LDAP on 3.2?

jriker1
Champ in-the-making
I am trying out Alfresco 3.2 preview 2 and noticed some things have moved around, but regardless I can't get LDAP working.  Does anyone know if it's working in 3.2 yet or if this is futile?  If so, does anyone have any examples of how they configured it?  I know this is not production, as the sample chaining files reference the old properties file paths.  Also, is there a beta forum for this version? Since the forum search won't allow you to search on things like 3.2 even if you put them in quotes, it makes it hard to find people talking about the prerelease version specifically.

Thanks.

JR
31 REPLIES

blackened
Champ in-the-making
Does anyone have any info on this?  I am also trying to get LDAP figured out on 3.2 preview 2 and see no documentation on it nor does there seem to be any ldap config files in the sample extensions archive.  If 3.2 doesn't have a working LDAP setup, does anyone know at what point it might be added in again?  Thanks.

dward
Champ on-the-rise
Dear jriker

First you need to set up your authentication chain by declaring it in custom-repository.properties. E.g.

authentication.chain=myldap:ldap

Now take a copy of

root\projects\repository\config\alfresco\subsystems\Authentication\ldap\ldap-authentication.properties

and place it in your extension classpath under

alfresco/extension/subsystems/Authentication/ldap/myldap/ldap-synchronisation.properties

(note that your instance name is the last directory in the path)

... and edit it so that the parameters match your environment.

We certainly had this working in one of our test environments so let me know (via the forums) if you have any further problems.

iantopanto
Champ in-the-making
What would one do if they wanted to sync the groups and users from LDAP (possibly a one-off, or it could be permanent) and use NTLM passthru to a Samba machine?

I had this working on a previous version of Alfresco, where it was doing the sync (at intervals) and auth through our Samba server (set up to do pam_ldap).  We need this to get the CIFS server working properly.

Thanks,
Ian

blackened
Champ in-the-making
dward -

I followed the instructions but I must have an improper filename or path for the properties file.  I have definitely modified it with my own server name, but the error in the log upon starting Alfresco shows the default server:

10:50:29,893 ERROR [org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl] Unable to connect to LDAP Server; check LDAP configuration
javax.naming.CommunicationException: openldap.domain.com:389 [Root exception is java.net.UnknownHostException: openldap.domain.com]

Can you verify the filename you mentioned as well as the path?  I did make sure to name the last directory in my path with the instance name I specified in custom-repository.properties.

Thanks,
Scott

blackened
Champ in-the-making
OK, so I got to the next step by modifying the ldap-authentication.properties that resides under <TOMCATDIR>/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap.  I no longer get the LDAP-related errors about openldap.domain.com.  However, attempting to log in either with an LDAP test user or with the local Alfresco admin user is unsuccessful.  The Alfresco log shows:

13:36:34,530 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 04270003 Login failed
org.alfresco.web.scripts.WebScriptException: 04270003 Login failed

13:36:43,239 ERROR [org.alfresco.web.scripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 04270006 Login failed
org.alfresco.web.scripts.WebScriptException: 04270006 Login failed

Do I need to add alfresco to the chain to get the regular admin login to work?  Can I have local Alfresco users authenticate before authenticating against LDAP?  Do I need to manually add all of the LDAP users to Alfresco beforehand?

Just a little background - I am running the latest nightly build of Alfresco 3.2 Preview 2 (war files manually loaded onto Tomcat 6) on Centos 5.2, and I am authenticating against a Zimbra installation of LDAP.

Thanks,
Scott

airbag888
Champ in-the-making
I just found out about Alfresco and, watching the videos, was really impressed at the amount of control you have over document management.

Trying it out, after seeing the polished interface all around I was expecting an easy time setting up; however, after looking around I am unable to find a proper configuration screen, and all I see around the forums are people tweaking the code directly.

Is there something I'm missing, or is that the only way? The reason I posted here is that one of my first objectives is to authenticate my users against my AD server.
Please enlighten me.

Thanks!

iantopanto
Champ in-the-making
I think it's the only way to configure the Labs edition anyway.

To get it working for OpenLDAP and indeed Active Directory, what I did was to install the full installer, which includes the Tomcat installation.
To get the auth working to AD you then need to cd into the "tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap" folder in the Tomcat install and edit a file called "ldap-authentication.properties" with AD-specific stuff.

I have no idea how to do sync for AD groups, but with OpenLDAP what I did was to copy the 2 files in "../Synchronization/ldap/" to the ldap auth folder we are in now and edit them accordingly.

Finally, to enable auth (and sync) you will need to edit your custom-repository.properties file in "tomcat/shared/classes/alfresco/extension/", adding the line "Authentication.chain=myldap:ldap".  This is supposed to read your ldap config from shared/classes/alfresco/extension/subsystem/Authentication/ldap/myldap/ but I never got it working like this.

Hope it helps.
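The chain-and-override layout that dward and iantopanto describe above is easy to get subtly wrong, and blackened's log earlier in the thread (the connection error still naming the shipped placeholder host openldap.domain.com) is what a silently ignored override looks like. The script below is an added example, not Alfresco code: it works out which properties files would be read for each ldap entry in authentication.chain and reports the effective server host, flagging an override directory that was never found and a chain key that was mistyped. It assumes the layout the thread gives (shipped defaults under alfresco/subsystems/Authentication/ldap/, overrides under alfresco/extension/subsystems/Authentication/ldap/<instance>/, with every *.properties file in that directory being read), that property keys are case-sensitive as in any Java properties file, and that the server URL key is ldap.authentication.java.naming.provider.url as in Alfresco's sample file. The directory tree it builds for the demo is constructed.

```python
"""Check which Alfresco LDAP subsystem properties actually take effect.

Added example, not Alfresco code.  Assumed layout (from the thread):
  <root>/alfresco/subsystems/Authentication/<type>/ldap-authentication.properties   (shipped default)
  <root>/alfresco/extension/subsystems/Authentication/<type>/<instance>/*.properties (override)
Assumed key for the server URL: ldap.authentication.java.naming.provider.url
"""
import tempfile
from pathlib import Path

DEFAULT_HOST = "openldap.domain.com"   # placeholder host in the shipped sample (see the error in the thread)
URL_KEY = "ldap.authentication.java.naming.provider.url"
CHAIN_KEY = "authentication.chain"      # lower-case 'a'; Java property keys are case-sensitive


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cuts = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not cuts:
            continue
        i = min(cuts)
        props[line[:i].strip()] = line[i + 1:].strip()
    return props


def parse_chain(value):
    """'myldap:ldap, alfrescoNtlm1:alfrescoNtlm' -> [('myldap', 'ldap'), ('alfrescoNtlm1', 'alfrescoNtlm')]"""
    chain = []
    for item in value.split(","):
        item = item.strip()
        if item:
            instance, _, subtype = item.partition(":")
            chain.append((instance.strip(), subtype.strip()))
    return chain


def load_instance(roots, subtype, instance):
    """Merge the shipped default with every *.properties file in the instance override dir."""
    merged, sources = {}, []
    for root in roots:
        default = Path(root, "alfresco/subsystems/Authentication", subtype, "ldap-authentication.properties")
        if default.is_file():
            merged.update(parse_properties(default.read_text(encoding="utf-8")))
            sources.append(default)
    for root in roots:
        override_dir = Path(root, "alfresco/extension/subsystems/Authentication", subtype, instance)
        for p in sorted(override_dir.glob("*.properties")):   # any file name in that directory is read
            merged.update(parse_properties(p.read_text(encoding="utf-8")))
            sources.append(p)
    return merged, sources


def check_chain(roots, custom_props_text):
    """Report, per ldap chain entry, the effective host and whether an override was found."""
    props = parse_properties(custom_props_text)
    if CHAIN_KEY not in props:
        near = [k for k in props if k.lower() == CHAIN_KEY]   # e.g. 'Authentication.chain' is ignored
        hint = f" (found '{near[0]}' instead)" if near else ""
        return {"chain": [], "problem": f"{CHAIN_KEY} not set{hint}"}
    report = []
    for instance, subtype in parse_chain(props[CHAIN_KEY]):
        if subtype != "ldap":
            continue
        merged, sources = load_instance(roots, subtype, instance)
        url = merged.get(URL_KEY, "")
        host = url.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0]
        report.append({
            "instance": instance,
            "override_found": any("extension" in p.parts for p in sources),
            "host": host,
            "still_default": host == DEFAULT_HOST,
        })
    return {"chain": report, "problem": None}


def demo(chain_line, override_instance):
    """Constructed sample: shipped file in the webapp, override under shared/classes."""
    with tempfile.TemporaryDirectory() as tmp:
        webapp = Path(tmp, "tomcat/webapps/alfresco/WEB-INF/classes")
        shared = Path(tmp, "tomcat/shared/classes")
        sample = Path(webapp, "alfresco/subsystems/Authentication/ldap/ldap-authentication.properties")
        sample.parent.mkdir(parents=True)
        sample.write_text(f"{URL_KEY}=ldap://{DEFAULT_HOST}:389\n", encoding="utf-8")
        override = Path(shared, "alfresco/extension/subsystems/Authentication/ldap",
                        override_instance, "ldap-authentication.properties")
        override.parent.mkdir(parents=True)
        override.write_text(f"{URL_KEY}=ldap://ldap.example.internal:389\n", encoding="utf-8")
        return check_chain([shared, webapp], chain_line + "\n")


if __name__ == "__main__":
    print(demo("authentication.chain=myldap:ldap", "myldap"))   # override found, real host
    print(demo("authentication.chain=myldap:ldap", "ldap"))     # directory name != instance: still default
    print(demo("Authentication.chain=myldap:ldap", "myldap"))   # mis-cased key: no chain at all
```

Run it against your real classpath roots by calling check_chain([shared_classes_dir, webapp_classes_dir], open("custom-repository.properties").read()): a result whose still_default is true, or whose override_found is false, means the file you edited is not the one the subsystem will read, which is exactly the situation blackened's log shows.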

iantopanto
Champ in-the-making
Why can't someone use LDAP groups of the posixGroup objectClass with memberUid, rather than being forced to use the "groupOfUniqueNames" objectClass?
I know that this is so that the members are validated, but I have all my groups set up with memberUid and a gidNumber; it's easier to use.

I have to build the alfresco.war file with some modification to the source to construct the full dn myself (uid=%s,out=People,dc=domain,dc=com) to allow me to use memberUid and my already setup posixGroups.

Is it possible to have some configuration options in the ldap files so that the admin can choose which type of groups they have?
There could be 2 parameters:
1) choose which type of group we use
2) enter the base dn for the groups if we are using posixGroups, so that we can construct the dn for the user from just the uid, like above.

Can I submit this as a request? I don't think it's a difficult task.
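To make the difference between the two group models concrete, here is an added example (not Alfresco code, and not the poster's patched build) that resolves membership for both objectClasses over a constructed in-memory directory. It shows the point the poster concedes: a groupOfUniqueNames member value is already a DN and can be validated against the directory, whereas a posixGroup memberUid is a bare uid and only becomes checkable once a DN template such as uid=%s,ou=People,dc=domain,dc=com (the poster's template, assuming "ou=" was intended) is supplied, which is the second parameter they ask for. Entries that do not resolve are reported rather than silently granted.

```python
"""Resolve LDAP group membership for groupOfUniqueNames and posixGroup entries.

Added example, not Alfresco code.  DIRECTORY is a constructed in-memory
stand-in for a directory (DN -> attributes); the uid "carol" is deliberately
stale (referenced by both groups, but has no People entry).
"""

GROUP_OF_UNIQUE_NAMES = "groupOfUniqueNames"
POSIX_GROUP = "posixGroup"
PEOPLE_TEMPLATE = "uid=%s,ou=People,dc=domain,dc=com"   # assumed DN template, after the poster's

DIRECTORY = {
    "uid=alice,ou=People,dc=domain,dc=com": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,dc=domain,dc=com": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=editors,ou=Groups,dc=domain,dc=com": {
        "objectClass": [GROUP_OF_UNIQUE_NAMES],
        # member values are full DNs, so they can be checked against the directory directly
        "uniqueMember": ["uid=alice,ou=People,dc=domain,dc=com",
                         "uid=carol,ou=People,dc=domain,dc=com"],
    },
    "cn=staff,ou=Groups,dc=domain,dc=com": {
        "objectClass": [POSIX_GROUP],
        "gidNumber": ["1001"],
        # member values are bare uids; a base DN / template is needed to build the user DN
        "memberUid": ["alice", "bob", "carol"],
    },
}


def resolve_members(directory, group_dn, user_dn_template=None):
    """Return (valid_member_dns, dangling_dns) for the group at group_dn.

    groupOfUniqueNames: uniqueMember values are DNs and are validated as-is.
    posixGroup: memberUid values are expanded with user_dn_template (e.g.
    'uid=%s,ou=People,dc=domain,dc=com'); without a template the group cannot be
    resolved, which is why the poster had to patch the DN construction in.
    """
    entry = directory[group_dn]
    classes = entry.get("objectClass", [])
    if GROUP_OF_UNIQUE_NAMES in classes:
        candidates = list(entry.get("uniqueMember", []))
    elif POSIX_GROUP in classes:
        if not user_dn_template:
            raise ValueError(f"{group_dn} is a posixGroup; a user DN template is required")
        # real code must DN-escape the uid (RFC 4514) before substituting it
        candidates = [user_dn_template % uid for uid in entry.get("memberUid", [])]
    else:
        raise ValueError(f"{group_dn}: unsupported group objectClass {classes}")
    valid = [dn for dn in candidates if dn in directory]
    dangling = [dn for dn in candidates if dn not in directory]
    return valid, dangling


if __name__ == "__main__":
    print(resolve_members(DIRECTORY, "cn=editors,ou=Groups,dc=domain,dc=com"))
    print(resolve_members(DIRECTORY, "cn=staff,ou=Groups,dc=domain,dc=com", PEOPLE_TEMPLATE))
```

Both groups resolve to alice (and bob for staff) and both report the stale carol DN as dangling; the only extra input the posixGroup path needs is the template, which is what a "group type" plus "group base DN" pair of settings would supply.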

airbag888
Champ in-the-making
I think it's the only way to configure the Labs edition anyway.

To get it working for OpenLDAP and indeed Active Directory, what I did was to install the full installer, which includes the Tomcat installation.
To get the auth working to AD you then need to cd into the "tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap" folder in the Tomcat install and edit a file called "ldap-authentication.properties" with AD-specific stuff.

I have no idea how to do sync for AD groups, but with OpenLDAP what I did was to copy the 2 files in "../Synchronization/ldap/" to the ldap auth folder we are in now and edit them accordingly.

Finally, to enable auth (and sync) you will need to edit your custom-repository.properties file in "tomcat/shared/classes/alfresco/extension/", adding the line "Authentication.chain=myldap:ldap".  This is supposed to read your ldap config from shared/classes/alfresco/extension/subsystem/Authentication/ldap/myldap/ but I never got it working like this.

Hope it helps.

Thanks for that thorough response. I'm just out of a seminar and my head's too full of ideas to think about how that'd work in my environment. That said, it seems rather tedious to set up. I was looking forward to presenting Alfresco running in house with some of our data migrated, but I absolutely don't want to be tinkering with the code at such an early stage. If I have to do that now, there's no telling how much more awaits.
A clean administrative console with all settings/options really would make this product showcase-able. However, unless that is possible I probably will not even bother and will look elsewhere.