
LDAP configuration issues

dasjlm
Champ in-the-making
Sorry to be a pest, but I have reviewed the docs, various forum hits, etc., and still can't get LDAP authentication to work. (I'm ignoring the user/group sync aspect at this point.)


I'm testing the latest Enterprise release and can't get either our Sun Directory or Active Directory to work for web authentication. To complicate matters, I can't seem to find the trick with log4j.properties to put out some kind of authentication error. How do you turn on authentication logging for the web client?

I suspect the problem with the Sun Directory is that it doesn't support DIGEST-MD5, as it's still using Unix crypt. I can't seem to find any way to do that. Is Unix crypt supported? Do you have any other users talking to a Sun Directory Server (Netscape) using Unix crypt for passwords? Can you suggest any other encryption protocols to try?

I also tried to get authentication to work with Active Directory, but still get the same results: logon rejected, no messages in the logs. Our Active Directory is supposed to support DIGEST-MD5.

I did confirm my XP PC can communicate with both directories, i.e. it is able to read the directory.

It seems that any time I save an ldap-authentication-context.xml file to the extension directory, it causes authentication to break.


I assume I need to have a defined user in Alfresco to match the LDAP user, as there is no user sync for now. Is that correct?

i.e. if my cn is dasjlm, do I create an ID in Alfresco to match?

What credentials do I need to use to log on to the web client?
i.e. I assume I should use my cn and password?



What can I do to debug the problem? I need to resolve it to do a demo of the project.





3 REPLIES

dasjlm
Champ in-the-making
After a lot of mucking about and searching the forum, I think I finally got the combination that allows LDAP authentication with passthru for CIFS.

I'm able to logon via the web and authenticate using Active Directory.

I'm able to use passthru for CIFS.

The tricks seem to be:
- use simple authentication for Active Directory to let anonymous work
- provide two LDAP beans (one for web authentication and one for CIFS)


Not sure why but it works.


    <bean id="ldapAuthenticationComponentImpl" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!--
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.

            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".

            "cn=%s,ou=London,dc=company,dc=com" - if the user types in "Joe Bloggs", then authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com".
            Usually for simple authentication.
            -->
            <value>uwo\%s</value>
        </property>
    </bean>


<!-- LDAP authentication configuration -->

    <!--
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign-on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
    -->

    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!--
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.

            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".

            "cn=%s,ou=London,dc=company,dc=com" - if the user types in "Joe Bloggs", then authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com".
            Usually for simple authentication.
            -->
            <value>uwo\%s</value>
        </property>
    </bean>
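Added example (editor's code, not from the thread or from Alfresco itself): a Python sketch of what the userNameFormat styles quoted in the bean comments above do to the typed name, and of the check a "simple" bind needs before the name and password leave the application. Assumptions: Alfresco substitutes the typed name for %s verbatim (the RFC 4514 escaping here is an added safeguard, not product behaviour); the directory is a constructed in-memory stand-in; all templates, names and passwords are made up. The point it shows: under simple authentication, a bind with a valid name and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that Active Directory accepts by default, answering success as anonymous, so a login path that only asks "did the bind fail?" lets an empty password through.

```python
"""Mirror of Alfresco's userNameFormat mapping plus the pre-bind checks a
simple bind needs. Added example: the template handling is a simplified
stand-in for Alfresco's own code, and the directory below is constructed."""

# RFC 4514 section 2.4: these characters must be escaped inside a DN value.
_DN_SPECIAL = set('"+,;<>\\=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def format_bind_name(user_name_format: str, typed: str) -> str:
    """Turn what the user typed into the name handed to the LDAP bind.

    Three template shapes from the thread are handled (assumption: the
    product substitutes the typed name for %s verbatim, so the escaping
    here is the added safety check, not something it does for you):
      "%s"                      pass-through, for SASL mechanisms like DIGEST-MD5
      "cn=%s,ou=London,dc=..."  DN template for a simple bind; value is escaped
      "uwo\\%s"                 DOMAIN\\user for a simple bind against AD
    """
    if user_name_format.count("%s") != 1:
        raise ValueError("userNameFormat must contain exactly one %s")
    if not typed or typed != typed.strip():
        raise ValueError("empty or whitespace-padded user name")
    if "=" in user_name_format:
        # DN template: escape so "Joe, Bloggs" cannot smuggle in an RDN of its own
        return user_name_format.replace("%s", escape_dn_value(typed))
    if "\\" in user_name_format and ("\\" in typed or "@" in typed):
        # DOMAIN\user template: the typed value must not carry its own domain
        raise ValueError("domain qualifier not allowed in user name")
    return user_name_format.replace("%s", typed)


# Constructed stand-in for the directory, just enough to model RFC 4513
# section 5.1 simple-bind semantics: a non-empty name with an EMPTY password
# is an "unauthenticated" bind, which Active Directory (by default) and other
# servers answer with success, binding the caller as anonymous.
FAKE_DIRECTORY = {
    "cn=Joe Bloggs,ou=London,dc=company,dc=com": "s3cret",
    "uwo\\dasjlm": "hunter2",
}


def fake_simple_bind(name: str, password: str) -> str:
    """Return 'anonymous', 'authenticated' or 'failed', as the server would."""
    if password == "":
        return "anonymous"  # no credential was checked at all
    if FAKE_DIRECTORY.get(name) == password:
        return "authenticated"
    return "failed"


def naive_login(user_name_format: str, typed: str, password: str) -> bool:
    """Treats any bind that did not fail as a login: the classic mistake."""
    name = format_bind_name(user_name_format, typed)
    return fake_simple_bind(name, password) != "failed"


def safe_login(user_name_format: str, typed: str, password: str) -> bool:
    """Refuse an empty password up front and accept only an authenticated bind."""
    if password == "":
        return False
    name = format_bind_name(user_name_format, typed)
    return fake_simple_bind(name, password) == "authenticated"


if __name__ == "__main__":
    tmpl = "cn=%s,ou=London,dc=company,dc=com"
    print(format_bind_name(tmpl, "Joe, Bloggs"))
    print("naive, empty password:", naive_login(tmpl, "Joe Bloggs", ""))
    print("safe,  empty password:", safe_login(tmpl, "Joe Bloggs", ""))
    print("safe,  real password: ", safe_login(tmpl, "Joe Bloggs", "s3cret"))
```

The same empty-password check belongs in front of whatever does the real bind (JNDI's InitialDirContext with java.naming.security.authentication=simple, in the configurations quoted in this thread); the DN escaping only matters for the "cn=%s,..." style, since with DIGEST-MD5 the name is a SASL username, not a DN.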

finner
Champ in-the-making
Hi dasjlm,
Would you have some more info on your configuration for CIFS / LDAP?
I've tried your solution but get the same results (see my post: Passthru on CIFS).

I've removed my NTLM configuration. I can log in on the Web client and WebDAV against LDAP, but not from CIFS.

My config is as follows:

file-servers-custom.xml


. . .
<config evaluator="string-compare" condition="Filesystem Security" replace="true">
    <authenticator type="passthru">
        <Server>my.ldap.ip</Server>  <!-- LDAP server -->
    </authenticator>
</config>
. . .


ldap-authentication-context.xml


. . .
<bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
      <property name="allowDeleteUser">
            <value>true</value>
      </property>
</bean>


<bean id="authenticationComponent" class="es.retevision.ecompany.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentWrapper">
      <property name="LDAPInitialDirContextFactory">
         <ref bean="ldapInitialDirContextFactory"/>
      </property>
      <property name="userNameFormat">
         <value>uid=%s,ou=Users,dc=mydc1,dc=mydc2</value>
      </property>
</bean>

<bean id="ldapAuthenticationComponentImpl" class="es.retevision.ecompany.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentWrapper">
      <property name="LDAPInitialDirContextFactory">
         <ref bean="ldapInitialDirContextFactory"/>
      </property>
      <property name="userNameFormat">
         <value>uid=%s,ou=Users,dc=mydc1,dc=mydc2</value>
      </property>
</bean>

<bean id="ldapInitialDirContextFactory" class="es.retevision.ecompany.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryWrapper">
        <property name="initialDirContextEnvironment">
             <map>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
                <entry key="java.naming.provider.url">
                    <value>ldap://my.ldap.server:port</value>
                </entry>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>     <!-- DIGEST-MD5 -->
                </entry>
             </map>
        </property>
</bean>

. . .

As you can see, I have two beans as suggested by your post, and I'm not using LDAP synchronization.
Sorry to drag this up again; any ideas would be appreciated.
Thanks,
Finner

daliakamal2005
Champ in-the-making
Hi all,

I have the same problem and I spent more than 3 days trying all the suggestions, but I still cannot log in to CIFS.

So I'm asking whether you solved this problem.

Thanks a lot.