Hitting a wall with LDAP authentication

luda12
Champ in-the-making
Hello, I am installing Alfresco in my company. Everything is working great, and even though I had some issues, it didn't take too long to solve them.

Now I have a problem that I can't seem to solve. I am trying to allow simple authentication with LDAP for my users. Without it, Alfresco would be useless, since we have way too many users to manually create each account.

So I configured the ldap-authentication-context.xml.
My logs clearly indicate that I am corresponding with the LDAP server, and I can't log in any more with local users, which is the correct behavior.

However, it seems that whatever login or password I use from LDAP users, I can't manage to log in.

Here is my ldap-authentication-context.xml:


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

<!-- DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted without warnings from the UI. -->

<bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
<property name="allowDeleteUser">
<value>true</value>
</property>
</bean>


<!-- LDAP authentication configuration -->

<!--

You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
authentication routes, like Active Directory.

-->

<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapInitialDirContextFactory"/>
</property>
<property name="userNameFormat">
<!--

This maps between what the user types in and what is passed through to the underlying LDAP authentication.

"%s" - the user id is passed through without modification.
Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".

"cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" they authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
Usually for simple authentication.

-->
<value>uid=%s,ou=***,o=***,c=fr</value>
</property>
</bean>

<!--

This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
to pull them out of the LDAP repository

-->

<bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
<property name="initialDirContextEnvironment">
<map>
<!-- The LDAP provider -->
<entry key="java.naming.factory.initial">
<value>com.sun.jndi.ldap.LdapCtxFactory</value>
</entry>

<!-- The url to the LDAP server -->
<!-- Note you can use space separated urls - they will be tried in turn until one works -->
<!-- This could be used to authenticate against one or more ldap servers (you will not know which one ...) -->
<entry key="java.naming.provider.url">
<value>ldap://***:50014</value>
</entry>

<!-- The authentication mechanism to use -->
<!-- Some sasl authentication mechanisms may require a realm to be set -->
<!-- java.naming.security.sasl.realm -->
<!-- The available options will depend on your LDAP provider -->
<entry key="java.naming.security.authentication">
<value>simple</value>
</entry>
</map>
</property>
</bean>

</beans>


Here are my log files concerning LDAP:


12:00:25,918 WARN [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server supports anonymous bind ldap://***:50014
12:00:25,921 INFO [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not support simple string user ids and invalid credentials at ldap://***:50014
12:00:25,923 INFO [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://***:50014

Any advice or leads would be greatly appreciated.

Greetings from France

Luda

andy
Champ on-the-rise
Hi

LDAP simple authentication uses the DN of the user. Check the DN of the user in an LDAP browser, and confirm you can authenticate with this browser. The DN is likely to be based on CN and not uid.

Andy
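What Andy's reply amounts to in code, as an added example that is not part of this thread and not Alfresco's own code: a simple bind carries a full DN, which Alfresco builds by substituting the typed-in login into userNameFormat, and the server then looks that exact DN up. If the entries are named by cn and the format says uid=%s, the bind names an entry that does not exist, and no password will work. The script below models that server-side lookup against a small constructed directory whose entries are named by cn, derives from a found entry the userNameFormat that would bind as it (plus the value the user then has to type), and escapes the substituted value as RFC 4514 requires, which a bare %s replacement does not. The entries, passwords, and the base ou=London,dc=company,dc=com (borrowed from the "Joe Bloggs" comment in the posted config) are constructed; that Alfresco does a plain %s replacement is assumed from that same comment.

```python
"""Model of an LDAP simple bind driven by an Alfresco-style userNameFormat.
Added example, not Alfresco code: directory, names and passwords are constructed,
and the %s substitution mirrors the 'Joe Bloggs' comment in the posted config,
with RFC 4514 escaping added here."""

_SPECIAL = set('"+,;<>\\')          # RFC 4514 s2.4: must be escaped in an RDN value
_ESCAPABLE = _SPECIAL | set(' #=')  # may also appear backslash-escaped

def escape_rdn_value(value):
    """Escape a string so it is safe as one RDN attribute value."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)

def bind_dn(user_name_format, typed):
    """The name sent in the bind request.  A bare "%s" passes the login through
    (SASL mechanisms); any other format builds a DN, so the value is escaped."""
    if '%s' not in user_name_format:
        raise ValueError('userNameFormat must contain %s')
    if user_name_format.strip() == '%s':
        return typed
    return user_name_format.replace('%s', escape_rdn_value(typed), 1)

def parse_dn(dn):
    """Split a DN into (lowercase attribute, value) pairs, honouring backslash
    escapes.  Multi-valued RDNs (a=1+b=2) are rejected; none occur here."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\':
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in _ESCAPABLE:
                buf.append(nxt)
                i += 2
            else:                                   # \XX hex escape
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            continue
        if ch == ',':
            rdns.append(''.join(buf))
            buf = []
        elif ch == '+':
            raise ValueError('multi-valued RDN not supported')
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN: %r' % rdn)
        pairs.append((attr.strip().lower(), value))
    return pairs

def is_well_formed_dn(dn):
    try:
        return bool(parse_dn(dn))
    except ValueError:
        return False

def simple_bind(directory, user_name_format, typed, password):
    """Server side of a simple bind: the request DN must exist exactly, then its
    userPassword must match.  Real servers answer both failures with the same
    invalidCredentials; the distinct results here are what an LDAP browser search
    would reveal.  Values compare case-insensitively (assumes caseIgnoreMatch)."""
    want = [(a, v.lower()) for a, v in parse_dn(bind_dn(user_name_format, typed))]
    for entry_dn, attrs in directory.items():
        if [(a, v.lower()) for a, v in parse_dn(entry_dn)] == want:
            return 'ok' if attrs.get('userPassword') == password else 'invalid-credentials'
    return 'no-such-entry'

def derive_user_name_format(directory, login):
    """Andy's check done by search: find the entry whose uid or cn equals the
    login; return (userNameFormat that binds as it, value the user must type)."""
    for entry_dn, attrs in directory.items():
        if login.lower() in (attrs.get('uid', '').lower(), attrs.get('cn', '').lower()):
            rdns = parse_dn(entry_dn)
            parent = ','.join('%s=%s' % (a, escape_rdn_value(v)) for a, v in rdns[1:])
            return ('%s=%%s,%s' % (rdns[0][0], parent), rdns[0][1])
    return None

# Constructed directory: entries are named by cn (Andy's suspicion); uid is only
# an attribute, so a uid=%s format names a DN that does not exist.
DIRECTORY = {
    'cn=Joe Bloggs,ou=London,dc=company,dc=com':
        {'cn': 'Joe Bloggs', 'uid': 'jbloggs', 'userPassword': 'correct horse'},
    'cn=Bloggs\\, Jane,ou=London,dc=company,dc=com':
        {'cn': 'Bloggs, Jane', 'uid': 'jane', 'userPassword': 'battery staple'},
}
BASE = 'ou=London,dc=company,dc=com'

if __name__ == '__main__':
    print(simple_bind(DIRECTORY, 'uid=%s,' + BASE, 'jbloggs', 'correct horse'),
          derive_user_name_format(DIRECTORY, 'jbloggs'))
```

Running it shows the poster's situation: uid=%s yields no-such-entry for a user who exists under cn, and the derived format is cn=%s,ou=London,dc=company,dc=com with "Joe Bloggs" as the login. Two caveats carry over to a real directory: a simple bind with a format string only works when what users type is the value of the entry's first RDN (here the cn, not the uid), and a live server will not tell you whether the DN was wrong or the password was, since both come back as invalidCredentials (resultCode 49); the LDAP browser search Andy recommends is how you tell them apart.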