
LDAP Authentication & Active Directory

boneill
Star Contributor
Hi guys,

I have been through the wikis and forum posts a number of times and get more confused all the time. I simply want to authenticate users against our Active Directory using LDAP. The users exist in Alfresco, so I only want authentication for now, not synchronisation. Firstly, is MS Active Directory & LDAP authentication supported in Enterprise version 2.2? (Active Directory does not support MD5 passwords, but lots of blogs on 2.1 say they have this working.)

From reading the wiki it appears all I have to do is set values in the ldap-authentication.properties.   (values set as below, these work using an ldap browser app for testing).  Is there something else I need to do as well, other config settings I have missed etc.  Authentication is failing and there is nothing in the log files.  Any help much appreciated:

# The bind name template; %s is replaced by the login name
# (no surrounding quotes: a .properties value is taken literally, quotes included)
ldap.authentication.userNameFormat=cn=%s,ou=marketing,dc= etc

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://myserver:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=myreader

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=password

Regards
5 REPLIES

vycitalr
Champ in-the-making
I think you mix two things together which are not exactly the same: Active Directory and the LDAP protocol. Although Active Directory exposes the LDAP protocol, so you can use ldap-authentication, I think it's a little inconvenient. There is a better way, a more native AD authentication, and that is the NTLM authentication configured in ntlm-authentication-context. Here it is enough to specify the IP of your domain controller and that's all, whereas if you use ldap-authentication it'll be more difficult to configure and might even be impossible. I was also confused about these things and made ldap-auth work for AD, but I had to do some customisations to fit my purposes. But that was due to my lack of knowledge, not knowing about NTLM. Just consider that with the LDAP protocol you bind/authenticate with a string like "cn=%s,ou=marketing,dc= etc", but in AD the CN is usually the real person's name and not the login name. The login name is usually stored in another attribute, "sAMAccountName". So how to handle this?
I just suggest to use ntlm-authentication-context.xml instead of ldap.

Regards
Robert

boneill
Star Contributor
Robert,

Thank you very much for your reply. I understand that you can use NTLM, but they do not want to do that at my client site as NTLM is not very secure, i.e. any user can access Alfresco from a logged-in computer. When you were going through the config options, did you determine if MS AD and LDAP config is supported by Alfresco out of the box? Also, assuming I did want to use the sAMAccountName, can I not just include that in the string that gets passed to AD and configure the LDAP config as follows:
sAMAccountName=%s,ou=marketing,dc= etc etc etc.

Would appreciate a response from an alfresco SE if possible on this post.

janeerdekens
Champ in-the-making
I use something like %s@example.com as the userNameFormat for the AD domain example.com, which allows me to login with a username that is the same as the value of the sAMAccountName attribute in AD.

mrojas73
Champ in-the-making
I use something like %s@example.com as the userNameFormat for the AD domain example.com, which allows me to login with a username that is the same as the value of the sAMAccountName attribute in AD.

Is it possible to login using the e-mail address (userPrincipalName)?

Thank you.

janeerdekens
Champ in-the-making
Hi mrojas73,

I'm not able to log in using the userPrincipalName attribute directly by using it in the userNameFormat field as follows userPrincipalName=%s,CN=Users,Dc=example,dc=com. But since in my case the combination of the sAMAccountName and the AD domain example.com is the same as the value of the userPrincipalName attribute, it looks like you're logging in using that attribute if I specify in my Alfresco config files that userNameFormat=%s@example.com.

Example:

AD domain: example.com
sAMAccountName=john.doe
userPrincipalName=john.doe@example.com

-> so specifying userNameFormat=%s@example.com enables me to log in using the username john.doe.

In your case, if you would want to log in using a username john.doe@example.com, it should suffice to use userNameFormat=%s.

I hope this helps.
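Added example, not code from this thread or from Alfresco: a small Python model of what a simple-bind LDAP authenticator does with the userNameFormat setting, covering both the original poster's properties file and the three bind-name styles discussed in the replies (a DN such as cn=%s,..., a UPN such as %s@example.com, and the sAMAccountName=%s,... proposal). The sample properties, the domain example.com, the user john.doe and all function names are constructed for illustration; the configuration checks (quoted value, simple bind over plain ldap://) and the RFC 4514 escaping of the login name before it is substituted into a DN are the additions a reviewer would want, not Alfresco behaviour.

```python
"""Bind-name construction for LDAP simple-bind authentication against
Active Directory, modelled on Alfresco's userNameFormat setting.
Added example, not Alfresco's own code; the sample properties, domain
and users below are constructed for illustration."""
import re
from dataclasses import dataclass, field

# Constructed sample of the ldap-authentication.properties from the question.
# The quoted userNameFormat value reproduces a common mistake: a .properties
# value is taken literally, so the quotes become part of the bind name.
SAMPLE_PROPERTIES = """
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://myserver:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat="cn=%s,ou=marketing,dc=example,dc=com"
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value, '#'/'!' comments, no quote stripping."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', '!')):
            continue
        key, _, value = line.partition('=')
        props[key.strip()] = value.strip()
    return props


def check_config(props):
    """Return the configuration warnings a reviewer would raise before going live."""
    warnings = []
    fmt = props.get('ldap.authentication.userNameFormat', '')
    if len(fmt) >= 2 and fmt[0] == fmt[-1] == '"':
        warnings.append('userNameFormat is wrapped in quotes; the quotes become part of the bind name')
    url = props.get('ldap.authentication.java.naming.provider.url', '')
    mech = props.get('ldap.authentication.java.naming.security.authentication', '')
    if mech == 'simple' and url.startswith('ldap://'):
        warnings.append('simple bind over plain ldap:// sends every user password in clear text; use ldaps://')
    return warnings


# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIALS = set(',+"\\<>;=')
_SAFE_LOGIN = re.compile(r'^[A-Za-z0-9._-]{1,64}$')             # sAMAccountName-style login
_UPN_LOGIN = re.compile(r'^[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]+$')  # full user@domain login


def escape_dn_value(value):
    """Escape a user-supplied value so it cannot add or alter RDNs when embedded in a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


@dataclass
class BindName:
    kind: str                                   # 'dn', 'upn' or 'netbios'
    value: str                                  # the name sent in the bind request
    warnings: list = field(default_factory=list)


def build_bind_name(user_name_format, login):
    """Expand userNameFormat for one login name, escaping or rejecting the input first."""
    if '%s' not in user_name_format:
        raise ValueError('userNameFormat must contain %s')
    if '=' in user_name_format:  # a distinguished name: escape, then warn about AD naming quirks
        name = BindName('dn', user_name_format.replace('%s', escape_dn_value(login)))
        first_attr = user_name_format.split('=', 1)[0].strip().lower()
        if first_attr == 'samaccountname':
            name.warnings.append('sAMAccountName is not a naming attribute in AD; no such DN exists')
        elif first_attr == 'cn':
            name.warnings.append("in AD the CN is usually the person's display name, not the login name")
        return name
    # UPN (%s@domain, or bare %s when the login already is the UPN) or DOMAIN\%s:
    # there is no escaping syntax, so only a conservative character set is accepted.
    allowed = _UPN_LOGIN if user_name_format == '%s' else _SAFE_LOGIN
    if not allowed.match(login):
        raise ValueError('login name contains characters not allowed in a UPN or DOMAIN\\user name')
    kind = 'netbios' if '\\' in user_name_format else 'upn'
    return BindName(kind, user_name_format.replace('%s', login))


if __name__ == '__main__':
    for warning in check_config(parse_properties(SAMPLE_PROPERTIES)):
        print('config:', warning)
    for fmt in ('%s@example.com', 'cn=%s,ou=marketing,dc=example,dc=com',
                'sAMAccountName=%s,ou=marketing,dc=example,dc=com', 'EXAMPLE\\%s'):
        name = build_bind_name(fmt, 'john.doe')
        print(f'{fmt:50} -> {name.kind}: {name.value} {name.warnings}')
```

Run it as a script to see the two configuration warnings and the bind name each format produces for john.doe; the DN variants come back with the naming caveats the replies raised, and the UPN variant is the one that lines up with a sAMAccountName-style login.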