Labs 3c + external AD auth + SSO... Need some direction

meansartin14
Champ in-the-making
Alfresco Platform:
   Alfresco Community Labs 3c
   Red Hat Enterprise Linux 5.2
   MySQL 5.0.45-community MySQL Community Edition (GPL) (NOTE: Came with RHEL 5.2)
   Tomcat 5.5.23 (comes with Alfresco)
   Java 6 Update 11 (jdk1.6.0_11)

End-user Workstations:
   OS: Windows XP Professional (majority are 32bit, but also a few 64bit)
   User Authentication: Active Directory (Windows Server 2003 R2)

Background/Goal:
We have upwards of 250 users in our area that all authenticate using Active Directory. We do not want/need to manage a separate set of login/password combinations for Alfresco, separate from the current PC login via Active Directory. Also, we would like to configure single sign-on (SSO) for our users so that they never have to log in to Alfresco for CIFS or the Web UI.

So, in short, the end-goal is to have an Alfresco implementation where user authentication is performed against an external Active Directory server, and also have SSO for our users for both the CIFS and Web UI.

Issues/Questions:
It looks like we can use the Configuring the CIFS and web servers for Kerberos/AD integration instructions to allow what we want for user authentication.

But what about groups defined within Alfresco? If users are externally-authenticated (this would mean that the users don't actually exist in Alfresco, right?) then how can I add each user to one or more Alfresco-defined groups which then give them the privileges I want them to have from within Alfresco? Is this possible?

Am I approaching this right or is there a better way to accomplish what I want?
6 REPLIES 6

t_broyer
Champ in-the-making
External authentication only externalizes… authentication. Users are still stored within Alfresco, just that their passwords aren't and Alfresco delegates authentication to an external source.

Actually, AFAICT, users are created in Alfresco only when they first log in. However, you can optionally synchronize (import) your users into Alfresco (along with their first/last name, email address, etc.) from your AD (see the ldap-synchronisation-context.xml.sample in tomcat/shared/classes/alfresco/extension).

Anyway, users will end up existing within Alfresco so you'll be able to add them to groups.
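
The behaviour described in the reply above, as an added sketch that is not part of the original thread and is not Alfresco code: passwords stay in the external directory, while person records and group memberships live in the local repository. The class names, the sample accounts and the rule that group assignment needs an existing local person record are assumptions of this model.

```python
import hmac

class ExternalDirectory:
    """Stands in for Active Directory; holds the only copy of credentials."""
    def __init__(self, accounts):
        self._accounts = accounts                  # constructed sample data

    def authenticate(self, username, password):
        acct = self._accounts.get(username)
        return acct is not None and hmac.compare_digest(acct["password"], password)

    def export_people(self):
        # Profile attributes only; passwords never leave the directory.
        return {u: {"email": a["email"]} for u, a in self._accounts.items()}

class Repository:
    """Local store (hypothetical model): people and groups, no passwords."""
    def __init__(self, directory):
        self.directory = directory
        self.people = {}
        self.groups = {}

    def login(self, username, password):
        if not self.directory.authenticate(username, password):
            return False                           # failed logins create nothing
        self.people.setdefault(username, {})       # created on first successful login
        return True

    def synchronize(self):
        # Optional import: creates person records ahead of any first login.
        for username, profile in self.directory.export_people().items():
            self.people.setdefault(username, {}).update(profile)

    def add_to_group(self, group, username):
        if username not in self.people:
            raise KeyError(f"{username} has no local person record yet")
        self.groups.setdefault(group, set()).add(username)

    def groups_of(self, username):
        return sorted(g for g, members in self.groups.items() if username in members)

AD = ExternalDirectory({                           # constructed accounts
    "alice": {"password": "pw-a", "email": "alice@example.test"},
    "bob": {"password": "pw-b", "email": "bob@example.test"},
})
```

In this model a user who has never logged in can only be placed in a group after `synchronize()` has imported them, which is the practical reason to enable the import when group assignments must be in place before first use.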

meansartin14
Champ in-the-making
> External authentication only externalizes… authentication. Users are still stored within Alfresco, just that their passwords aren't and Alfresco delegates authentication to an external source.
>
> Actually, AFAICT, users are created in Alfresco only when they first log in. However, you can optionally synchronize (import) your users into Alfresco (along with their first/last name, email address, etc.) from your AD (see the ldap-synchronisation-context.xml.sample in tomcat/shared/classes/alfresco/extension).
>
> Anyway, users will end up existing within Alfresco so you'll be able to add them to groups.

Excellent. As soon as I get the System Admins to apply steps 1 through 8 of Configuring the CIFS and web servers for Kerberos/AD integration, I will proceed with steps 9 through 11 and give it a try.

I will also go take a look at the ldap-synchronisation-context.xml.sample file to see if it'd be an easy import of the rest of the information. Does this require any further configuration on the Alfresco server (e.g. LDAP)? I do not have (and would prefer not to have) LDAP configured to operate on the Alfresco server currently.

Thank you for the help!!

meansartin14
Champ in-the-making
I now have external AD authentication for Alfresco active and functioning properly for the Web interface! Thank you very much for the help!!

CIFS is still behaving properly, but I'm fairly certain this is not due to an Alfresco configuration/issue. (see my other thread, if you're interested: http://forums.alfresco.com/en/viewtopic.php?f=9&t=15888)

One thing I need to know: how do you log in as "admin" when you're using external authentication?

zaizi
Champ in-the-making

meansartin14
Champ in-the-making
To define admin users: http://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users

I guess well. I had already done that with my own username prior to seeing your post and it works perfectly.

Thank you all very much. Thanks to your help, Alfresco is now authenticating via a remote Active Directory server for the Web Interface.

Now if I can just get our Windows XP client PCs to allow the CIFS server to be mapped as a network drive… Anyone have any experience in that arena? Take a look at my other thread here, if so: http://forums.alfresco.com/en/viewtopic.php?f=9&t=15888

meansartin14
Champ in-the-making
I have started a thread that I hope to eventually turn into an AlfrescoWiki page for how to configure Active Directory authentication for both CIFS and the Web Interface in Alfresco Labs 3c.

Please see my thread:
[ERROR]Alfresco Engineers: CIFS auth does not work. Sugg?

Please come join in the discussion, or at least subscribe to the thread. I want to try to get everyone having these types of issues into the thread so that we can get a large collection of experiences and configurations.

We WILL find the answer for how to enable Active Directory authentication with CIFS in Alfresco!!