topic Re: ldap authentication with AD what am I doing wrong? in Alfresco Archive

ldap authentication with AD what am I doing wrong?

btorfs — Mon, 28 Aug 2006 17:31:37 GMT

Hello;I followed the wiki info to get ldap authentication to work, but it does not do it.our config: Alfresco.war build with maven2, bea app server 9.1, postgres db 8.1.I tested my ldap credentials using ldp.exe and I can connect, bind and search…usernameformat:samaccountname=%sad server:ldap://10.4

Re: ldap authentication with AD what am I doing wrong?

andy — Tue, 29 Aug 2006 11:28:18 GMT

Hi

As far as I am aware, the SIMPLE LDAP authentication mechanism requires the full DN of the user for authentication. Normally the user would enter the CN and then you would build the DN using the user name format property.

Simple authentication can not use samaccountname as I understand it.
It is possible your client is using digest-md5 authentication.

Depending on your LDAP server, it may support md5 authentication.

See what is listed under

supportedSASLMechanisms at the top level of your LDAP repository.

The LDAP logging does not record authentication failure or causes.
I will put this on the list.

Which LDAP server are you using?

Regards

Andy

Re: ldap authentication with AD what am I doing wrong?

btorfs — Tue, 29 Aug 2006 11:50:35 GMT

Hi Andy;

digest-md5 seems to be supported when I connect using ldp.exe

4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5; ‍

I tried it with this configuration but I got the same result…

We use Active directory on windows2003 server.

regards, Bert

PS thanks for the swift reply

Re: ldap authentication with AD what am I doing wrong?

btorfs — Tue, 29 Aug 2006 12:26:35 GMT

Andy,
Some extra info…
OUr dn contains a \ which is not allowed in the login box of alfresco:

Dn: CN=Torfs\, Bert,OU=Employees,OU=RNDBE,DC=eu,DC=jnj,DC=com‍

that is why I cannot test with the dn…
regards,
Bert

Re: ldap authentication with AD what am I doing wrong?

andy — Fri, 01 Sep 2006 16:10:54 GMT

Hi Bert

I think you need to set the ldapInitialDirContextFactory bean to use DIGEST-MD5 (it is using simple) and then set userNameFormat to be just %s.

Then users should be able to log in entering their samaccountname.

This certainly works with openldap set up to use digest authentication.

The AD set up to which I hace access does not support md5 authentication 😞

Regards

Andy

Re: ldap authentication with AD what am I doing wrong?

dpalmeira — Mon, 09 Oct 2006 11:34:27 GMT

I had the same problem and I solutionate it changing that in file-servers.xml configuration file.


<!–
   <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="alfresco">
      </authenticator>
–>

<config evaluator="string-compare" condition="Filesystem Security">
  <authenticator type="passthru">
   <LocalServer/>
  </authenticator>‍‍‍‍‍‍‍‍‍‍‍

try it

Re: ldap authentication with AD what am I doing wrong?

andy — Tue, 10 Oct 2006 08:35:07 GMT

Hi

That is fine - you want to make sure that web client is also doing single sign on with the approriate authentication configuration. So that CIFS and web auth is in sync. If not, the web login couldl be authenticating against a different back end … It is fine if they all go to the same AD instance and use the same user identifier.

Regards

Andy