LDAP and eDirectory

clauded1
Champ in-the-making
Hi,

I'm trying to set up Alfresco 3.2 to interact with Novell eDirectory. So far I just can't authenticate with LDAP using this config:

alfresco-global.properties:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
# alfrescoNtlm1
alfresco.authentication.authenticateCIFS=true
# ldap1
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.userNameFormat=%s
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://192.168.1.6:389
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=myname
ldap.synchronization.active=false
ldap.synchronization.java.naming.security.principal=myname
ldap.synchronization.java.naming.security.credentials=mypassword
#ldap.synchronization.queryBatchSize=
#ldap.synchronization.groupQuery=
#ldap.synchronization.groupDifferentialQuery=
#ldap.synchronization.personQuery=
#ldap.synchronization.personDifferentialQuery=
ldap.synchronization.groupSearchBase=o=myorg
ldap.synchronization.userSearchBase=o=myorg
# the eDirectory attribute is modifyTimestamp (the original had a typo, "midifyTimestamp")
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=cn
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=entryDN
#ldap.synchronization.defaultHomeFolderProvider=
ldap.synchronization.groupIdAttributeName=name
#ldap.synchronization.groupType=
#ldap.synchronization.personType=
ldap.synchronization.groupMemberAttributeName=roleOccupant

Connectivity is good with the LDAP server:

ldapsearch -h 192.168.1.6 -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
dn:
supportedSASLMechanisms: NMAS_LOGIN
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5

I did a trace of the LDAP request to the server, but I still have no clue what's going on:

NDSTRACE output:

3051293600 LDAP: New cleartext connection 0xdb46c80 from 10.53.88.41:49751, monitor = 0xa06beba0, index = 13
2605857696 LDAP: DoBind on connection 0xdb46c80
2605857696 LDAP: Bind name:NULL, version:3, authentication:DIGEST-MD5
2605857696 LDAP: Sending operation result 14:"":"" to connection 0xdb46c80
2614041504 LDAP: DoBind on connection 0xdb46c80
2614041504 LDAP: Bind (cont) name:NULL, version:3, authentication:DIGEST-MD5
2614041504 LDAP: Failed to authenticate full context on connection 0xdb46c80, err = no such entry (-601)
2614041504 LDAP: Sending operation result 49:"":"" to connection 0xdb46c80
2691427232 LDAP: Monitor 0xa06beba0 found connection 0xdb46c80 socket closed, err = -5871, 0 of 0 bytes read
2691427232 LDAP: Monitor 0xa06beba0 initiating close for connection 0xdb46c80
2611936160 LDAP: Server closing connection 0xdb46c80, socket error = -5871
2611936160 LDAP: Connection 0xdb46c80 closed
3049188256 LDAP: Work info status: Total:2 Peak:1 Busy:0
3051293600 LDAP: New TLS connection 0xdb46c80 from 192.168.1.8:55846, monitor = 0xa06beba0, index = 13
2691427232 LDAP: Monitor 0xa06beba0 initiating TLS handshake on connection 0xdb46c80
2614041504 LDAP: DoTLSHandshake on connection 0xdb46c80
2614041504 LDAP: BIO ctrl called with unknown cmd 7
2614041504 LDAP: Completed TLS handshake on connection 0xdb46c80
2610883488 LDAP: DoBind on connection 0xdb46c80
2610883488 LDAP: Treating simple bind with empty DN and no password as anonymous
2610883488 LDAP: Bind name:NULL, version:3, authentication:simple
2610883488 LDAP: Sending operation result 0:"":"" to connection 0xdb46c80
2611936160 LDAP: DoSearch on connection 0xdb46c80
2611936160 LDAP: Search request:
        base: ""
        scope:0  dereference:0  sizelimit:0  timelimit:0  attrsonly:0
        filter: "(objectclass=*)"
        attribute: "wholeSubtreeSearchOps"
        attribute: "oneLevelSearchOps"
        attribute: "searchOps"
        attribute: "errors"
        attribute: "securityErrors"
2611936160 LDAP: Sending search result entry "" to connection 0xdb46c80
2611936160 LDAP: Sending operation result 0:"":"" to connection 0xdb46c80
2691427232 LDAP: Monitor 0xa06beba0 found connection 0xdb46c80 ending TLS session
2614041504 LDAP: DoUnbind on connection 0xdb46c80
2614041504 LDAP: Preempting operation 0x0:0x0 on connection 0xdb46c80 before processing because connection is closing
2614041504 LDAP: Connection 0xdb46c80 closed

clauded1
Champ in-the-making
OK, I got it working (sort of) by using this:

ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=cn=%s,ou=myou,o=myorg

Now the problem: it can only authenticate users in ou=myou,o=myorg, but my users are in dozens of different organizational units. How do I solve that?

dward
Champ on-the-rise
I'm afraid that right now, we don't support search-based name resolution. Whilst there was a workaround on AD to use UPN format and on OpenLDAP to use authz-regexp mappings, it seems that for other directories we may need to support a solution where, in order to resolve a UID, the sync user first runs the user query with uid=x tacked on the end.

I've logged this as an issue:

https://issues.alfresco.com/jira/browse/ETHREEOH-2782

Right now, your only option would be to code an extension to LDAPAuthenticationComponent and LDAPUserRegistry.
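The search-then-bind flow described in the reply above, written out as an added JNDI example (this is not Alfresco's own LDAPAuthenticationComponent code): a lookup account resolves the login name to a DN anywhere under o=myorg, then the user's own password is checked with a second bind as that DN. The search base and the cn attribute come from the config posted in this thread; the LDAPS URL and port 636 (simple binds send the password in the clear, so avoid plain ldap:// for them), the lookup account cn=alfresco-svc and the inetOrgPerson object class are assumptions.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

/** Search-then-bind: find the user's DN anywhere under the search base, then bind as that DN. */
public class SearchThenBind {
    // Assumed values (not from the thread): an LDAPS URL and a read-only lookup account.
    static final String URL = "ldaps://192.168.1.6:636";
    static final String SERVICE_DN = "cn=alfresco-svc,ou=services,o=myorg";
    static final String SEARCH_BASE = "o=myorg";  // same base as ldap.synchronization.userSearchBase
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Step 1: bind as the lookup account and search the whole subtree for the user's cn. */
    static String resolveDn(String servicePassword, String userId) throws NamingException {
        DirContext ctx = bind(SERVICE_DN, servicePassword);
        try {
            SearchControls ctls = new SearchControls();
            ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            // JNDI escapes the {0} argument, so a crafted userId cannot alter the filter (no LDAP injection).
            NamingEnumeration<SearchResult> hits = ctx.search(SEARCH_BASE,
                    "(&(objectClass=inetOrgPerson)(cn={0}))", new Object[] { userId }, ctls);
            if (!hits.hasMore()) return null;                 // unknown user
            String dn = hits.next().getNameInNamespace();
            return hits.hasMore() ? null : dn;                // ambiguous cn: refuse rather than guess
        } finally {
            ctx.close();
        }
    }

    /** Step 2: bind as the resolved DN with the user's own password; false means "not authenticated". */
    static boolean authenticate(String servicePassword, String userId, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false;  // empty password = unauthenticated bind, not a check
        String dn = resolveDn(servicePassword, userId);
        if (dn == null) return false;
        try {
            bind(dn, password).close();
            return true;
        } catch (AuthenticationException e) {
            return false;  // LDAP result 49 (invalidCredentials), as in the NDSTRACE output above
        }
    }
}
```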

clauded1
Champ in-the-making
Hmm, I'm afraid this is beyond my abilities. I've installed many open source software packages that natively support LDAP search-based authentication, so I'm a bit disappointed, as this renders Alfresco almost unusable here.

Thanks for filing the request anyway.

clauded1
Champ in-the-making
OK, I found one workaround that's worth mentioning here: in eDir, we can create an OU for Alfresco, point to this OU in Alfresco's global.properties file and populate the OU with user aliases. I've tested this config successfully here.