
LDAP - Specify Realm

squaricdot
Champ in-the-making
Good afternoon,

I have a working authentication+synchronization LDAP (OpenLDAP) configuration. I store my configuration in shared/classes/alfresco-global.properties as:

<<alfresco-global.properties>>

authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap


#
# OPENLDAP AUTH+SYNC
#-----------
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=true
#ldap.authentication.userNameFormat=mail\=%s,jvd\=cdomain.tld,ou\=customers,dc\=tao,dc\=intranet
ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://tao-dev-auth02.tao.intranet:389
#ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=tao-admin
ldap.synchronization.active=true
#ldap.synchronization.java.naming.security.principal=cn\=alfresco,ou\=services,ou\=mgnt,dc\=tao,dc\=intranet
ldap.synchronization.java.naming.security.principal=service.alfresco
ldap.synchronization.java.naming.security.credentials=****************
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(accountActive\=TRUE)(delete\=FALSE)(!(modifyTimestamp<\={0})))
ldap.synchronization.groupSearchBase=ou\=Groups,jvd\=cdomain.tld,ou\=customers,dc\=tao,dc\=intranet
ldap.synchronization.userSearchBase=jvd\=cdomain.tld,ou\=customers,dc\=tao,dc\=intranet
ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'Z'
ldap.synchronization.userIdAttributeName=mail
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=o
ldap.synchronization.defaultHomeFolderProvider=userHomesHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupType=groupOfNames
ldap.synchronization.personType=inetOrgPerson
ldap.synchronization.groupMemberAttributeName=member

synchronization.synchronizeChangesOnly=false
synchronization.import.cron=0 0 0 * * ?
synchronization.syncWhenMissingPeopleLogIn=false
synchronization.syncOnStartup=true
synchronization.autoCreatePeopleOnLogin=true
<</alfresco-global.properties>>

But in my situation I want to explicitly define the realm which LDAP is going to use.
After googling a bit I see that in the common-ldap-context.xml there is a small area mentioning this:
(tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/common-ldap-context.xml)

<<common-ldap-context.xml>>

            <!-- The authentication mechanism to use -->
            <!-- Some sasl authentication mechanisms may require a realm to be set -->
            <!--                java.naming.security.sasl.realm -->
            <!-- The available options will depend on your LDAP provider -->
            <entry key="java.naming.security.authentication">
               <value>${ldap.authentication.java.naming.security.authentication}</value>
            </entry>
<</common-ldap-context.xml>>

So I tried 2 ways to fix this in my alfresco-global.properties, but with no success:
1)
<<alfresco-global.properties>>

ldap.authentication.java.naming.security.sasl.realm=single
ldap.synchronization.java.naming.security.sasl.realm=single
<</alfresco-global.properties>>

2)
<<alfresco-global.properties>>

java.naming.security.sasl.realm=single
<</alfresco-global.properties>>

To me this should be the obvious configuration, though it's not working. I don't see anyone on this forum dealing with this, so it might just be me who is trying to have this rare configuration. I thought it would be working straight out of the box. Guess I am wrong.

Can anyone tell me more about this? Or rather, what I am doing wrong and what should I do? 🙂

Cheers

Regards,

Olmo
1 REPLY

squaricdot
Champ in-the-making
When I added the java.naming.security.sasl.realm=single lines to the alfresco-global.properties file, the LDAP synchronization was not working; Alfresco was not sending any realm.

Normally that would mean that the default realm is used and the synchronization would succeed.
To test it properly I disabled the regular expressions in slapd.conf which handle the default realm. Only the explicit realm expressions are present, for the realm: single.

Alfresco is throwing an error (the feedback is from OpenLDAP):
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - SASL(-13): user not found: no secret in database]
This is correct, because the realm single was not used: OpenLDAP cannot translate the SASL authentication ID to an existing LDAP DN.

I finally found out how to make Alfresco explicitly provide LDAP with the realm I want, thus actually solving my own problem. However, Alfresco is now throwing another error which makes no sense to me:

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - SASL(-13): authentication failure: realm changed: authentication aborted]

First I describe how to make Alfresco explicitly provide LDAP with the realm you want, although LDAP is not accepting it at this moment.

Edit this part in common-ldap-context.xml:
<<common-ldap-context.xml>>

            <!-- The authentication mechanism to use -->
            <!-- Some sasl authentication mechanisms may require a realm to be set -->
            <!--                java.naming.security.sasl.realm -->
            <!-- The available options will depend on your LDAP provider -->
            <entry key="java.naming.security.authentication">
               <value>${ldap.authentication.java.naming.security.authentication}</value>
            </entry>
<</common-ldap-context.xml>>

Make it look like this:
<<common-ldap-context.xml>>
            <!-- The authentication mechanism to use -->
            <!-- Some sasl authentication mechanisms may require a realm to be set -->
            <!--                java.naming.security.sasl.realm -->
            <entry key="java.naming.security.sasl.realm">
                <value>${ldap.synchronization.java.naming.security.sasl.realm}</value>
            </entry>
            <!-- The available options will depend on your LDAP provider -->
            <entry key="java.naming.security.authentication">
               <value>${ldap.authentication.java.naming.security.authentication}</value>
            </entry>
<</common-ldap-context.xml>>

Add this property in its default setting to the ldap-authentication.properties file, like this:
# vim subsystems/Authentication/ldap/ldap-authentication.properties
<<ldap-authentication.properties>>

# The SASL realm
ldap.synchronization.java.naming.security.sasl.realm=
<</ldap-authentication.properties>>

Finally, I can add the following line to my alfresco-global.properties:

<<alfresco-global.properties>>

ldap.synchronization.java.naming.security.sasl.realm=single
<</alfresco-global.properties>>

When a synchronization is performed it throws the error (feedback from OpenLDAP):
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - SASL(-13): authentication failure: realm changed: authentication aborted]

Why is LDAP not accepting my realm?
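As an added illustration (not part of this thread and not Alfresco's own code), the following Python model shows why the two attempts in the question never reached the LDAP server while the three steps in the reply do. It layers the subsystem's own defaults, alfresco-global.properties and the `${...}` placeholders in the context XML into the JNDI environment map. Two rules of the model are assumptions that mirror the reply's steps rather than Alfresco internals quoted on this page: only a property declared in the subsystem's .properties file can be overridden from alfresco-global.properties, and an entry that resolves to an empty string is not sent to the server.

```python
"""Model of how an Alfresco authentication subsystem turns its property files into the
JNDI environment passed to InitialDirContext. Added illustration, not Alfresco's own code;
the layering rules are assumptions that mirror the three steps in the reply above."""
import re
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties parser: '#' comments, key=value, '\\=' unescaped in values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\=", "=")
    return props


def effective_subsystem_properties(defaults, overrides):
    """Layer alfresco-global.properties over the subsystem's own defaults.
    Assumption (mirrors step 2 of the reply): only keys the subsystem declares in its
    .properties file can be overridden; any other key in the global file is ignored."""
    effective = dict(defaults)
    for key, value in overrides.items():
        if key in defaults:
            effective[key] = value
    return effective


def build_jndi_env(context_xml, props):
    """Resolve ${...} placeholders in each <entry> of the context XML into a JNDI env map.
    Assumption: entries that resolve to an empty string are not sent to the server,
    which is what lets the empty default realm mean 'let the server pick its realm'."""
    env = {}
    for entry in ET.fromstring(context_xml).iter("entry"):
        jndi_key = entry.get("key")
        raw = entry.findtext("value", default="")

        def resolve(match):
            name = match.group(1)
            if name not in props:
                # An unresolvable placeholder is a configuration error; fail loudly.
                raise KeyError(f"unresolved placeholder ${{{name}}} for {jndi_key}")
            return props[name]

        value = PLACEHOLDER.sub(resolve, raw)
        if value:
            env[jndi_key] = value
    return env


# ---- constructed samples, trimmed to the keys that matter for the realm question ----
SUBSYSTEM_DEFAULTS = """
ldap.authentication.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=
"""
# Step 2 of the reply: declare the new property in the subsystem defaults, empty by default.
SUBSYSTEM_DEFAULTS_WITH_REALM = SUBSYSTEM_DEFAULTS + """
# The SASL realm
ldap.synchronization.java.naming.security.sasl.realm=
"""

CONTEXT_XML = """
<map>
  <entry key="java.naming.security.authentication">
    <value>${ldap.authentication.java.naming.security.authentication}</value>
  </entry>
  <entry key="java.naming.security.principal">
    <value>${ldap.synchronization.java.naming.security.principal}</value>
  </entry>
</map>
"""
# Step 1 of the reply: wire the new property into the JNDI environment.
CONTEXT_XML_WITH_REALM = CONTEXT_XML.replace("</map>", """  <entry key="java.naming.security.sasl.realm">
    <value>${ldap.synchronization.java.naming.security.sasl.realm}</value>
  </entry>
</map>""")

# The question's attempts 1 and 2 plus the reply's step 3, all in one global file.
GLOBAL_PROPERTIES = """
ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.synchronization.java.naming.security.principal=service.alfresco
ldap.synchronization.java.naming.security.sasl.realm=single
java.naming.security.sasl.realm=single
"""


def realm_sent_to_server(context_xml, defaults_text, global_text):
    """Return the realm that would reach the LDAP server, or None if none is sent."""
    props = effective_subsystem_properties(parse_properties(defaults_text),
                                           parse_properties(global_text))
    return build_jndi_env(context_xml, props).get("java.naming.security.sasl.realm")


if __name__ == "__main__":
    # Stock context and defaults: no realm reaches the server, whatever the global file says.
    print(realm_sent_to_server(CONTEXT_XML, SUBSYSTEM_DEFAULTS, GLOBAL_PROPERTIES))
    # After the reply's three steps the realm is part of the JNDI environment.
    print(realm_sent_to_server(CONTEXT_XML_WITH_REALM, SUBSYSTEM_DEFAULTS_WITH_REALM,
                               GLOBAL_PROPERTIES))
```

The model stops at what the client sends. The "realm changed: authentication aborted" error in the reply comes from the server side of the DIGEST-MD5 exchange, where Cyrus SASL rejects a client response whose realm is not one the server offered in its challenge, so the next thing to check is which realm(s) slapd actually advertises and whether `single` is among them.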