LDAP Authentication For Sites

lchildress
Champ in-the-making
I am a complete novice to Alfresco so bear with me! I have authentication working through Active Directory. I want to create individual sites for our various departments (I am with a government entity) and allow them access to the site based on their group membership in Active Directory. This question, I am sure, has been posted and answered already but I looked through the forum and was unable to find an answer.

Thank you in advance for either giving me some instruction, or pointing me to a link where this has already been answered.
borisstankov
Champ in-the-making
Hello there,

The first thing you need is the synchronization subsystem enabled and working properly, in order for Alfresco to take all groups and other important properties from your users' profiles.
For synchronization you need something like:

synchronization.syncOnStartup=true
synchronization.allowDeletions=true
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.import.cron=0 0 * * * ?

ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=AlfrescoService@domain.com
ldap.synchronization.java.naming.security.credentials=YourPasswordForAlfrescoAccountInAD
#ldap.synchronization.personQuery=(&(objectclass\=person)(objectClass\=user))
#ldap.synchronization.personDifferentialQuery=(objectclass\=*)
ldap.synchronization.groupSearchBase=ou=4,ou=3,dc=domain,dc=com
ldap.synchronization.userSearchBase=ou=1,ou=2,dc=domain,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.personType=user
ldap.synchronization.enableProgressEstimation=true

ldap.authentication.defaultAdministratorUserNames=admin

After that you need to build your folder structure and Manage the Permissions for each folder -> disable the Inherit Permissions button (so that no permission will be inherited from the parent folder), then add some groups to have access to this folder - the button is right next to the Inherit one. Keep in mind that all subfolders will have this "inherit permissions" enabled by default, so if you want to have a deeper folder structure then you need to go through them too.

Let me know how this sounds to you and if you have any further questions.

Cheers!
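As an added example (not code from this thread or from Alfresco), here is a small Python lint for an alfresco-global.properties fragment like the one above. It catches the kinds of mistakes that make the sync subsystem silently do nothing or fail to start: a misspelled synchronization property (Alfresco ignores unknown keys), a sync enabled without an ldap instance in the chain, a bind principal whose UPN suffix does not match the provider host, and a simple bind over plain ldap://. The property-name list and the sample values are assumptions; the sample uses placeholder domains.

```python
import re

# Assumed property names of the Alfresco ldap-ad subsystem (example code, not Alfresco's own).
KNOWN = {"synchronization." + k for k in "syncOnStartup allowDeletions synchronizeChangesOnly syncWhenMissingPeopleLogIn import.cron".split()}
KNOWN |= {"ldap.authentication." + k for k in "active allowGuestLogin userNameFormat java.naming.provider.url defaultAdministratorUserNames".split()}
KNOWN |= {"ldap.synchronization." + k for k in """active java.naming.security.authentication java.naming.security.principal
    java.naming.security.credentials personQuery personDifferentialQuery groupSearchBase userSearchBase
    modifyTimestampAttributeName timestampFormat userIdAttributeName userFirstNameAttributeName
    userLastNameAttributeName userEmailAttributeName defaultHomeFolderProvider personType enableProgressEstimation""".split()}
KNOWN |= {"authentication.chain", "ntlm.authentication.sso.enabled"}

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comment lines skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return a list of human-readable findings for an alfresco-global.properties fragment."""
    p, findings = parse_properties(text), []
    for key in p:
        if key not in KNOWN:
            findings.append(f"unknown property {key!r}: misspelled keys are silently ignored")
    chain = p.get("authentication.chain", "")
    if p.get("ldap.synchronization.active") == "true" and "ldap" not in chain:
        findings.append("ldap.synchronization.active=true but authentication.chain has no ldap instance")
    url = p.get("ldap.authentication.java.naming.provider.url", "")
    host = re.match(r"^ldaps?://([^:/]+)", url)
    upn_suffix = p.get("ldap.synchronization.java.naming.security.principal", "").rpartition("@")[2]
    if host and upn_suffix and not host.group(1).lower().endswith(upn_suffix.lower()):
        findings.append(f"bind principal suffix {upn_suffix!r} does not match provider host {host.group(1)!r}")
    if url.startswith("ldap://") and p.get("ldap.synchronization.java.naming.security.authentication") == "simple":
        findings.append("simple bind over ldap:// sends the service-account password in clear text; prefer ldaps://")
    return findings

# Constructed sample mirroring the fragment shape posted in this thread (placeholders, not real values).
SAMPLE = """synchronization.sinchronyzeChangesOnly=true
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ldap.authentication.java.naming.provider.url=ldap://dc-adcen.example.com:389
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=ldap@example.org
ldap.synchronization.java.naming.security.credentials=placeholder-password"""
```

Running `lint(SAMPLE)` on the constructed sample reports the misspelled property, the .org/.com suffix mismatch, and the clear-text simple bind; correcting those three lines yields an empty list.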

Your settings were very similar to mine, but I erased mine and used yours, keeping my active directory authentication settings. I am able to authenticate through Active Directory but cannot get synchronization to work at all. Additionally, my configuration will fail and the website will not load if I have ldap.synchronization.active=true in the configuration. If I comment out that line, the site will load and I can authenticate, but no synchronization. My config is as follows:

### LDAP Authentication ###
synchronization.syncOnStartup=true
synchronization.allowDeletions=true
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.import.cron=0 0 * * * ?

ldap.authentication.active=true
authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@some-very-not-so-famous-organization.com
ldap.authentication.java.naming.provider.url=ldap://some-very-not-so-famous-organization.com:389

#ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=ldap@some-very-not-so-famous-organization.com
ldap.synchronization.java.naming.security.credentials=insert-incredible-password-here
ldap.synchronization.personQuery=(&(objectclass\=person)(objectClass\=user))
ldap.synchronization.personDifferentialQuery=(objectclass\=*)
ldap.synchronization.groupSearchBase=ou=Users - Internal,dc=some-very-not-so-famous-organization,dc=com
ldap.synchronization.userSearchBase=ou=Users - Internal,dc=some-very-not-so-famous-organization,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.personType=user
ldap.synchronization.enableProgressEstimation=true

ldap.authentication.defaultAdministratorUserNames=admin

First off, let me say THANK YOU, Boris. I did not expect someone to assist me like you have been willing to and I want you to know I truly am appreciative. I made the changes you suggested, and show them below. However, when I enter the URL to Alfresco, the site crashes. If I comment out ldap.synchronization.active=true, the site works and I am able to authenticate, but obviously nothing synchronizes.

synchronization.syncOnStartup=true
synchronization.allowDeletions=true
synchronization.synchronizeChangesOnly=true
synchronization.syncWhenMissingPeopleLogIn=true
synchronization.import.cron=0 0 * * * ?

authentication.chain=alfinst:alfrescoNtlm,ldap1:ldap-ad
ntlm.authentication.sso.enabled=false
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@some-very-not-so-famous-organization.com
ldap.authentication.java.naming.provider.url=ldap://dc-adcen.some-very-not-so-famous-organization.com:389

#ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=ldap@some-very-not-so-famous-organization.org
ldap.synchronization.java.naming.security.credentials=insert-incredible-password-here
ldap.synchronization.personQuery=(&(objectclass\=person)(objectClass\=user))
ldap.synchronization.personDifferentialQuery=(objectclass\=*)
ldap.synchronization.groupSearchBase=ou=Users - Internal,dc=some-very-not-so-famous-organization,dc=com
ldap.synchronization.userSearchBase=ou=Users - Internal,dc=some-very-not-so-famous-organization,dc=com
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider

ldap.synchronization.personType=user
ldap.synchronization.enableProgressEstimation=true

ldap.authentication.defaultAdministratorUserNames=admin

There is no problem about it. A long time ago I had some similar problems and I spent a lot of time on the internet and doing tests before I made my configuration work fine.
Hmm, this is an interesting problem. Do you have any error messages in the catalina.out log file located in /pathto/youralfresco/tomcat/logs/catalina.out during the same time when you try to open the site? Also, what happens in the browser?

I could not find a catalina.out file but I posted today's log below which really didn't tell me anything.

Jun 25, 2015 8:32:02 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-apr-8080"]
Jun 25, 2015 8:32:02 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["ajp-apr-8009"]
Jun 25, 2015 8:32:02 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jun 25, 2015 8:32:02 AM org.apache.catalina.core.StandardService stopInternal
INFO: Stopping service Catalina
Jun 25, 2015 8:39:19 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["http-apr-8080"]
Jun 25, 2015 8:39:19 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["ajp-apr-8009"]
Jun 25, 2015 8:39:19 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["http-bio-8443"]
Jun 25, 2015 8:42:04 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: Loaded APR based Apache Tomcat Native library 1.1.32 using APR version 1.5.1.
Jun 25, 2015 8:42:04 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jun 25, 2015 8:42:05 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1j 15 Oct 2014)
Jun 25, 2015 8:42:06 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Jun 25, 2015 8:42:06 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
Jun 25, 2015 8:42:06 AM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jun 25, 2015 8:42:07 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3688 ms
Jun 25, 2015 8:42:07 AM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jun 25, 2015 8:42:07 AM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.59
Jun 25, 2015 8:42:07 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor C:\Alfresco\tomcat\conf\Catalina\localhost\solr4.xml
Jun 25, 2015 8:42:07 AM org.apache.catalina.startup.SetContextPropertiesRule begin
WARNING: [SetContextPropertiesRule]{Context} Setting property 'debug' to '0' did not find a matching property.
Jun 25, 2015 8:42:30 AM org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deployment of configuration descriptor C:\Alfresco\tomcat\conf\Catalina\localhost\solr4.xml has finished in 23,602 ms
Jun 25, 2015 8:42:31 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive C:\Alfresco\tomcat\webapps\alfresco.war
Jun 25, 2015 8:44:52 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive C:\Alfresco\tomcat\webapps\alfresco.war has finished in 140,979 ms
Jun 25, 2015 8:44:52 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive C:\Alfresco\tomcat\webapps\share.war
Jun 25, 2015 8:45:41 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive C:\Alfresco\tomcat\webapps\share.war has finished in 48,663 ms
Jun 25, 2015 8:45:41 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Alfresco\tomcat\webapps\host-manager
Jun 25, 2015 8:45:41 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\Alfresco\tomcat\webapps\host-manager has finished in 141 ms
Jun 25, 2015 8:45:41 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\Alfresco\tomcat\webapps\manager
Jun 25, 2015 8:45:41 AM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\Alfresco\tomcat\webapps\manager has finished in 93 ms
Jun 25, 2015 8:45:41 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Jun 25, 2015 8:45:41 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-apr-8009"]
Jun 25, 2015 8:45:41 AM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Jun 25, 2015 8:45:41 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 214272 ms
Jun 25, 2015 9:09:18 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-apr-8080"]
Jun 25, 2015 9:09:18 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["ajp-apr-8009"]
Jun 25, 2015 9:09:18 AM org.apache.coyote.AbstractProtocol pause
INFO: Pausing ProtocolHandler ["http-bio-8443"]
Jun 25, 2015 9:09:18 AM org.apache.catalina.core.StandardService stopInternal
INFO: Stopping service Catalina
Jun 25, 2015 9:10:18 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["http-apr-8080"]
Jun 25, 2015 9:10:18 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["ajp-apr-8009"]
Jun 25, 2015 9:10:18 AM org.apache.coyote.AbstractProtocol stop
INFO: Stopping ProtocolHandler ["http-bio-8443"]

My catalina.out file is located /opt.alfresc-5.0/tomcat/logs/catalina.out

It's nice that you are able to use a Linux box. I'm stuck having to use Windows for our environment and it sucks! :) I did a search on my entire drive and there is no catalina.out. I may have to bite the bullet and just pay for SharePoint … great … another Microsoft product to deal with! lol

Boris, you have been an awesome help. Thank you so much.

No problem.
Maybe I got confused, but I did not know that you are using Windows Server for this.
Please try to search for alfresco.log somewhere on the HDD. It appears that it is called a different way on Windows.

I think I'm gonna create an Ubuntu server to test with even though they like everything Windows. I'll keep you posted, and thanks again :)