
Active Directory Integration Quirks

dushyanth_h
Champ in-the-making
Hey all,

Finally, I have the last two issues with integrating Alfresco with Active Directory.

I have authentication via LDAP setup using JAAS as mentioned in the WIKI [http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration].
This works fine.

Problems :

1) I have LDAP User & Group Synchronisation set up with Active Directory and both are working fine. However, when I check out the groups that have been synced in Alfresco there seem to be no users under them. The users & groups are synced properly and there are no errors in the logs. It's only that from the administrative console I am not able to see what users belong to a group. I have also applied the fix mentioned in one of the topics which doesn't sync empty groups from the AD.


<property name="groupQuery">
      <value><![CDATA[(&(objectclass=group) (member=*))]]></value>
</property>

2) CIFS doesn't work.

I have tried all authentication methods listed in http://wiki.alfresco.com/wiki/CIFS_Server_Authentication. For all of them, I get the same error.


23:49:21,502 ERROR [alfresco.smb.protocol] File server configuration error, Wrong authentication setup for alfresco authenticator
org.alfresco.error.AlfrescoRuntimeException: Wrong authentication setup for alfresco authenticator
        at org.alfresco.filesys.server.config.ServerConfiguration.processSecurityConfig(ServerConfiguration.java:1570)
        at org.alfresco.filesys.server.config.ServerConfiguration.init(ServerConfiguration.java:492)
        at org.alfresco.filesys.server.config.ServerConfiguration.onApplicationEvent(ServerConfiguration.java:423)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:45)
        at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:225)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:323)
        at org.springframework.web.context.support.AbstractRefreshableWebApplicationContext.refresh(AbstractRefreshableWebApplicationContext.java:134)
        at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:246)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:184)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3692)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4127)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
        at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:804)
        at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:693)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:472)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1118)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1020)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1012)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
        at org.apache.catalina.core.StandardService.start(StandardService.java:450)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:680)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:536)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

The other posts in the forums about this error don't tell me what to do exactly.

Should I be using NTLM passthru auth with both Alfresco and CIFS? If I do this, will the LDAP user and group sync work?

Please advise

Dushyanth

dushyanth_h
Champ in-the-making
Hey all,

Just after the post, I tried NTLM pass thru for CIFS and Main alfresco and everything works like a charm. Even the LDAP User and group sync works.

Only the first issue of empty groups in Alfresco needs to be resolved now.

Thanks
Dushyanth

hsantander
Champ in-the-making
Hi
I have a problem integrating Active Directory with Alfresco. I can't get LDAP authentication working. Please, could you post the whole authentication-services-context.xml?

Thanks

dushyanth_h
Champ in-the-making
Hey,

I have nothing specific done in authentication-services-context.xml. I have all AD related config in my ntlm-authentication-context.xml & file-servers.xml. The instructions in the WIKI for NTLM passthru authentication work great for both CIFS and main Alfresco.


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

    <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao">
       <property name="nodeService">
           <ref bean="nodeService" />
       </property>
    </bean>

    <!-- The authentication component.                                      -->

    <!-- Use the passthru authentication component to authenticate using    -->
    <!-- user accounts on one or more Windows servers.                      -->

    <!-- Properties that specify the server(s) to use for passthru          -->
    <!-- authentication :-                                                  -->
    <!--   useLocalServer   use the local server for authentication         -->
    <!--   domain           use domain controllers from the specified domain-->
    <!--   servers          comma delimited list of server addresses or     -->
    <!--                    names                                           -->

    <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl">
        <property name="servers">
            <value>192.168.0.1</value>
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="guestAccess">
            <value>false</value>
        </property>
    </bean>

</beans>


<alfresco-config area="file-servers">

   <config evaluator="string-compare" condition="CIFS Server">
      <host name="${localname}_A"/>
      <comment>Alfresco CIFS Server</comment>

      <!-- Set to the broadcast mask for the subnet -->
      <broadcast>255.255.255.255</broadcast>

      <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
      <tcpipSMB platforms="linux,solaris,macosx"/>
      <netBIOSSMB platforms="linux,solaris,macosx"/>
      <hostAnnounce interval="5"/>

      <!-- Use Win32 NetBIOS interface on Windows -->
      <Win32NetBIOS/>
      <Win32Announce interval="5"/>

<!--
      <WINS>
         <primary>1.2.3.4</primary>
         <secondary>5.6.7.8</secondary>
      </WINS>
-->
      <sessionDebug flags="Negotiate,Socket"/>
   </config>

   <config evaluator="string-compare" condition="FTP Server">
<!--      <debug flags="File,Search,Error,Directory,Info,DataPort"/> -->
   </config>

   <config evaluator="string-compare" condition="Filesystems">
      <filesystem name="Alfresco">
         <store>workspace://SpacesStore</store>
         <rootPath>/app:company_home</rootPath>
        <urlFile>
            <filename>__AlfrescoClient.url</filename>
            <webpath>http://localhost:8080/alfresco/</webpath>
         </urlFile>
<!--
         <accessControl default="Write">
            <user name="admin" access="Write"/>
            <address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
         </accessControl>
-->
      </filesystem>
   </config>

   <config evaluator="string-compare" condition="Filesystem Security">

    <authenticator type="passthru">
        <Server>192.168.0.1</Server>
    </authenticator>

<!--        <authenticator type="alfresco">
        </authenticator>
-->
<!--        <authenticator type="enterprise">
            <KDC>192.168.0.1</KDC>
            <Realm>PDC.ABC.COM</Realm>
            <Password>PDC</Password>
        </authenticator>
-->
<!--
      <globalAccessControl default="None">
         <user name="admin" access="Write"/>
         <address ip="90.1.0.90" access="Write"/>
      </globalAccessControl>

      <users>
         <localuser name="user">
            <password>user</password>
            <comment>Normal user account</comment>
         </localuser>

         <localuser name="administrator">
            <password>admin</password>
            <administrator/>
            <comment>Administrator account</comment>
         </localuser>
      </users>
-->
   </config>


</alfresco-config>

andy
Champ on-the-rise
Hi Dushyanth

Thanks for your comments.

You are correct. If you want CIFS the best option is NTLM pass through authentication. You should be able to use the LDAP API for AD to sync users and groups. I am pretty sure this is suggested in the wiki.

Did you get your issue with groups not having users sorted?

Regards

Andy

bhavin_t
Champ in-the-making
hey andy

thanks for your post. the empty groups issue still exists. dushyanth who was coordinating this is on leave. i am looking at it in his absence. actually a more detailed post with our latest config files and log entries is available in the other post we made in this forum -

http://forums.alfresco.com/viewtopic.php?t=2117

hope you can help us

thanks
bhavin

andy
Champ on-the-rise
Hi

Empty groups are certainly dealt with in the 1.3 release.

To work around the issue in previous releases, add a presence filter for the members attribute on the LDAP query that finds groups.

Regards

Andy
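The presence filter Andy recommends is the same `(member=*)` term Dushyanth added to `groupQuery` in the opening post. As an added example, not code from this thread or from Alfresco, the following Python evaluator for a small subset of LDAP search filters (RFC 4515: `&`, `|`, `!`, equality and presence) is run over constructed directory entries to show why the term matters: an AD group with no `member` attribute matches `(objectclass=group)` but not `(&(objectclass=group) (member=*))`, so it never reaches the sync. The sample DNs, the `SAMPLE_ENTRIES` data and the `search` helper are assumptions made for the illustration.

```python
"""Tiny LDAP search-filter evaluator used to show the effect of a presence
filter on 'member' when selecting groups for synchronisation."""
from typing import Dict, List, Tuple

# Constructed sample entries (not taken from the thread). Values are lists,
# as in a real LDAP result; the empty group has no 'member' attribute at all,
# which is how Active Directory returns a group without members.
SAMPLE_ENTRIES: List[Dict[str, List[str]]] = [
    {"dn": ["CN=Editors,OU=Groups,DC=example,DC=local"],
     "objectClass": ["top", "group"],
     "member": ["CN=alice,OU=Users,DC=example,DC=local",
                "CN=bob,OU=Users,DC=example,DC=local"]},
    {"dn": ["CN=Legacy,OU=Groups,DC=example,DC=local"],
     "objectClass": ["top", "group"]},
    {"dn": ["CN=alice,OU=Users,DC=example,DC=local"],
     "objectClass": ["top", "person", "user"],
     "sAMAccountName": ["alice"]},
]


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|!":
        i += 1
        kids = []
        while True:
            while s[i] == " ":      # tolerate blanks between sub-filters, as in the posted query
                i += 1
            if s[i] == ")":
                return (op, kids), i + 1
            node, i = _parse(s, i)
            kids.append(node)
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.strip(), val.strip()), end + 1


def _matches(node: tuple, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter node against one entry (attribute names case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(_matches(k, entry) for k in node[1])
    if kind == "|":
        return any(_matches(k, entry) for k in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, val = node
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if val == "*":                  # presence filter: true only if at least one value exists
        return len(values) > 0
    return any(v.lower() == val.lower() for v in values)


def search(entries: List[Dict[str, List[str]]], filter_str: str) -> List[str]:
    """Return the DNs of entries matching filter_str, in input order."""
    text = filter_str.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return [e["dn"][0] for e in entries if _matches(node, e)]


if __name__ == "__main__":
    for f in ("(objectclass=group)", "(&(objectclass=group) (member=*))"):
        print(f, "->", search(SAMPLE_ENTRIES, f))
```

Running it shows the plain group query returning both groups while the query with the presence filter returns only `Editors`; a negated presence filter `(&(objectclass=group)(!(member=*)))` lists exactly the empty groups, which is a quick way to check how many a sync would otherwise pull in.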

bhavin_t
Champ in-the-making
if you check our post at -

http://forums.alfresco.com/viewtopic.php?t=2117

we managed to solve this issue.

the one issue i am unable to solve as yet is the one i have posted at below links -

http://forums.alfresco.com/viewtopic.php?t=2183
http://forums.alfresco.com/viewtopic.php?t=2240

any help there would be appreciated. currently my company is thinking of adopting a WIKI instead of alfresco primarily because of the issue described in the above 2 posts

bhavin

paulhh
Champ in-the-making
Hi bhavin

There will be a way to achieve what you want, but I think it will take a bit of experimentation on our part - currently we're deep into getting 1.3.0 out.

Can I just replay what I've understood of your requirement?

- there is a folder where people can read existing content
- they should only have permission to check out content to edit anything
- they work on the checked out copy and when happy submit it for approval (the working copy should not be visible to everyone)
- the approver is the only person with permission to check in the changes

Is there a particular system's permission/approval scheme that captures what you want?

Cheers
Paul.

bhavin_t
Champ in-the-making
hi paul

* thanks for your response

* yes your understanding below is perfect. that is indeed the basic requirement. some more ideas though could be as follows -

* if, instead of having to check out the content, people can actually directly perform inline editing for htm files and txt files, that would be even better. after editing, their submitted changes should not be visible until approved by an approver

* what would also be great would be a "diff viewer" to show differences in between the revised version and the original version to the approver - if the document is htm/txt … just like a wiki/VCS does. ideally these files should be stored in some RCS/VCS format to allow for this easily. that way anyone can always see the history of changes as DIFFs for any TXT/HTM/ASCII file

* when you ask "Is there a particular system's permission/approval scheme that captures what you want" -> wikis have this mechanism. i am currently exploring confluence and mediawiki and i am not yet certain whether they support this in the exact fashion as i envision, but they seem to.

* just to reiterate. i am quite excited about alfresco. i have researched a ton of document management systems and CMSs and most of them miss out on such basic principles that we went ahead and built our own hacked version on top of SVN. Alfresco is probably the only system out there which comes close to matching the feature requirements that should exist in Knowledge Management software

* however there are certain advantages that WIKIs have, and certain advantages that SVN has. If Alfresco can combine all those advantages then it would in my opinion be the BEST and most perfect software for Knowledge management that exists

Is there any place that I can submit a list of what I believe are important features for any organization who wants to deploy a knowledge/doc management solution? There are some inherent advantages in SVN/Wikis which do not exist in alfresco as of today. I would like to suggest them to you folks.

I would even be happy to contribute development resources (we have a large development team here in India) towards some of those efforts.

Thanks again

- Bhavin