Active Directory Studio - DIGEST-MD5

geoffrey1211
Champ in-the-making
Hi,

When I tried to change the authentication method to "DIGEST-MD5 (SASL)" and then pressed the "Check Authentication" button, I received this error:

LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: digest response format violation. Mismatched URI: ldap/127.0.0.1; expecting: ldap/ldap.example.com

Does anybody know how I can fix this?  Active Directory Studio's documentation and help are so sparse and useless.

geoffrey1211
Champ in-the-making
OK, I realized how to get rid of the problem: I had to open up the authentication tab of the server.xml and change the URI accordingly, but now I have this problem:

LDAP: error code 49 - INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for user_1 in realm : apache.org

Does anybody have a clue what this is?  I don't know how to deal with the realm. Are we supposed to create a user in that realm? If so, how?
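
Both error messages above come from the server-side steps of DIGEST-MD5 verification (RFC 2831): the server first checks that the client's digest-uri names the service it is actually running (service/fqdn), and only then looks up the user's password for the named realm so it can recompute the response. The following is an added example, not code from the thread or from Apache Directory Server; the password store, host names and nonces are constructed samples.

```python
import hashlib
import hmac

# Constructed sample data: realm and host names mirror the thread's error messages.
PASSWORD_STORE = {("apache.org", "admin"): "secret"}  # (realm, user) -> password
EXPECTED_URI = "ldap/ldap.example.com"                # service/host this server answers for


def digest_response(user, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """Client response for qop=auth, RFC 2831 section 2.1.2.1.

    A1 = raw 16-byte MD5(user:realm:password) + ":nonce:cnonce" (bytes, not hex);
    A2 = "AUTHENTICATE:" + digest-uri; response = HEX(H(HEX(H(A1)):nonce:nc:cnonce:qop:HEX(H(A2)))).
    """
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest() + f":{nonce}:{cnonce}".encode()
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()


def verify_response(msg):
    """Server-side checks in the order the thread's errors surfaced; returns (ok, reason)."""
    # 1. digest-uri must name the service this server actually is (service/fqdn).
    if msg["digest-uri"] != EXPECTED_URI:
        return False, f"Mismatched URI: {msg['digest-uri']}; expecting: {EXPECTED_URI}"
    # 2. The server must obtain the password (or H(user:realm:password)) for that realm.
    password = PASSWORD_STORE.get((msg["realm"], msg["username"]))
    if password is None:
        return False, f"cannot acquire password for {msg['username']} in realm : {msg['realm']}"
    # 3. Recompute the response and compare in constant time.
    expected = digest_response(msg["username"], msg["realm"], password, msg["nonce"],
                               msg["cnonce"], msg["nc"], msg["qop"], msg["digest-uri"])
    if not hmac.compare_digest(expected, msg["response"]):
        return False, "INVALID_CREDENTIALS"
    return True, "ok"


def client_message(user, realm, password, digest_uri, nonce="srvnonce1", cnonce="clinonce1"):
    """Build the digest-response a client would send (nonces are constructed samples)."""
    msg = {"username": user, "realm": realm, "nonce": nonce, "cnonce": cnonce,
           "nc": "00000001", "qop": "auth", "digest-uri": digest_uri}
    msg["response"] = digest_response(user, realm, password, nonce, cnonce,
                                      msg["nc"], msg["qop"], digest_uri)
    return msg


if __name__ == "__main__":
    for uri, user in (("ldap/127.0.0.1", "admin"), (EXPECTED_URI, "user_1"), (EXPECTED_URI, "admin")):
        print(verify_response(client_message(user, "apache.org", "secret", uri)))
```

The first two calls reproduce the two errors in this thread; the third succeeds only because the server holds a password for that user in that realm, which is exactly what the second error says it could not find.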

ofrxnz
Champ in-the-making
If memory serves me, I don't think Active Directory (2k3 R2) supports MD5 out of the box.  I believe you can install it.  I believe MS AD only supports MD4, and in Alfresco you have to use "SIMPLE" (plaintext) because Alfresco doesn't do MD4.

The other issue could be user names.  In AD, if say your name is "John Doe" and you log in using "john.doe" for a user name, your real LDAP user name is NOT "john.doe"; your real user name is something to the effect of CN=John Doe,OU=Users,DC=COMPANY,DC=com (I think this is officially called a DN, distinguished name).

I use Apache Directory Studio (which I believe uses the same base as your studio) to look into the LDAP side of Active Directory, and these are the settings I use for an out-of-the-box (not locked down) AD server:

hostname=IP Address
port=389
encryption method=no encryption
(if you have TLS or SSL set up on AD you will need to change this; this is connection-based, not credentials)
Authentication Method=Simple Authentication
Bind DN or user=John Doe (not john.doe or jdoe)
(don't ask me why this is some strange truncated form of the actual LDAP user name, but it works)
Bind password=John Doe's password

Don't quote me on that, but I had a similar experience.

Let me know if that helps at all.

geoffrey1211
Champ in-the-making
Thanks for your reply.

I do not want to use simple authentication, because that is so insecure: anyone who intercepts the HTTP request can see your password.  Moreover, Alfresco does not allow CIFS to be run with simple authentication, but only with Kerberos or MD4 (or above?).

When I use DIGEST-MD5 as the authentication method for the server using the DN (instead of John Doe), it gets the same error.  Something to do with the realm not being able to retrieve the user password.

Anyway, I am VERY DISAPPOINTED at Alfresco's documentation.  I say unless you are going fully enterprise with 24-7 support and everything, do not attempt the community/free version because it's going to waste you a TON of time.  Officially I've given up on a more secure authentication with Alfresco, and will definitely discourage any new people from trying to use this software.

ofrxnz
Champ in-the-making
Yeah, the documentation is a pain, and Alfresco needs A LOT of love at times, but my company loves it even though it costs me many sleepless nights.  I usually Google what I need.  I believe they are going to clean up configuration in the next release or two so it is more point and click.  Alfresco/Adobe made a bunch of management changes when they ported Alfresco to work as the backend for Adobe LiveCycle.

For MD5 you need to do some work on the AD server; I don't know how to do this off the top of my head.

I think you probably want to use NTLM.  It works as "out of the box" as anything else, and I believe it is secure.

It runs on MD4 and supports Single Sign On (SSO), so IE and Windows will automagically log you into CIFS and the Alfresco web interface with the account you are logged into the Windows client with, and if it doesn't know you it will prompt.  It's actually really slick.

The only drawback is it does not sync, so new users can always get in, but it won't automatically pull over emails, phone numbers and the like; you can run LDAP Sync to pull that over.

Here is the documentation you need for SSO and NTLM (I believe).  Don't try SSO for Share (it's broken in Labs 3 stable), but I can point you in the right direction to fix it; a bad edit slipped in after QC came around (*shakes fist*).  Also, in Share, if you have dots or other symbols in user names, Share will need a touch more love: you need to add a line to about 6 scripts.

http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM

The extension to the ntlm-authentication-context.xml file is really finicky about how you describe the authentication servers for CIFS and FTP, so let me know if anything gives you any grief.

At a minimum you need to do this part:

"NTLM Passthru Authentication "

SSO is always optional.

geoffrey1211
Champ in-the-making
Thanks for your detailed response.

I work for a consulting company, and my client has a fully functional domain controller with Active Directory.  On my local network, there is no domain controller for me to play with.  Therefore I've been working with Active Directory Studio (Apache) as the server.

Now if I want to use NTLM, do I need a domain controller instead of just an LDAP/AD server?  Is there any way for me to test on my local machine instead of going over to the client's domain and testing things out there?

ofrxnz
Champ in-the-making
I don't think there is an easy way to simulate an ADS server with the NTLM protocol.

If there is, it would most likely be an open source product from the Samba project.  Using this, I believe, RHEL/Fedora and most likely Debian/Ubuntu can be substituted for an ADS server, at least for authentication.  However, I have never done this before, and from what I have gathered it's a bit of a pain.  I also don't know what protocol it uses.

On the other hand, you could probably create a VM with a demo of Windows Server 2k3.  All you would need is VMware Server, or, if you can find a pre-made image, VMware Player.

It is actually easier to configure the system for NTLM than LDAP.  I would be surprised if it took more than an hour to configure and test it. 

To help you out, here is what I use.  We have multiple domain controllers; in this file I hard-code their IP addresses, but you could use the DNS name.  Also, the domain is always ALL CAPS (good old NT); don't use the .com/.net/.org/etc. suffixes (NT again).  The servers line is a bit weird, but I needed both styles of declaration (with and without domain) to make all the different file servers play nice (CIFS/NFS/FTP).

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

   <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
         <property name="allowSetEnabled" value="true" />
         <property name="allowGetEnabled" value="true" />
         <property name="allowDeleteUser" value="true" />
         <property name="allowCreateUser" value="true" />
   </bean>


   <!-- The authentication component.                                      -->

   <!-- Use the passthru authentication component to authenticate using    -->
   <!-- user accounts on one or more Windows servers.                      -->

   <!-- Properties that specify the server(s) to use for passthru          -->
   <!-- authentication :-                                                  -->
   <!--   useLocalServer   use the local server for authentication         -->
   <!--   domain           use domain controllers from the specified domain-->
   <!--   servers          comma delimited list of server addresses or     -->
   <!--                    names                                           -->

   <bean id="authenticationComponent"
         class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"
         parent="authenticationComponentBase">
       <property name="useLocalServer">
           <value>false</value>
       </property>
       <property name="servers">
           <value>DOMAIN\192.168.1.200,DOMAIN\192.168.1.201,192.168.1.200</value>
       </property>
       <property name="personService">
           <ref bean="personService" />
       </property>
       <property name="nodeService">
           <ref bean="nodeService" />
       </property>
       <property name="transactionService">
           <ref bean="transactionComponent" />
       </property>
       <property name="guestAccess">
           <value>false</value>
       </property>
   </bean>

</beans>