
Alfresco/Ldap connect, but not authenticate - V3.0

nowhere
Champ in-the-making
Hi all,
I'm encountering problems with the Alfresco - ApacheDS integration.
Now I'll try to explain my troubles…
Following the wiki instructions and several posts in this forum, I've configured and renamed (cut off ".sample") these files:

- ldap-authentication-context.xml
- ldap-authentication.properties
- ldap-synchronisation-context.xml
- ldap-synchronisation.properties

To avoid a CIFS exception I changed file-server.xml and left chaining-authentication-context.xml.sample unchanged (I'm not interested in it at the moment; I suppose I can leave it so).

Here are my most important settings:
file ldap-authentication.properties
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=cn=%s,ou=users,ou=system
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://localhost:10389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=reader

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=secret

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

file ldap-synchronisation.properties
# 
# This properties file is used to configure LDAP synchronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=inetOrgPerson)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=ou=users,ou=system

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=personalHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=groupOfNames)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=dc=company,dc=com

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=groupOfNames

# The person type in LDAP
ldap.synchronisation.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 */10 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=true

and, finally, my ApacheDS server.xml


  <defaultDirectoryService id="directoryService" instanceId="default"
                           workingDirectory="example.com"
                           allowAnonymousAccess="false"
                           accessControlEnabled="false"
                           denormalizeOpAttrsEnabled="false">
    <systemPartition>
      <!-- use the following partitionConfiguration to override defaults for -->
      <!-- the system partition                                              -->
      <jdbmPartition id="system" cacheSize="100" suffix="ou=system" optimizerEnabled="true" syncOnWrite="true">
        <indexedAttributes>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.1" cacheSize="100"/>
           …
        </indexedAttributes>
      </jdbmPartition>
     </systemPartition>

    <partitions>
      …
      <jdbmPartition id="alfresco" cacheSize="100" suffix="dc=company,dc=com" optimizerEnabled="true" syncOnWrite="true"/>
    </partitions>

    <interceptors>
      <normalizationInterceptor/>
      <authenticationInterceptor/>
      <aciAuthorizationInterceptor/>
      <defaultAuthorizationInterceptor/>
      <exceptionInterceptor/>
      <operationalAttributeInterceptor/>

      <!-- Uncomment to enable the password policy interceptor
      <passwordPolicyInterceptor/>
      <keyDerivationInterceptor/>
      -->

     …
  <ldapService id="ldapsService"
              enabled="true"
              ipPort="10636"
              enableLdaps="true">
    <directoryService>#directoryService</directoryService>
    <socketAcceptor>#socketAcceptor</socketAcceptor>
  </ldapService>


  <ldapService id="ldapService"
              ipPort="10389"
              allowAnonymousAccess="false"
              saslHost="ldap.example.com"
              saslPrincipal="ldap/ldap.example.com@EXAMPLE.COM"
              searchBaseDn="ou=users,ou=system"
              maxTimeLimit="15000"
              maxSizeLimit="1000">

    <directoryService>#directoryService</directoryService>
    <socketAcceptor>#socketAcceptor</socketAcceptor>

    <!-- The list of supported authentication mechanisms.                   -->
    <saslMechanismHandlers>
      <simpleMechanismHandler mech-name="SIMPLE"/>
      <cramMd5MechanismHandler mech-name="CRAM-MD5" />
      <digestMd5MechanismHandler mech-name="DIGEST-MD5" />
      <gssapiMechanismHandler mech-name="GSSAPI" />
      <ntlmMechanismHandler mech-name="NTLM" ntlmProviderFqcn="com.foo.Bar"/>
      <ntlmMechanismHandler mech-name="GSS-SPNEGO" ntlmProviderFqcn="com.foo.Bar"/>
    </saslMechanismHandlers>

    <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI.  -->
    <saslQop>
      <s:value>auth</s:value>
      <s:value>auth-int</s:value>
      <s:value>auth-conf</s:value>
    </saslQop>

    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->
    <saslRealms>
      <s:value>example.com</s:value>
      <s:value>apache.org</s:value>
    </saslRealms>

      <apacheDS id="apacheDS"
            synchPeriodMillis="15000"
            allowAnonymousAccess="false">

    <directoryService>#directoryService</directoryService>
    <ldapService>#ldapService</ldapService>
    <ldapsService>#ldapsService</ldapsService>
  </apacheDS>


So, when I start Catalina, I think I connect to the LDAP server, and I get the following error:


[13:33:26] ERROR [org.apache.directory.shared.ldap.codec.LdapMessageGrammar] - Incorrect DN given : daftAsABrush (0x64 0x61 0x66 0x74 0x41 0x73 0x41 0x42 0x72 0x75 0x73 0x68 ) is invalid : Bad DN : daftAsABrush
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - >>>==========================================
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - --> Decoding a PDU
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - >>>------------------------------------------
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - --- State = TAG_STATE_START ---
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] -   current byte : 0x30
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - Tag 0x30 has been decoded
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - --- State = LENGTH_STATE_START ---
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] -   current byte : 0x2F
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - --- State = LENGTH_STATE_END ---
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] -   current byte : 0x02
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - Parent length : TLV expected length stack :  - null
Is this the problem?
No error in the Tomcat log.
I have this configuration in the LDAP server, browsed with Apache Directory Studio: [screenshot link]

So, when I start Alfresco and try to log in with user paolo, I get the "Unable to login - unknown username/password" message :(
Where am I wrong? If you need any other configuration information, ask me; I'll try to get it for you!
Thanks in advance!
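
The config above binds with `ldap.authentication.userNameFormat=cn=%s,ou=users,ou=system` and has `escapeCommasInBind=false`, and the ApacheDS log complains about a bare string ("Bad DN : daftAsABrush") that is not a DN at all. As an added example (my own code, not from the original post, Alfresco or ApacheDS), here is how the `%s` substitution and escaping interact with DN syntax, with a small RFC 4514 parser that rejects such a bare string the same way. It goes beyond the page's option in one respect: with escaping on it escapes the full RFC 4514 special set, not only commas. The function names (`bind_dn`, `split_dn`, `is_valid_dn`) and the sample user names are my own.

```python
"""Bind-DN construction and RFC 4514 DN parsing (added example, not Alfresco code)."""

# Characters that must be backslash-escaped anywhere inside an RDN value (RFC 4514 s2.4).
RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a raw attribute value so it can be embedded in a DN string.

    Alfresco's escapeCommasInBind only escapes ','; this escapes the full
    RFC 4514 set (assumption: that is what a hardened bind should do).
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in RDN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(user_name_format: str, user: str, escape: bool) -> str:
    """Apply ldap.authentication.userNameFormat ('cn=%s,ou=users,ou=system') to a login name."""
    if "%s" not in user_name_format:
        raise ValueError("userNameFormat must contain %s")
    value = escape_rdn_value(user) if escape else user
    return user_name_format.replace("%s", value)


def split_dn(dn: str):
    """Parse a DN string into [(attribute, unescaped value), ...].

    Raises ValueError for anything that is not attr=value pairs separated by
    unescaped commas, which is what ApacheDS reports as 'Bad DN'.
    Multi-valued RDNs ('+') are not handled by this simplified parser.
    """
    rdns, attr, cur = [], None, []
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                cur.append(chr(int(pair, 16)))   # \2c style hex escape
                i += 3
                continue
            if i + 1 >= n:
                raise ValueError("dangling backslash in DN")
            cur.append(dn[i + 1])                # \, \+ \" ... style escape
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = "".join(cur).strip()
            cur = []
        elif ch == ",":
            if not attr:
                raise ValueError(f"RDN without attribute type in DN: {dn!r}")
            rdns.append((attr, "".join(cur)))
            attr, cur = None, []
        else:
            cur.append(ch)
        i += 1
    if not attr:
        raise ValueError(f"RDN without attribute type in DN: {dn!r}")
    rdns.append((attr, "".join(cur)))
    return rdns


def is_valid_dn(dn: str) -> bool:
    try:
        split_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    fmt = "cn=%s,ou=users,ou=system"
    print(bind_dn(fmt, "paolo", False))        # cn=paolo,ou=users,ou=system
    print(is_valid_dn("daftAsABrush"))         # False: no '=' anywhere, so not a DN
    print(bind_dn(fmt, "Smith, John", True))   # cn=Smith\, John,ou=users,ou=system
    print(is_valid_dn(bind_dn(fmt, "Smith, John", False)))  # False without escaping
```

Two things worth noticing when you run it: a login name with a comma produces an invalid DN unless escaping is on, and a login name shaped like `paolo,ou=evil` silently adds an RDN to the bind DN when escaping is off, so the string the user types decides the structure of the name sent to the server.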
16 REPLIES

cheffilet
Champ in-the-making
What is your login name?

nowhere
Champ in-the-making
Do you mean the user name I try to log in to Alfresco with? I use "paolo" as defined in my LDAP server with dn: cn=paolo,ou=users,ou=system, and I use the password as defined in the userPassword attribute.
I hope this was your question… excuse me for my bad English.
Greetings

nowhere
Champ in-the-making
I tried to configure chaining; my chaining-authentication-context.xml appears as follows:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
  
   
    <!-- Chaining of both the services and components -->
   
    <bean id="authenticationService" class="org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl">
        <property name="authenticationServices">
            <list>
                <ref bean="authenticationServiceImplJAAS"/>
            </list>
        </property>
        <property name="mutableAuthenticationService">
            <ref bean="authenticationServiceImplAlfresco"/>
        </property>
        <property name="sysAdminCache">
            <ref bean="sysAdminCache"/>
        </property>
    </bean>
   
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl">
      <property name="authenticationComponents">
            <list>
                <ref bean="authenticationComponentImplJAAS"/>
            </list>
        </property>
        <property name="mutableAuthenticationComponent">
            <ref bean="authenticationComponentImplAlfresco"/>
        </property>
   </bean>
   
    <!-- Alfresco Auth -->
   
    <bean id="authenticationServiceImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplAlfresco"/>
        </property>
        <property name="sysAdminCache">
            <ref bean="sysAdminCache"/>
        </property>
    </bean>
   
    <bean id="authenticationDaoAlfresco" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="tenantService">
            <ref bean="tenantService"/>
        </property>
        <property name="dictionaryService">
            <ref bean="dictionaryService"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
        <property name="searchService">
            <ref bean="admSearchService"/>
        </property>
        <property name="retryingTransactionHelper">
          <ref bean="retryingTransactionHelper"/>
        </property>
        <property name="userNamesAreCaseSensitive">
            <value>${user.name.caseSensitive}</value>
        </property>
        <property name="passwordEncoder">
            <ref bean="passwordEncoder"/>
        </property>
    </bean>
   
    <bean id="authenticationComponentImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl" parent="authenticationComponentBase">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="allowGuestLogin">
            <value>true</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>
    </bean>

    <!-- ldap -->

    <bean id="authenticationServiceImplLDAP" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl" lazy-init="default" autowire="default" dependency-check="default">
        <property name="authenticationDao">
            <ref bean="authenticationDaoLDAP" />
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent" />
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplLDAP" />
        </property>
    </bean>

    <bean id="authenticationComponentImplLDAP" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl" lazy-init="default" autowire="default" dependency-check="default">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory" />
        </property>
        <property name="userNameFormat">
            <!-- cn=Manager,dc=khaz-domain,dc=com -->
            <value>cn=%s,ou=users,ou=system</value>
        </property>
    </bean>

    <bean id="authenticationDaoLDAP" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" lazy-init="default" autowire="default" dependency-check="default" />

    <!-- end -->
   
    <!– JAAS –>
   
    <bean id="authenticationServiceImplJAAS" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoJAAS"/>
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplJAAS"/>
        </property>
        <property name="sysAdminCache">
            <ref bean="sysAdminCache"/>
        </property>
    </bean>
   
    <bean id="authenticationComponentImplJAAS" class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
        <property name="realm">
            <value>COMPANY.COM</value>
        </property>
        <property name="jaasConfigEntryName">
            <value>Alfresco</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>
    </bean>
   
    <bean id="authenticationDaoJAAS" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao"/>
   
</beans>

In this case, logging in as admin/admin or as paolo/pwd, I get the following exception:

javax.faces.FacesException: Error calling action method of component with id loginForm:submit
caused by:
javax.faces.el.EvaluationException: Exception while invoking expression #{LoginBean.login}
caused by:
org.alfresco.error.AlfrescoRuntimeException: Not implemented

Any ideas? I'd like to configure authentication with the LDAP server, even without chaining…
Thanks for any suggestions :)

nowhere
Champ in-the-making
Hi again…
I also tried the configuration with DIGEST:

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ldap.example.com:10389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=DIGEST-MD5

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=reader

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=secret

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

Don't mind the "ldap.authentication.java.naming.security.principal" and credentials properties; I set them in ldap-authentication-context.xml as follows:

                <entry key="java.naming.security.principal">
                    <value>uid=admin,ou=system</value>
                </entry>

                <!-- The password for the user defined above -->
                <entry key="java.naming.security.credentials">
                    <value>secret</value>
                </entry>

and I get the following error (from the ApacheDS log):
ERROR [org.apache.directory.server.ldap.handlers.BindHandler] - INVALID_CREDENTIALS: DIGEST-MD5: cannot acquire password for uid=admin,ou=system in realm : example.com

Hoping for some suggestions… I can't get out of this…
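
The "cannot acquire password" line is the server-side half of DIGEST-MD5: to check the client's response the server has to reconstruct H(username:realm:password), which it cannot do from a one-way hashed userPassword. The simulation of the RFC 2831 exchange below is an added example, not ApacheDS or Alfresco code; the `Entry`/`DigestMd5Server` classes, the sample users, the salted-SHA storage form and the result strings are constructed for illustration, and nothing here claims to describe how ApacheDS stores credentials beyond what that log line shows.

```python
"""DIGEST-MD5 (RFC 2831) bind simulated end to end; added example, not ApacheDS or Alfresco code."""
import hashlib
import hmac
import os


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()   # MD5 is what RFC 2831 mandates; nothing else uses it here


def digest_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password): the minimum a DIGEST-MD5 verifier must be able to obtain."""
    return _md5(f"{username}:{realm}:{password}".encode())


def digest_response(secret: bytes, nonce: str, cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """response-value from RFC 2831 section 2.1.2.1, computed from the stored secret (no authzid)."""
    ha1 = _md5(secret + f":{nonce}:{cnonce}".encode())
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop != "auth":                       # auth-int / auth-conf append 32 zero hex digits
        a2 += ":" + "0" * 32
    ha2 = _md5(a2.encode())
    kd = f"{ha1.hex()}:{nonce}:{nc}:{cnonce}:{qop}:{ha2.hex()}"
    return _md5(kd.encode()).hex()


class Entry:
    """One directory entry; `form` says how the secret is stored (constructed for this example)."""
    def __init__(self, username: str, form: str, secret):
        self.username, self.form, self.secret = username, form, secret


def ssha(password: str, salt: bytes) -> bytes:
    """{SSHA}-style salted SHA-1, a one-way form a DIGEST-MD5 verifier cannot use."""
    return hashlib.sha1(password.encode() + salt).digest() + salt


class DigestMd5Server:
    def __init__(self, realm: str, entries):
        self.realm = realm
        self.entries = {e.username: e for e in entries}
        self.outstanding = set()            # nonces issued and not yet consumed

    def challenge(self) -> dict:
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, msg: dict) -> str:
        if msg["nonce"] not in self.outstanding:
            return "invalidCredentials"     # unknown or replayed nonce
        self.outstanding.discard(msg["nonce"])
        entry = self.entries.get(msg["username"])
        if entry is None:
            return "invalidCredentials"
        if entry.form == "plain":
            secret = digest_secret(entry.username, self.realm, entry.secret)
        elif entry.form == "digest-md5":
            secret = entry.secret           # H(user:realm:pass) kept instead of the plaintext
        else:
            return "cannotAcquirePassword"  # the situation behind 'cannot acquire password for ...'
        expected = digest_response(secret, msg["nonce"], msg["cnonce"], msg["nc"],
                                   msg["qop"], msg["digest-uri"])
        return "success" if hmac.compare_digest(expected, msg["response"]) else "invalidCredentials"


def digest_md5_bind(server: DigestMd5Server, username: str, password: str,
                    host: str = "ldap.example.com") -> str:
    """Client side of the exchange: take the challenge, answer it, return the server's verdict."""
    ch = server.challenge()
    cnonce = os.urandom(16).hex()
    msg = {"username": username, "realm": ch["realm"], "nonce": ch["nonce"], "cnonce": cnonce,
           "nc": "00000001", "qop": ch["qop"], "digest-uri": f"ldap/{host}"}
    msg["response"] = digest_response(digest_secret(username, ch["realm"], password),
                                      ch["nonce"], cnonce, msg["nc"], msg["qop"], msg["digest-uri"])
    return server.verify(msg)


def demo_server() -> DigestMd5Server:
    """Constructed sample directory: the same password stored three different ways."""
    return DigestMd5Server("example.com", [
        Entry("admin", "plain", "secret"),
        Entry("reader", "ssha", ssha("secret", b"\x01\x02\x03\x04")),
        Entry("paolo", "digest-md5", digest_secret("paolo", "example.com", "secret")),
    ])


if __name__ == "__main__":
    srv = demo_server()
    for user in ("admin", "reader", "paolo"):
        print(user, digest_md5_bind(srv, user, "secret"))
```

The trade-off the example makes visible: DIGEST-MD5 keeps the password off the wire, but only if the server holds either the plaintext or the realm-bound MD5 of it, both of which are reversible-or-equivalent secrets. A simple bind over LDAPS (port 10636 in the server.xml above) lets the server keep a salted one-way hash instead.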

nowhere
Champ in-the-making
Some more information… if someone can help me:
when I start Catalina, I get the following log:

17:23:50,390  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a string uid and password at ldap://ldap.example.com:10389/
17:23:50,515  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://ldap.example.com:10389/
17:23:50,640  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://ldap.example.com:10389/

and the log always shows, after a few minutes:

17:30:01,187  DEBUG [authentication.ldap.LDAPPersonExportSource] Adding user for admin
17:30:01,187  DEBUG [authentication.ldap.LDAPPersonExportSource] Adding user for fullname
17:30:01,203  DEBUG [authentication.ldap.LDAPPersonExportSource] Adding user for adminrosa
17:30:01,218  DEBUG [authentication.ldap.LDAPPersonExportSource] Adding user for valerio
17:30:01,484  DEBUG [authentication.ldap.LDAPGroupExportSource] Found 1
17:30:01,484  DEBUG [authentication.ldap.LDAPGroupExportSource] Linking GROUP_Group One
17:30:01,484  DEBUG [authentication.ldap.LDAPGroupExportSource] … cn=Full Name,dc=example,dc=com
17:30:01,593  DEBUG [authentication.ldap.LDAPGroupExportSource] … is member
17:30:01,593  DEBUG [authentication.ldap.LDAPGroupExportSource] Top 1
17:30:01,593  DEBUG [authentication.ldap.LDAPGroupExportSource] Secondary 0

but authentication fails… even though the LDAP communication seems to be working.
Why?

jcuzcano
Champ in-the-making
Hi,

in my case, alfresco.log shows this:

11:59:04,638 WARN  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server supports anonymous bind ldap://ldap.com:389
11:59:04,653 INFO  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not support simple string user ids and invalid credentials at ldap://ldap.com:389
11:59:04,700 INFO  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://ldap.com:389
11:59:04,716 INFO  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://ldap.com:389

but the user import process was not started!!!

jcuzcano
Champ in-the-making
I'm working with Alfresco 2.1 with OpenLdap

nowhere
Champ in-the-making
What's your "ldap.synchronisation.import.person.cron" setting?
If it can help you, read this: https://issues.alfresco.com/jira/browse/ALFCOM-1211; it seems that if your LDAP server accepts anonymous bind, Alfresco will not work with it…
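
The INFO/WARN lines from LDAPInitialDirContextFactoryImpl quoted in the two posts above are Alfresco probing how the server answers deliberately bad binds, and ALFCOM-1211 is about a server that accepts anonymous bind. The following is an added example (my own code, not Alfresco's; what exactly Alfresco sends in its probe is assumed from the wording of the log lines, and the bogus string daftAsABrush is the one visible in the thread's first log). It models a simple-bind server with and without unauthenticated binds (RFC 4513 section 5.1.2: a name plus an empty password), runs the probes against it, and shows the one guard an application needs in front of simple bind: never forward an empty password, because a server that accepts unauthenticated binds answers success to one. The server class, the probe keys and the sample user/password are constructed.

```python
"""Simple-bind fallback probing and an empty-password guard; added example, not Alfresco code."""
from dataclasses import dataclass


@dataclass
class SimpleBindServer:
    """Toy LDAP server: dn -> password, plus the two policy switches that matter here."""
    users: dict
    allow_anonymous: bool = False        # bind with empty name and empty password
    allow_unauthenticated: bool = False  # RFC 4513 s5.1.2: a name plus an EMPTY password

    def bind(self, name: str, password: str) -> str:
        if name == "" and password == "":
            return "success" if self.allow_anonymous else "inappropriateAuthentication"
        if "=" not in name:
            return "invalidDNSyntax"     # the case ApacheDS logs as 'Bad DN'
        if password == "":
            # A server with unauthenticated binds enabled answers success here and
            # treats the session as anonymous; an application that equates
            # 'success' with 'the user proved who they are' is then fooled.
            return "success" if self.allow_unauthenticated else "invalidCredentials"
        return "success" if self.users.get(name) == password else "invalidCredentials"


def probe(server: SimpleBindServer, known_dn: str) -> dict:
    """Startup checks in the spirit of the LDAPInitialDirContextFactoryImpl log lines.

    Every True is a way for a wrong or empty password to yield a successful bind.
    """
    bogus = "daftAsABrush"
    return {
        "anonymous_bind": server.bind("", "") == "success",
        "string_uid_with_bogus_password": server.bind(bogus, bogus) == "success",
        "simple_dn_with_bogus_password": server.bind(f"cn={bogus},ou=users,ou=system", bogus) == "success",
        "known_principal_wrong_password": server.bind(known_dn, bogus) == "success",
        "known_principal_empty_password": server.bind(known_dn, "") == "success",
    }


def authenticate(server: SimpleBindServer, user_name_format: str, user: str, password: str) -> bool:
    """What an application should do in front of simple bind: refuse empty credentials up front."""
    if not user or not password:
        return False
    return server.bind(user_name_format.replace("%s", user), password) == "success"


def strict_server() -> SimpleBindServer:
    """Constructed sample: one user, both fallbacks disabled."""
    return SimpleBindServer({"cn=paolo,ou=users,ou=system": "pwd"})


def lax_server() -> SimpleBindServer:
    """Constructed sample: same user, anonymous and unauthenticated binds both allowed."""
    return SimpleBindServer({"cn=paolo,ou=users,ou=system": "pwd"},
                            allow_anonymous=True, allow_unauthenticated=True)


if __name__ == "__main__":
    dn = "cn=paolo,ou=users,ou=system"
    for label, srv in (("strict", strict_server()), ("lax", lax_server())):
        print(label, {k: v for k, v in probe(srv, dn).items() if v})
        print(label, "empty password via authenticate():", authenticate(srv, "cn=%s,ou=users,ou=system", "paolo", ""))
```

Run against the lax server the probe reports `anonymous_bind` and `known_principal_empty_password` as true, which is the condition the ALFCOM-1211 link and the WARN line "LDAP server supports anonymous bind" are about; the `authenticate()` wrapper still returns False for an empty password because it never lets that bind reach the server.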

jcuzcano
Champ in-the-making
In my ldap.synchronisation.properties file I modified this parameter:
ldap.synchronisation.import.person.cron=0 0/1 * * * ? so this job executes every minute,

but the Alfresco log shows this:

12:57:00,021 ERROR [org.quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
java.lang.NullPointerException
   at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:218)
   at org.alfresco.repo.importer.ImporterJob.execute(ImporterJob.java:44)
   at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
   at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
12:57:00,021 ERROR [org.quartz.core.ErrorLogger] Job (DEFAULT.ldapPeopleJobDetail threw an exception.
org.quartz.SchedulerException: Job threw an unhandled exception. [See nested exception: java.lang.NullPointerException]
   at org.quartz.core.JobRunShell.run(JobRunShell.java:213)
   at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: java.lang.NullPointerException
   at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:218)
   at org.alfresco.repo.importer.ImporterJob.execute(ImporterJob.java:44)
   at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
   … 1 more