Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Content Management
- Alfresco
- Alfresco Archive
- Active Directory authentification
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Active Directory authentification
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-02-2009 11:42 AM
Hello,
We're using Alfresco Labs 3 final version and a shared tomcat (v.6) on Debian Etch.
And we're trying to authentificate with an Active Directory account.
Let the user called "Joe Black", his login is jblack and distinguishedName is CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
He's connecting to Alfresco with his login jblack.
When using an active directory, the authentification mechanism should be :
[Alfresco] ———————–> [AD] : Search for jblack with sAMAccountName : CN=reader,OU=service,OU=admin,DC=company,DC=com
[Alfresco] <———————– [AD] : Response from AD : CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
[Alfresco] ———————–> [AD] : Login with CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com and typed jblack password
[Alfresco] <———————– [AD] : Access granted to Alfresco
Unfortunately, this mechanism doesn't work with our configuration. See our configuration below :
- ldap-authentication-context.xml :
- ldap-authentication-context.xml : untouched
- Do we need to edit the ldap-synchronisation.properties file ?
Thank you for any help.
We're using Alfresco Labs 3 final version and a shared tomcat (v.6) on Debian Etch.
And we're trying to authentificate with an Active Directory account.
Let the user called "Joe Black", his login is jblack and distinguishedName is CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
He's connecting to Alfresco with his login jblack.
When using an active directory, the authentification mechanism should be :
[Alfresco] ———————–> [AD] : Search for jblack with sAMAccountName : CN=reader,OU=service,OU=admin,DC=company,DC=com
[Alfresco] <———————– [AD] : Response from AD : CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
[Alfresco] ———————–> [AD] : Login with CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com and typed jblack password
[Alfresco] <———————– [AD] : Access granted to Alfresco
Unfortunately, this mechanism doesn't work with our configuration. See our configuration below :
- ldap-authentication-context.xml :
ldap.authentication.userNameFormat=sAMAccountName=%s
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ldap.company.com:389
# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE
# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=company,dc=com
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=***********
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false
# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
- ldap-authentication-context.xml : untouched
- Do we need to edit the ldap-synchronisation.properties file ?
Thank you for any help.
Labels:
- Labels:
-
Archive
24 REPLIES 24
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-19-2009 08:19 AM
Put this in your custom-repository-context.xml (so that it has an effect on all authentication components you might define in a chain)
Readers should note that the above definition is only valid for 3.0 - refer to the master copy in authentication-services-context.xml for other versions. We plan to remove the need to override this bean altogether.
<!– Parent bean for beans derived from AbstractAuthenticationComponent –>
<bean id="authenticationComponentBase" abstract="true">
<property name="tenantService">
<ref bean="tenantService"/>
</property>
<property name="autoCreatePeopleOnLogin">
<value>false</value>
</property>
</bean>
Readers should note that the above definition is only valid for 3.0 - refer to the master copy in authentication-services-context.xml for other versions. We plan to remove the need to override this bean altogether.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-19-2009 08:33 AM
Thanks again. I open the custom-repository-context.xml from /alfresco/extension and I put the code you sent me. I receive an error telling me that the property autoCreatePeopleOnLogin was not found. I have Alfresco Labs 3.0.0 (1526) Stable. My custom-repository-context.xml is:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<!–
This shows the common minimum configuration overrides.
By default, the content and indexes are located at a relative location, which should only
be used when doing a quick preview of the Alfresco server.
–>
<beans>
<!– overriding to point to custom properties –>
<bean id="repository-properties" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="ignoreUnresolvablePlaceholders">
<value>true</value>
</property>
<property name="locations">
<list>
<value>classpath:alfresco/repository.properties</value>
<value>classpath:alfresco/version.properties</value>
<value>classpath:alfresco/domain/transaction.properties</value>
<!– Override basic repository properties –>
<value>classpath:alfresco/extension/custom-repository.properties</value>
</list>
</property>
</bean>
<bean id="hibernateConfigProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
<property name="locations">
<list>
<value>classpath:alfresco/domain/hibernate-cfg.properties</value>
<!– Override hibernate dialect –>
<value>classpath:alfresco/extension/custom-hibernate-dialect.properties</value>
</list>
</property>
</bean>
<!– Parent bean for beans derived from AbstractAuthenticationComponent –>
<bean id="authenticationComponentBase" abstract="true">
<property name="tenantService">
<ref bean="tenantService"/>
</property>
<property name="autoCreatePeopleOnLogin">
<value>false</value>
</property>
</bean>
</beans>Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-19-2009 10:05 AM
My mistake. That property wasn't present in 3.0. Best to override it on the person service itself. Try this in custom-repository-context.xml (remove my previous suggestion). Note that I have set createMissingPeople to false.
<bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl" init-method="init">
<property name="transactionService">
<ref bean="transactionService" />
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="tenantService">
<ref bean="tenantService"/>
</property>
<property name="searchService">
<ref bean="admSearchService" />
</property>
<property name="permissionServiceSPI">
<ref bean="permissionServiceImpl" />
</property>
<property name="authorityService">
<ref bean="authorityService" />
</property>
<property name="dictionaryService">
<ref bean="dictionaryService" />
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService" />
</property>
<property name="policyComponent">
<ref bean="policyComponent"/>
</property>
<property name="personCache">
<ref bean="personCache" />
</property>
<property name="personDao">
<ref bean="personDaoImpl" />
</property>
<!– Configurable properties. –>
<!– –>
<!– TODO: –>
<!– Add support for creating real home spaces adn setting –>
<!– permissions on the hame space and people created. –>
<!– –>
<!– The store in which people are persisted. –>
<property name="storeUrl">
<value>${spaces.store}</value>
</property>
<!– Some authentication mechanisms may need to create people –>
<!– in the repository on demand. This enables that feature. –>
<!– If dsiabled an error will be generated for missing –>
<!– people. If enabled then a person will be created and –>
<!– persisted. –>
<!– Valid values are –>
<!– ${server.transaction.allow-writes} –>
<!– false –>
<property name="createMissingPeople">
<value>false</value>
</property>
<property name="userNamesAreCaseSensitive">
<value>${user.name.caseSensitive}</value>
</property>
<!– New properties after 1.4.0 to deal with duplicate user ids when found –>
<property name="processDuplicates">
<value>true</value>
</property>
<!– one of: LEAVE, SPLIT, DELETE –>
<property name="duplicateMode">
<value>SPLIT</value>
</property>
<property name="lastIsBest">
<value>true</value>
</property>
<property name="includeAutoCreated">
<value>false</value>
</property>
</bean>Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
06-22-2009 08:14 AM
Thank you very much. I change that property to false and I solved the problem but I changed that property in the authentication-services-context.xml file because in the custom-propoerties-properties.xml I don't have the bean id= personService and nothing to configure.
Now, I receive an error if I try to login with an user not imported by Alfresco:
Any suggestion?
Now, I receive an error if I try to login with an user not imported by Alfresco:
11:46:07,513 ERROR [[Faces Servlet]] Servlet.service() for servlet Faces Servlet threw exception
org.alfresco.service.cmr.security.NoSuchPersonException: User does not exist and could not be created: rca25d
at org.alfresco.repo.security.person.PersonServiceImpl.getPerson(PersonServiceImpl.java:249)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:296)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:177)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:144)
at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:275)
at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
at $Proxy104.getPerson(Unknown Source)
at org.alfresco.web.bean.LoginBean.login(LoginBean.java:283)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)
at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:61)
at javax.faces.component.UICommand.broadcast(UICommand.java:109)
at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)
at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)
at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)
at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:139)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.doFilter(BaseNTLMAuthenticationFilter.java:278)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:619)
Any suggestion?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-01-2009 09:10 AM
I solved the problem. There was a mistake in one line. Thanks to all.
Related Content
- ldapS configuration for samba-ad in Alfresco Forum
- Authentication and synchronisation of Alfresco 23 with Active Directory in Alfresco Forum
- Alfresco Community Edition 23.2 Release Notes in Alfresco Blog
- Active Directory LDAP being polled by Alfresco millions of times per day in Alfresco Forum
- How to Switch from LDAP to Active DIrectory for Authentication in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
