Active Directory LDAP Sync

daveram
Champ in-the-making
G'day,

I've set up Alfresco 3.2 with passthru authentication easily enough, however what I'm banging my head on is AD synchronization.  This setup is on a Win2k3 server and trying to authorize to a Win2k3 domain controller.  Global config file as follows:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1


ntlm.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true

passthru.authentication.domain=DOMAIN
passthru.authentication.servers=server1,server2

ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.java.naming.provider.url=ldap://server1:389

ldap.authentication.defaultAdministratorUserNames=administrator,myaccount

ldap.synchronization.java.naming.security.principal=serviceaccount@domain.com
ldap.synchronization.java.naming.security.credentials=<secret>

What seems to be happening is I'm getting a login failed error in the log, as such:

18:21:48,819 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, passthru1]
18:21:48,866 INFO  [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
18:21:48,960 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, passthru1] complete
18:21:48,976 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap-ad]
18:21:49,007 INFO  [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
18:21:49,007 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, ldap-ad] complete
18:25:32,491 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 06240087 Login failed
org.alfresco.web.scripts.WebScriptException: 06240087 Login failed

Any ideas as to what might be causing this?  I'm seeing network traffic on a packet capture talking to the DC, but that's it.

bmarkovic
Champ in-the-making
In my experience your config shouldn't work for passthru since alfrescoNtlm and passthru shouldn't be enabled to provide SSO at the same time (which is what you set up). So while your CIFS auth might work in this example, I doubt that you can successfully log in to the /alfresco webapp with your AD credentials using passthru because in your case SSO auth is handled by alfrescoNtlm.

You need to acquire the 14.07.2009. nightly build of Alfresco to get the version with working extensions/classpaths. And then you need to define separate configuration for different instances of your Authentication subsystem as per http://wiki.alfresco.com/wiki/Alfresco_Subsystems#Configuring_Subsystems.

This was recently explained to me so search for my posts on this forum, and you can also find the link to the build in the discussion.

As for the synchronization, you need to provide a search base in addition to what you provided. Here is my $TOMCAT_HOME/shared/classes/alfresco/extensions/subsystems/Authentication/ldap-ad/ldap-ad1/ldap-ad.properties


ldap.authentication.userNameFormat=%s@<myDomain.tld>
ldap.authentication.java.naming.provider.url=ldap://<myDC'sFQDN>:389

ldap.authentication.defaultAdministratorUserNames=administrator,<me>

ldap.synchronization.java.naming.security.principal=administrator@<myDomain.tld>
ldap.synchronization.java.naming.security.credentials=<password>

ldap.authentication.java.naming.security.authentication=SIMPLE

ldap.synchronization.userSearchBase=ou=<OUcontainingUsers>,dc=<myDomain>,dc=<tld>

ldap.synchronization.groupSearchBase=ou=<OUcontainingUsers>,dc=<myDomain>,dc=<tld>

ldap.authentication.allowGuestLogin=true
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.autoCreatePeopleOnLogin=true

ipeters
Champ in-the-making
It also looks like the line

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1

is wrong. Make it "ldap1:ldap-ad" instead.
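The swapped entry in the chain above (instance id and subsystem type reversed) is easy to miss by eye. As an added example that is not part of this thread and not Alfresco's own code, the following small Python checker parses an authentication.chain value into (instance id, type) pairs, flags any entry whose type is not a known Alfresco authentication subsystem type, points out when the two halves look swapped, and derives the properties directory each instance is expected to live in, following the subsystems/Authentication/<type>/<id>/ layout shown in bmarkovic's path. The set of known types is an assumption drawn from the types named in this thread plus the other standard Alfresco authentication types; the function and variable names are the example's own.

```python
import os

# Subsystem types: alfrescoNtlm, passthru and ldap-ad appear in this thread;
# ldap, kerberos and external are the remaining standard Alfresco types
# (assumed here, not taken from the thread).
KNOWN_TYPES = {"alfrescoNtlm", "passthru", "ldap", "ldap-ad", "kerberos", "external"}


def parse_chain(value):
    """Split an authentication.chain value into a list of (instance_id, type) tuples.

    Each comma-separated entry must look like 'instanceId:subsystemType'.
    """
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            raise ValueError(f"chain entry {item!r} is not of the form id:type")
        inst, typ = item.split(":", 1)
        entries.append((inst.strip(), typ.strip()))
    return entries


def check_chain(value):
    """Return a list of human-readable problems; an empty list means the chain is well formed."""
    problems = []
    seen_ids = set()
    for inst, typ in parse_chain(value):
        if typ not in KNOWN_TYPES:
            hint = ""
            # The 'ldap-ad:ldap1' case from the thread: the type is sitting in the id slot.
            if inst in KNOWN_TYPES:
                hint = f" (looks swapped: did you mean '{typ}:{inst}'?)"
            problems.append(f"unknown subsystem type {typ!r} for instance {inst!r}{hint}")
        if inst in seen_ids:
            problems.append(f"duplicate instance id {inst!r}")
        seen_ids.add(inst)
    return problems


def expected_property_dir(inst, typ, root="shared/classes/alfresco/extension"):
    """Directory where Alfresco looks for this instance's *.properties overrides.

    Layout follows the path quoted in the thread: subsystems/Authentication/<type>/<id>/.
    The root is an assumed default and is only used to build the path string.
    """
    return os.path.join(root, "subsystems", "Authentication", typ, inst)


def report(value):
    """Print a summary for a chain value and return the problem list (used by main)."""
    problems = check_chain(value)
    for inst, typ in parse_chain(value):
        print(f"{inst:14s} type={typ:12s} properties in {expected_property_dir(inst, typ)}")
    for p in problems:
        print("PROBLEM:", p)
    return problems


if __name__ == "__main__":
    # Constructed inputs: the original poster's chain and the corrected one from the last reply.
    report("alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1")
    report("alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad")
```

Running it on the original chain reports the unknown type 'ldap1' with a swap hint, and the corrected chain produces no problems; the printed directory for each instance is where its overriding properties file has to be placed.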