Can Alfresco use CAS?

klitwak
Champ in-the-making
We use CAS for authentication.  It would be nice to be able to have CAS for authentication, instead of having to create all separate user ids.  Can this be done? 

Ken
6 REPLIES

sacco
Champ in-the-making
Yes for the 'Web-client', but not for CIFS access.

klitwak
Champ in-the-making
Yes for the 'Web-client', but not for CIFS access.

I'm really new to this. What is the difference? Can you tell me where to find documentation for doing this?  Thanks.

Ken

sacco
Champ in-the-making
Well, for you to authenticate to the repository, your client, which could
be a Web browser communicating over HTTP, Windows Explorer over CIFS,
M$ Word via WebDAV, etc, must present your login credentials to the server
in a form that it can verify against the information it holds.  There are various
authentication protocols to do this, and which of these is available
depends to some extent on the communication protocol.

In the case of the CIFS communication protocol, the only authentication
protocols available are the various versions of M$'s NTLM and Microsoft's
variant of Kerberos (which is not quite standard, but tends to interoperate
OK except for the case of a M$ server with non-M$ clients).

Now NTLM will send your server only an MD4 hash of the password to check,
which isn't provided for by CAS, so the only possibility of using NTLM
against your existing user data would be to bypass CAS and go directly to
the system behind it, and this would be possible only in the (unlikely)
case that you could (and would be permitted to) extract a plain-text
password from the backing system. In any case, it wouldn't be
using CAS.

The only remaining alternative is to somehow make CAS have a front-end
that looks like Kerberos to the client. I haven't thought about this too
hard, but it would certainly not be simple, and I suspect that if I did
think about it harder I would realise that it's actually impossible.
It probably ought to be.

There are quite a few pages on the Wiki about this: these are probably the
most generally useful:

http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#SSO_-_Kerberos
http://wiki.alfresco.com/wiki/Security_and_Authentication
http://wiki.alfresco.com/wiki/Configuring_the_CIFS_and_web_servers_for_Kerberos/AD_integration

If you want to use both the Web-client and CIFS, and also want to
integrate with other systems, then the 'Recommended combination'
'SSO - Kerberos' is a good point to aim at, although it doesn't seem to
work as documented quite yet in the Community releases.  Roll on
2.2 (or even just a 2.2-nearly please)!

If CAS is more important to you than CIFS (or you're prepared to do your
CIFS authentication against a different source from your Web-client), then
I believe it has been done - there might be something somewhere on these
forums.  One way to do it would be via the Acegi security components
http://wiki.alfresco.com/wiki/Acegi_Security
(CAS is available for Acegi - check the Acegi site).

Unfortunately the Wiki appears to mark all 3 letter words as stop words,
so searching to see if anything about CAS (or XML, RPC …) has been
posted there is tricky!

Good luck!

klitwak
Champ in-the-making
Thanks for the information.  So, if I want to use only a web client to allow for adding documents to the repository, searching the repository, and reading documents in the repository (this is all we want Alfresco for–no workflow, no editing by others, etc.), can I safely ignore everything said about CIFS?  Thanks.

Ken

sacco
Champ in-the-making
Yes, and you should be able to use CAS.

jarnaiz
Champ in-the-making
Hello,

Do I need to relogin to use CIFS using CAS for web?

Thanks in advance.