Alfresco Share 3.2 Very Simple LDAP Authentication

bphudy
Champ in-the-making
I am brand new to Alfresco, and have read the wiki and forums as far as configuring LDAP.  All I want to do is setup authentication to go against our ldap server  - that's it.  But I can't seem to get it to work.  Here are the steps I have taken - can somebody help me figure out where I am going wrong?

    1. I logged in as admin/admin, and created a new user that exists in ldap (e.g. jsmith)
    2. I updated alfresco-global.properties to have the following:
      authentication.chain=ldap1:ldap
    3. I created the following folder structure:
      tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1
    4. I copied the ldap-authentication.properties to the directory above
    5. I updated ldap-authentication.properties to include:
      ldap.authentication.java.naming.provider.url=ldap://mrl1xodc01.mycompany.com:389 (where mrl1xodc01 is the server, and mycompany is the name of my company)
    6. I restarted alfresco
At this point, have I done everything that's necessary to get Alfresco to authenticate against my ldap server?  Obviously I'm missing something, but I'm not sure what.
    15 REPLIES

    zaizi
    Champ in-the-making
    What do the alfresco logs (alfresco.log) report when you restart alfresco?

    bphudy
    Champ in-the-making
    I'm not sure what's meaningful from the log, so here is an excerpt from the Login Failed message.  Should I see my ldap server name somewhere in the log?  If I search the log, I don't see it.  In fact, the only text that even has the word LDAP in it says:
    13:39:16,732 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap1]

    13:43:34,461 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 09260003 Login failed
    org.alfresco.web.scripts.WebScriptException: 09260003 Login failed
       at org.alfresco.repo.web.scripts.bean.AbstractLoginBean.login(AbstractLoginBean.java:81)
       at org.alfresco.repo.web.scripts.bean.LoginPost.executeImpl(LoginPost.java:79)
       at org.alfresco.web.scripts.DeclarativeWebScript.executeImpl(DeclarativeWebScript.java:223)
       at org.alfresco.web.scripts.DeclarativeWebScript.execute(DeclarativeWebScript.java:70)
       at org.alfresco.repo.web.scripts.RepositoryContainer$2.execute(RepositoryContainer.java:357)
       at org.alfresco.repo.transaction.RetryingTransactionHelper.doInTransaction(RetryingTransactionHelper.java:326)
       at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecute(RepositoryContainer.java:407)
       at org.alfresco.repo.web.scripts.RepositoryContainer.transactionedExecuteAs(RepositoryContainer.java:424)
       at org.alfresco.repo.web.scripts.RepositoryContainer.executeScript(RepositoryContainer.java:253)
       at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:262)
       at org.alfresco.web.scripts.AbstractRuntime.executeScript(AbstractRuntime.java:139)
       at org.alfresco.web.scripts.servlet.WebScriptServlet.service(WebScriptServlet.java:122)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:619)

    bufke
    Champ in-the-making
    I did a lot more to alfresco-global.properties to get it working.  Here are my additions that work for me.  Note that I used the AD version of ldap-authentication.properties

    authentication.chain=passthru1:passthru,ldap1:ldap-ad
    ldap.authentication.active=false
    passthru.authentication.domain=
    passthru.authentication.servers=Domain name\\AD server
    passthru.authentication.defaultAdministratorUserNames=administrator
    ldap.authentication.java.naming.provider.url=ldap://AD server:389
    ldap.authentication.userNameFormat=%s@Domain.company
    ldap.synchronization.java.naming.security.principal=loginname@Domain.company
    ldap.synchronization.java.naming.security.credentials=password
    ldap.synchronization.groupSearchBase=OU=, DC=,etc
    ldap.synchronization.userSearchBase=OU=, DC=,etc

    bphudy
    Champ in-the-making
    I finally got LDAP authentication working!!!  (I can even log in with my admin user).  It's hard to tell which combination of things made it work.  For anybody interested, here is what I did:

    1. I downloaded and installed the Alfresco-Community-3.2r-Full-Setup.exe

    2. Logged in as the admin user, and created a new user that exists in ldap

    3. Updated the file c:\Alfresco\tomcat\shared\classes\alfresco-global.properties to contain:
    authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

    4. Created the following folder structure.  Note that the default folder structure only goes as far as the extension folder.
    c:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap\ldap1

    5. I copied the ldap-authentication.properties and ldap-authentication-context.xml to the directory above from:
    c:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap

    6. Updated the ldap-authentication.properties to include:
    ldap.authentication.userNameFormat=cn\=%s,ou\=Users,ou\=Corporate,dc\=sepracor,dc\=com
    ldap.authentication.java.naming.provider.url=ldap://adauth.sepracor.com:389
    ldap.synchronization.active=false
    Note: The userNameFormat is KEY.  Nothing worked until I got this right.  I had to check with our Windows group to confirm the right format.

    7. Had to do the following.  NOTHING worked unless I did this.  Copied the file
    c:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\common-ldap-context.xml
    to
    c:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap

    8. Restarted alfresco

    vferia15
    Champ in-the-making
    Thank you bphudy it works!!!

    neozone
    Champ in-the-making
    I finally got LDAP authentication working!!!  (I can even log in with my admin user).  It's hard to tell which combination of things made it work.  For anybody interested, here is what I did:

    1. I downloaded and installed the Alfresco-Community-3.2r-Full-Setup.exe

    2. Logged in as the admin user, and created a new user that exists in ldap

    3. Updated the file c:\Alfresco\tomcat\shared\classes\alfresco-global.properties to contain:
    authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

    4. Created the following folder structure.  Note that the default folder structure only goes as far as the extension folder.
    c:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap\ldap1

    5. I copied the ldap-authentication.properties and ldap-authentication-context.xml to the directory above from:
    c:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\ldap

    6. Updated the ldap-authentication.properties to include:
    ldap.authentication.userNameFormat=cn\=%s,ou\=Users,ou\=Corporate,dc\=sepracor,dc\=com
    ldap.authentication.java.naming.provider.url=ldap://adauth.sepracor.com:389
    ldap.synchronization.active=false
    Note: The userNameFormat is KEY.  Nothing worked until I got this right.  I had to check with our Windows group to confirm the right format.

    7. Had to do the following.  NOTHING worked unless I did this.  Copied the file
    c:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication\common-ldap-context.xml
    to
    c:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap

    8. Restarted alfresco

    I did all of this, and it works!! But… I can't use CIFS and IMAP. How can I solve this problem?

    mrogers
    Star Contributor
    Star Contributor
    There are a few more steps to turning on CIFS and IMAP.

    Details are already on the wiki and in the documentation.

    But here's my settings.

    #
    # IMAP server
    #
    imap.server.enabled=true
    imap.server.port=143
    imap.server.host=MARKR02
    imap.server.attachments.extraction.enabled=false

    #
    # CIFS SERVER
    #
    cifs.enabled=true
    cifs.serverName=MARKR02A
    cifs.hostannounce=true

    umalade
    Champ in-the-making
    hi bphudy,

    nice and clear instructions. I've followed them, but how do I check whether Alfresco is using the ldap userids?
    Because there are userids already created in Alfresco which are also there in LDAP. So how do we check whether Alfresco is using ldap authentication?

    Ideally, I don't need to create users in Alfresco, I'll just need to create them in LDAP, and use the same logins for logging to Alfresco.

    Could you please clarify this for me?
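Added example, not code from this thread or from Alfresco: a stand-alone check for the two settings that decided bphudy's configuration above (ldap.authentication.userNameFormat and ldap.authentication.java.naming.provider.url) and for umalade's question of how to tell whether the LDAP path is actually being used. It reads the properties file with the same backslash escaping Alfresco's sample files use, resolves the bind DN for a typed user id by substituting the %s placeholder (honouring ldap.authentication.escapeCommasInBind as described in the file's own comments), and performs one LDAPv3 simple bind against the configured URL with a hand-encoded BER request (RFC 4511), using only the standard library. If this bind returns resultCode 0 for a user that still cannot log in to Share, the problem is Alfresco's subsystem wiring rather than the directory. Note that simple authentication over ldap:// on port 389, as in every configuration in this thread, sends the password in the clear; the bind function also accepts ldaps:// so the check can be run over TLS. The sample properties text and the sample server response in the code are constructed for illustration; the hostname is the one from bphudy's post.

```python
"""Dry-run Alfresco's ldap-authentication.properties before restarting the server.

Added example, not Alfresco code.  Resolves userNameFormat for a user id and
performs one LDAPv3 simple bind (RFC 4511, BER-encoded by hand) so a login
failure can be attributed to the directory or to Alfresco's wiring.
"""
import socket
import ssl
from urllib.parse import urlparse

# Constructed sample: the settings from bphudy's step 6, Java-properties escaped.
SAMPLE_PROPERTIES = r"""
# comments and blank lines are ignored
ldap.authentication.userNameFormat=cn\=%s,ou\=Users,ou\=Corporate,dc\=sepracor,dc\=com
ldap.authentication.java.naming.provider.url=ldap://adauth.sepracor.com:389
ldap.authentication.escapeCommasInBind=false
ldap.synchronization.active=false
"""


def unescape_java(s):
    # java.util.Properties: a backslash quotes the next character, so "\=" is "=".
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def load_properties(text):
    """Minimal reader for the key=value lines in Alfresco's *.properties files."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=:":   # first unescaped separator
            i += 2 if line[i] == "\\" else 1
        props[unescape_java(line[:i])] = unescape_java(line[i + 1:].lstrip())
    return props


def bind_dn(props, user_id):
    """Apply ldap.authentication.userNameFormat: '%s' becomes what the user typed.

    With simple authentication the result must be the user's full DN.  When
    escapeCommasInBind=true, commas typed by the user are escaped so a CN such
    as 'Smith, John' is not read as an extra RDN separator.
    """
    if props.get("ldap.authentication.escapeCommasInBind", "false").lower() == "true":
        user_id = user_id.replace(",", "\\,")
    return props["ldap.authentication.userNameFormat"].replace("%s", user_id)


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def simple_bind_request(dn, password, message_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    if not 0 < message_id < 0x80:
        raise ValueError("message_id must fit in one INTEGER octet for this example")
    bind = tlv(0x60,                                     # [APPLICATION 0] BindRequest
               tlv(0x02, b"\x03") +                      # version INTEGER 3
               tlv(0x04, dn.encode("utf-8")) +           # name LDAPDN
               tlv(0x80, password.encode("utf-8")))      # authentication simple [0]
    return tlv(0x30, tlv(0x02, bytes([message_id])) + bind)


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return (resultCode, diagnosticMessage) from a BindResponse; 49 = invalidCredentials."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _message_id, pos = read_tlv(msg, 0)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:                                      # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, result_code, pos = read_tlv(body, 0)              # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(body, pos)
    _, diagnostic, _ = read_tlv(body, pos)
    return int.from_bytes(result_code, "big"), diagnostic.decode("utf-8", "replace")


def try_bind(provider_url, dn, password, timeout=5.0):
    """Connect as Alfresco would (ldap:// plaintext, ldaps:// TLS) and bind once."""
    u = urlparse(provider_url)
    port = u.port or (636 if u.scheme == "ldaps" else 389)
    sock = socket.create_connection((u.hostname, port), timeout=timeout)
    if u.scheme == "ldaps":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=u.hostname)
    try:
        sock.sendall(simple_bind_request(dn, password))
        return parse_bind_response(sock.recv(4096))     # a bind response fits one read
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    props = load_properties(SAMPLE_PROPERTIES)
    dn = bind_dn(props, sys.argv[1] if len(sys.argv) > 1 else "jsmith")
    print("bind DN:", dn)
    if len(sys.argv) > 2:   # e.g. python ldapcheck.py jsmith 'secret' to really bind
        print(try_bind(props["ldap.authentication.java.naming.provider.url"], dn, sys.argv[2]))
```

Run it with the user id alone to see the DN Alfresco will send, then with the password to get the server's verdict; resultCode 49 with a correct password usually means the userNameFormat is wrong (the point bphudy calls KEY), while resultCode 0 followed by a Share "Login failed" points at the subsystem directory layout or the authentication.chain setting instead.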

    nowhere
    Champ in-the-making
    Hi all,
    I'm having troubles with ldap alfresco configuration.
    I'm using "Current version 3.2.0 (_Preview2_dev @build-number@) schema 2011", so I think I should use the subsystem configuration, shouldn't I?

    So I created alfresco-global.properties in C:\Tomcat6\shared\classes\alfresco\extension and it looks like:

    ###############################
    ## Common Alfresco Properties #
    ###############################

    authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

    I have created a folder: C:\Tomcat6\shared\classes\alfresco\extension\subsystems\Authentication\ldap\ldap1 with the following files:

    ldap-authentication.properties
    #
    # This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
    #
    ldap.authentication.active=true
    # How to map the user id entered by the user to that passed through to LDAP
    # - simple
    #    - this must be a DN and would be something like
    #      CN=%s,DC=company,DC=com
    # - digest
    #    - usually pass through what is entered
    #      %s    
    ldap.authentication.userNameFormat=uid\=%s,dc\=company,dc\=com

    # The LDAP context factory to use
    ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

    # The URL to connect to the LDAP server
    ldap.authentication.java.naming.provider.url=ldap://sss:10389

    # The authentication mechanism to use
    ldap.authentication.java.naming.security.authentication=simple

    # The default principal to use (only used for LDAP sync)
    ldap.authentication.java.naming.security.principal=uid=admin,ou=system

    # The password for the default principal (only used for LDAP sync)
    ldap.authentication.java.naming.security.credentials=admin

    # Escape commas entered by the user at bind time
    # Useful when using simple authentication and the CN is part of the DN and contains commas
    ldap.authentication.escapeCommasInBind=false

    # Escape commas entered by the user when setting the authenticated user
    # Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
    # pulled in as part of an LDAP sync
    # If this option is set to true it will break the default home folder provider as space names can not contain \
    ldap.authentication.escapeCommasInUid=false

    and ldap-authentication-context.xml:
    <?xml version='1.0' encoding='UTF-8'?>
    <!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

    <beans>
       <!--
          DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted without warnings
          from the UI.
       -->

       <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
          <property name="allowSetEnabled" value="true" />
          <property name="allowGetEnabled" value="true" />
          <property name="allowDeleteUser" value="true" />
          <property name="allowCreateUser" value="true" />
       </bean>

       <!-- LDAP authentication configuration -->

       <!--

          You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign
          on from the web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP
          store if it supports other authentication routes, like Active Directory.
       -->

       <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
          parent="authenticationComponentBase">
          <property name="LDAPInitialDirContextFactory">
             <ref bean="ldapInitialDirContextFactory" />
          </property>
          <property name="userNameFormat">
             <!--

                This maps between what the user types in and what is passed through to the underlying LDAP authentication.

                "%s" - the user id is passed through without modification. Used for LDAP authentication such as DIGEST-MD5,
                anything that is not "simple". "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the
                authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com" Usually for simple authentication. Simple
                authentication always uses the DN for the user.
             -->
             <value>${ldap.authentication.userNameFormat}</value>
          </property>
          <property name="nodeService">
             <ref bean="nodeService" />
          </property>
          <property name="personService">
             <ref bean="personService" />
          </property>
          <property name="transactionService">
             <ref bean="transactionService" />
          </property>
          <property name="escapeCommasInBind">
             <value>${ldap.authentication.escapeCommasInBind}</value>
          </property>
          <property name="escapeCommasInUid">
             <value>${ldap.authentication.escapeCommasInUid}</value>
          </property>
          <property name="allowGuestLogin">
             <value>${ldap.authentication.allowGuestLogin}</value>
          </property>
          <property name="defaultAdministratorUserNameList">
             <value>${ldap.authentication.defaultAdministratorUserNames}</value>
          </property>
       </bean>

       <!-- Wrapped version to be used within subsystem -->
       <bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
          <property name="proxyInterfaces">
             <value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
          </property>
          <property name="transactionManager">
             <ref bean="transactionManager" />
          </property>
          <property name="target">
             <ref bean="authenticationComponent" />
          </property>
          <property name="transactionAttributes">
             <props>
                <prop key="*">${server.transaction.mode.default}</prop>
             </props>
          </property>
       </bean>

       <!-- Authentication service for chaining -->
       <bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
          <property name="authenticationDao">
             <ref bean="authenticationDao" />
          </property>
          <property name="ticketComponent">
             <ref bean="ticketComponent" />
          </property>
          <property name="authenticationComponent">
             <ref bean="authenticationComponent" />
          </property>
          <property name="sysAdminCache">
             <ref bean="sysAdminCache" />
          </property>
       </bean>

       <!--

          This bean is used to support general LDAP authentication. It is also used to provide read only access to users and
          groups to pull them out of the LDAP repository
       -->

       <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
          <property name="initialDirContextEnvironment">
             <map>
                <!-- The LDAP provider -->
                <entry key="java.naming.factory.initial">
                   <value>${ldap.authentication.java.naming.factory.initial}</value>
                </entry>

                <!-- The url to the LDAP server -->
                <!-- Note you can use space separated urls - they will be tried in turn until one works -->
                <!-- This could be used to authenticate against one or more ldap servers (you will not know which one ….) -->
                <entry key="java.naming.provider.url">
                   <value>${ldap.authentication.java.naming.provider.url}</value>
                </entry>

                <!-- The authentication mechanism to use      -->
                <!-- Some sasl authentication mechanisms may require a realm to be set -->
                <!--                java.naming.security.sasl.realm -->
                <!-- The available options will depend on your LDAP provider -->
                <entry key="java.naming.security.authentication">
                   <value>${ldap.authentication.java.naming.security.authentication}</value>
                </entry>

                <!-- The id of a user who can read group and user information -->
                <!-- This does not go through the pattern substitution defined above and is used "as is" -->
                <entry key="java.naming.security.principal">
                   <value>${ldap.authentication.java.naming.security.principal}</value>
                </entry>

                <!-- The password for the user defined above -->
                <entry key="java.naming.security.credentials">
                   <value>${ldap.authentication.java.naming.security.credentials}</value>
                </entry>
             </map>
          </property>
       </bean>

    </beans>

    but if I restart Tomcat, Alfresco debug doesn't report anything about ldap and authentication works fine only with the internal user.
    What am I missing?
    Must I specify somewhere else bean for ldap authentication?

    If I place ldap-authentication-context.xml and ldap-authentication.properties in extension directory I can see LDAP debug in console, I can login with internal user, but not with ldap. If I debug code I get BadCredentialsException at user = getUserFromBackend(username) in DaoAuthenticationProvider.

    Any help? Maybe a bad spring configuration?

    Thanks,
    Nowhere