Active directory + Alfresco 3.2

crokette
Champ in-the-making
Hi,

(What? No, this isn't the same as my other posts, this one is for ALF32.)

I wanted to know which file is used for Active Directory (I'm leaning toward the second one anyway), because I saw the file:

ldap-authentication.properties

(located in C:\alfresco32\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap)

and

ldap-ad-authentication.properties

(located in C:\alfresco32\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad)

Although I tested with both, no LDAP request is sent and I can only log in as "admin".

Or else I have to specify somewhere that I'm using one of the two files.

michaelh
Champ on-the-rise
Why make it complicated when it can be simple?
Just use alfresco-global.properties

crokette
Champ in-the-making
###############################
## Common Alfresco Properties #
###############################

#
# Sample custom content and index data location
#-------------
dir.root=C:/alfresco32/alf_data

#
# Sample database connection properties
#-------------
db.name=alfresco32
db.username=alfresco
db.password=alfresco
db.host=localhost
db.port=3306

#
# External locations
#-------------
ooo.exe=C:/alfresco32/OpenOffice.org/program/soffice
img.root=C:/alfresco32/ImageMagick
swf.exe=C:/alfresco32/bin/pdf2swf

#
# MySQL connection
#-------------
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://${db.host}:${db.port}/${db.name}
hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect

#
# Index Recovery Mode
#-------------
#index.recovery.mode=Auto

#
# Outbound Email Configuration
#-------------
mail.host=www.gmail.com
mail.port=25
mail.username=serveurmailged
mail.password=serviceinformatique
mail.encoding=UTF-8
mail.from.default=alfresco@alfresco.org
mail.smtp.auth=false

#
# Alfresco Email Service and Email Server
#-------------

# Enable/Disable the inbound email service.  The service could be used by processes other than
# the Email Server (e.g. direct RMI access) so this flag is independent of the Email Service.
#-------------
#email.inbound.enabled=true

# Email Server properties
#-------------
#email.server.enabled=true
#email.server.port=25
#email.server.domain=alfresco.com
#email.inbound.unknownUser=anonymous

# A comma separated list of email REGEX patterns of allowed senders.
# If there are any values in the list then all sender email addresses
# must match.  For example:
#   .*\@alfresco\.com, .*\@alfresco\.org
# Allow anyone:
#-------------
#email.server.allowed.senders=.*

#
# The default authentication chain
# To configure external authentication subsystems see:
# http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
#-------------
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad

#
# IMAP
#-------------
#imap.server.enabled=true
#imap.server.port=143
#imap.server.host=localhost

I use it to say that I want to use LDAP, but I'm forced to touch the other files to specify the OUs, the password, the authorised user…

crokette
Champ in-the-making
I give up.

mederic
Champ in-the-making
Hello,

Your problem may be related to the bug reported here: https://issues.alfresco.com/jira/browse/ETHREEOH-2376?page=com.atlassian.jira.plugin.system.issuetab.... It seems that the .properties files present in "tomcat\shared\classes\alfresco\extension\subsystems\Authentication\…" are not taken into account (the only files taken into account would be those located in "tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\…").
Try declaring "ldap-ad1:ldap-ad" in alfresco-global.properties and editing the file "C:\alfresco32\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad\ldap-ad-authentication.properties" directly. I tried it on my install and the file does seem to be taken into account in that case (GuestLogin=false is picked up; but I don't have an AD server to check that authentication works after that…).
Unless someone has another (simpler :wink: ) solution?

Médéric

crokette
Champ in-the-making
Thanks, I'll test that tomorrow. :D

crokette
Champ in-the-making
For me it changes nothing: guest login is set to false and it still manages to log in.

Yet now I do have:

C:\alfresco32\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad\ldap-ad-authentication.properties

with, in alfresco-global.properties:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad

PS: I'm not dealing with any kind of "ntlm".


and in ldap-ad-authentication.properties:

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=false

# How to map the user id entered by the user to that passed through to LDAP
# In Active Directory, this can either be the user principal name (UPN) or DN.
# UPNs are in the form <sAMAccountName>@domain and are held in the userPrincipalName attribute of a user
ldap.authentication.userNameFormat=%s@domain

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://central-20.mondomaine.fr:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=digest

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=mon_nouvel_admin

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
ldap.synchronization.java.naming.security.principal=(cn\=administrateur,cn\=users,dc\=mondomaine,dc\=fr)

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=mon_mot_de_passe_ldap

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=group)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=(dc\=mondomaine,dc\=fr)

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=(ou\=utilisateurs,dc\=mondomaine,dc\=fr)

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=company

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=personalHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronization.groupType=group

# The person type in LDAP
ldap.synchronization.personType=user

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

I don't see the problem, why doesn't it work? To me everything looks OK o_O
Or
maybe I don't understand what ldap-ad1:ldap-ad means: is ldap-ad1 a variable that we create which looks in the ldap-ad folder, or do we need an ldap-ad folder inside an ldap-ad1 folder, or can we also have an ldap-ad2? o_O I don't understand anything :(

mederic
Champ in-the-making
"I don't understand what ldap-ad1:ldap-ad means"
In fact, "ldap-ad1" is the name of your own configuration (you can call it whatever you like), and "ldap-ad" is the authentication type associated with it. The idea is that you can configure several subsystems of type "ldap-ad", for example "ldap-ad1", "ldap-ad2", etc., by placing the config files in sub-folders "ldap-ad1", "ldap-ad2", etc., themselves placed in the "ldap-ad" folder. Except that the reported bug seems to show that whichever subsystem is declared, it is always the default config file that gets picked up.

"authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad"
Try again with authentication.chain=ldap-ad1:ldap-ad

Médéric
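As an added example (not from this thread and not Alfresco code), here is the id:type reading Médéric gives above written out in Python: it parses authentication.chain into (instance id, subsystem type) pairs, rejects malformed or duplicated entries, warns when the chain no longer contains an alfrescoNtlm entry (the situation crokette runs into further down, where the built-in admin can no longer log in), and lists the per-instance override directories under both layouts quoted in this thread, <type>/<id>/ and <type>/[managed, <id>]/. The root tomcat/shared/classes, the known-type list and the two directory layouts are assumptions taken from the posts, not verified against the Alfresco 3.2 sources.

```python
"""Check an Alfresco 3.2 authentication.chain value and list where the
per-instance override files discussed in this thread would be looked up.
Added example written for this thread; not Alfresco code. The directory
layouts are assumptions taken from the posts, not from the Alfresco sources."""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass

# Subsystem types that appear in this thread (assumption: list is not exhaustive).
KNOWN_TYPES = {"alfrescoNtlm", "ldap", "ldap-ad", "passthru"}
_ENTRY = re.compile(r"^([A-Za-z0-9_-]+):([A-Za-z0-9_-]+)$")


@dataclass(frozen=True)
class SubsystemRef:
    instance_id: str      # e.g. "ldap-ad1": a name chosen by the administrator
    subsystem_type: str   # e.g. "ldap-ad": the fixed subsystem type


def parse_authentication_chain(value: str) -> list[SubsystemRef]:
    """Split 'id1:type1,id2:type2' into SubsystemRef entries.
    Raises ValueError on a malformed entry or a duplicated instance id."""
    refs: list[SubsystemRef] = []
    seen: set[str] = set()
    for raw in value.split(","):
        entry = raw.strip()
        match = _ENTRY.match(entry)
        if not match:
            raise ValueError(f"malformed entry {entry!r}: expected instanceId:type")
        instance_id, subsystem_type = match.groups()
        if instance_id in seen:
            raise ValueError(f"duplicate instance id {instance_id!r}")
        seen.add(instance_id)
        refs.append(SubsystemRef(instance_id, subsystem_type))
    return refs


def check_chain(value: str) -> list[str]:
    """Return a list of problems; an empty list means the chain looks sane."""
    try:
        refs = parse_authentication_chain(value)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"unknown subsystem type {r.subsystem_type!r} for {r.instance_id!r}"
                for r in refs if r.subsystem_type not in KNOWN_TYPES]
    # Symptom reported in this thread: with only ldap-ad in the chain, the
    # built-in "admin" account could no longer log in, because nothing in the
    # chain consults Alfresco's own user store any more. A directory account
    # then has to be named in defaultAdministratorUserNames instead.
    if not any(r.subsystem_type == "alfrescoNtlm" for r in refs):
        problems.append("no alfrescoNtlm entry: the internal user store is not consulted, "
                        "so the built-in admin login stops working; name a directory "
                        "account in defaultAdministratorUserNames instead")
    return problems


def override_candidates(ref: SubsystemRef,
                        shared_classes: str = "tomcat/shared/classes") -> list[str]:
    """Directories where the posts in this thread place per-instance property
    files (assumption: both layouts quoted, <type>/<id>/ and
    <type>/[managed, <id>]/, under the shared classes directory)."""
    base = posixpath.join(shared_classes, "alfresco/extension/subsystems/Authentication",
                          ref.subsystem_type)
    return [posixpath.join(base, ref.instance_id),
            posixpath.join(base, f"[managed, {ref.instance_id}]")]


if __name__ == "__main__":
    for chain in ("alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad", "ldap-ad1:ldap-ad", "ldap-ad1"):
        print(chain, "->", check_chain(chain) or "ok")
    for ref in parse_authentication_chain("ldap1:ldap-ad,passthru1:passthru"):
        print(ref.instance_id, override_candidates(ref))
```

Running the script prints the problems for each chain and the candidate directories for Nicolas's ldap1/passthru1 pair; a chain that is fine returns an empty list, so the check can also be dropped into a deployment script that refuses to restart Alfresco when it is not.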

crokette
Champ in-the-making
I moved my config files here:

C:\alfresco32\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad\ldap-ad1\ldap-ad-authentication.properties

and I set

authentication.chain=ldap-ad1:ldap-ad

so now when Alfresco starts I get:

14:12:29,442 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 06170003 Guest authentication not supported
org.alfresco.repo.security.authentication.AuthenticationException: 06170003 Guest authentication not supported

which tells me that Guest can no longer log in, OK, but I can no longer log in as Admin either, nor with an Active Directory account. :(

fanch44
Champ in-the-making
I'd rather expect this:
C:\alfresco32\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap-ad1\ldap-ad-authentication.properties

Don't put a sub-tree inside ldap-ad,

because I believe it looks in the ldap-ad1 subsystem, and thanks to the :ldap-ad in the global file it knows it's an LDAP AD type of authentication, as Mederic explained
authentication.chain=ldap-ad1:ldap-ad

nicolas_4463
Champ in-the-making
Hello,
I don't know if this can help you, but here is how we enabled NTLM authentication via AD:
In the file shared/classes/alfresco-global.properties
authentication.chain=ldap1:ldap-ad,passthru1:passthru

In shared/classes/alfresco/extension/subsystems
we have, among others, an Authentication/ subdirectory that contains:
/ldap-ad,
/passthru,


In ldap-ad we have a directory:
/[managed, ldap1] (note: the square brackets really are part of the name)
containing the file config.properties.
It contains:

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=false

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=true

# How to map the user id entered by the user to that passed through to LDAP
# In Active Directory, this can either be the user principal name (UPN) or DN.
# UPNs are in the form <sAMAccountName>@domain and are held in the userPrincipalName attribute of a user
ldap.authentication.userNameFormat=%s@DOMAIN_NAME (to be replaced)

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ip:389 (to be replaced)

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=Administrator
# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
ldap.synchronization.java.naming.security.principal=address (to be replaced)

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=password (to be replaced)

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=groupe)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupe)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(company=*))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(company=*)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=DC\=domaine,DC\=sous_domaine (to be replaced)

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=DC\=domaine,DC\=sous_domaine (to be replaced)

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=company

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronization.groupType=group

# The person type in LDAP
ldap.synchronization.personType=user

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

In the /passthru directory we have:
/[managed, passthru1] containing the file:
config.properties, which contains:

ntlm.authentication.sso.enabled=true
ntlm.authentication.mapUnknownUserToGuest=false

passthru.authentication.useLocalServer=false
passthru.authentication.domain=DOMAINE (to be replaced)
passthru.authentication.servers=DOMAINE\\ADR_IP_AD1,NS\\ADR_IP_AD2 (to be replaced)
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=userAdminId (to be replaced)
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true


At the same level as the /Authentication directory, we have the directories /Synchronization/default/[default]
The last one contains a config.properties file
with the following parameters:

#
# This properties file is used to configure user registry syncronisation (e.g. LDAP)
#

# Should the scheduled sync job only query users and groups changed since the
# last sync? Note that when true, the sync job will not be able to detect which
# users or groups have been removed from the directory (but obviously group
# membership changes would still be reflected). When false, a more regular
# differential sync on login can still be enabled.
synchronization.synchronizeChangesOnly=false

# The cron expression defining when imports should take place
synchronization.import.cron=0 0 0 * * ?

# Should we trigger a differential sync when missing people log in?
synchronization.syncWhenMissingPeopleLogIn=false

# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=false

There you go, the directory tree is a bit tangled, but authentication via AD works fine!

Nicolas
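Added example, not part of this thread and not Alfresco code: a small Python reader for the Java .properties files posted above (it handles the \= and \: escapes the Alfresco templates use, plus line continuations), followed by a lint that flags what a defender would review before enabling a chain like Nicolas's: the three guest mappings (ldap allowGuestLogin, ntlm mapUnknownUserToGuest, passthru guestAccess), a simple bind over plain ldap://, the sync bind password stored in the file, "(to be replaced)" placeholders left in, and a search base or bind principal written in parentheses like a filter where a DN is expected (as in the ldap-ad file crokette posted earlier). SAMPLE is a constructed file; the domain, host and account names in it are made up.

```python
"""Read Java .properties files of the kind posted in this thread and flag
settings a defender would review. Added example, not Alfresco code; SAMPLE
is a constructed file modelled on the posts above, with made-up names."""
from __future__ import annotations

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

def _unescape(s: str) -> str:
    # Resolve Java backslash escapes (\= \: \\ \n \t \uXXXX) in a key or value.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 5 < len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_ESCAPES.get(nxt, nxt))
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def _split_key_value(line: str) -> tuple[str, str]:
    # Java rule: the key ends at the first unescaped '=', ':' or whitespace.
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in "=: \t":
            break
        i += 1
    key, rest = line[:i], line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return key, rest

def parse_properties(text: str) -> dict[str, str]:
    """Handle '#'/'!' comments, blank lines and backslash line continuations."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:  # odd trailing '\': continued
            pending += line[:-1]
            continue
        key, value = _split_key_value(pending + line)
        props[_unescape(key)] = _unescape(value)
        pending = ""
    return props

def lint_subsystem(props: dict[str, str]) -> list[str]:
    """Return findings worded as risks; an empty list means nothing was flagged."""
    findings: list[str] = []
    def enabled(key: str) -> bool:
        return props.get(key, "").strip().lower() == "true"
    # Any of these hands unauthenticated or unknown users a guest session.
    for key in ("ldap.authentication.allowGuestLogin",
                "ntlm.authentication.mapUnknownUserToGuest",
                "passthru.authentication.guestAccess"):
        if enabled(key):
            findings.append(f"{key}=true: unauthenticated or unknown users get guest access")
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    mech = props.get("ldap.authentication.java.naming.security.authentication", "simple")
    if enabled("ldap.authentication.active") and url.startswith("ldap://") and mech == "simple":
        findings.append("simple bind over ldap:// sends user passwords in clear text; use ldaps://")
    if props.get("ldap.synchronization.java.naming.security.credentials"):
        findings.append("sync bind password is stored in clear text in this file; "
                        "restrict file permissions and use a read-only directory account")
    for key, value in props.items():
        if "(to be replaced)" in value or "(à remplacer)" in value:
            findings.append(f"{key}: placeholder value still present")
    # Search bases and the bind principal are DNs; '(...)' is LDAP filter syntax.
    for key in ("ldap.synchronization.userSearchBase",
                "ldap.synchronization.groupSearchBase",
                "ldap.synchronization.java.naming.security.principal"):
        value = props.get(key, "")
        if value.startswith("(") and value.endswith(")"):
            findings.append(f"{key}={value}: written like a filter, but a DN is expected")
    return findings

# Constructed sample (made-up domain and accounts); not any real site's file.
SAMPLE = r"""
# ldap-ad subsystem, constructed sample
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
ldap.authentication.userNameFormat=%s@example.test
ldap.authentication.java.naming.provider.url=ldap://dc1.example.test:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.defaultAdministratorUserNames=ADMIN_ID (to be replaced)
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=(cn\=svc-sync,cn\=users,dc\=example,dc\=test)
ldap.synchronization.java.naming.security.credentials=PLACEHOLDER-PASSWORD
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.userSearchBase=DC\=example,DC\=test
ldap.synchronization.personQuery=(&(objectclass\=user)\
    (userAccountControl\:1.2.840.113556.1.4.803\:\=512))
"""

if __name__ == "__main__":
    for finding in lint_subsystem(parse_properties(SAMPLE)):
        print("-", finding)
```

Point parse_properties at a real ldap-ad or passthru config.properties before Alfresco is restarted; the DN check in particular catches the `(dc=…,dc=…)` shape that a copied filter leaves behind, and the cleartext check is the one to revisit if the provider URL is a plain ldap:// on port 389.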