Alfresco LDAP user home path

ccc_chen
Champ in-the-making
My Alfresco connects with LDAP authentication.
In the file ldap-authentication.properties I set defaultHomeFolderProvider = usersHomeFolderProvider, and the system creates a home directory for each LDAP user.
In Alfresco Explorer, if I log on with the LDAP user account, I can see the LDAP user's home directory and have all the rights: read, write, execute.
However, under CMIS, when I log on with the same LDAP user account, I cannot see the home directory. I can access the home directory by ID and write into the folder, but the content is still not readable. The only exception is when I log on with the Admin account: then I can see all the home directories of the LDAP accounts.
If I log on with a local user, I can see (read) the home directory and also write or execute the content.

I think this may be caused by a wrong setting of the user authority or privilege, but I have no clue where to change this setting. Or maybe it's another problem.
How can I solve this problem? Please help me!
7 replies

loftux
Star Contributor
Can it be that the home folders are created with "All" permissions (instead of a role like "Coordinator") and CMIS doesn't understand this?
   <bean name="defaultOnCreatePermissionsManager"
      class="org.alfresco.repo.security.person.PermissionsManagerImpl">
      <property name="permissionService">
         <ref bean="permissionServiceImpl" />
      </property>
      <property name="ownableService">
         <ref bean="ownableService" />
      </property>
      <property name="inheritPermissions">
         <value>false</value>
      </property>
      <property name="ownerPermissions">
         <set>
            <value>All</value>
         </set>
      </property>
      <property name="userPermissions">
         <set>
            <value>All</value>
         </set>
      </property>
   </bean>
Try changing this bean (found in authentication-services-context.xml, but do not change it directly in that file; create your own myname-context.xml file in extension) and change All to Coordinator.
This will only have an effect on newly created folders; to change it for existing ones you have to do some scripting. If it helps, then you should file an issue at https://issues.alfresco.com.

ccc_chen
Champ in-the-making
I am new to Alfresco, and have created a myname-context.xml file in tomcat/shared/classes/alfresco/extension and changed All to Coordinator.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   <bean name="defaultOnCreatePermissionsManager"
      class="org.alfresco.repo.security.person.PermissionsManagerImpl">
      <property name="permissionService">
         <ref bean="permissionServiceImpl" />
      </property>
      <property name="ownableService">
         <ref bean="ownableService" />
      </property>
      <property name="inheritPermissions">
         <value>false</value>
      </property>
      <property name="ownerPermissions">
         <set>
            <value>Coordinator</value>
         </set>
      </property>
      <property name="userPermissions">
         <set>
            <value>Coordinator</value>
         </set>
      </property>
   </bean>
</beans>
But after restarting Alfresco, nothing changed. Is there anything else I forgot?

loftux
Star Contributor
That looks correct. Just for your information, the file can have any name, as long as it ends with -context.xml.
Note that this will only have an effect on home folders that are newly created, so that may be why you do not immediately see any changes (and this may not be the required solution).

On an existing user home folder, try adding the user with Coordinator rights by updating the permissions and see if it shows up using CMIS.

ccc_chen
Champ in-the-making
Thank you for the answer. I tried reinstalling Alfresco, then put myname-context.xml in tomcat/shared/classes/alfresco/extension first, and set up LDAP as follows (in alfresco-global.properties):

# CIFS
cifs.enabled=true
cifs.serverName=alfresco
cifs.domain=XXXX
cifs.hostannounce=true
cifs.urlfile.prefix=http://127.0.0.1/alfresco/

authentication.chain=ldap1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
The ldap-ad-authentication.properties file has the following content:

# This flag enables use of this LDAP subsystem for authentication. It may be
# that this subsystem should only be used for synchronization, in which case
# this flag should be set to false.
ldap.authentication.active=true

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
ldap.authentication.allowGuestLogin=false

# How to map the user id entered by the user to that passed through to LDAP
# In Active Directory, this can either be the user principal name (UPN) or DN.
# UPNs are in the form <sAMAccountName>@domain and are held in the userPrincipalName attribute of a user
ldap.authentication.userNameFormat=%s@XXXX.XXX

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://XXXX

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

# Comma separated list of user names who should be considered administrators by default (Administrator)
ldap.authentication.defaultAdministratorUserNames=

# This flag enables use of this LDAP subsystem for user and group
# synchronization. It may be that this subsystem should only be used for
# authentication, in which case this flag should be set to false.
ldap.synchronization.active=true

# The default principal to bind with (only used for LDAP sync). This should be a UPN or DN
ldap.synchronization.java.naming.security.principal=alfresco

# The password for the default principal (only used for LDAP sync).
# It is stored in cleartext in this file, so keep the file's permissions tight
# and give the sync account read-only rights in the directory.
ldap.synchronization.java.naming.security.credentials=eN.a3eib

# If positive, this property indicates that RFC 2696 paged results should be
# used to split query results into batches of the specified size. This
# overcomes any size limits imposed by the LDAP server.
ldap.synchronization.queryBatchSize=1000

# If positive, this property indicates that range retrieval should be used to fetch
# multi-valued attributes (such as member) in batches of the specified size.
# Overcomes any size limits imposed by Active Directory.
ldap.synchronization.attributeBatchSize=1000

# The query to select all objects that represent the groups to import.
ldap.synchronization.groupQuery=(objectclass\=group)

# The query to select objects that represent the groups to import that have changed since a certain time.
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(\!(modifyTimestamp<\={0})))

# The query to select all objects that represent the users to import.
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))

# The query to select objects that represent the users to import that have changed since a certain time.
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(\!(modifyTimestamp<\={0})))

# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server. "ou\=Security Groups,ou\=Alfresco,dc=domain"
ldap.synchronization.groupSearchBase=ou\=Gruppen,ou\=Abteilungen,ou\=XXXX,dc\=XXXX,dc\=XXX

# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server. "ou\=User Accounts,ou=\Alfresco,dc=domain"
ldap.synchronization.userSearchBase=ou\=XXXX,dc\=XXXX,dc\=XXX

# The name of the operational attribute recording the last update time for a group or user.
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp

# The timestamp format. Unfortunately, this varies between directory servers.
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronization.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronization.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronization.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronization.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronization.userOrganizationalIdAttributeName=company

# The default home folder provider to use for people created via LDAP import
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronization.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronization.groupType=group

# The person type in LDAP
ldap.synchronization.personType=user

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronization.groupMemberAttributeName=member

# If true progress estimation is enabled. When enabled, the user query has to be run twice in order to count entries.
ldap.synchronization.enableProgressEstimation=true
I have created a test folder in the LDAP user's home directory in Alfresco,
but this directory still cannot be seen in CMIS.
I post the CMIS test code:

import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.chemistry.opencmis.client.api.CmisObject;
import org.apache.chemistry.opencmis.client.api.Folder;
import org.apache.chemistry.opencmis.client.api.ItemIterable;
import org.apache.chemistry.opencmis.client.api.Repository;
import org.apache.chemistry.opencmis.client.api.Session;
import org.apache.chemistry.opencmis.client.api.SessionFactory;
import org.apache.chemistry.opencmis.client.runtime.SessionFactoryImpl;
import org.apache.chemistry.opencmis.commons.SessionParameter;
import org.apache.chemistry.opencmis.commons.enums.BindingType;
import org.apache.chemistry.opencmis.commons.exceptions.CmisBaseException;

public class Testing
{
    public static void main(String args[])
    {
        System.out.println(Testing.class.getName() + " started");

        SessionFactory sessionFactory = SessionFactoryImpl.newInstance();
        Map<String, String> parameter = new HashMap<String, String>();

        // credentials of the LDAP user whose home folder is not visible
        parameter.put(SessionParameter.USER, "myusername");
        parameter.put(SessionParameter.PASSWORD, "passwd");

        parameter.put(SessionParameter.BINDING_TYPE,
                BindingType.ATOMPUB.value());
        parameter.put(SessionParameter.ATOMPUB_URL,
                "http://127.0.0.1:8080/alfresco/service/cmis");

        // get repositories & create session
        try
        {
            List<Repository> repositories = sessionFactory.getRepositories(parameter);
            Repository repository = repositories.get(0);
            Session session = repository.createSession();
            session.getDefaultContext().setCacheEnabled(false);

            System.out.println("Got a connection to repository: " + repository.getName() + ", with id: "
                    + repository.getId());

            // the home folder is fetched by node ID, not by path
            Folder homeFolder = (Folder)session.getObject("workspace://SpacesStore/a358c3e6-1881-4f45-b74f-b7b92f498f9c");
            System.out.println("homeFolder: " + homeFolder.getName());
            ItemIterable<CmisObject> children = homeFolder.getChildren();
            // getTotalNumItems() is -1 when the server reports no total,
            // so also list the children that are actually returned
            System.out.println("Found the following objects in the home folder:- size: " + children.getTotalNumItems());
            for (CmisObject child : children)
            {
                System.out.println("  " + child.getName() + " (" + child.getType().getId() + ")");
            }
        }
        // CmisBaseException also covers CmisPermissionDeniedException and
        // CmisObjectNotFoundException, which CmisRuntimeException does not
        catch (CmisBaseException ex)
        {
            ex.printStackTrace();
        }

        System.out.println(Testing.class.getName() + " ended");
    }
}
I use session.getObject(LDAP-userhome-ObjID) to get the home folder, but the number of children is zero.

ccc_chen
Champ in-the-making
I use version 4.0.b.
I have checked the rights of my LDAP user via "manage space users"; the role is Coordinator. But it is still not readable.

ccc_chen
Champ in-the-making
I found the solution: set inheritPermissions=true; then I can read all content of the LDAP user folder, as well as write and execute.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   <bean name="defaultOnCreatePermissionsManager"
      class="org.alfresco.repo.security.person.PermissionsManagerImpl">
      <property name="permissionService">
         <ref bean="permissionServiceImpl" />
      </property>
      <property name="ownableService">
         <ref bean="ownableService" />
      </property>
      <property name="inheritPermissions">
         <value>true</value>
      </property>
      <property name="ownerPermissions">
         <set>
            <value>Coordinator</value>
         </set>
      </property>
      <property name="userPermissions">
         <set>
            <value>Coordinator</value>
         </set>
      </property>
   </bean>
</beans>
Thank you for the help with setting the rights.

loftux
Star Contributor
You are welcome. Just note that user folders will now not be private (depending on the permissions on the parent folder), but that can of course be exactly what you want.
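The two permission points in this thread, the defaultOnCreatePermissionsManager bean loftux quoted (ownerPermissions and userPermissions plus the inheritPermissions switch) and the privacy trade-off in the last reply, as an added example in Python that is not part of the original thread and not Alfresco code: a toy model of how per-node ACL entries, permission inheritance and GROUP_EVERYONE combine into what a user can do on a home folder. Assumptions not stated on the page: Company Home grants GROUP_EVERYONE the Consumer role and User Homes inherits it; the role-to-permission table is simplified; the owner is modelled as a ROLE_OWNER pseudo-authority; the CMIS-specific behaviour the original poster hit is not modelled.

```python
"""Toy model of Alfresco node permissions (added example, not Alfresco code).

Reproduces only what the thread depends on: per-node ACL entries, the
inheritPermissions switch, the built-in roles, an owner pseudo-authority
and GROUP_EVERYONE. Assumption (not stated on the page): Company Home grants
GROUP_EVERYONE the Consumer role and User Homes inherits it.
"""
from dataclasses import dataclass, field
from typing import Optional

# Built-in roles expanded to low-level permissions (simplified names).
ROLE_GRANTS = {
    "Consumer":     {"Read"},
    "Editor":       {"Read", "Write"},
    "Contributor":  {"Read", "AddChildren"},
    "Collaborator": {"Read", "Write", "AddChildren"},
    "Coordinator":  {"Read", "Write", "AddChildren", "Delete", "ChangePermissions"},
}
ROLE_GRANTS["All"] = set().union(*ROLE_GRANTS.values())  # wildcard in the default bean

EVERYONE = "GROUP_EVERYONE"  # every authenticated user is a member
ROLE_OWNER = "ROLE_OWNER"    # pseudo-authority matching the node's owner (assumption)


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    owner: Optional[str] = None
    inherits: bool = True
    acl: dict = field(default_factory=dict)  # authority -> set of roles

    def set_permission(self, authority: str, role: str) -> None:
        if role not in ROLE_GRANTS:
            raise ValueError(f"unknown role {role!r}")
        self.acl.setdefault(authority, set()).add(role)

    def set_inherits_permissions(self, flag: bool) -> None:
        self.inherits = flag


def effective_roles(node: Node, user: str, groups=()) -> set:
    """Roles applying to `user` on `node`; the walk up the parent chain
    stops at the first node with inheritPermissions=false."""
    authorities = {user, EVERYONE, *groups}
    if node.owner == user:
        authorities.add(ROLE_OWNER)
    roles, n = set(), node
    while n is not None:
        for authority, granted in n.acl.items():
            if authority in authorities:
                roles |= granted
        if not n.inherits:
            break
        n = n.parent
    return roles


def has_permission(node: Node, user: str, permission: str, groups=()) -> bool:
    return any(permission in ROLE_GRANTS[r] for r in effective_roles(node, user, groups))


def build_user_homes() -> Node:
    """Constructed sample tree: Company Home -> User Homes (see assumption above)."""
    company_home = Node("Company Home", owner="admin", inherits=False)
    company_home.set_permission(EVERYONE, "Consumer")
    return Node("User Homes", parent=company_home, owner="admin", inherits=True)


def create_home_folder(parent: Node, user: str, *, inherit: bool, role: str) -> Node:
    """What defaultOnCreatePermissionsManager does for a new home folder:
    set the owner, apply inheritPermissions, grant ownerPermissions to the
    owner and userPermissions to the user (both equal to `role` here)."""
    home = Node(user, parent=parent, owner=user, inherits=inherit)
    home.set_permission(ROLE_OWNER, role)
    home.set_permission(user, role)
    return home


def retrofit_existing(home: Node, user: str, role: str = "Coordinator", inherit: bool = True) -> None:
    """The per-folder 'scripting' step for folders created before the bean
    change (setPermission / setInheritsPermissions on each existing home)."""
    home.set_permission(user, role)
    home.set_inherits_permissions(inherit)


def access(home: Node) -> dict:
    """What alice (the owner) and bob (an unrelated authenticated user) can do."""
    return {
        "alice_read": has_permission(home, "alice", "Read"),
        "alice_write": has_permission(home, "alice", "Write"),
        "bob_read": has_permission(home, "bob", "Read"),
        "bob_write": has_permission(home, "bob", "Write"),
    }


if __name__ == "__main__":
    for inherit, role in [(False, "All"), (False, "Coordinator"), (True, "Coordinator")]:
        home = create_home_folder(build_user_homes(), "alice", inherit=inherit, role=role)
        print(f"inheritPermissions={inherit!s:5} role={role:11} -> {access(home)}")
```

Running it prints the three configurations from the thread. Under the model's assumptions, switching All to Coordinator changes nothing for the owner, while turning inheritPermissions on is what lets any authenticated user (bob) read alice's home folder through the Consumer grant on the parent chain, which is loftux's closing caveat. retrofit_existing is the shape of the per-folder script mentioned for home folders that already existed before the bean was changed; pass inherit=False to it to make such a folder private again.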