Authenticating via Apache's basic auth

jimperrin
Champ in-the-making
Using Apache's proxy_ajp works very well with Alfresco 3.2 community, however I'd like to be able to pass authentication through from Apache without using something as bulky as mod_cas or standing up a CAS server. Is it possible to simply hand over the REMOTE_USER server variable to Alfresco? I can't seem to find any clear (read: Alfresco n00b) documentation on the subject.
6 REPLIES

dward
Champ on-the-rise
If you take a nightly build, you can use the External authentication subsystem. Just set

authentication.chain=external1:external

See

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#External

jimperrin
Champ in-the-making
Excellent, and thanks for the pointers.

This won't work with 3.2 though? It has to be from a nightly build after 3.2?

dward
Champ on-the-rise
Yes, the 21 Sep nightly build should be OK.

dward
Champ on-the-rise
In server.xml, remember to set tomcatAuthentication="false" if you are relying on request.getRemoteUser(). E.g.

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" tomcatAuthentication="false"/>

novetica
Champ in-the-making
Hi,
I use Apache with mod_jk to connect to the Alfresco Tomcat instance. I've enabled the external authentication with the following configuration:

external.authentication.proxyUserName=
external.authentication.proxyHeader=X-Alfresco-Remote-User
external.authentication.enabled=true
external.authentication.userIdPattern=

and I've used mod_headers and mod_rewrite to set X-Alfresco-Remote-User in the request headers.

If I look at a phpinfo() page the header is OK, but when I load Alfresco I'm logged in as "(null)"… I've tried to extract the request.getHeader("X-Alfresco-Remote-User") in login.jsp but it's really "(null)".

Could be related to mod_jk?

Thanks,

N.

PS: I'm using Alfresco Community 3.4b

novetica
Champ in-the-making
I solved the problem by setting up the Apache sites as follows:

<Location /alfresco>
   Options -Indexes FollowSymLinks MultiViews
   Order allow,deny
   allow from all
   AuthType Basic
   AuthName "Example DMS"
   Require valid-user
   AuthLDAPBindDN "uid=admin,ou=People,dc=example,dc=org"
   AuthLDAPBindPassword ********
   AuthLDAPURL "ldaps://intranet.example.org:636/ou=People,dc=example,dc=org?uid?sub?(objectClass=*)"
   AuthBasicProvider ldap
   ProxyPass http://localhost:8080/alfresco
   ProxyPassReverse http://localhost:8080/alfresco
   RewriteEngine On
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader set X-Alfresco-Remote-User "%{RU}e"
</Location>
<Location /share>
   Options -Indexes FollowSymLinks MultiViews
   Order allow,deny
   allow from all
   AuthType Basic
   AuthName "Example DMS"
   Require valid-user
   AuthLDAPBindDN "uid=admin,ou=People,dc=example,dc=org"
   AuthLDAPBindPassword ********
   AuthLDAPURL "ldaps://intranet.example.org:636/ou=People,dc=example,dc=org?uid?sub?(objectClass=*)"
   AuthBasicProvider ldap
   ProxyPass http://localhost:8080/share
   ProxyPassReverse http://localhost:8080/share
   RewriteEngine On
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader set X-Alfresco-Remote-User "%{RU}e"
</Location>

...and editing the Alfresco config:

/opt/alfresco/tomcat/shared/classes/alfresco-global.properties
authentication.chain=external1:external,ldap-example:ldap

/opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/external/external-filter.properties
external.authentication.proxyUserName=

Then adding in /opt/alfresco/tomcat/webapps/share/WEB-INF/classes/alfresco/templates/org/alfresco/global/slingshot-login.ftl a script that emulates the login script…

This is an acceptable solution because we have only enabled SSL-protected internal VPN network navigation… but if anyone has a better solution using HTTP-AUTH basic… please suggest…
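
Added example (not part of any post in this thread): a small Python check for the header-based setup described in the last post. It reads Apache <Location> blocks and flags the ways a client-supplied X-Alfresco-Remote-User value could reach the backend: no Require, the header not overwritten with RequestHeader set, or a backend that is not on loopback. The sample config is constructed and app01.example.org is a placeholder host.

```python
import re
from urllib.parse import urlsplit

HEADER = "X-Alfresco-Remote-User"            # identity header name used in the thread
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: /alfresco mirrors the thread's setup, /share is deliberately weak.
SAMPLE = """
<Location /alfresco>
    AuthType Basic
    Require valid-user
    ProxyPass http://localhost:8080/alfresco
    RequestHeader set X-Alfresco-Remote-User "%{RU}e"
</Location>
<Location /share>
    ProxyPass http://app01.example.org:8080/share
    RequestHeader append X-Alfresco-Remote-User "%{RU}e"
</Location>
"""

def audit(conf, header=HEADER):
    """Return {location: [findings]} for every <Location> that proxies to a backend."""
    report = {}
    blocks = re.findall(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", conf, re.S | re.I)
    for path, body in blocks:
        rows = [l.split() for l in body.splitlines()
                if l.strip() and not l.strip().startswith("#")]
        backends = [r[1] for r in rows if r[0].lower() == "proxypass" and len(r) > 1]
        if not backends:
            continue
        findings = []
        if not any(r[0].lower() == "require" for r in rows):
            findings.append("no Require: unauthenticated requests are proxied")
        # RequestHeader <action> <header> ...: only 'set' replaces a client-sent value.
        actions = {r[1].lower() for r in rows if r[0].lower() == "requestheader"
                   and len(r) > 2 and r[2].lower() == header.lower()}
        if "set" not in actions:
            findings.append("header not overwritten with 'set': client value is forwarded")
        for url in backends:
            if urlsplit(url).hostname not in LOOPBACK:
                findings.append("backend %s is not loopback: limit who can connect" % url)
        report[path] = findings
    return report

if __name__ == "__main__":
    for location, findings in audit(SAMPLE).items():
        print(location, "OK" if not findings else findings)
```

A clean result only covers the Apache side; the Tomcat connector on port 8080 still has to be unreachable for anything other than the proxy, since the backend takes the header as the user name.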