Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- LDAP + StartTls
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
LDAP + StartTls
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2015 11:34 AM
Hello,
I am using Alfresco 4.2.e on Windows Server 2008 R2.
I intent to configure LDAP authentication on Alfresco so that the users of my Windows AD could log on Alfresco.
My problem is the use of a certificate with StartTls encryption method. Anybody of my AD can log on Alfresco, and I haven't found in the documentation something about my case… How can I enforce Alfresco to choose StartTls encryption method?
In alfresco.log, I have the following error :
<blockquote>
11:00:00,186 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 06200027 Echec de la connexion à ldap://SERVER.DOMAIN.local:389. Raison javax.naming.AuthenticationNotSupportedException, [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:192)
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:108)
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:89)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:688)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:685)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:969)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:714)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:51)
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
</blockquote>
Method applied :
1) Tests with Apache Directory Studio
* Failed with the previous error when:
server : SERVER.DOMAIN.local, port:389, encryption method : none, provider : JNDI
authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local
* Succeed with
server : SERVER.DOMAIN.local, port:389, encryption method : StartTls, provider : JNDI
authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local
2) Alfresco configuration
In alfresco-global.properties file I added in the end :
<blockcode>
### Protocoles d’authentification ###
authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
### Synchronisation Active Directory ###
synchronization.import.cron=0 0/30 9-18 ? * MON-FRI
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
</blockcode>
I added in the arborescence :
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap
- file : common-ldap-context.xml (copy)
- directory : ldap-ad1
|
——– files : ldap-ad-authentication.properties (copy), ldap-ad-authentication-context.xml (copy)
** copies from C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication…
I updated the copy of ldap-ad-authentication.properties like this :
<blockcode>
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://SERVER.DOMAIN.local:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=user_alfresco,Administrateur,admin
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=dc\=DOMAIN,dc=local
ldap.synchronization.userSearchBase=dc\=DOMAIN,dc=local
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
</blockcode>
3) Java configuration
Inspired by https://wiki.alfresco.com/wiki/Ldap_over_SSL
- I copied the certificate from Apache Directory Studio (Window>Preferences>Apache Directory Studio> Certificate validation> export on my PC the certificate CN=SERVER.DOMAIN.local and renamed "certificate.der")
- in a Windows batch console (Administrator mode):
I indicated my keystore password for each previous command.
I opened the properties of the tomcat service of Alfresco with the following command
And in Java>Java Options, I added :
-Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts"
I restarted tomcat and… it I could not log on Alfresco.
<!–break–>
I am using Alfresco 4.2.e on Windows Server 2008 R2.
I intent to configure LDAP authentication on Alfresco so that the users of my Windows AD could log on Alfresco.
My problem is the use of a certificate with StartTls encryption method. Anybody of my AD can log on Alfresco, and I haven't found in the documentation something about my case… How can I enforce Alfresco to choose StartTls encryption method?
In alfresco.log, I have the following error :
<blockquote>
11:00:00,186 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 06200027 Echec de la connexion à ldap://SERVER.DOMAIN.local:389. Raison javax.naming.AuthenticationNotSupportedException, [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:192)
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:108)
at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:89)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:688)
at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:685)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:969)
at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:714)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob$1.doWork(UserRegistrySynchronizerJob.java:51)
at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:548)
at org.alfresco.repo.security.sync.UserRegistrySynchronizerJob.execute(UserRegistrySynchronizerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Caused by: javax.naming.AuthenticationNotSupportedException: [LDAP: error code 8 - 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1 ]
</blockquote>
Method applied :
1) Tests with Apache Directory Studio
* Failed with the previous error when:
server : SERVER.DOMAIN.local, port:389, encryption method : none, provider : JNDI
authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local
* Succeed with
server : SERVER.DOMAIN.local, port:389, encryption method : StartTls, provider : JNDI
authentication method : simple, Bind DN/SASL : CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
or authentication method : simple, Bind DN/SASL : user_alfresco@domain.local
2) Alfresco configuration
In alfresco-global.properties file I added in the end :
<blockcode>
### Protocoles d’authentification ###
authentication.chain=ldap-ad1:ldap-ad,alfrescoNtlm1:alfrescoNtlm
### Synchronisation Active Directory ###
synchronization.import.cron=0 0/30 9-18 ? * MON-FRI
synchronization.synchronizeChangesOnly=false
synchronization.syncWhenMissingPeopleLogIn=true
</blockcode>
I added in the arborescence :
C:\Alfresco\tomcat\shared\classes\alfresco\extension\subsystems\Authentication\ldap
- file : common-ldap-context.xml (copy)
- directory : ldap-ad1
|
——– files : ldap-ad-authentication.properties (copy), ldap-ad-authentication-context.xml (copy)
** copies from C:\Alfresco\tomcat\webapps\alfresco\WEB-INF\classes\alfresco\subsystems\Authentication…
I updated the copy of ldap-ad-authentication.properties like this :
<blockcode>
ldap.authentication.active=true
ldap.authentication.allowGuestLogin=false
ldap.authentication.userNameFormat=%s@domain.local
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://SERVER.DOMAIN.local:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInBind=false
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=user_alfresco,Administrateur,admin
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.authentication=simple
ldap.synchronization.java.naming.security.principal=CN=Alfresco,CN=Users,DC=DOMAIN,DC=local
ldap.synchronization.java.naming.security.credentials=secret
ldap.synchronization.queryBatchSize=1000
ldap.synchronization.attributeBatchSize=1000
ldap.synchronization.groupQuery=(objectclass\=group)
ldap.synchronization.groupDifferentialQuery=(&(objectclass\=group)(!(whenChanged<\={0})))
ldap.synchronization.personQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
ldap.synchronization.personDifferentialQuery=(&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
ldap.synchronization.groupSearchBase=dc\=DOMAIN,dc=local
ldap.synchronization.userSearchBase=dc\=DOMAIN,dc=local
ldap.synchronization.modifyTimestampAttributeName=whenChanged
ldap.synchronization.timestampFormat=yyyyMMddHHmmss'.0Z'
ldap.synchronization.userIdAttributeName=sAMAccountName
ldap.synchronization.userFirstNameAttributeName=givenName
ldap.synchronization.userLastNameAttributeName=sn
ldap.synchronization.userEmailAttributeName=mail
ldap.synchronization.userOrganizationalIdAttributeName=company
ldap.synchronization.defaultHomeFolderProvider=largeHomeFolderProvider
ldap.synchronization.groupIdAttributeName=cn
ldap.synchronization.groupDisplayNameAttributeName=displayName
ldap.synchronization.groupType=group
ldap.synchronization.personType=user
ldap.synchronization.groupMemberAttributeName=member
ldap.synchronization.enableProgressEstimation=true
ldap.authentication.java.naming.read.timeout=0
</blockcode>
3) Java configuration
Inspired by https://wiki.alfresco.com/wiki/Ldap_over_SSL
- I copied the certificate from Apache Directory Studio (Window>Preferences>Apache Directory Studio> Certificate validation> export on my PC the certificate CN=SERVER.DOMAIN.local and renamed "certificate.der")
- in a Windows batch console (Administrator mode):
C:\Alfresco\java\bin\keytool -import -alias 192.168.1.101 -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der
C:\Alfresco\java\bin\keytool -import -alias SERVER.DOMAIN.local -keystore "C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts" -file C:\Users\user_alfresco\Documents\certificate.der
I indicated my keystore password for each previous command.
I opened the properties of the tomcat service of Alfresco with the following command
C:\Alfresco\tomcat\bin\tomcat7w //ES//alfrescoTomcat
And in Java>Java Options, I added :
-Djavax.net.ssl.trustStore="C:\Program Files (x86)\Java\jre1.8.0_45\lib\security\cacerts"
I restarted tomcat and… it I could not log on Alfresco.
<!–break–>
Labels:
- Labels:
-
Archive
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-28-2015 09:38 AM
I have downloaded Apache 2.2 and used it like a front-end proxy in HTTPS. I supposed that I could authenticate but I can't.
the result is I can see the authentication page (in the first case too) but when I try to log in it provokes the same error…
Does somebody know if it is normal I can't authenticate using a front-end Apache in HTTPS?
#edit
The certificate of Apache and the one of the LDAP are different.
the result is I can see the authentication page (in the first case too) but when I try to log in it provokes the same error…
Does somebody know if it is normal I can't authenticate using a front-end Apache in HTTPS?
#edit
The certificate of Apache and the one of the LDAP are different.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-05-2015 04:31 PM
With the LDP Windows command, I have seen that the connection is really in SSL, and a user have to authenticate itself with SASL. So, I check connexion to the server and user authentications with Apache Directory, openssl s_client, and with SSLPoke.
I succeed log LDAP user with this configuration :
I updated only these lines of ldap-ad-authentication.properties like this :
<blockcode>
ldap.authentication.java.naming.provider.url=ldaps://SERVER.DOMAIN.local:636
ldap.synchronization.java.naming.security.principal=Alfresco
</blockcode>
I remove the line I have added in Java options of the tomcat service
I added the certificate in the C:\Alfresco\al_data\keystore\ssl.trustore with this command :
and I restarted Alfresco, and it works!
Thank you
I succeed log LDAP user with this configuration :
I updated only these lines of ldap-ad-authentication.properties like this :
<blockcode>
ldap.authentication.java.naming.provider.url=ldaps://SERVER.DOMAIN.local:636
ldap.synchronization.java.naming.security.principal=Alfresco
</blockcode>
I remove the line I have added in Java options of the tomcat service
I added the certificate in the C:\Alfresco\al_data\keystore\ssl.trustore with this command :
C:\Alfresco\java\bin\keytool -import -storetype JCEKS -file C:\Users\al_semsamar\Documents\se-certificate.der -alias server.domain.se.local -keystore C:\Alfresco\alf_data\keystore\ssl.truststore
and I restarted Alfresco, and it works!
Thank you
Related Content
- ldapS configuration for samba-ad in Alfresco Forum
- ldap configuration in alfresco 7.2 in docker in Alfresco Forum
- Authentication and synchronisation of Alfresco 23 with Active Directory in Alfresco Forum
- Mapeamento dos campos do cadastro de usuário entre Keycloak e alfresco in Alfresco Archive
- Different time Syncronization Ldap in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
