Mixing authentication (LDAP and native)

‎02-07-2008 08:01 PM
Hello,
I know the question may sound stupid, but is it possible to define one or more Alfresco user accounts that are authenticated against a corporate directory service, and (in the same installation) other user accounts that are authenticated using the internal password?
My corporate IT department has set up a test Alfresco system, where all users are authenticated using the corporate directory service via LDAP.
The problem is that there are one or more remote users who will never be defined in the corporate LDAP, and who need to access the Alfresco repository.
Would it be possible to create these non-LDAP users in the Alfresco user directory?
Or, once the LDAP authentication is enabled, must ALL Alfresco users be "mapped" against the LDAP server?

‎02-08-2008 09:13 AM
Please refer to
http://wiki.alfresco.com/wiki/Security_and_Authentication
under section "chaining"; the document sounds promising:
"See projects\repository\config\alfresco\extension\chaining-authentication-context.xml.sample for an example of JAAS and Alfresco authentication services combined.
In the configuration, take care to give unique bean names where required in the definitions of each authentication service stack."
Hope that helps.

‎04-01-2008 07:19 AM
Well, it does not seem so easy….
My Alfresco administrator has configured the server to synchronize all users from the corporate Active Directory server, via LDAP.
This means that users can now log in to Alfresco using their "corporate" username and password…. good.
But then I tried to create a new user manually, using the Alfresco web admin UI, and at the end of the Create User wizard I got the following error:
Failed to create Person due to error: Create User is not supported
So it seems that once Alfresco is "hooked" to a corporate directory server, it's a "take all or nothing" situation, and one needs to have ALL the Alfresco users cataloged in the directory server.
This is an annoying limitation, since sometimes (external consultants, temporary workers, etc) it would be useful to be able to create accounts in the Alfresco user directory only (with a "local" Alfresco password) without having to create these accounts in the central directory server.
Alfresco folks… can you confirm this limitation? Any way to get around it?

‎04-01-2008 07:55 AM
I didn't test it myself, but I think it is possible in Alfresco.
See:
http://wiki.alfresco.com/wiki/Security_and_Authentication#Chaining
Friendly regards,
Nick

‎04-01-2008 08:42 AM
Thanks Xerox for the hint… it points to the same wiki page that I was referred to before by Jos.
So it seems that a proper configuration of the chaining-authentication-context.xml should allow a mix of "LDAP users" and "internal Alfresco users"… interesting.
Has anyone ever tried this type of configuration?
Is it enough to remove the ".sample" suffix from the chaining-authentication-context.xml.sample file and then restart Alfresco, or must something else be done to enable this configuration? (Pardon me for the stupid question, but I'm a newbie to Alfresco security and authentication configuration…)
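
A minimal model of the chaining arrangement discussed in this thread, added here as an illustration; it is not Alfresco code and is not taken from the wiki page or the sample file. The names `Store`, `Chain` and `shadowed_names`, and the sample accounts, are constructed, and the directory is simulated with an in-memory store rather than a real LDAP bind.

```python
import hashlib, hmac, os

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Store:
    """One authentication service in the chain (in-memory stand-in)."""
    def __init__(self, name, mutable):
        self.name, self.mutable, self.users = name, mutable, {}

    def put(self, user, password):
        salt = os.urandom(16)
        self.users[user.lower()] = (salt, _digest(password, salt))

    def authenticate(self, user, password):
        rec = self.users.get(user.lower())
        return rec is not None and hmac.compare_digest(rec[1], _digest(password, rec[0]))

class Chain:
    """Tries each store in order; new accounts go only to the mutable store."""
    def __init__(self, stores):
        self.stores = stores

    def authenticate(self, user, password):
        for store in self.stores:
            if store.authenticate(user, password):
                return store.name          # which store accepted the login
        return None

    def create_user(self, user, password):
        target = next((s for s in self.stores if s.mutable), None)
        if target is None:                 # directory-only setup, as in the thread
            raise NotImplementedError("Create User is not supported")
        target.put(user, password)

    def shadowed_names(self):
        """Usernames defined in more than one store (two passwords, one login name)."""
        seen, dup = set(), set()
        for store in self.stores:
            dup |= seen & set(store.users)
            seen |= set(store.users)
        return dup

def demo():
    ldap = Store("ldap", mutable=False)
    ldap.put("mrossi", "corp-pass")                  # constructed directory account
    chain = Chain([ldap, Store("alfresco", mutable=True)])
    chain.create_user("consultant1", "local-pass")   # local-only account
    chain.create_user("mrossi", "other-pass")        # name collides with the directory
    return chain
```

In this model a name that exists in both stores can log in with either password, so `shadowed_names()` is the check to run before adding local accounts alongside a synchronized directory.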
