Alfresco and Active Directory - cannot login?

jsosic
Champ in-the-making
Hi.

I've managed to get the user import from Windows AD working, but users just can't log in. Passwords are not accepted… I guess I'm doing something wrong. These are my configs:

# cat /var/opt/csw/tomcat5/shared/classes/alfresco-global.properties
###############################
## Common Alfresco Properties #
###############################

#
# Sample custom content and index data location
#
dir.root=/tank/alfresco/alf_data

#
# Sample database connection properties
#
db.username=alfresco
db.password=dbpass

#
# Property to control whether schema updates are performed automatically.
# Updates must be enabled during upgrades as, apart from the static upgrade scripts,
# there are also auto-generated update scripts that will need to be executed.  After
# upgrading to a new version, this can be disabled.
#
db.schema.update=true

#
# MySQL connection
#
db.driver=org.gjt.mm.mysql.Driver
db.url=jdbc:mysql://server6/alfresco
hibernate.dialect=org.hibernate.dialect.MySQLInnoDBDialect

# The well known RMI registry port is defined in the alfresco-shared.properties file
# alfresco.rmi.services.port=50500
#
# RMI service ports for the individual services.
# These six services are available remotely.
#
# Assign individual ports for each service for best performance
# or run several services on the same port. You can even run everything on 50500 if needed.
#
# Select 0 to use a random unused port.
#
#avm.rmi.service.port=50501
#avmsync.rmi.service.port=50502
#attribute.rmi.service.port=50503
#authentication.rmi.service.port=50504
#repo.rmi.service.port=50505
#action.rmi.service.port=50506


#
# External locations
#
ooo.exe=/opt/csw/bin/soffice
#img.root=./ImageMagick
#img.dyn=/usr/lib64
img.exe=/opt/csw/bin/convert
#swf.exe=/usr/local/bin/pdf2swf

#
# Outbound Email Configuration
#
mail.host=mail.mycompany.local
mail.port=25
mail.encoding=UTF-8
mail.from.default=alfresco@mycompany.local
#mail.username=
#mail.password=
#mail.smtp.auth=true


#
# CIFS configuration
#
cifs.enabled=false
cifs.serverName=alfresco
cifs.hostannounce=true
cifs.urlfile.prefix=http://alfresco:8080/alfresco
#
# FTP configuration
#
ftp.enabled=true
ftp.port=8021

#
# Authentication
#authentication.chain=mycompany:ldap
#authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,mycompany:ldap-ad
#authentication.chain=alfrescoNtlm1:alfrescoNtlm,mycompany:ldap-ad
authentication.chain=mycompany:ldap-ad,alfrescoNtlm1:alfrescoNtlm

jsosic
Champ in-the-making
# cat /var/opt/csw/tomcat5/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/mycompany/ldap-ad-authentication.properties

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=false

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=false

# How to map the user id entered by the user to that passed through to LDAP
# In Active Directory, this can either be the user principal name (UPN) or DN.
# UPNs are in the form <sAMAccountName>@domain and are held in the userPrincipalName attribute of a user
ldap.authentication.userNameFormat=%s@Mycompany.local

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://server1.mycompany.local:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the cn is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the cn is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default
ldap.authentication.defaultAdministratorUserNames=Administrator

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
ldap.synchronization.java.naming.security.principal=ldapsearch@Mycompany.local

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=ldappasswd

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000

# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=1000

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=group)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
ldap.synchronization.groupSearchBase=ou\=Dept,ou\=Groups,ou\=Mycompany.com,dc\=Mycompany,dc\=local

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
ldap.synchronization.userSearchBase=ou\=Regular,ou\=Employees,ou\=Mycompany.hr,dc\=Mycompany,dc\=local

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=company

# The attribute on LDAP group objects to map to the authority display name property in Alfresco
ldap.synchronization.groupDisplayNameAttributeName=displayName

# The group type in LDAP
ldap.synchronization.groupType=group

# The person type in LDAP
ldap.synchronization.personType=user

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true

mrogers
Star Contributor
All your authentication chains in alfresco-global.properties are commented out.

jsosic
Champ in-the-making
# cat /var/opt/csw/tomcat5/shared/classes/alfresco/extension/subsystems/Synchronization/default/default/mycompany-synchronization.properties

#
# This properties file is used to configure user registry synchronisation (e.g. LDAP)
#

# Should the scheduled sync job only query users and groups changed since the
# last sync? Note that when true, the sync job will not be able to detect which
# users or groups have been removed from the directory (but obviously group
# membership changes would still be reflected). When false, a more regular
# differential sync on login can still be enabled.
synchronization.synchronizeChangesOnly=false

# The cron expression defining when imports should take place
synchronization.import.cron=0 0/5 * * * ?

# Should we trigger a differential sync when missing people log in?
synchronization.syncWhenMissingPeopleLogIn=true

# Should we trigger a differential sync on startup?
synchronization.syncOnStartup=true

# Should we auto create a missing person on log in?
synchronization.autoCreatePeopleOnLogin=true

jsosic
Champ in-the-making
All your authentication chains in alfresco-global.properties are commented out.

Actually, the last one is uncommented; I failed with copy/paste.

Problem is I don't know how to debug the problem because there's nothing in the logs… Logins just return me to the login screen, as if nothing happened…

marcobusetto
Champ in-the-making
I can suggest stopping Alfresco, renaming the alfresco.log file, starting Alfresco and observing the messages in the clean log. You should see some messages like:

INFO  [org.alfresco.config.JndiPropertiesFactoryBean] Loading properties file from file [/opt/Alfresco/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties]
:
INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [Authentication, managed, ldap1]
:
INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] complete

and no errors.
Can you confirm?

boutch55555
Champ in-the-making
In your ldap config, the first parameter seems to be the problem:
ldap.authentication.active=false
You are syncing the users, but the passwords will never sync (as far as I know, Alfresco cannot sync password hashes). Therefore, your users will never be able to log in. You need to activate it if you want your users to log in. If working in a Windows-only environment, the passthru would be more convenient (provides SSO).

If you still get problems, you can activate debug logging for the login:

in file
tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties
uncomment these 2 log4j lines:
# NTLM servlet filters
#log4j.logger.org.alfresco.web.app.servlet.NTLMAuthenticationFilter=debug
#log4j.logger.org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter=debug

jsosic
Champ in-the-making
OK, I've succeeded. I've done the following in the alfresco-global:
authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,mycompany:ldap-ad
And in shared/classes/alfresco/extension/subsystems/Authentication/passthru/passthru1/passthru-authentication-context.properties:
passthru.authentication.useLocalServer=false
passthru.authentication.domain=MYCOMPANY.LOCAL
passthru.authentication.servers=192.168.1.1,MYCOMPANY.LOCAL\\server1,server1
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=
#Timeout value when opening a session to an authentication server, in milliseconds
passthru.authentication.connectTimeout=5000
#Offline server check interval in seconds
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=NetBIOS,TCPIP
passthru.authentication.authenticateCIFS=true
passthru.authentication.authenticateFTP=true

And now it works… Other files are unchanged.
Does this make any sense to you guys?

boutch55555
Champ in-the-making
Yes, makes sense… your passthru does the login work, while your ldap-ad does the user info (username, name, email…) sync.

Note: the first three options in passthru-authentication-context.properties are mutually exclusive. You should set them this way:
passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=192.168.1.1,MYCOMPANY.LOCAL\\server1,server1