
Authentication CIFS using LDAP

nshong
Champ in-the-making
I can log in to Share using an LDAP user,


but I am unable to log in with an LDAP user to CIFS using smb:\\X.X.X.X\alfresco; the log shows as below.

[security.sync.ChainingUserRegistrySynchronizer] [AlfJLANWorker11] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Commencing batch of 0 entries
[security.sync.ChainingUserRegistrySynchronizer] [AlfJLANWorker11] 0 user(s) and 0 group(s) processed


The log shown below is the scheduled sync:

[security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-10] Synchronization,Category=directory,id1=ldap1,id2=1 Group Analysis: Completed batch of 3 entries
[security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker-6] 2 user(s) and 3 group(s) processed


mrogers
Star Contributor
Although authentication could be via LDAP, sync is a different process from authentication. Your log file extract above is not relevant, except to show that you are syncing something.

What is important is your authentication configuration.

And unfortunately SMB authentication can be complicated due to an old, obsolete authentication mechanism called NTLM.

Hi,
Did you mean it's hard or 'impossible' to chain Alfresco native NTLM with LDAP?
I've a similar problem.
When trying to access \\server.name\alfresco, only internal users (registered through Alfresco user management) can access that CIFS shared folder. Exported LDAP users (I used Samba) always fail, with a repeated pop-up login window.

What's the correct guidance for combining native Alfresco NTLM and LDAP?
I've read this documentation [1] but am still confused.

Thanks,
[bayu]

[1] http://docs.alfresco.com/4.1/concepts/auth-subsystem-types.html

nshong
Champ in-the-making
Is there any difference between [security.sync.ChainingUserRegistrySynchronizer] [AlfJLANWorker] and [security.sync.ChainingUserRegistrySynchronizer] [DefaultScheduler_Worker]? Do they read the same ldap-authentication.properties file?

xarope
Champ in-the-making
I'm stuck with CIFS authentication too.  This is 5.0.d on ubuntu 14.04 x64.

I can get internal CIFS working (see step 1 below).

I can get LDAP sync to my AD's DC, so that I can authenticate through the share interface for both internal and external users (see step 2 below).

But when I then configure the passthru for CIFS authentication, internal users can no longer authenticate (which is expected, since I turned it off), but LDAP users also cannot authenticate, and all I get in tomcat's catalina.log is "<TIMESTAMP>  ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker21] org.alfresco.jlan.smb.SMBException: Invalid parameter".

For the purposes of documentation, I'm going to pretend my AD domain is "TEST-TEST", with IP domain "test-test.local", and my server is testalfresco.test-test.local with IP address 10.10.1.20

1) internal CIFS is easy enough.  Just need to do:

filesystem.name=Alfresco
cifs.enabled=true
cifs.serverName=testalfresco
cifs.domain=
cifs.broadcast=10.255.255.255
cifs.bindto=10.10.1.20
cifs.disableNativeCode=false
cifs.hostannounce=true
ftp.enable=false

Then from a test system, "sudo mount -t cifs -o user=admin //10.10.1.20/Alfresco/sites /usr/share/testMount", type in the Alfresco admin password and it will mount the sites folder to /usr/share/testMount.

2) Next I do an LDAP sync with my AD's DC.
For this, I had to configure the alfresco/extensions/subsystems/Authentication/ldap/ldap1/ldap-ad-authentication.properties file (copied the original from the alfresco-repository-5.0.d.jar file).
Main changes:

ldap.authentication.active=false
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.provider.url=ldap://10.10.1.20:389
ldap.authentication.defaultAdministratorUserNames=Administrator
ldap.synchronization.java.naming.security.principal=non-admin-user@test-test.local
ldap.synchronization.java.naming.security.credentials=thepassword
# sync all active users and groups from the entire AD tree
ldap.synchronization.groupSearchBase=dc\=test-test,dc\=local
ldap.synchronization.userSearchBase=dc\=test-test,dc\=local


Then, added to the authentication chain in alfresco-properties:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap-ad

After an alfresco service restart, I can see users and groups synchronized, and can browse/search LDAP users in Admin Tools/ Users, and Groups.

Now, I add the passthru for LDAP authentication (but not CIFS yet).

Configure /alfresco/extension/subsystems/Authentication/passthru/passthru1/passthru-authentication.properties (again, copied the original from the alfresco-repository-5.0.d.jar file).

Main changes:

passthru.authentication.useLocalServer=false
passthru.authentication.domain=
passthru.authentication.servers=TEST-TEST\\10.10.1.200,10.10.1.200 # DC's IP address
passthru.authentication.guestAccess=false
passthru.authentication.defaultAdministratorUserNames=administrator
passthru.authentication.connectTimeout=5000
passthru.authentication.offlineCheckInterval=300
passthru.authentication.protocolOrder=TCPIP,NetBIOS
passthru.authentication.authenticateCIFS=false
passthru.authentication.authenticateFTP=true
passthru.authentication.sessionCleanup=true
passthru.authentication.broadcastMask=


And added to the authentication chain:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad


After an alfresco service restart, I tested that I can login to the share interface with both internal and LDAP users.

Currently, CIFS for internal users is working, but not for LDAP users.

3) Following instructions found in https://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_1:_Advanced_AD_Chain

i) deactivate SSO in order to activate chained password-based login alfrescoNtlm1
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

ii) target CIFS at passthru1
ntlm.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=true

iii) target synchronization (but not authentication) at ldap1
ldap.authentication.active=false
ldap.synchronization.active=true

Note1 in that link also says that I can only have either alfresco or passthru's authenticateCIFS=true, so I will expect that I can only have either internal or LDAP users be able to use CIFS, not both at the same time.

So the main changes now are:

# you can set this in alfresco-global.properties, but I made a copy of
# /alfresco/extension/subsystems/Authentication/passthru/passthru1/passthru-authentication.properties
# from the alfresco-repository-5.0.d.jar file, and made changes in there instead
alfresco.authentication.authenticateCIFS=false



# in passthru1/passthru-authentication.properties
passthru.authentication.authenticateCIFS=true



# in ldap1/ldap-ad-authentication.properties
ldap.authentication.active=false # already done in step (2)


After an alfresco service restart, I can still login to the share interface with both internal and LDAP users, however now CIFS has stopped working for internal (expected) and sadly doesn't work for LDAP users.

"sudo mount -t cifs -o user=non-admin-user,domain=TEST-TEST //10.10.1.20/Alfresco/sites /usr/share/testMount"

just gives me an error like this in catalina.out: "TIMESTAMP  ERROR [auth.cifs.PassthruCifsAuthenticator] [AlfJLANWorker21] org.alfresco.jlan.smb.SMBException: Invalid parameter"

I tried to debug further by changing some parameters in /opt/alfresco-5.0.d/tomcat/webapps/alfresco/WEB-INF/classes/log4j.properties, but nothing else extra appears in the catalina.out file other than the above error about invalid parameter:


# CIFS server debugging
#log4j.logger.org.alfresco.smb.protocol=error
log4j.logger.org.alfresco.smb.protocol=debug
log4j.logger.org.alfresco.smb.protocol.auth=debug
log4j.logger.org.alfresco.acegi=debug
# passthru debug
log4j.logger.org.alfresco.passthru.auth=debug


I checked with wireshark from the client side (IP=10.10.1.40) that the parameters sent for the domain login are correct, and I do see something like this:
10.10.1.40   10.10.1.20   SMB   384   Session Setup AndX Request, User: TEST-TEST\non-admin-user


I thought this would be relatively simple, and for Alfresco internal users it is, but despite numerous hits in google for how people have done it (including this very useful site: https://andoylang.wordpress.com/2010/07/20/alfresco-with-cifs/), I am at a loss for why this is not working in my test environment.

Anybody have any other suggestions?
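The post above chains three subsystems and relies on two things worth checking mechanically before restarting the service: only one subsystem in authentication.chain may have its authenticateCIFS flag set to true (the Note1 constraint quoted above), and Java .properties files have no inline comments, so a value written as `false # already done in step (2)` keeps the whole string as the value. The linter below is an added example, not Alfresco code; the property names come from the thread, the minimal .properties reader and the chain parser are my own, and the sample configuration is constructed to mirror step 3 of the post (including its trailing comments and the `\\` and `\=` escapes).

```python
"""Lint an Alfresco authentication chain as configured in the thread above.

Added example, not Alfresco code. It reads alfresco-global.properties and the
per-instance subsystem property files with a minimal java.util.Properties
reader, then checks that exactly one chain member authenticates CIFS and that
no value carries an inline comment (which .properties would keep as data).
"""
import re

# CIFS flag per subsystem type, as named in the thread. Other types (ldap-ad
# in this chain) are assumed not to authenticate CIFS for this lint.
CIFS_FLAG = {
    "alfrescoNtlm": "alfresco.authentication.authenticateCIFS",
    "passthru": "passthru.authentication.authenticateCIFS",
}
INLINE_COMMENT = re.compile(r"\s[#!]")


def _unescape(s):
    """Resolve backslash escapes the way java.util.Properties does (\\= \\: \\\\ \\n \\t)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append({"n": "\n", "t": "\t"}.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_properties(text):
    """Minimal .properties reader: '#'/'!' start a comment only at line start,
    the key ends at the first unescaped '=', ':' or whitespace, escapes resolved."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, i = [], 0
        while i < len(line):
            c = line[i]
            if c == "\\" and i + 1 < len(line):
                key.append(line[i + 1])
                i += 2
                continue
            if c in "=:" or c.isspace():
                break
            key.append(c)
            i += 1
        rest = line[i:].lstrip()
        if rest[:1] in ("=", ":"):
            rest = rest[1:].lstrip()
        props["".join(key)] = _unescape(rest)
    return props


def parse_chain(chain):
    """'alfrescoNtlm1:alfrescoNtlm,passthru1:passthru' -> [('alfrescoNtlm1', 'alfrescoNtlm'), ...]"""
    entries = []
    for item in chain.split(","):
        inst, _, typ = item.strip().partition(":")
        if inst or typ:
            entries.append((inst, typ))
    return entries


def is_true(value):
    # Boolean.parseBoolean semantics: only the word "true" (any case) counts,
    # so a value like "true # enable" reads as false.
    return value is not None and value.strip().lower() == "true"


def lint(global_props, subsystems):
    """Return findings for the chain in global_props; subsystems maps
    instance id -> parsed properties of that instance's file."""
    findings = []
    entries = parse_chain(global_props.get("authentication.chain", ""))
    if not entries:
        findings.append("authentication.chain is empty or missing")
    cifs = []
    for inst, typ in entries:
        if not inst or not typ:
            findings.append(f"malformed chain entry '{inst}:{typ}' (expected id:type)")
            continue
        flag = CIFS_FLAG.get(typ)
        if flag is None:
            continue
        # the subsystem file wins; alfresco-global.properties is the fallback
        value = subsystems.get(inst, {}).get(flag, global_props.get(flag))
        if value is None:
            findings.append(f"{inst}: {flag} is not set explicitly")
        elif is_true(value):
            cifs.append(inst)
    if len(cifs) > 1:
        findings.append("more than one subsystem has authenticateCIFS=true: " + ", ".join(cifs))
    elif entries and not cifs:
        findings.append("no subsystem in the chain has authenticateCIFS=true")
    for inst, props in subsystems.items():
        for key, value in props.items():
            if INLINE_COMMENT.search(value):
                findings.append(f"{inst}: {key}={value!r} contains an inline comment, "
                                "which .properties keeps as part of the value")
    return findings


def thread_step3_example():
    """Constructed sample mirroring step 3 of the post (not the poster's files)."""
    global_props = parse_properties(
        "authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad\n")
    subsystems = {
        "alfrescoNtlm1": parse_properties(
            "ntlm.authentication.sso.enabled=false\n"
            "alfresco.authentication.authenticateCIFS=false\n"),
        "passthru1": parse_properties(
            r"passthru.authentication.servers=TEST-TEST\\10.10.1.200,10.10.1.200 # DC's IP address" "\n"
            "passthru.authentication.authenticateCIFS=true\n"),
        "ldap1": parse_properties(
            "ldap.authentication.active=false # already done in step (2)\n"
            "ldap.synchronization.active=true\n"
            r"ldap.synchronization.userSearchBase=dc\=test-test,dc\=local" "\n"),
    }
    return lint(global_props, subsystems), subsystems


if __name__ == "__main__":
    for finding in thread_step3_example()[0]:
        print(finding)
```

Run against the step-3 sample it reports only the two inline-comment values; the CIFS constraint is satisfied because just passthru1 is true. The same check on a file where the flag is written `true # enable` reports that no chain member authenticates CIFS, which is the kind of silent misconfiguration a restart-and-retry loop never surfaces.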

andrew_hegerty
Champ in-the-making
Hi,
I am trying to configure 5.0d Community on CentOS 7 to work with CIFS.  I am using Kerberos as the authentication method.  I have Kerberos working fine for Share.  I have followed the instructions on docs.alfresco to do the configuration.  Now I am stuck.  When I check the audit logs from the Active Directory DC I find that for CIFS, Alfresco is trying to authenticate to AD to get a Kerberos token with the username "admin". With Share it authenticates with HTTP/teamdocs.team.local. I have no idea where it is getting "admin" from.  Do you guys have any ideas?

Cheers,
Andrew

Can you share the code please?