Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Alfresco Share 3.2 Very Simple LDAP Authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Alfresco Share 3.2 Very Simple LDAP Authentication
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-23-2009 02:19 PM
I am brand new to Alfresco, and have read the wiki and forums as far as configuring LDAP. All I want to do is setup authentication to go against our ldap server - that's it. But I can't seem to get it to work. Here are the steps I have taken - can somebody help me figure out where I am going wrong?
- 1. I logged in as admin/admin, and created a new user that exists in ldap (e.g. jsmith)
2. I updated alfresco-global.properties to have the following:
- authentication.chain=ldap1:ldap
- tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1
5. I updated ldap-authentication.properties to include:
- ldap.authentication.java.naming.provider.url=ldap://mrl1xodc01.mycompany.com:389 (where mrl1xodc01 is the server, and mycompany is the name of my company)
Labels:
- Labels:
-
Archive
15 REPLIES 15
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-20-2009 10:27 AM
Your alfresco-global.properties file is in the wrong place.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-21-2009 11:25 AM
Thanks for reply
I placed it in C:\Tomcat6\shared\classes, but without success.
I can't login
Also, I set
but I don't read anything on console…maybe subsystem are not loaded.
I'm using an Alfresco version I build from repository, maybe that the problem?
Now I see many class changed in package org.alfresco.repo.management.subsystems.
I placed it in C:\Tomcat6\shared\classes, but without success.
I can't login
Also, I set
log4j.logger.org.alfresco.repo.management.subsystems=info
log4j.logger.org.alfresco.repo.management.subsystems.ChildApplicationContextFactory$ChildApplicationContext=warnbut I don't read anything on console…maybe subsystem are not loaded.
I'm using an Alfresco version I build from repository, maybe that the problem?
Current version 3.2.0 (_Preview2_dev @build-number@) schema 2011
Now I see many class changed in package org.alfresco.repo.management.subsystems.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-23-2009 05:44 AM
Please remove your ldap-authentication-context.xml. It is out of date and you shouldn't have to override it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-23-2009 06:12 AM
I also tried with:
common-ldap-context.xml
and ldap-authentication-context.xml
those files are working fine in alfresco 3.2r, as I tested.
common-ldap-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<!–
Bean definitions shared by the ldap and ldap-ad subsystems
–>
<beans>
<!–
DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings
from the UI.
–>
<bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
<property name="allowSetEnabled" value="true" />
<property name="allowGetEnabled" value="true" />
<property name="allowDeleteUser" value="true" />
<property name="allowCreateUser" value="true" />
</bean>
<!– LDAP authentication configuration –>
<!–
You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign
on from the web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP
store if it supports other authentication routes, like Active Directory.
–>
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
parent="authenticationComponentBase">
<property name="active">
<value>${ldap.authentication.active}</value>
</property>
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapInitialDirContextFactory" />
</property>
<property name="userNameFormat">
<!–
This maps between what the user types in and what is passed through to the underlying LDAP authentication.
"%s" - the user id is passed through without modification. Used for LDAP authentication such as DIGEST-MD5,
anything that is not "simple". "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the
authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com" Usually for simple authentication. Simple
authentication always uses the DN for the user.
–>
<value>${ldap.authentication.userNameFormat}</value>
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="personService">
<ref bean="personService" />
</property>
<property name="transactionService">
<ref bean="transactionService" />
</property>
<property name="escapeCommasInBind">
<value>${ldap.authentication.escapeCommasInBind}</value>
</property>
<property name="escapeCommasInUid">
<value>${ldap.authentication.escapeCommasInUid}</value>
</property>
<property name="allowGuestLogin">
<value>${ldap.authentication.allowGuestLogin}</value>
</property>
<property name="defaultAdministratorUserNameList">
<value>${ldap.authentication.defaultAdministratorUserNames}</value>
</property>
</bean>
<!– Wrapped version to be used within subsystem –>
<bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
<property name="proxyInterfaces">
<value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
</property>
<property name="transactionManager">
<ref bean="transactionManager" />
</property>
<property name="target">
<ref bean="authenticationComponent" />
</property>
<property name="transactionAttributes">
<props>
<prop key="*">${server.transaction.mode.default}</prop>
</props>
</property>
</bean>
<!– Authenticaton service for chaining –>
<bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
<property name="authenticationDao">
<ref bean="authenticationDao" />
</property>
<property name="ticketComponent">
<ref bean="ticketComponent" />
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponent" />
</property>
<property name="sysAdminCache">
<ref bean="sysAdminCache" />
</property>
</bean>
<!–
This bean is used to support general LDAP authentication. It is also used to provide read only access to users and
groups to pull them out of the LDAP reopsitory
–>
<bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
<property name="initialDirContextEnvironment">
<map>
<!– The LDAP provider –>
<entry key="java.naming.factory.initial">
<value>${ldap.authentication.java.naming.factory.initial}</value>
</entry>
<!– The url to the LDAP server –>
<!– Note you can use space separated urls - they will be tried in turn until one works –>
<!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
<entry key="java.naming.provider.url">
<value>${ldap.authentication.java.naming.provider.url}</value>
</entry>
<!– The authentication mechanism to use –>
<!– Some sasl authentication mechanisms may require a realm to be set –>
<!– java.naming.security.sasl.realm –>
<!– The available options will depend on your LDAP provider –>
<entry key="java.naming.security.authentication">
<value>${ldap.authentication.java.naming.security.authentication}</value>
</entry>
<!– The id of a user who can read group and user information –>
<!– This does not go through the pattern substitution defined above and is used "as is" –>
<entry key="java.naming.security.principal">
<value>uid=admin,ou=system</value>
</entry>
<!– The password for the user defined above –>
<entry key="java.naming.security.credentials">
<value>admin</value>
</entry>
</map>
</property>
</bean>
<!– Regularly exports user and group information from LDAP –>
<bean id="userRegistry" class="org.alfresco.repo.security.sync.ldap.LDAPUserRegistry">
<property name="active">
<value>${ldap.synchronization.active}</value>
</property>
<!–
If positive, this property indicates that RFC 2696 paged results should be
used to split query results into batches of the specified size. This
overcomes any size limits imposed by the LDAP server.
–>
<property name="queryBatchSize">
<value>${ldap.synchronization.queryBatchSize}</value>
</property>
<!–
The query to select all objects that represent the groups to import.
For Open LDAP, using a basic schema, the following is probably what you want:
(objectclass=groupOfNames)
For Active Directory:
(objectclass=group)
–>
<property name="groupQuery">
<value>${ldap.synchronization.groupQuery}</value>
</property>
<!–
The query to select objects that represent the groups to import that have changed since a certain time.
For Open LDAP, using a basic schema, the following is probably what you want:
(&(objectclass=groupOfNames)(!(modifyTimestamp<={0})))
For Active Directory:
(&(objectclass=group)(!(modifyTimestamp<={0})))
–>
<property name="groupDifferentialQuery">
<value>${ldap.synchronization.groupDifferentialQuery}</value>
</property>
<!–
The query to select all objects that represent the users to import.
For Open LDAP, using a basic schema, the following is probably what you want:
(objectclass=inetOrgPerson)
For Active Directory:
(objectclass=user)
–>
<property name="personQuery">
<value>${ldap.synchronization.personQuery}</value>
</property>
<!–
The query to select objects that represent the users to import that have changed since a certain time.
For Open LDAP, using a basic schema, the following is probably what you want:
(&(objectclass=inetOrgPerson)(!(modifyTimestamp<={0})))
For Active Directory:
(&(objectclass=user)(!(modifyTimestamp<={0})))
–>
<property name="personDifferentialQuery">
<value>${ldap.synchronization.personDifferentialQuery}</value>
</property>
<!–
The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
–>
<property name="groupSearchBase">
<value>${ldap.synchronization.groupSearchBase}</value>
</property>
<!–
The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
–>
<property name="userSearchBase">
<value>${ldap.synchronization.userSearchBase}</value>
</property>
<!–
The unique identifier for the user.
–>
<property name="userIdAttributeName">
<value>${ldap.synchronization.userIdAttributeName}</value>
</property>
<!–
The name of the operational attribute recording the last update time for a group or user.
–>
<property name="modifyTimestampAttributeName">
<value>${ldap.synchronization.modifyTimestampAttributeName}</value>
</property>
<!–
The timestamp format. Unfortunately, this varies between directory servers.
–>
<property name="timestampFormat">
<value>${ldap.synchronization.timestampFormat}</value>
</property>
<!–
An attribute that is a unique identifier for each group found.
This is also the name of the group with the current group implementation.
This is mandatory for any groups found.
OpenLDAP: "cn" as it is mandatory on groupOfNames
Active Directory: "cn"
–>
<property name="groupIdAttributeName">
<value>${ldap.synchronization.groupIdAttributeName}</value>
</property>
<!–
The objectClass attribute for group members.
For each member of a group, the distinguished name is given.
The object is looked up by its DN. If the object is of this class it is treated as a group.
–>
<property name="groupType">
<value>${ldap.synchronization.groupType}</value>
</property>
<!–
The objectClass attribute for person members.
For each member of a group, the distinguished name is given.
The object is looked up by its DN. If the object is of this class it is treated as a person.
–>
<property name="personType">
<value>${ldap.synchronization.personType}</value>
</property>
<!–
The repeating attribute on group objects (found by query or as sub groups)
used to define membership of the group. This is assumed to hold distinguished names of
other groups or users/people; the above types are used to determine this.
OpenLDAP: "member" as it is mandatory on groupOfNames
Active Directory: "member"
–>
<property name="memberAttribute">
<value>${ldap.synchronization.groupMemberAttributeName}</value>
</property>
<!–
This property defines a mapping between attributes held on LDAP user objects and
the properties of user objects held in the repository. The key is the QName of an attribute in
the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
LDAP repository.
–>
<property name="attributeMapping">
<map>
<entry key="cm:userName">
<!– Must match the same attribute as userIdAttributeName –>
<value>${ldap.synchronization.userIdAttributeName}</value>
</entry>
<entry key="cm:firstName">
<!– OpenLDAP: "givenName" –>
<!– Active Directory: "givenName" –>
<value>${ldap.synchronization.userFirstNameAttributeName}</value>
</entry>
<entry key="cm:lastName">
<!– OpenLDAP: "sn" –>
<!– Active Directory: "sn" –>
<value>${ldap.synchronization.userLastNameAttributeName}</value>
</entry>
<entry key="cm:email">
<!– OpenLDAP: "mail" –>
<!– Active Directory: "???" –>
<value>${ldap.synchronization.userEmailAttributeName}</value>
</entry>
<entry key="cm:organizationId">
<!– OpenLDAP: "o" –>
<!– Active Directory: "???" –>
<value>${ldap.synchronization.userOrganizationalIdAttributeName}</value>
</entry>
<!– Always use the default –>
<entry key="cm:homeFolderProvider">
<null/>
</entry>
</map>
</property>
<!– Set a default home folder provider –>
<!– Defaults only apply for values above –>
<property name="attributeDefaults">
<map>
<entry key="cm:homeFolderProvider">
<value>${ldap.synchronization.defaultHomeFolderProvider}</value>
</entry>
</map>
</property>
<!– Services –>
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapInitialDirContextFactory"/>
</property>
<property name="namespaceService">
<ref bean="namespaceService"/>
</property>
</bean>
</beans>and ldap-authentication-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<!–
The bean definitions for this subsystem are shared by the ldap and ldap-ad subsystems with different property
defaults
–>
<import resource="../common-ldap-context.xml" />
</beans>those files are working fine in alfresco 3.2r, as I tested.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-26-2009 05:58 AM
You shouldn't need any -context.xml files to achieve LDAP authentication. Please remove them and tell us what you have in alfresco-global.properties.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-25-2010 06:55 AM
Hi umalade..
So you have find if works ldap auth ?
So ideally no need creat user in alfresco beacouse to login it make respect ldap server..
SO really work ldap auth?
thanks
Molde
So you have find if works ldap auth ?
So ideally no need creat user in alfresco beacouse to login it make respect ldap server..
SO really work ldap auth?
thanks
Molde
Related Content
- How to call Alfresco REST APIs using OAuth instead of Basic Auth? in Alfresco Forum
- Folder quota exceeded in Alfresco Forum
- Alfresco Community Edition 23.4 Release Notes in Alfresco Blog
- How to authenticate at API in Alfresco 23.2.0 Comminity addition in Alfresco Forum
- Elasticsearch Frequently Asked Question in Alfresco Blog
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
