
AD+Kerberos and alfrescoUserStore cooperation

milesif
Champ in-the-making
Hi everybody,

In a previous post I described an authentication problem with AD+kerberos, but later I discovered that AD+Kerberos was working fine and the problem was of a different nature. I discovered that:

1. If I manually create a user in Alfresco, when Kerberos is turned off, and then in AD, I have no problem using CIFS shares with Kerberos (I can see that Kerberos authentication is completed successfully).
2. If I create a user in AD that does not exist in Alfresco, an equivalent user is automatically created in Alfresco the first time I try to access a share. In this case, whenever I try to access the share, the AD+Kerberos authentication is completed correctly but the user cannot log in because the RepositoryAuthenticationDao cannot find it in the alfrescoUserStore, although it exists (the getUserOrNull method returns null), and I am presented with the login dialog until I insert the data of one of the users pre-created in Alfresco, who can log in successfully.

So I have a few questions:
1. Is it absolutely necessary to create users first in Alfresco, or is there a way to "promote" users created by AD so that the login process can be completed successfully? Can I switch off the alfrescoUserStore or should I configure the LDAP synchronization? Or should I do something else?
2. When I try to log in using IE7 I am asked for a username and password, even if I am using a user that was pre-created in Alfresco. What should I do to make IE7 automatically and transparently send username and password in its headers (I thought that there was nothing to do here…)?

Thanks in advance to anybody helping me

Ciao Francesco

milesif
Champ in-the-making
Hi everybody,

All the problems were coming from the fact that, because of a misunderstanding of mine, I configured neither the JAAS authentication context in an extension/jaas-authentication-context.xml, nor a chaining context.
Now I can make both the JAAS Kerberos AD security and the chain with Alfresco security and JAAS Kerberos AD security work.

I have just one minor problem left. When I use chaining I cannot log in from the web using my Alfresco users, because the Kerberos filter tries to authenticate them in the AD domain and, of course, it can't.
Is there a way to make the web client authenticate first against the Alfresco DB and, if it does not succeed, against AD, or vice versa? I tried a configuration with both the Kerberos filter and the standard filter active, with no luck. I also tried them in reverse order with no success.

Thanks in advance for any help

ciao Francesco

flefoll
Champ in-the-making
Hi,

What you are trying normally works…
Can you post your config file?

All of them (except krb5.conf…):
JAAS,
Tomcat/JAAS,
Alfresco JAAS & Alfresco chaining configuration?

Regards,

Francois