresco_port_here/alfresco/wcs</endpoint-url>
        <identity>user</identity>
        <external-auth>true</external-auth>
      </endpoint>
   </remote>
</config>
...‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Then restart the Alfresco server. In in alfresco.log you will see the output from the synchronization subsystem.
Synchronization subsystem will automatically create users and groups by retrieved them from Active Directory through the LDAP query.

And now you (and all domain users) can log in by using SSO. Also you can disable SSO and log in by using the ID and password of any of the Active Directory users.

For more information see: Professional Alfresco: Practical Solutions for Enterprise Content Management

topic SSO and LDAP on Alfresco 5.0 b in Alfresco Archive

SSO and LDAP on Alfresco 5.0 b

Re: SSO and LDAP on Alfresco 5.0 b

Re: SSO and LDAP on Alfresco 5.0 b