LDAP/Active Directory authentication AGAIN - why is it so hard?

bxiang
Champ in-the-making
Hi,

We are currently evaluating Alfresco/Nuxeo. I got Nuxeo authenticated against Active Directory using LDAP pretty quickly. But I cannot get Alfresco authentication working using LDAP (Active Directory) even after a few days of struggling. Here is what I did:
1) Downloaded Lab 3 stable (tomcat bundle).
2) Started the server and logged in using admin/admin with no problem, then shut down the server.
3) Added this in the log4j.properties file:
log4j.logger.org.alfresco.repo.importer.ImporterJob=debug
log4j.logger.org.alfresco.repo.importer.ExportSourceImporter=debug
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug
4) My ldap-authentication.properties file:
ldap.authentication.userNameFormat=CN=%s,OU=Dev,DC=tlr,DC=com

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://110.192.4.33:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=tlr\admin

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=****

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
5) Renamed ldap-authentication-context.xml.sample to ldap-authentication-context.xml

But it does not work. I saw this in alfresco.log :
11:59:53,814 WARN  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server supports anonymous bind ldap://110.192.4.33:389
11:59:53,829 INFO  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a string uid and password at ldap://110.192.4.33:389
11:59:53,845 INFO  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://110.192.4.33:389
11:59:53,845 INFO  [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://110.192.4.33:389
But no other information tells me where to look for the problem.

I have even tried using in ldap-authentication.properties:
ldap.authentication.userNameFormat=%s
and
ldap.authentication.userNameFormat=sAMAccountName=%s

But none of them work. All I want is to get simple LDAP authentication to work. Why is it so hard? Help please!!!

Thanks,
Brian
5 REPLIES

loftux
Star Contributor
Try to specify your login as
ldap.authentication.java.naming.security.principal=CN=tlr\admin,OU=Dev,DC=tlr,DC=com

bxiang
Champ in-the-making
Thanks Loftux! I got it working by using
ldap.authentication.userNameFormat=%s@tlr.com

Comparing it to Nuxeo's LDAP, I think Alfresco LDAP is missing the following:

- 1 ability to specify the LDAP context root,  such as OU=blah,DC=company,DC=com.
ldap.authentication.userNameFormat=CN=%s,OU=Dev,DC=tlr,DC=com
does not work in my case because the Distinguished Name for a certain user might be something like:
CN=someuserid,OU=dep,OU=PEOPLE,OU=Dev,DC=tlr,DC=com
- 2 ability to specify the SearchScope be one of options:
javax.naming.directory.SearchControl.SUBTREE_SCOPE
javax.naming.directory.SearchControl.ONELEVEL_SCOPE
- 3 ability to specify the default admin userid and default group for LDAP authentication (Nuxeo can!). This is a major pain right now! Once configured using LDAP, I log in using my LDAP userid and I can only be a regular user. I lost the Admin account. So I have to chain LDAP and Alfresco internal authentication in order to get the Admin account back (anybody know any other way?). But chaining is NOT working at all. I searched the forum. It seems a few people have already complained about this issue. I got this exception chaining LDAP + Alfresco internal authentication:
17:22:09,283 ERROR [org.springframework.web.context.ContextLoader] Context initialization failed
java.lang.NullPointerException
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.isSystemUserName(AbstractAuthenticationComponent.java:299)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:161)
   at org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl.setCurrentUser(ChainingAuthenticationComponentImpl.java:373)
   at org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl.setSystemUserAsCurrentUser(ChainingAuthenticationComponentImpl.java:407)
   at org.alfresco.repo.importer.system.SystemInfoBootstrap.bootstrap(SystemInfoBootstrap.java:124)
   at org.alfresco.repo.importer.system.SystemInfoBootstrap.onBootstrap(SystemInfoBootstrap.java:190)
   at org.alfresco.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:62)
   at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
   at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
   at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
   at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
   at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:244)
   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:187)
   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:516)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

Can someone give me some hint where do I go from here?
Thanks,
Brian
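The two posts above turn on how a login name becomes an LDAP bind name: a fixed `CN=%s,OU=Dev,...` template only matches users directly under that OU, a UPN such as `%s@tlr.com` works because Active Directory accepts it as a simple-bind name, and the `escapeCommasInBind` setting matters when a CN contains a comma. The toy model below is an added example, not code from the thread or from Alfresco; it simulates a directory with three constructed entries and shows template expansion, DN-exists bind versus UPN bind, and search-then-bind under ONELEVEL versus SUBTREE scope (the two `SearchControls` scopes Brian names). The `%s` substitution and comma-escaping semantics are assumptions modelled on the property names in the thread.

```python
import re
from enum import Enum
from typing import Dict, List, Optional


class SearchScope(Enum):
    """Mirrors the javax.naming.directory.SearchControls scopes named in the thread."""
    ONELEVEL = 1
    SUBTREE = 2


# Constructed sample directory (DN -> attributes). It stands in for the AD server;
# none of these entries are real.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "CN=alice,OU=Dev,DC=tlr,DC=com": {
        "sAMAccountName": "alice", "userPrincipalName": "alice@tlr.com"},
    "CN=someuserid,OU=dep,OU=PEOPLE,OU=Dev,DC=tlr,DC=com": {
        "sAMAccountName": "someuserid", "userPrincipalName": "someuserid@tlr.com"},
    # A CN containing a comma: the comma is escaped with a backslash in the DN.
    "CN=Smith\\, John,OU=Dev,DC=tlr,DC=com": {
        "sAMAccountName": "jsmith", "userPrincipalName": "jsmith@tlr.com"},
}


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not escaped with a backslash."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn)]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace so DNs compare the way a server would."""
    return ",".join(rdn.lower() for rdn in split_dn(dn))


def format_user_name(template: str, login: str, escape_commas: bool = False) -> str:
    """Expand a userNameFormat-style template; %s is the typed login (assumed semantics).

    escape_commas models ldap.authentication.escapeCommasInBind: without it a comma
    in the login splits the DN into extra RDNs and the bind name no longer exists.
    """
    if escape_commas:
        login = login.replace(",", "\\,")
    return template.replace("%s", login)


def is_within(dn: str, base: str, scope: SearchScope) -> bool:
    """True if dn lies under base at the depth the scope allows."""
    rdns = split_dn(normalize_dn(dn))
    base_rdns = split_dn(normalize_dn(base))
    if len(rdns) <= len(base_rdns) or rdns[-len(base_rdns):] != base_rdns:
        return False
    depth = len(rdns) - len(base_rdns)
    return depth == 1 if scope is SearchScope.ONELEVEL else True


def search(base: str, scope: SearchScope, attr: str, value: str) -> List[str]:
    """Return DNs under base (per scope) whose attribute equals value (case-insensitive)."""
    return [dn for dn, attrs in DIRECTORY.items()
            if is_within(dn, base, scope) and attrs.get(attr, "").lower() == value.lower()]


def resolve_bind_name(name: str) -> Optional[str]:
    """Toy model of how the server treats a simple-bind name.

    A name containing '=' is taken as a DN and must exist exactly. A name of the form
    user@realm is treated as a UPN and looked up by userPrincipalName, which is why the
    %s@tlr.com format in the thread works against Active Directory. Anything else fails.
    """
    if "=" in name:
        target = normalize_dn(name)
        return next((dn for dn in DIRECTORY if normalize_dn(dn) == target), None)
    if "@" in name:
        hits = search("DC=tlr,DC=com", SearchScope.SUBTREE, "userPrincipalName", name)
        return hits[0] if len(hits) == 1 else None
    return None


def bind_by_template(template: str, login: str, escape_commas: bool = False) -> Optional[str]:
    """Template-based bind: expand userNameFormat, then try it as the bind name."""
    return resolve_bind_name(format_user_name(template, login, escape_commas))


def search_then_bind(base: str, scope: SearchScope, attr: str, login: str) -> Optional[str]:
    """Search-based bind: find exactly one entry under the context root, bind as its DN."""
    hits = search(base, scope, attr, login)
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    tpl = "CN=%s,OU=Dev,DC=tlr,DC=com"
    print("template, user directly under OU=Dev :", bind_by_template(tpl, "alice"))
    print("template, user nested two OUs deeper :", bind_by_template(tpl, "someuserid"))
    print("UPN format for the nested user       :", bind_by_template("%s@tlr.com", "someuserid"))
    print("search ONELEVEL for the nested user  :",
          search_then_bind("OU=Dev,DC=tlr,DC=com", SearchScope.ONELEVEL, "sAMAccountName", "someuserid"))
    print("search SUBTREE for the nested user   :",
          search_then_bind("OU=Dev,DC=tlr,DC=com", SearchScope.SUBTREE, "sAMAccountName", "someuserid"))
    print("comma in CN, escaped                 :", bind_by_template(tpl, "Smith, John", escape_commas=True))
```

The search-then-bind path is the one Brian asks for in point 1 and 2: a context root plus a scope finds `someuserid` two OUs deep, while the fixed template never can. It needs a service account to run the search, which is the same `java.naming.security.principal` the sync configuration already requires.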

troga
Champ in-the-making
Hi Brian

I am also in trouble now with Alfresco and Active Directory; it is really a pain...
http://forums.alfresco.com/en/viewtopic.php?f=9&t=17435

How was your solution with CIFS? Did you change something?

Best Regards
Troga

jtp
Champ in-the-making
- 3 ability to specify the default admin userid and default group for LDAP authentication (Nuxeo can!). This is a major pain right now! Once configured using LDAP, I log in using my LDAP userid and I can only be a regular user. I lost the Admin account. So I have to chain LDAP and Alfresco internal authentication in order to get the Admin account back (anybody know any other way?). But chaining is NOT working at all. I searched the forum. It seems a few people have already complained about this issue. I got this exception chaining LDAP + Alfresco internal authentication:

You don't need chaining, just enable an LDAP account as an admin. Works for my NTLM setup, should work for you.
(From the Wiki)
The file custom-authority-services-context.xml in tomcat\shared\classes\alfresco\extension (or equivalent) allows such a configuration. (In 2.1 (linux) it can be found in tomcat/webapps/alfresco/WEB-INF/classes/alfresco/authority-services-context.xml.)

For example…
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
    <bean id="authorityService" class="org.alfresco.repo.security.authority.AuthorityServiceImpl">
        <property name="authenticationComponent">
            <ref bean="authenticationComponent" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="authorityDAO">
            <ref bean="authorityDAO" />
        </property>
        <property name="permissionServiceSPI">
            <ref bean="permissionServiceImpl" />
        </property>
        <property name="adminUsers">
            <set>
                <value>smithj</value> <!-- add an NTLM user as an Administrator -->
                <value>admin</value>
                <value>administrator</value>
            </set>
        </property>
    </bean>
</beans>

bxiang
Champ in-the-making
Thanks JTP!
That is what I ended up with, changing authority-services-context.xml. They should allow configuring this from ldap-authentication.properties, because LDAP is such a common requirement and you need an admin account as well when working with LDAP.

Troga,
I did not try to configure CIFS with LDAP. We just need basic LDAP authentication for evaluation purposes. While I was searching the forum, I saw a few threads related to CIFS/LDAP. If it has to use chaining, good luck with that! I do not think chaining is working without doing something like diving into authority-services-context.xml to make some change.

-Brian