Alfresco 3, AD NTLM, LDAP Sync Issue

rubicon49bc
Champ in-the-making
I have NTLM Authentication working and I can access the CIFS shares as a user without a problem. My issue is with LDAP Sync, I cannot seem to get it working. When I configure ldap-authentication.properties I can no longer get into Alfresco.


[#|2009-04-06T14:22:40.227+0000|INFO|sun-appserver2.1|org.springframework.beans.factory.support.DefaultListableBeanFactory|_ThreadID=16;_ThreadName=pool-1-thread-8;|Overriding bean definition for bean 'authenticationComponent': replacing [Child bean with parent 'authenticationComponentBase': class [org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in file [/opt/glassfish/domains/<domain>/lib/classes/alfresco/extension/ntlm-authentication-context.xml]] with [Child bean with parent 'authenticationComponentBase': class [org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in file [/opt/glassfish/domains/<domain>/lib/classes/alfresco/extension/ldap-authentication-context.xml]]|#]
[#|2009-04-06T14:22:49.839+0000|WARNING|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;_RequestID=7eaa0fa6-d2cf-457f-afee-7e2c50868f75;|LDAP server supports anonymous bind ldap://<ip address>|#]
[#|2009-04-06T14:22:49.860+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for a string uid and password at ldap://<ip address>|#]
[#|2009-04-06T14:22:49.881+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://<ip address>|#]
[#|2009-04-06T14:22:49.913+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://<ip address>|#]

I have tested the account who has delegated rights to the domain via ldapsearch without any problems.
ldap-authentication.properties

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s@company-inc.net
# also tried company-inc\%s and %s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://<ip address>

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=Alfresco Ldap,cn=users,dc=company-inc,dc=net
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=password

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false


#
# This properties file is used to configure LDAP synchronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=organizationalPerson)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=ou=users,ou=pkmm,dc=pkmm-inc,dc=net

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=group)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=ou=groups,ou=pkmm,dc=pkmm-inc,dc=net

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=group

# The person type in LDAP
ldap.synchronisation.personType=organizationalPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 30 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=false

After I enable ldap-auth and ldap sync xmls, I get the above error and CIFS doesn't start nor can I login.
6 replies

steffen
Champ in-the-making
Hi,

I think you forgot to specify the IP/DNS of the LDAP-Server:

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://<ip address>


Greetings

Steffen

rubicon49bc
Champ in-the-making
I took that info out, as well as the passwords and the domain of the application server.

rubicon49bc
Champ in-the-making
I also tested against an openldap server with no problem, of course I need CIFS so NTLM it needs to be.

rubicon49bc
Champ in-the-making
I have ldap-authentication working and the user accounts sync'd. CIFS will only work in passthru mode, but NTLM users cannot log into the CIFS share. So if you use ldap-sync you lose NTLM, and so you lose CIFS SSO. Is this correct? If so, how do you manage groups in AD for Alfresco? How do you get all the users in? file-server.xml with Alfresco or Enterprise won't work if you are using ldap-auth. So how do you import AD accounts using the ldap-sync?

ofrxnz
Champ in-the-making
This suggests to me it is not even binding correctly:

[#|2009-04-06T14:22:49.913+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://<ip address>|#]

It probably worked on OpenLDAP because OpenLDAP will anonymously bind until you explicitly forbid it. AD will not anonymously bind until you make it.

What does your NTLM and file-server configuration look like? The file servers are a bit picky with the NTLM syntax.

file-server.xml has nothing to do with LDAP sync. You can set the file servers to use pass-through to the LDAP, but that won't do anything about the sync.

When you have both NTLM and LDAP enabled, NTLM should override LDAP. Though it sounds like something is a bit funky. Did you change any other authentication files?

NTLM will give you SSO. LDAP will not.

If you only want to use NTLM you will have to manually enter user details (email, phone, etc.).

With both NTLM and LDAP a user account is created as soon as they log into Alfresco. You do not need to sync; as soon as they correctly authenticate they are allowed in.

I would not use SYNC for groups because Share creates its own groups and SYNC will do one of two things. It will either delete these groups when Alfresco sees they are not in AD or, Alfresco will only be able to add users to groups. Depending on your network size you may only want to sync once and handle user details and group changes by hand.


Try this…

Auth file:

ldap.authentication.userNameFormat=%s

Better safe than sorry with the port:
ldap.authentication.java.naming.provider.url=ldap://<ip address>:389

Don't know if it counts, but mine is caps… I remember caps grief somewhere in here, don't know where though:
ldap.authentication.java.naming.security.authentication=SIMPLE

Again, verify capitalization… I think it gave me grief before. This is my capitalization pattern:
ldap.authentication.java.naming.security.principal=CN=Alfresco Ldap,CN=Users,DC=COMPANY,DC=net

Yours should be valid, but this is mine:
ldap.synchronisation.personQuery=(objectclass=user)

And the search file:

Again check caps… I would guess it would be more like this. Your path here and above don't match, even if you did scrub them?
ldap.synchronisation.personSearchBase=OU=Users,OU=pkmm,DC=PKMM-INC,DC=net

This isn't required information in AD; have you filled it in? If not, 'o' does not exist:
ldap.synchronisation.userOrganizationalIdAttributeName=o

Shouldn't matter, but I used user:
ldap.synchronisation.personType=user
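
The checklist in the reply above (explicit port, the bind principal and the search bases living in different domains, the rarely populated 'o' attribute), applied to the properties file from the original post, as an added example that is not part of this thread or of Alfresco. It is an offline linter: it reads a constructed copy of the posted file, never contacts an LDAP server, and only flags what the thread itself discusses plus two caveats a security reviewer would add (a simple bind over plain ldap:// sends the service-account password and every user password in cleartext, and the properties file itself holds that password in cleartext). The domain-suffix comparison is a heuristic that assumes the search bases should sit in the same domain as the bind principal; in a multi-domain forest a mismatch can be legitimate. The 'o' check is taken from the reply's remark and is an assumption about how the directory is populated, not a rule. The `bind_name` helper only reproduces the `%s` substitution Alfresco performs on `userNameFormat` so you can see what name each format produces for a given login.

```python
"""Offline sanity check of an Alfresco 3 ldap-authentication.properties file.

Added example for this thread; it is not Alfresco code and does not contact
any LDAP server. It only flags the pitfalls raised in the replies plus the
obvious transport/credential caveats.
"""
import re

# Constructed sample mirroring the file posted in the thread; the host and
# domains are the thread's own scrubbed placeholders, not real values.
SAMPLE_PROPERTIES = """\
# auth
ldap.authentication.userNameFormat=%s@company-inc.net
ldap.authentication.java.naming.provider.url=ldap://<ip address>
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.security.principal=cn=Alfresco Ldap,cn=users,dc=company-inc,dc=net
ldap.authentication.java.naming.security.credentials=password
# sync
ldap.synchronisation.personSearchBase=ou=users,ou=pkmm,dc=pkmm-inc,dc=net
ldap.synchronisation.groupSearchBase=ou=groups,ou=pkmm,dc=pkmm-inc,dc=net
ldap.synchronisation.userOrganizationalIdAttributeName=o
"""

# scheme://host[:port]; the host may be a scrubbed placeholder with spaces
URL_RE = re.compile(r"^(ldaps?)://([^/:]+)(?::(\d+))?", re.IGNORECASE)


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def dn_suffix(dn, count=2):
    """Last `count` RDNs of a DN, lower-cased (LDAP attribute types are case-insensitive)."""
    rdns = [r.strip().lower() for r in dn.split(",") if r.strip()]
    return ",".join(rdns[-count:])


def bind_name(user_name_format, user):
    """The simple-bind name Alfresco sends for `user`: the %s substitution in userNameFormat."""
    return user_name_format.replace("%s", user)


def check(props):
    """Return a list of (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    mech = props.get("ldap.authentication.java.naming.security.authentication", "").lower()
    m = URL_RE.match(url)
    if not m:
        findings.append(("bad-url", "provider.url is not ldap://host[:port] or ldaps://host[:port]"))
    else:
        scheme, port = m.group(1).lower(), m.group(3)
        if port is None:
            findings.append(("no-port", "no explicit port; JNDI defaults to 389 for ldap and 636 for ldaps, state it"))
        if scheme == "ldap" and mech == "simple":
            findings.append(("cleartext-bind", "simple bind over ldap:// sends the service-account and user passwords in cleartext; use ldaps://"))
    principal = props.get("ldap.authentication.java.naming.security.principal", "")
    for key in ("ldap.synchronisation.personSearchBase", "ldap.synchronisation.groupSearchBase"):
        base = props.get(key, "")
        if principal and base and dn_suffix(principal) != dn_suffix(base):
            findings.append(("dn-mismatch", f"{key} ({dn_suffix(base)}) is not under the bind principal's domain ({dn_suffix(principal)})"))
    if props.get("ldap.authentication.java.naming.security.credentials"):
        findings.append(("cleartext-secret", "service-account password stored in cleartext; restrict the file to the app-server user"))
    if props.get("ldap.synchronisation.userOrganizationalIdAttributeName", "").lower() == "o":
        # assumption from the reply above: 'o' is rarely populated on AD user objects
        findings.append(("empty-o", "'o' is rarely populated on AD user objects; expect empty organisation ids"))
    return findings


def finding_codes(text):
    """Sorted, de-duplicated finding codes for a properties file given as text."""
    return sorted({code for code, _ in check(parse_properties(text))})


if __name__ == "__main__":
    for code, msg in check(parse_properties(SAMPLE_PROPERTIES)):
        print(f"[{code}] {msg}")
    # what each userNameFormat tried in the thread turns into for the login 'jdoe'
    for fmt in ("%s@company-inc.net", r"company-inc\%s", "%s", "CN=%s,CN=Users,DC=company-inc,DC=net"):
        print(f"{fmt!r:45} -> {bind_name(fmt, 'jdoe')}")
```

Run it as-is to see the five findings on the posted file; point `SAMPLE_PROPERTIES` at your own file contents to lint that instead. Switching the URL to `ldaps://<host>:636` and aligning the search bases with the principal's domain clears everything except the two cleartext-secret and 'o' notes, which are properties of the deployment rather than of the syntax.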

rubicon49bc
Champ in-the-making
I will give that a try. I did use :389 in the server address. I wasn't paying attention to case in the config for the Windows configs. I am also running Glassfish, so Share doesn't work with that. Maybe in the next release.

Thanks
Matt