LDAP and Alfresco problem

kocoubb
Champ in-the-making
Hello,
I am having problems getting my Alfresco LDAP settings to work correctly. I have followed the instructions on viewtopic.php?t=3351 and I don't receive any errors on Alfresco startup, but my users in LDAP cannot log in. I don't know where to start troubleshooting. How can I enable logging for LDAP authentication, so that I can see what is happening on my login attempts? I've got logging turned on so that I get the following in my logs.

[org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a string uid and password at ldap://myserver:389
[org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://myserver:389
[org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://myserver:389

From what I can tell this is a good message, as my server does not allow fallback to anonymous mode. Any help on troubleshooting LDAP is appreciated. I am using Fedora Directory Server for my LDAP server and Alfresco 2.1 Community.

Thanks,

ofrxnz
Champ in-the-making
At first guess, it sounds like you need to configure a bind user in Alfresco.

Basically there are two (well, three) ways Alfresco can bind to an LDAP directory for authentication.

1.) Anonymous bind and search. Alfresco connects to the server with no credentials, then searches the directory to find your username (%s in the config) and then matches it with its password.

2.) Bind and search. Alfresco has credentials to first log in/connect to the LDAP server, then it searches as before.

3.) Bind directly as the user. It can kind of be rigged to work, but it is a hack.

It sounds like you are attempting to use method 1, but Fedora does not allow anonymous connections for security reasons, so you need to configure Alfresco to use method 2.

The following lines are from Alfresco 3.0, so the file has changed some, but the basic values should be similar.


ldap.authentication.java.naming.security.principal=CN=John Doe,CN=Users,dc=SOMEDOMAIN,dc=com

This line basically says use this user account. It must be the full DN of the user account. For example, on an LDAP server, a user with the account name johnDoe could have a full DN of CN=John Doe,CN=Users,dc=SOMEDOMAIN,dc=com. I don't know what the Fedora structure is in terms of CN, DN, etc., but the basic style should be the same.

ldap.authentication.java.naming.security.credentials=PasswordForJohnDoeInPlainText

This is just the password for the previous user.


Hopefully this is some help. If that doesn't help, post your LDAP config (cleaned of your specific information). I don't have an Alfresco 2.1 config handy.


Adam
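The three strategies described in the reply above, as an added example that is not part of the thread and not Alfresco's own code. It runs each method against a small constructed in-memory directory that stands in for an LDAP server with anonymous bind disabled (the behaviour the original poster's log lines report), so method 1 fails exactly where Fedora Directory Server refuses it and method 2 succeeds. The entry DNs, passwords and search base are made up; the stand-in does not model connection state, only bind and equality search.

```python
"""Added example: the three LDAP bind strategies from the reply, run against a
constructed in-memory directory. Entry DNs, passwords and the search base are
assumptions, not values from the thread."""
import hmac
import re


class BindError(Exception):
    """A bind or search the server refused (invalidCredentials, or no anonymous access)."""


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter (the %s in the config)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _norm_dn(dn):
    # Case-insensitive match on types and values; whitespace around commas ignored.
    return ",".join(part.strip() for part in dn.split(",")).lower()


_EQUALITY_FILTER = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _parse_equality_filter(flt):
    """Only (attr=value) is supported by the stand-in; \\hh hex escapes are decoded."""
    m = _EQUALITY_FILTER.fullmatch(flt)
    if not m:
        raise ValueError("malformed or unsupported filter: %r" % flt)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    return m.group(1).lower(), value


class Directory:
    """Constructed stand-in for the LDAP server: dn -> attributes."""

    def __init__(self, entries, allow_anonymous=False):
        self.entries = {_norm_dn(dn): attrs for dn, attrs in entries.items()}
        self.allow_anonymous = allow_anonymous

    def bind(self, dn, password):
        """Returns the DN the connection is now bound as ('' for anonymous)."""
        if dn == "" or password == "":
            # RFC 4513: an empty name or an empty password is an anonymous or
            # unauthenticated bind. A server that allows it answers success, which is
            # why a client must never forward an empty password from a login form.
            if not self.allow_anonymous:
                raise BindError("server does not fall back to anonymous bind")
            return ""
        entry = self.entries.get(_norm_dn(dn))
        if entry is None or not hmac.compare_digest(entry["userPassword"], password):
            raise BindError("invalidCredentials")
        return dn

    def search(self, base, flt):
        """Equality search under base; returns matching normalized DNs."""
        attr, value = _parse_equality_filter(flt)
        base_n = _norm_dn(base)
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_n) and attrs.get(attr, "").lower() == value.lower()]


SEARCH_BASE = "ou=people,dc=example,dc=com"                     # assumption
SERVICE_DN = "cn=alfresco-bind,ou=services,dc=example,dc=com"   # assumption
SERVICE_PASSWORD = "svc-secret"                                 # assumption
ENTRIES = {
    SERVICE_DN: {"userPassword": SERVICE_PASSWORD},
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe", "userPassword": "hunter2"},
}
DIRECTORY = Directory(ENTRIES, allow_anonymous=False)


def _find_user_dn(directory, username):
    dns = directory.search(SEARCH_BASE, "(uid=%s)" % escape_filter_value(username))
    if len(dns) != 1:
        raise BindError("expected exactly one entry for uid, found %d" % len(dns))
    return dns[0]


def auth_anonymous_search(directory, username, password):
    """Method 1: anonymous bind, search for the uid, then bind as the DN found."""
    if not password:
        raise BindError("refusing empty password")
    directory.bind("", "")                   # the step the poster's server refuses
    return directory.bind(_find_user_dn(directory, username), password)


def auth_bind_and_search(directory, username, password, service_dn, service_password):
    """Method 2: bind with the service account, search for the uid, rebind as the user."""
    if not password:
        raise BindError("refusing empty password")
    directory.bind(service_dn, service_password)
    return directory.bind(_find_user_dn(directory, username), password)


def auth_direct_bind(directory, username, password):
    """Method 3: build the DN from a userNameFormat-style template and bind directly.
    The username is pasted into an RDN verbatim, so it must already be a safe RDN value."""
    if not password:
        raise BindError("refusing empty password")
    return directory.bind("uid=%s,%s" % (username, SEARCH_BASE), password)


def demo(directory=DIRECTORY, username="jdoe", password="hunter2"):
    """Run all three strategies; returns the bound DN or the failure message per method."""
    attempts = {
        "anonymous-search": lambda: auth_anonymous_search(directory, username, password),
        "bind-and-search": lambda: auth_bind_and_search(directory, username, password,
                                                        SERVICE_DN, SERVICE_PASSWORD),
        "direct-bind": lambda: auth_direct_bind(directory, username, password),
    }
    results = {}
    for name, attempt in attempts.items():
        try:
            results[name] = attempt()
        except BindError as err:
            results[name] = "FAILED: %s" % err
    return results


if __name__ == "__main__":
    for method, outcome in demo().items():
        print("%-17s %s" % (method, outcome))
```

Two things worth noticing when you run it: the service account's password in method 2 is a real credential that has to be stored in plain text in the properties file, so give that account read-only rights and nothing else; and the username is escaped before it is substituted into the `(uid=%s)` filter, so a login name such as `jdoe)(uid=admin` turns into a literal that matches nothing instead of rewriting the query.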

crokette
Champ in-the-making
Hi,

I have the same problem with an Alfresco Labs 3.1 version,

however my conf file seems correct:



# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=(cn=administrateur,cn=users,dc=my_domain,dc=fr)

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=my_password


Can you help me?

ofrxnz
Champ in-the-making
Hey Crokette,

Could you post the full config (cleaned of anything identifying) and describe your setup.

One thing that threw me for a loop was the encryption. It took a while to figure out.

Here is the first config I had working with Active Directory and Alfresco 3.0.

If you want to run encryption it gets a bit more complicated.

ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://192.168.1.100:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=CN=Login User,OU=Some Group,DC=COMPANY,DC=com

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=PasswordForAboveUser

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false
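What the two `escapeCommas*` options in the config above are guarding against, as an added example that is not from the thread and not Alfresco's code: a user id containing a comma is pasted into the `userNameFormat` DN template, so without escaping it changes the structure of the DN. The template and names are made up, and the escaping implemented here is the full RFC 4514 set (commas, plus, quotes, backslash, angle brackets, semicolon, a leading `#`, leading or trailing spaces), not only commas.

```python
"""Added example: RFC 4514 RDN escaping and what happens to a DN template when
it is skipped. Template and user names are assumptions, not values from the thread."""
import string

_DN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value):
    """RFC 4514 section 2.4: escape characters that would split or alter the RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def unescape_rdn_value(value):
    """Inverse of escape_rdn_value: '\\X' gives X, '\\hh' gives code point hh."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(value[i + 1])
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_dn(dn):
    """Split a DN on unescaped commas; every RDN must carry an attribute type."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])       # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("RDN without attribute type: %r (in %r)" % (rdn, dn))
    return rdns


def format_bind_name(user_name_format, user_id, escape_commas_in_bind):
    """Mirror of userNameFormat plus escapeCommasInBind: %s is what the user typed.
    Only a DN template (one containing '=') is escaped; a plain '%s', as used with
    DIGEST-MD5, is not a DN and is passed through unchanged."""
    is_dn_template = "=" in user_name_format
    value = escape_rdn_value(user_id) if (escape_commas_in_bind and is_dn_template) else user_id
    return user_name_format.replace("%s", value)


if __name__ == "__main__":
    template = "CN=%s,DC=company,DC=com"   # assumed template, same shape as the config comment
    for flag in (False, True):
        dn = format_bind_name(template, "Doe, John", flag)
        try:
            print(flag, dn, "->", parse_dn(dn))
        except ValueError as err:
            print(flag, dn, "->", err)
```

With `escapeCommasInBind=false` the login "Doe, John" produces `CN=Doe, John,DC=company,DC=com`, which parses into four RDNs, one of them without an attribute type, so the server never sees the intended entry. With it on, the RDN value becomes `Doe\, John`; that is also the form that contains a backslash, which is the reason the config comment gives for `escapeCommasInUid=true` breaking the default home folder provider.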

crokette
Champ in-the-making
Hi,

My system is Windows Server 2003 and I use Alfresco Labs 3.1 with MySQL 5,

and

this is my ldap-synchronisation.properties:

# 
# This properties file is used to configure LDAP synchronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=inetOrgPerson)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=(OU=utilisateurs,DC=my_domain,DC=fr)

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=personalHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=group)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=(DC=my_domain,DC=fr)

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=group

# The person type in LDAP
ldap.synchronisation.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 0 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=true


and this is my ldap-authentication.properties:

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=(ldap://my-ldap:389)

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=DIGEST-MD5
#ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=(cn=administrateur,cn=users,dc=my_domain,dc=fr)

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=my_password

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

I have seen that you used SIMPLE instead of DIGEST-MD5. Is SIMPLE used for anonymous auth, and DIGEST for encrypted auth?

ofrxnz
Champ in-the-making
Your configuration looks about right.

But the encryption would do it. Windows 2k3 does not support MD5 out of the box, last time I checked. You can install MD5 into Windows though. Also, the LDAP over SSL port used in Windows is 636.

I don't remember if Alfresco uses ldap://server.company.com:636 or ldaps://server.company.com:636 for secure connections.

What I think is happening in your case is Alfresco tries to use MD5 but Windows doesn't support it. Then, because the encryption is unsupported, the connection fails and Alfresco falls back to anonymous authentication, and Active Directory does not support anonymous binding by default, so that fails as well.

SIMPLE authentication is unencrypted. When you are debugging, I would suggest using SIMPLE authentication so you can get it to work without worrying about encryption.

The drawbacks to SIMPLE are that all traffic is plain text, and Active Directory won't let you change passwords and other things over unencrypted connections.

But first, try using SIMPLE, and if you can get that to work, then work towards encryption.
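What "SIMPLE is plain text" means on the wire, as an added example that is not from the thread and not Alfresco or JNDI code. It encodes an LDAPv3 BindRequest (RFC 4511) in BER the way any client does for `SIMPLE`, then parses the bytes back the way a passive observer on an unencrypted port 389 connection would, so the DN and password come straight out. For comparison it encodes a SASL bind (the `DIGEST-MD5` case), which carries a mechanism name and no password field, and a BindResponse, so you can see the resultCode a server returns when it rejects a mechanism (7, authMethodNotSupported) as opposed to bad credentials (49). The DN and password are constructed sample values.

```python
"""Added example: an LDAPv3 simple bind (RFC 4511) encoded in BER, and what an
eavesdropper on an unencrypted connection reads out of it. The DN and password
below are constructed sample values, not anything from the thread."""

TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_BIND_RESPONSE = 0x61  # [APPLICATION 1], constructed
TAG_AUTH_SIMPLE = 0x80    # AuthenticationChoice simple [0], primitive
TAG_AUTH_SASL = 0xA3      # AuthenticationChoice sasl [3], constructed

# LDAPResult resultCode values relevant to bind failures (RFC 4511 appendix A)
RESULT_CODES = {0: "success", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 49: "invalidCredentials"}


def _ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_length(len(content)) + content


def _ber_int(tag, value):
    # Two's-complement, minimal length; enough for messageID, version and resultCode.
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def simple_bind_request(message_id, dn, password):
    """BindRequest with AuthenticationChoice = simple: the password travels as-is."""
    op = _tlv(TAG_BIND_REQUEST,
              _ber_int(TAG_INTEGER, 3)                      # version 3
              + _tlv(TAG_OCTET_STRING, dn.encode())         # name
              + _tlv(TAG_AUTH_SIMPLE, password.encode()))   # simple credentials
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, message_id) + op)


def sasl_bind_request(message_id, mechanism, credentials=b""):
    """BindRequest with AuthenticationChoice = sasl (e.g. DIGEST-MD5): no password field."""
    sasl = _tlv(TAG_OCTET_STRING, mechanism.encode())
    if credentials:
        sasl += _tlv(TAG_OCTET_STRING, credentials)
    op = _tlv(TAG_BIND_REQUEST,
              _ber_int(TAG_INTEGER, 3)
              + _tlv(TAG_OCTET_STRING, b"")
              + _tlv(TAG_AUTH_SASL, sasl))
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, message_id) + op)


def bind_response(message_id, result_code, diagnostic=""):
    body = (_ber_int(TAG_ENUMERATED, result_code)
            + _tlv(TAG_OCTET_STRING, b"")                    # matchedDN
            + _tlv(TAG_OCTET_STRING, diagnostic.encode()))   # diagnosticMessage
    return _tlv(TAG_SEQUENCE, _ber_int(TAG_INTEGER, message_id) + _tlv(TAG_BIND_RESPONSE, body))


def _read_tlv(buf, pos=0):
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def sniff_bind(packet):
    """Parse a captured LDAPMessage; returns what an eavesdropper learns, or None if not a bind."""
    tag, msg, _ = _read_tlv(packet)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != TAG_BIND_REQUEST:
        return None
    _, _, pos = _read_tlv(op)             # version
    _, dn, pos = _read_tlv(op, pos)       # name
    auth_tag, auth, _ = _read_tlv(op, pos)
    seen = {"message_id": int.from_bytes(mid, "big", signed=True), "dn": dn.decode()}
    if auth_tag == TAG_AUTH_SIMPLE:
        seen.update(method="simple", password=auth.decode())
    elif auth_tag == TAG_AUTH_SASL:
        _, mech, _ = _read_tlv(auth)
        seen.update(method="sasl/" + mech.decode(), password=None)
    return seen


def parse_bind_response(packet):
    _, msg, _ = _read_tlv(packet)
    _, _, pos = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    _, rc, _ = _read_tlv(op)
    code = int.from_bytes(rc, "big", signed=True)
    return code, RESULT_CODES.get(code, "other")


if __name__ == "__main__":
    pkt = simple_bind_request(1, "CN=Login User,OU=Some Group,DC=COMPANY,DC=com", "PasswordForAboveUser")
    print(pkt.hex())
    print(sniff_bind(pkt))
    print(sniff_bind(sasl_bind_request(2, "DIGEST-MD5")))
    print(parse_bind_response(bind_response(2, 7, "mechanism not supported")))
```

The hex dump of the simple bind contains the service account's DN and password as plain octet strings, which is why the bind user should get a read-only account and why the move from port 389 to LDAPS on 636 (or StartTLS) matters once debugging is done. A server that does not support the requested SASL mechanism answers with resultCode 7 rather than with a bind failure on the credentials, which is the cheapest way to tell "unsupported mechanism" apart from "wrong password" when reading a capture or the server's access log.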

crokette
Champ in-the-making
-_-' I have problems.

When I use the 636 port, or when I comment out DIGEST-MD5 and uncomment SIMPLE, I can't reach Alfresco's web interface; I get a 404 error.

ofrxnz
Champ in-the-making
Hmmm...

The only other thing I notice is you have some () around your ldap://server and OU=,DC=,DC= lines in your config.

The config I posted worked in 3.0.0 against Active Directory. I don't know if something has changed in 3.1.

Just to put some troubleshooting out there: have you restarted Alfresco? Are your LDAP ports open on the directory server, and if you are using Active Directory, is LDAP enabled?

crokette
Champ in-the-making
Yes, I have used '(' ')' and I succeeded in importing Active Directory's groups into Alfresco, but I failed with users.

With an LDAP admin tool, I can't connect to my Active Directory on port 636.