Server: os centos 5.2
Alfresco: latest version (upload 6 septemper 2009)
Client: os win xp
For authentication using NTLMv2 and for test NTLMv1
For the organization it is not correct because of safety
Ok. I have set following chain (for test) alfrescoNtlm1:alfrescoNtlm,passthru1
assthru, ldap1:ldap-ad with dward recommendations
Then steps:
I am
1. I start up alfresco
Alfresco
2. add people from ad to alfresco without password
I am
3. in browser I enter address http://localhost:8080/alfresco
Alfresco
4. get ntlm query (pass and username)
5. Tries to find for itself username with pass
View code
View log
I do not know there can be it and should transfer further on a chain, but for me with the given version does not work
P.S: dward sync work normal. Thanks.
Alfresco: latest version (upload 6 septemper 2009)
Client: os win xp
For authentication using NTLMv2 and for test NTLMv1
1. Enable NTLM v1 on the Vista machines
http://www.technologyquestions.com/tech … emium.html
For the organization it is not correct because of safety
2. Use the alfrescoNtlm subsystem instead. This supports NTLM v2 but will require alfresco to store its own copy of the user password. You can switch on NTLM v2 SSO with
authentication.chain=alfrescoNtlm1:alfrescoNtlm
ntlm.authentication.sso.enabled=true
3. Switch off SSO with the passthru subsystem
ntlm.authentication.sso.enabled=false
Ok. I have set following chain (for test) alfrescoNtlm1:alfrescoNtlm,passthru1
assthru, ldap1:ldap-ad with dward recommendationsThen steps:
I am
1. I start up alfresco
Alfresco
2. add people from ad to alfresco without password
I am
3. in browser I enter address http://localhost:8080/alfresco
Alfresco
4. get ntlm query (pass and username)
5. Tries to find for itself username with pass
View code
protected void processType3(Type3NTLMMessage type3Msg, ServletContext context, HttpServletRequest req, HttpServletResponse res,
HttpSession session, FilterChain chain) throws IOException, ServletException
{
Log logger = getLogger();
if (logger.isDebugEnabled())
logger.debug("Received type3 " + type3Msg);
// Get the existing NTLM details
NTLMLogonDetails ntlmDetails = null;
SessionUser user = null;
if (session != null)
{
ntlmDetails = (NTLMLogonDetails)session.getAttribute(NTLM_AUTH_DETAILS);
user = getSessionUser(session);
}
// Get the NTLM logon details
String userName = type3Msg.getUserName();
String workstation = type3Msg.getWorkstation();
String domain = type3Msg.getDomain();
boolean authenticated = false;
// Check if we are using cached details for the authentication
if (user != null && ntlmDetails != null && ntlmDetails.hasNTLMHashedPassword())
{
// Check if the received NTLM hashed password matches the cached password
byte[] ntlmPwd = type3Msg.getNTLMHash();
byte[] cachedPwd = ntlmDetails.getNTLMHashedPassword();
if (ntlmPwd != null)
{
authenticated = Arrays.equals( cachedPwd, ntlmPwd);
}
if (logger.isDebugEnabled())
logger.debug("Using cached NTLM hash, authenticated = " + authenticated);
try
{
if (logger.isDebugEnabled())
logger.debug("User " + user.getUserName() + " validate ticket");
// Validate the user ticket
authenticationService.validate(user.getTicket());
onValidate(context, req, res);
}
catch (AuthenticationException ex)
{
if (logger.isErrorEnabled())
logger.error("Failed to validate user " + user.getUserName(), ex);
removeSessionUser(session);
onValidateFailed(req, res, session);
return;
}
// Allow the user to access the requested page
chain.doFilter(req, res);
return;
}
else
{
// Check if we are using local MD4 password hashes or passthru authentication
if (nltmAuthenticator.getNTLMMode() == NTLMMode.MD4_PROVIDER)
{
// Check if guest logons are allowed and this is a guest logon
if (m_allowGuest && userName.equalsIgnoreCase(authenticationComponent.getGuestUserName()))
{
// Indicate that the user has been authenticated
authenticated = true;
if (getLogger().isDebugEnabled())
getLogger().debug("Guest logon");
}
else
{
// Get the stored MD4 hashed password for the user, or null if the user does not exist
String md4hash = getMD4Hash(userName);
if (md4hash != null)
{
authenticated = validateLocalHashedPassword(type3Msg, ntlmDetails, authenticated, md4hash);
}
else
{
// Check if unknown users should be logged on as guest
if (m_mapUnknownUserToGuest)
{
// Reset the user name to be the guest user
userName = authenticationComponent.getGuestUserName();
authenticated = true;
if (logger.isDebugEnabled())
logger.debug("User " + userName + " logged on as guest, no Alfresco account");
}
else
{
if (logger.isDebugEnabled())
logger.debug("User " + userName + " does not have Alfresco account");
// Bypass NTLM authentication and display the logon screen,
// as user account does not exist in Alfresco
authenticated = false;
}
}
}
}
else
{
// Determine if the client sent us NTLMv1 or NTLMv2
if (type3Msg.hasFlag(NTLM.Flag128Bit) && type3Msg.hasFlag(NTLM.FlagNTLM2Key) ||
(type3Msg.getNTLMHash() != null && type3Msg.getNTLMHash().length > 24))
{
// Cannot accept NTLMv2 if we are using passthru auth
if (logger.isErrorEnabled())
logger.error("Client " + workstation + " using NTLMv2 logon, not valid with passthru authentication");
}
else
{
// Passthru mode, send the hashed password details to the passthru authentication server
NTLMPassthruToken authToken = (NTLMPassthruToken) ntlmDetails.getAuthenticationToken();
authToken.setUserAndPassword(type3Msg.getUserName(), type3Msg.getNTLMHash(), PasswordEncryptor.NTLM1);
try
{
// Run the second stage of the passthru authentication
nltmAuthenticator.authenticate(authToken);
authenticated = true;
// Check if the user has been logged on as guest
if (authToken.isGuestLogon())
{
userName = authenticationComponent.getGuestUserName();
}
// Set the authentication context
authenticationComponent.setCurrentUser(userName);
}
catch (BadCredentialsException ex)
{
if (logger.isDebugEnabled())
logger.debug("Authentication failed, " + ex.getMessage());
}
catch (AuthenticationException ex)
{
if (logger.isDebugEnabled())
logger.debug("Authentication failed, " + ex.getMessage());
}
finally
{
// Clear the authentication token from the NTLM details
ntlmDetails.setAuthenticationToken(null);
}
}
}
// Check if the user has been authenticated, if so then setup the user environment
if (authenticated == true)
{
if (user == null)
{
user = createUserEnvironment(session, userName);
}
else
{
// user already exists - revalidate ticket to authenticate the current user thread
try
{
authenticationService.validate(user.getTicket());
}
catch (AuthenticationException ex)
{
if (logger.isErrorEnabled())
logger.error("Failed to validate user " + user.getUserName(), ex);
removeSessionUser(session);
onValidateFailed(req, res, session);
return;
}
}
onValidate(context, req, res);
// Update the NTLM logon details in the session
String srvName = getServerName();
if (ntlmDetails == null)
{
// No cached NTLM details
ntlmDetails = new NTLMLogonDetails(userName, workstation, domain, false, srvName);
ntlmDetails.setNTLMHashedPassword(type3Msg.getNTLMHash());
session.setAttribute(NTLM_AUTH_DETAILS, ntlmDetails);
if (logger.isDebugEnabled())
logger.debug("No cached NTLM details, created");
}
else
{
// Update the cached NTLM details
ntlmDetails.setDetails(userName, workstation, domain, false, srvName);
ntlmDetails.setNTLMHashedPassword(type3Msg.getNTLMHash());
if (logger.isDebugEnabled())
logger.debug("Updated cached NTLM details");
}
if (logger.isDebugEnabled())
logger.debug("User logged on via NTLM, " + ntlmDetails);
if (onLoginComplete(req, res))
{
// Allow the user to access the requested page
chain.doFilter(req, res);
}
}
else
{
restartLoginChallenge(res, session);
}
}
}
View log
11:43:51,317 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] New NTLM auth request from 127.0.0.1 (127.0.0.1:3990) SID:62AD906989E08668F737B80C4458B865
11:43:51,333 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type1 [Type1:0xa208b207,Domain:MY-DOMAIN,Wks:ITPROGVENG2]
11:43:51,348 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Sending NTLM type2 to client - [Type2:0xa0080201,Target:ITPROGVENG2A,Ch:23a24d4bb9e6d775]
11:43:51,348 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] Received type3 [Type3:,LM:40a9dce061ef41d200000000000000000000000000000000,NTLM:5d67d431322f129dd8d35e17f9af1a22faf0242775fdaa55,Dom:MY-DOMAIN,User:p.web,Wks:ITPROGVENG2]
11:43:51,379 DEBUG [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] User p.web does not have Alfresco account
I do not know there can be it and should transfer further on a chain, but for me with the given version does not work
P.S: dward sync work normal. Thanks.
Hello,
An other problem for me.
I shall want that all the users who want to reach Alfresco by the WEB interface are identified by a LDAP authentification and that only the Windows domain users (included in AD) can use the access in CIFS like this :
[img]http://easycaptures.com/fs/uploaded/354/3205637094.jpg[/img]
If I use this : authentication-chain = ldap1:ldap,passthru1assthru
Do you think that it will work? Which keys I have to define in the file alfresco-global.properties ?
An other problem for me.
I shall want that all the users who want to reach Alfresco by the WEB interface are identified by a LDAP authentification and that only the Windows domain users (included in AD) can use the access in CIFS like this :
[img]http://easycaptures.com/fs/uploaded/354/3205637094.jpg[/img]
If I use this : authentication-chain = ldap1:ldap,passthru1
assthruDo you think that it will work? Which keys I have to define in the file alfresco-global.properties ?
Nice picture.
Yes I think it will work. Assuming that you have 2 non-AD LDAP servers, plus 1 AD server you will need the following in alfresco-global.properties
authentication.chain=ldap1:ldap,ldap2:ldap,passthru1assthru
ntlm.authentication.sso.enabled=false # Chained authentication, so we can't use NTLM
passthru.authentication.domain=# Leave blank
passthru.authentication.servers=YOURDOMAIN\adserver.com,adserver.com
passthru.authentication.authenticateFTP=false # If you want chained FTP authentication
The properties for the individual LDAP servers will have to be set as per
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_2:_Advanced_LDAP_Chain
But please note that you will need a v3.2 nighly build in order for this to work.
Yes I think it will work. Assuming that you have 2 non-AD LDAP servers, plus 1 AD server you will need the following in alfresco-global.properties
authentication.chain=ldap1:ldap,ldap2:ldap,passthru1
assthruntlm.authentication.sso.enabled=false # Chained authentication, so we can't use NTLM
passthru.authentication.domain=# Leave blank
passthru.authentication.servers=YOURDOMAIN\adserver.com,adserver.com
passthru.authentication.authenticateFTP=false # If you want chained FTP authentication
The properties for the individual LDAP servers will have to be set as per
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_2:_Advanced_LDAP_Chain
But please note that you will need a v3.2 nighly build in order for this to work.
Nice picture.
Yes I think it will work. Assuming that you have 2 non-AD LDAP servers, plus 1 AD server you will need the following in alfresco-global.properties
authentication.chain=ldap1:ldap,ldap2:ldap,passthru1
ntlm.authentication.sso.enabled=false # Chained authentication, so we can't use NTLM
passthru.authentication.domain=# Leave blank
passthru.authentication.servers=YOURDOMAIN\adserver.com,adserver.com
passthru.authentication.authenticateFTP=false # If you want chained FTP authentication
The properties for the individual LDAP servers will have to be set as per
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_2:_Advanced_LDAP_Chain
But please note that you will need a v3.2 nighly build in order for this to work.
Thank you very much for this answer.
What I forgot to specify, it is that OVD corresponds to the LDAP server allowing the authentification for the Web access.
Its relation with the other LDAP server (included AD) is already organized.
Does this precision change anything in your answer? the ldap2 is still necessary ?
How Alfresco knows which subsystem to use to authenticate either by Web or by CIFS with this configuration ?
Thank you one more time
