alfresco 4 + LDAP

jms_nh
Champ in-the-making
I'm a complete novice to alfresco + have just installed the latest community edition 4.0.

I want to configure it to use an LDAP server for authentication, and am very confused. The documentation for alfresco (http://docs.alfresco.com/3.4/index.jsp?topic=%2Fcom.alfresco.Enterprise_3_4_0.doc%2Fconcepts%2Fauth-...) is pretty poor in this regard. The page on LDAP http://docs.alfresco.com/3.4/index.jsp?topic=%2Fcom.alfresco.Enterprise_3_4_0.doc%2Fconcepts%2Fauth-... makes no mention of where the properties have to be set.

I'm also really confused because I'm running Community Edition 4.0 but the online docs are for Enterprise 3.4 – where are the docs for CE4.0?
9 REPLIES

scouil
Star Contributor
There are a lot of posts about LDAP on the forum. Check that one for example:
https://forums.alfresco.com/en/viewtopic.php?f=46&t=14737&start=15

And the only file you'll need to configure in most cases is tomcat/shared/classes/alfresco-global.properties :
http://wiki.alfresco.com/wiki/Repository_Configuration#alfresco-global.properties_.28V3.2.2B.29

Hope you can find your answers in those links. Come back if you couldn't or if you have other questions I'll be glad to help.

mrogers
Star Contributor
This is the URL for the Alfresco 4.0 documentation -> http://docs.alfresco.com/4.0/index.jsp

prabuprasath
Champ in-the-making
I want to configure it with an external LDAP. If there is any good link, please send it to me.

leftcase
Champ in-the-making
I like yourself am pretty new to this too…

Here's how I got it working:

Alfresco will let you use the authentication capabilities of multiple different auth systems. If you just want LDAP, put this line into your alfresco-global.properties file (you'll find it in Alfresco/tomcat/shared/classes):

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad

Then create a file in this path (create the folders too if they don't exist) and fill it with info needed for your AD:

Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties

ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@YOURDOMAINHERE
ldap.authentication.java.naming.provider.url=ldap://YOURDC.YOURDOMAINHERE:389
ldap.authentication.defaultAdministratorUserNames=Administrator,alfresco,yourusername
ldap.synchronization.java.naming.security.principal=alfresco@YOURDOMAINHERE
ldap.synchronization.java.naming.security.credentials=*************
ldap.synchronization.groupSearchBase=cn=someOU,dc=YOURDOMAIN,dc=COM
ldap.synchronization.userSearchBase=cn=someOU,dc=YOURDOMAIN,dc=COM

See where it says ldap.synchronization.java.naming.security.principal & credentials? You need to create an AD user for Alfresco to use to 'browse the AD with'. Put the username and password for this user in those spaces.

Restart the tomcat service.

Check the latest log in the Alfresco/tomcat/logs folder and you should see lots of info about Alfresco syncing users and groups from your Active Directory. Wait a little while and you'll be able to log in using your AD account.

Caveat - This authentication is done in-the-clear, so isn't very secure.

throwback
Champ in-the-making
Awesome! A set of clear directions on how to get LDAP-AD working.

Can I ask a cogent question? Why is the ldap-ad config going into a subdirectory called ldap1? I have found nothing in documentation anywhere that describes this need, and the default alfrescoNtlm authentication subsystem configuration doesn't sit in alfrescoNtlm1.

Even the Packt book I bought is completely redundant now. How does anyone upgrade? The configuration files for each subsystem seem to move and change with every release!

Been trying to configure this beast for a month now and I am very close to just telling my boss I am too thick to do this and just buy Sharepoint.

Arg, rant over. Still, can anyone describe why the ldap-ad config has to go in a separate subdirectory?

Kind regards,

Iain

mrogers
Star Contributor
The config does not change that much!

As for why it's called ldap1, that's simply the name given to it in the authentication chain above. The chain consists of name/type pairs.

So the chain above contains two authenticators. The first, called "alfinst", is of type "alfrescoNTLM"; the second, called "ldap1", is of type "ldap-ad".

Types are alfrescoNTLM, ldap, ldap-ad, passthru, kerberos and external.

You could, if you wanted, do something horrible like:

authentication.chain=default:alfrescoNtlm,bill:ldap-ad,ben:ldap-ad,conan:kerberos

In which case the various configuration files would live under

filesystems/alfrescoNtlm/default
filesystems/ldap-ad/bill
filesystems/ldap-ad/ben
filesystems/kerberos/conan

mrogers
Star Contributor
And in the case above with only a single authenticator, simply put the authentication properties into alfresco-global.properties.

There's no need to faff with the subsystem folders for the simple cases.
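To make the name/type rule concrete, here is an added example (my own code, not from the thread or from Alfresco) that splits an authentication.chain value into its name:type pairs, flags duplicate names and unknown types, and derives each authenticator's override directory using the layout leftcase quoted above (alfresco/extension/subsystems/Authentication/<type>/<name>/); the type list is the one mrogers gave.

```python
# Added example, not code from the thread or from Alfresco: parse an
# authentication.chain value into its name:type pairs and derive where each
# authenticator's override file goes, using the layout quoted in the thread
# (alfresco/extension/subsystems/Authentication/<type>/<name>/).
import posixpath

# Subsystem types named in the thread; compared case-insensitively because the
# thread itself writes both alfrescoNtlm and alfrescoNTLM.
KNOWN_TYPES = {"alfrescontlm", "ldap", "ldap-ad", "passthru", "kerberos", "external"}
SUBSYSTEM_ROOT = "alfresco/extension/subsystems/Authentication"

def parse_chain(chain):
    """Split 'name1:type1,name2:type2' into [(name, type), ...], keeping order."""
    entries = []
    for item in chain.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, atype = item.partition(":")
        entries.append((name.strip(), atype.strip()))
    return entries

def chain_problems(chain):
    """Return a list of human-readable problems; an empty list means the chain looks sane."""
    problems, seen = [], set()
    for name, atype in parse_chain(chain):
        if not name or not atype:
            problems.append("entry %r:%r is not a name:type pair" % (name, atype))
            continue
        if atype.lower() not in KNOWN_TYPES:
            problems.append("unknown subsystem type %r for %r" % (atype, name))
        if name in seen:   # two entries with one name would share a config directory
            problems.append("duplicate authenticator name %r" % name)
        seen.add(name)
    return problems

def config_dirs(chain):
    """Map each authenticator name to the directory holding its *.properties override."""
    return {name: posixpath.join(SUBSYSTEM_ROOT, atype, name)
            for name, atype in parse_chain(chain) if name and atype}

if __name__ == "__main__":
    chain = "alfinst:alfrescoNtlm,ldap1:ldap-ad"   # the chain from the thread
    for name, path in config_dirs(chain).items():
        print(name, "->", path)
    print(chain_problems("bill:ldap-ad,bill:ldap,conan:kerberoz"))
```

The file inside the ldap1 directory is the ldap-ad-authentication.properties shown earlier in the thread; as mrogers notes, a chain with a single authenticator can keep its properties in alfresco-global.properties instead.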

jpearson
Champ in-the-making
Just some info: one thing that tripped me up was that when I specified the credentials that Alfresco would use to query LDAP in the Alfresco configuration file, I wrote domain\username but found out later on that '\' is a special character, so I had to escape it like this: domain\\username. Just something to be aware of.

mrogers
Star Contributor
Yes you have to escape the '\' character in a properties file.

It's probably easier to use the Unix directory separator character '/' instead.
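The escaping rule jpearson ran into is the standard java.util.Properties one, and domain\username is a particularly unlucky case because '\u' starts a Unicode escape. Here is an added example (my own code, not from the thread or from Alfresco) that decodes a raw property value the way Java's loader does, so you can preview what Alfresco will actually receive before restarting Tomcat; the sample key and account name are constructed.

```python
# Added example, not code from the thread or from Alfresco: a small reader of
# the value-escaping rules java.util.Properties applies, to preview what Alfresco
# will actually receive for a value such as the LDAP bind principal.
import re

SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape_value(raw):
    """Decode a raw .properties value the way java.util.Properties does.

    A doubled backslash becomes one backslash, t/n/r/f escapes are translated,
    a backslash-u must be followed by exactly 4 hex digits (anything else raises,
    as Java's loader does), and any other escaped character is kept literally.
    """
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(raw):          # a lone trailing backslash is dropped
            break
        nxt = raw[i]
        if nxt == "u":
            hexpart = raw[i + 1:i + 5]
            if not re.fullmatch(r"[0-9a-fA-F]{4}", hexpart):
                raise ValueError("Malformed \\uxxxx encoding in %r" % raw)
            out.append(chr(int(hexpart, 16)))
            i += 5
        else:
            out.append(SIMPLE_ESCAPES.get(nxt, nxt))
            i += 1
    return "".join(out)

def safe_unescape(raw):
    """Return the decoded value, or None if Java would reject the line."""
    try:
        return unescape_value(raw)
    except ValueError:
        return None

def read_properties(text):
    """Parse key=value lines (no continuation lines) into a dict of decoded values."""
    props = {}
    for line in text.splitlines():
        line = line.lstrip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = unescape_value(m.group(2))
    return props
```

safe_unescape("domain\\username") returns None because "\use" is not a valid Unicode escape, while the doubled form decodes to a single backslash and the '/' form mrogers suggests needs no escaping at all.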