Alfresco 4.0.d and Novell eDirectory

roger
Champ in-the-making
Does anybody know how to connect Alfresco to Novell's eDirectory service for authentication purposes?

I want to let the users in Alfresco use the same password they're using in eDirectory.

I've tried several other manuals but no success.

Thanks in advance.
5 REPLIES

jottley
Confirmed Champ
Summary: (The last time I tried this was with Alfresco 3 and OES 2 - no service packs) Novell eDirectory LDAP uses MD5 hashed passwords.  To emulate MS CIFs, Alfresco uses MD4 hashed passwords.  If you have access to Novell's Open Enterprise Server (At least version 2), you can install Novell Samba and then enable the Samba Default Password Policy in iManager to allow eDirectory LDAP to use MD4 hashed passwords.  Novell eDirectory LDAP also requires SSL connections.  So you'll need to export the server cert used by the LDAP service and install it in a java keystore that Alfresco can access.


Configuring eDirectory for Alfresco
Novell’s eDirectory is a popular Directory server for managing Servers, Computers and Users.  It is LDAP compatible and therefore usable with Alfresco.  However, it does not support MD4 hashing of passwords, which is needed to Authenticate users against Alfresco’s CIFs Virtual File Server.
Prerequisites
This document presupposes some basic administration knowledge of eDirectory and Alfresco.  For Alfresco you must know or be familiar with configuring LDAP and CIFs Server passthru authentication.
For eDirectory you must have an OES 2 server in your tree.
Context
Alfresco’s CIFs Virtual File Server is developed against the CIF standard as implemented by Microsoft.  It uses MD4 hashed passwords to authenticate users.  eDirectory, and LDAP in general, have chosen to use MD5 hashed passwords.  This makes the Alfresco CIFs server incompatible in an environment where eDirectory is used as a Directory Server.  To work around this, you can leverage Samba as delivered in Novell’s Open Enterprise Server (OES) 2.
Steps
Verify that the OES Samba Pattern has been installed
1.   In YAST, under Software, select Software Management.
2.   Change the Filter to Patterns
3.   Verify that Novell Samba is selected under OES Services.
4.   If not installed, select it here to be installed.
With Novell-samba installed we can start to configure it and enable users to use the samba service.  We’ll start by enabling users to use the samba service.  This requires the users and the container they are in to have Universal Password enabled.
5.   Login into iManager
6.   Under Passwords select Password Policies.
7.   In your list of Password Policies you should see a Policy called “Samba Default Password Policy”. Click on this link
8.   In the new window that is open select the Policy Assignment tab
9.   Add the user containers that contain the users you want to have access to Alfresco.
10.   Once the containers have been selected, apply the changes.
Next we want to add the users in these containers to samba
11.   From the File Protocols menu, select Samba
12.   Select the samba object from the tree.
13.   Select the users tab
14.   Click ‘Add…’
15.   Select the users from the container you added to the Samba Default Password Policy.
Enabling LDAP connections
LDAP connections to eDirectory require an SSL certificate. To obtain the Certificate:
1.   Login in to iManager
2.   From the LDAP menu select LDAP Options
3.   Select the Connections page on the General Tab
4.   On the Connections Page you will see the type of certificate LDAP is using.
5.   From the Novell Certificate Access menu select Server Certificates
6.   Check the Nickname that matches the certificate that the LDAP server is using and click the Export link
7.   Select the Certificate from the drop down list and the export format. 
8.   Click Next and then “Click the Save the exported certificate” link.  This will download the link.
9.   Save the Certificate to the Alfresco Server.
10.   Using the Java keytool create a keystore with your certificate
For example if the exported certificate is using .der:
keytool -import -alias {some value} -keystore {path to keystore} -file {path to exported certificate} -trustcacerts
11.   Modify JAVA_OPTS by appending
-Djavax.net.ssl.trustStore={path to keystore}
Result
You have now enabled eDirectory to use Samba as a proxy accepting MD4 password hashes, and added an SSL certificate that Alfresco can use for LDAP connections.
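The certificate steps 10 and 11 above, written as a small script. This is an added example, not code from the thread or from Alfresco: the keystore path, the alias "edir", the keystore password and the LDAPS port 636 are assumptions for illustration, and the handshake check needs openssl on the Alfresco host.

```shell
#!/bin/sh
# Added example, not from the thread: the keystore steps (10-11) as shell
# functions, plus a TLS check of the LDAP port. Paths, the alias "edir", the
# keystore password and port 636 are assumptions for illustration.

# Import the exported DER certificate into a dedicated truststore.
# Returns 1 without calling keytool when the certificate file is missing.
import_ldap_cert() {
    keystore="$1"; certfile="$2"; cert_alias="$3"; storepass="$4"
    if [ ! -f "$certfile" ]; then
        echo "certificate file not found: $certfile" >&2
        return 1
    fi
    # -importcert is the long form of -import; -noprompt suppresses the
    # "Trust this certificate?" question so the step can run unattended.
    keytool -importcert -alias "$cert_alias" -keystore "$keystore" \
        -file "$certfile" -storepass "$storepass" -noprompt -trustcacerts
}

# Confirm the alias made it into the truststore (exit status only).
verify_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# The JAVA_OPTS fragment from step 11, built from the keystore path.
truststore_opts() {
    printf '%s' "-Djavax.net.ssl.trustStore=$1"
}

# Handshake against the LDAPS port using the exported certificate as the only
# trust anchor; succeeds only if the server presents a chain that verifies
# against it, which is exactly what the Java truststore will require later.
check_ldaps() {
    host="$1"; certfile="$2"
    # openssl wants PEM, so convert the exported DER certificate first.
    openssl x509 -inform der -in "$certfile" -out "$certfile.pem" &&
    openssl s_client -connect "$host:636" -CAfile "$certfile.pem" </dev/null 2>&1 |
        grep -q 'Verify return code: 0 (ok)'
}
```

Usage on the Alfresco server would be `import_ldap_cert /opt/alfresco/edir.jks /tmp/ldap-server.der edir changeit && verify_alias /opt/alfresco/edir.jks changeit edir`, then appending `$(truststore_opts /opt/alfresco/edir.jks)` to JAVA_OPTS. Running `check_ldaps ldap.example.org /tmp/ldap-server.der` before restarting Alfresco tells you whether the exported certificate really is the one the LDAP service presents; a mismatch here is the usual reason the Java side later fails with a handshake error.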

chrischu
Champ in-the-making
Hello Jottley,

Thanks for the good explanation.
I have two additional questions:
Can I use the OES CIFS pattern instead of Samba pattern, or is there a special requirement why you use samba on the OES server?

Could you please provide a working Alfresco LDAP configuration. I played a long time with many different settings but it seems that something is wrong in my configuration.

Thank you

Chris

jottley
Confirmed Champ
chrischu wrote:
Can I use the OES CIFS pattern instead of Samba pattern, or is there a special requirement why you use samba on the OES server?

Possibly…I've never tried it and don't have access to an OES setup to try it anymore.  The key is being able to have password retrievable as MD4 hashes…so if the password policy in iManager allows this, you should be good (fingers crossed)

chrischu wrote:
Could you please provide a working Alfresco LDAP configuration. I played a long time with many different settings but it seems that something is wrong in my configuration.

An AD-LDAP config should work…and I don't have the one I used for this one anymore either.  I'm including a generic one that I know has worked in the past.


#
# AD configurations
# ----------------
#
ldap.authentication.active=false
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s@domain.com
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://domaincontroller.domain.com:389
ldap.authentication.escapeCommasInBind=true
ldap.authentication.escapeCommasInUid=true
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=manager,dc=domain,dc=com
ldap.synchronization.java.naming.security.credentials=secret
#ldap.synchronization.queryBatchSize=1000
#ldap.synchronization.attributeBatchSize=100

ldap.synchronization.groupQuery=(&(objectclass\=group))
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<={0})))
ldap.synchronization.personQuery=(&(objectclass\=user))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(!(whenChanged<={0})))
ldap.synchronization.groupSearchBase=dc\=domain,dc\=com
ldap.synchronization.userSearchBase=dc\=domain,dc\=com
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.import.cron=0 30 * * * ?
ldap.synchronization.synchronizeChangesOnly=true

chrischu
Champ in-the-making
Hi Jared,

Currently I use 4.0.e and it seems that it doesn't work. I cannot login with an LDAP user. I made a network trace and I can see that the syntax of the call to the LDAP server is wrong. The server returns with error code 34 (Invalid DN syntax). I used several settings (%s, %s + container), but I get every time the same results. I have installed and managed many PHP-based LDAP authentications and I feel that we miss something here. There is no base. There is no communication where Alfresco asks for the users container in the tree.

Chris
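LDAP result code 34 is invalidDNSyntax: the directory rejected the bind name itself, before any search base comes into play. The AD-style config posted earlier sets `ldap.authentication.userNameFormat=%s@domain.com`, which Active Directory accepts as a UPN, but a simple bind against a directory that expects a distinguished name needs a full DN such as `cn=%s,ou=users,o=acme`. The following is an added example, not code from the thread or from Alfresco: hypothetical helpers that substitute the login name for `%s` the way `userNameFormat` does, escape it (the whole RFC 4514 special set, a generalisation of `escapeCommasInBind`, which by assumption handles commas only), and check whether the result is a syntactically valid DN. The container names are constructed placeholders.

```python
"""Added example (not from this thread or from Alfresco's code base): build the
simple-bind name the way ldap.authentication.userNameFormat does (%s is replaced
by the login name) and check whether the result is a syntactically valid DN.
bind_name(), is_valid_dn() and classify_bind_name() are hypothetical helpers."""
import re

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
_SPECIAL = set(',+"\\<>;=')

# Attribute type: a descriptor (cn, ou, o, ...) or a dotted OID.
_ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$")


def escape_dn_value(value: str) -> str:
    """Escape a login name so it can only ever be a value, never extra RDNs.
    Covers the whole RFC 4514 special set, a generalisation of Alfresco's
    escapeCommasInBind option (assumption: that option handles commas only)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def bind_name(user_name_format: str, user: str, escape: bool = True) -> str:
    """Substitute the login name for %s, escaping it unless escape=False."""
    return user_name_format.replace("%s", escape_dn_value(user) if escape else user)


def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep, ignoring separators preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(text[i])
        i += 1
    parts.append("".join(cur))
    return parts


def is_valid_dn(dn: str) -> bool:
    """True if dn parses as RDN(,RDN)* where each RDN is type=value pairs joined
    by '+' and no value contains an unescaped special character."""
    if not dn.strip():
        return False
    for rdn in _split_unescaped(dn, ","):
        for ava in _split_unescaped(rdn, "+"):
            attr, eq, value = ava.partition("=")
            if not eq or not _ATTR_TYPE.match(attr.strip()) or not value.strip():
                return False
            i = 0
            while i < len(value):
                if value[i] == "\\":
                    i += 2          # escaped pair: skip both characters
                    continue
                if value[i] in _SPECIAL:
                    return False    # unescaped special character
                i += 1
    return True


def classify_bind_name(name: str) -> str:
    """'dn' for a well-formed DN, 'upn' for user@domain (accepted by Active
    Directory, rejected by a DN-only simple bind), 'invalid' otherwise."""
    if is_valid_dn(name):
        return "dn"
    if re.match(r"^[^,=+\\@\s]+@[^,=+\\@\s]+$", name):
        return "upn"
    return "invalid"


if __name__ == "__main__":
    # Constructed examples; the container names are placeholders.
    for fmt, user in [("%s@domain.com", "chris"),
                      ("cn=%s,ou=users,o=acme", "chris"),
                      ("cn=%s,ou=users,o=acme", "chris,ou=admins")]:
        name = bind_name(fmt, user)
        print(f"{fmt!r:28} {user!r:18} -> {name!r:44} {classify_bind_name(name)}")
    # Without escaping, a crafted login name rewrites the DN to another container.
    print(bind_name("cn=%s,ou=users,o=acme", "chris,ou=admins", escape=False))
```

The third constructed case shows why the escaping option matters beyond correctness: with `escape=False` the login name `chris,ou=admins` turns the bind DN into `cn=chris,ou=admins,ou=users,o=acme`, a well-formed DN pointing at a different entry than the administrator intended, whereas the escaped form keeps the comma and equals sign inside the `cn` value. A quick way to confirm the bind format against your own tree is to take the DN that `bind_name` produces for a known user and check that it resolves in iManager before touching the Alfresco properties.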

chrischu
Champ in-the-making
It works!!!

I have put all ldap settings in the alfresco-global.properties. Strange behaviour …

Chris