
Active Directory and CIFS

trelofysikos
Champ in-the-making
Hello,

I'm trying to make Active Directory and CIFS work together in Alfresco Labs3b. I have managed to make Alfresco work with AD and authenticate AD users.
Everything seems to work fine except when I try to open the CIFS network folder from Windows Explorer with a user/pass from AD. It doesn't work for any AD users and only the Alfresco admin has access.
I want users to be able to scan a document to their User Home in Alfresco.

I tried using authentication=alfresco/simple/passthru, NTLM and SSO, but either nothing works or I'm doing it wrong.
I also read some wiki guides and posts in this forum and could not resolve this issue.
passthru seems promising but I can't get it to work.

my ldap-sychronization.properties file

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://myserver.local:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=DIGEST-MD5

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=reader

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=secret

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

Do I need to change more properties than
ldap.authentication.java.naming.provider.url=ldap://myserver.local:389

Is using
ldap.authentication.java.naming.security.authentication=DIGEST-MD5
OK? Or do I have to use authentication=simple? It seems to be OK for the Alfresco auth.

my file-servers-custom.xml

<alfresco-config area="file-servers">

<config evaluator="string-compare" condition="CIFS Server">
     <serverEnable enabled="true"/>
      <host name="ACIFS" domain="mydomain"/>
      <comment>Alfresco CIFS Server</comment>

      <!-- Set to the broadcast mask for the subnet -->
      <broadcast>255.255.255.255</broadcast>

      <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
      <tcpipSMB platforms="linux,solaris,macosx"/>
      <netBIOSSMB platforms="linux,solaris,macosx"/>

      <!-- Can be mapped to non-privileged ports, then use firewall rules to forward
          requests from the standard ports -->
     <!--
      <tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
      <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
     -->
      
      <hostAnnounce interval="5"/>

      <!-- Use Win32 NetBIOS interface on Windows -->
      <Win32NetBIOS/>
      <Win32Announce interval="5"/>

      <!-- CIFS authentication -->
<!--
      <authenticator type="alfresco">
      </authenticator>
-->

      <WINS>
         <primary>192.168.xx.xx</primary>
         <secondary>192.168.xx.xx</secondary>
      </WINS>

      <sessionDebug flags="Negotiate,Socket"/>
   </config>



  <config evaluator="string-compare" condition="Filesystem Security">
  <authenticator type="alfresco">
  </authenticator>
</config>

  
  
  
   <!-- To override the default Alfresco filesystem use replace="true", to -->
   <!-- add additional filesystems remove the replace="true" attribute     -->
  
   <config evaluator="string-compare" condition="Filesystems" replace="true">
      <filesystems>

         <filesystem name="Alfresco">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>

            <!-- Add a URL file to each folder that links back to the web client -->
            <urlFile>
               <filename>__Alfresco.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>

            <!-- Mark locked files as offline -->
            <offlineFiles/>

            <!-- Desktop actions -->
<!--
            <desktopActions>
               <global>
                  <path>alfresco/desktop/Alfresco.exe</path>
                  <webpath>http://${localname}:8080/alfresco/</webpath>
               </global>

               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.CheckInOutDesktopAction</class>
                  <name>CheckInOut</name>
                  <filename>__CheckInOut.exe</filename>
               </action>

               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
                  <name>JavaScriptURL</name>
                  <filename>__ShowDetails.exe</filename>
                  <script>alfresco/desktop/showDetails.js</script>
                  <attributes>anyFiles</attributes>
                  <preprocess>copyToTarget</preprocess>
               </action>

            </desktopActions>
-->
<!--
            <accessControl default="Write">
               <user name="admin" access="Write"/>
               <address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
            </accessControl>
-->
         </filesystem>
       
       <!-- AVM virtualization view of all stores/versions for WCM -->
         <avmfilesystem name="AVM">
            <virtualView/>
         </avmfilesystem>
       
      </filesystems>
   </config>

</alfresco-config>



Can anybody help me with this?


Thanks in advance.
6 REPLIES

aususer
Champ in-the-making
I haven't done it via LDAP personally, but just looking at your ldap.properties file, you will need to set up at least some username items…

i.e. pretty sure you have to add some username information in
        # The default principal to use (only used for LDAP sync)
        ldap.authentication.java.naming.security.principal=reader <- this would probably be one of your users on AD?

I believe there is an "enterprise" wiki that might help you…
BTW: you will probably also need to allow some type of authentication… I am not sure your commenting out of the authentication is the correct method for what you are wanting to do:
e.g. (from your post)
             <!-- CIFS authentication -->
        <!--
              <authenticator type="alfresco">
             </authenticator>
        -->


You might also want to refer to what we have been doing with AD/CIFS using passthru, where we are hitting brick walls, i.e. http://forums.alfresco.com/en/viewtopic.php?f=9&t=15552

trelofysikos
Champ in-the-making
I commented out CIFS authentication only to use it separately in this


<config evaluator="string-compare" condition="Filesystem Security">
  <authenticator type="alfresco">
  </authenticator>
</config>

I also tried to use an LDAP user and pass in the properties file with no luck.

Can you share your configuration, so that I can take some hints?

hannesb
Champ in-the-making

trelofysikos
Champ in-the-making
I also tried the Kerberos wiki and I get an error in the CIFS authentication.

Is CIFS authentication only possible with the "alfresco" option?

Is there someone who has a working CIFS+AD configuration? Please share.


P.S. If I have Alfresco SSL, will that be a problem with CIFS auth?

hannesb
Champ in-the-making
I have a setup working.

Kerberos and enterprise auth work. Try to follow the instructions in the URL I posted. The realm should be the Windows domain in uppercase. The rest is correct, kind of.

trelofysikos
Champ in-the-making
Please share your working configuration.
I have tried Kerberos authentication and it is still not working!