I got authentication with Active Directory working
12-04-2008 07:33 PM
Desktop Actions didn't work in Labs 3 B on Linux or Windows, so I installed Community 2.1 on a CentOS 4.6 Linux server.
I got it working by following the JAAS section of the Enterprise Security and Authentication Configuration WIKI, and configuring the CIFS passthru authenticator described in the CIFS Server Authentication WIKI (The only option I use is the Server option).
LDAP isn't a good solution because you can't use your normal account name…you have to use a distinguished name (DN).
NTLM worked Ok for the web interface, but I couldn't get it to work with CIFS (JLAN-46?).
The problem with the Configuring the CIFS and web servers for Kerberos/AD integration WIKI is:
1. The keytab is optional and over-complicates things
2. The Kerberos authentication web filter, in web.xml, is not available in Community 2.1
12-08-2008 04:51 PM
Can you post your configs… I am having issues getting Kerberos working with AD.
I have plenty of experience in the [not working] passthru method for CIFS in Labs 3b and 3c…
so keen to see how you got it to work.
01-07-2009 06:32 PM
From the JAAS section of the Enterprise Security and Authentication Configuration WIKI
tomcat/shared/classes/alfresco/extension/jaas-authentication-context.xml:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
  <!-- The authentication component. -->
  <!-- JAAS authentication - most of the config goes somewhere else -->
  <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.jaas.JAASAuthenticationComponent">
    <property name="realm">
      <value>AMALFI.LG.COM</value>
    </property>
    <property name="jaasConfigEntryName">
      <value>Alfresco</value>
    </property>
  </bean>
  <!-- DAO that rejects changes - JAAS is read only at the moment. -->
  <!-- It does allow users to be deleted without warnings from the UI. -->
  <!-- The user is still present in JAAS, only the personal information is removed from alfresco. -->
  <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
    <property name="allowDeleteUser">
      <value>true</value>
    </property>
  </bean>
</beans>
/usr/java/jdk1.5.0_04/jre/lib/security/java.security:
…
#
# Default login configuration file
#
#login.config.url.1=file:${user.home}/.java.login.config
login.config.url.1=file:${java.home}/lib/security/java.login.config
…
/usr/java/jdk1.5.0_04/jre/lib/security/java.login.config:
Alfresco {
    com.sun.security.auth.module.Krb5LoginModule sufficient;
};
/etc/krb5.conf (I already had Kerberos working on this server before I knew what Alfresco was):
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

[libdefaults]
 ticket_lifetime = 24000
 default_realm = AMALFI.LG.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
 AMALFI.LG.COM = {
   kdc = srv-lg3.amalfi.lg.com:88
   kdc = ssvrc14.amalfi.lg.com:88
   admin_server = srv-lg3.amalfi.lg.com:749
   kpasswd_server = srv-lg3.amalfi.lg.com:464
   kpasswd_protocol = SET_CHANGE
   default_domain = amalfi.lg.com
 }

[domain_realm]
 .amalfi.lg.com = AMALFI.LG.COM
 amalfi.lg.com = AMALFI.LG.COM
From the CIFS Server Authentication WIKI
tomcat/webapps/alfresco/WEB-INF/classes/alfresco/file-servers.xml:
<alfresco-config area="file-servers">

  <config evaluator="string-compare" condition="CIFS Server">
    <serverEnable enabled="true"/>
    <host name="${localname}" domain="amalfilg"/>
    <comment>Alfresco CIFS Server</comment>

    <!-- Set to the broadcast mask for the subnet -->
    <broadcast>255.255.255.255</broadcast>

    <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
    <tcpipSMB platforms="linux,solaris,macosx"/>
    <netBIOSSMB platforms="linux,solaris,macosx"/>

    <!-- Can be mapped to non-privileged ports, then use firewall rules to forward requests from the standard ports -->
    <!--
    <tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
    <netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
    -->
    <!-- <hostAnnounce interval="5"/> -->

    <!-- Use Win32 NetBIOS interface on Windows -->
    <Win32NetBIOS/>
    <Win32Announce interval="5"/>
    <!--
    <WINS>
      <primary>1.2.3.4</primary>
      <secondary>5.6.7.8</secondary>
    </WINS>
    -->
    <sessionDebug flags="Negotiate,Socket"/>
  </config>

  <config evaluator="string-compare" condition="FTP Server">
    <serverEnable enabled="true"/>
    <!-- <debug flags="File,Search,Error,Directory,Info,DataPort"/> -->
  </config>

  <config evaluator="string-compare" condition="NFS Server">
    <serverEnable enabled="false"/>
  </config>

  <config evaluator="string-compare" condition="Filesystems">
    <filesystems>
      <!-- Alfresco repository access shared filesystem -->
      <filesystem name="Alfresco">
        <store>workspace://SpacesStore</store>
        <rootPath>/app:company_home</rootPath>

        <!-- Add a URL file to each folder that links back to the web client -->
        <urlFile>
          <filename>__AlfrescoClient.url</filename>
          <webpath>http://${localname}:8080/alfresco/</webpath>
        </urlFile>

        <!-- Mark locked files as offline -->
        <offlineFiles/>

        <!-- Desktop actions -->
        <!-- Uses a client-side application to trigger a server-side action -->
        <!-- Echo - displays a message echoed from the server -->
        <!-- URL - launches a URL via the Windows shell -->
        <!-- CmdLine - launches the Notepad application -->
        <!-- CheckInOut - checks files in/out, drag and drop files onto the application -->
        <!-- JavaScript - run a server-side script -->
        <!-- JavaScriptURL - server-side script that generates a URL to the folder using a ticket -->
        <!-- to avoid having to logon -->
        <!--
        <desktopActions>
          <global>
            <path>alfresco/desktop/Alfresco.exe</path>
            <webpath>http://${localname}:8080/alfresco/</webpath>
          </global>
          <action>
            <class>org.alfresco.filesys.smb.server.repo.desk.EchoDesktopAction</class>
            <name>Echo</name>
            <filename>__AlfrescoEcho.exe</filename>
          </action>
          <action>
            <class>org.alfresco.filesys.smb.server.repo.desk.URLDesktopAction</class>
            <name>URL</name>
            <filename>__AlfrescoURL.exe</filename>
          </action>
          <action>
            <class>org.alfresco.filesys.smb.server.repo.desk.CmdLineDesktopAction</class>
            <name>CmdLine</name>
            <filename>__AlfrescoCmd.exe</filename>
          </action>
          <action>
            <class>org.alfresco.filesys.smb.server.repo.desk.CheckInOutDesktopAction</class>
            <name>CheckInOut</name>
            <filename>__AlfrescoCheckInOut.exe</filename>
          </action>
          <action>
            <class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
            <name>JavaScript</name>
            <filename>__AlfrescoScript.exe</filename>
            <script>alfresco/desktop/dumpRequest.js</script>
            <attributes>anyFiles, multiplePaths , allowNoParams</attributes>
            <preprocess>confirm, copyToTarget</preprocess>
          </action>
          <action>
            <class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
            <name>JavaScriptURL</name>
            <filename>__AlfrescoDetails.exe</filename>
            <script>alfresco/desktop/showDetails.js</script>
            <attributes>anyFiles</attributes>
            <preprocess>copyToTarget</preprocess>
          </action>
        </desktopActions>
        -->

        <!--
        <accessControl default="Write">
          <user name="admin" access="Write"/>
          <address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
        </accessControl>
        -->
      </filesystem>

      <!-- AVM virtualization view of all stores/versions for WCM -->
      <avmfilesystem name="AVM">
        <virtualView/>
      </avmfilesystem>
    </filesystems>
  </config>

  <config evaluator="string-compare" condition="Filesystem Security">
    <authenticator type="passthru">
      <Server>ssvrc14,srv-lg3</Server>
    </authenticator>
    <!--
    <globalAccessControl default="None">
      <user name="admin" access="Write"/>
      <address ip="90.1.0.90" access="Write"/>
    </globalAccessControl>
    <users>
      <localuser name="user">
        <password>user</password>
        <comment>Normal user account</comment>
      </localuser>
      <localuser name="administrator">
        <password>admin</password>
        <administrator/>
        <comment>Administrator account</comment>
      </localuser>
    </users>
    -->
  </config>
</alfresco-config>
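The JAAS path in the configs above (java.login.config entry "Alfresco" backed by Krb5LoginModule, KDCs from /etc/krb5.conf) can be exercised outside Alfresco to separate a KDC/realm problem from an Alfresco problem. This is an added example, not code from the thread or from Alfresco; it assumes it runs under the same JRE as Alfresco, and the user name jsmith is a placeholder.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.security.Principal;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
// Logs in through the "Alfresco" entry of java.login.config (Krb5LoginModule), which is
// what JAASAuthenticationComponent does for a web-client logon. Run it with the JRE
// Alfresco uses so the edited java.security and /etc/krb5.conf are picked up:
//   java JaasKerberosCheck jsmith        (jsmith is a placeholder user name)
public class JaasKerberosCheck {
    // Answers the module's name/password prompts from the supplied values.
    static CallbackHandler handler(final String user, final char[] password) {
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user); // bare name: default_realm is appended
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }
        };
    }
    // Returns the authenticated principal (e.g. jsmith@AMALFI.LG.COM), or null on failure.
    static String login(String entryName, String user, char[] password) {
        try {
            LoginContext lc = new LoginContext(entryName, handler(user, password));
            lc.login(); // contacts the KDCs listed in krb5.conf
            String name = null;
            for (Principal p : lc.getSubject().getPrincipals()) name = p.getName();
            lc.logout();
            return name;
        } catch (LoginException e) {
            System.err.println("login failed: " + e.getMessage());
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        String user = args.length > 0 ? args[0] : "jsmith";
        System.out.print("Password for " + user + ": ");
        String line = new BufferedReader(new InputStreamReader(System.in)).readLine();
        char[] pw = line == null ? new char[0] : line.toCharArray();
        String principal = login("Alfresco", user, pw);
        java.util.Arrays.fill(pw, '\0'); // clear the password copy
        System.out.println(principal == null ? "FAILED" : "OK as " + principal);
    }
}
```

If this prints FAILED, the fault is in krb5.conf, the KDC or the account rather than in Alfresco; adding -Dsun.security.krb5.debug=true to the java command shows the KDC exchange.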
01-08-2009 09:35 AM
jmeehan - So, if I understand correctly, you now have Alfresco Community Labs 2.1 running on a CentOS 4.6 Linux server, authenticating via Kerberos against an Active Directory server for BOTH CIFS AND the Web UI?
And you accomplished this by following the directions in the JAAS section of the Enterprise Security and Authentication Wiki for the Web UI configuration and the directions in the CIFS Server Authentication Wiki for the CIFS server configuration?
Had you tried these exact same configurations with Alfresco Community Labs 3c?
01-08-2009 12:15 PM
Yes, Community 2.1 (Not Labs), CentOS4.6, Kerberos authentication via AD for both CIFS and Web UI.
We're using Community 2.1 since desktop actions didn't work in Labs 3 B.
I haven't tried the same configuration for Labs 3 B. If you try, and it doesn't work, you may try using the Kerberos authentication web filter, in web.xml, from 'Configuring the CIFS and web servers for Kerberos/AD integration', which is not available in Community 2.1.
01-13-2009 03:31 PM
I have started a thread that I hope to eventually turn into an AlfrescoWiki page for how to configure Active Directory authentication for both CIFS and the Web Interface in Alfresco Labs 3c.
Please see my thread:
[ERROR]Alfresco Engineers: CIFS auth does not work. Sugg?
Please come join in the discussion, or at least subscribe to the thread. I want to try to get everyone having these types of issues into the thread so that we can get a large collection of experiences and configurations.
We WILL find the answer for how to enable Active Directory authentication with CIFS in Alfresco!!
