Hi all,
here follows the configuration which we successfully implemented in our company Sourcesense ([3]) and which basically provides LDAP integration and NTLM single sign-on for connecting to Alfresco through web browsers and through Windows File Sharing. Sorry for the long delay but had quite busy days with this Alfresco thing. It's cool and is definitely being increasingly accepted and used in wider and wider enterprises.
Here it goes, hopefully can help to solve and gather the whole number of unstructured forum posts talking about the subject. Sorry for the long post but I preferred to made the *whole* conf files available.
SYSTEM SPECS:
ALFRESCO SERVER:
- Alfresco 2.1 Comm
- Mysql
- Tomcat 5.5.20
- Ubuntu Linux1 7.04
CLIENTS:
- Linux + FF2
- WinXP + IE6
- OSX10.4 + FF2
REQUIREMENTS:
- Integration with Microsoft Active Directory (NTLM + webclient/CIFS + LDAP )
NOTES:
- We started from the default alfresco bundle (linux installer)
- I removed default comments from this file in order to improve readability (seems a paradox, but who will read this post will already know the basic stuff written in those comments…i guess. ;-). I added some configuration specific comments thay may be useful to understand what's going on
- Sensitive data has been removed so don't smile at my funny domain fake names
- Even if I integrated with AD, well, openLDAP would have rocked better 🙂 (i hate bill, typical…)
- Thx to savs for coaching support and for providing useful docs !
NAMING CONVENTIONS:
ALF_HOME = base installation folder of the Alfresco instance
ALF_CLASSES = $ALF_HOME/tomcat/WEB-INF/classes/alfresco
ALF_SHARED_CLASSES = $ALF_HOME/tomcat/shared/classes/alfresco/extension
STEPS:
A. Enable NTLM passtrough for SSO purposes:
- Edit the provided
- Change the $ALF_HOME/tomcat/WEB-INF/web.xml to enable the NTLMAuthentication servlet filter. So comment out the default filter and uncomment it as follows (both for webclient and webdav, in case of need):
- change the $ALF_SHARED_CLASSES/ntlm-authentication-context.xml.sample to $ALF_SHARED_CLASSES/ntlm-authentication-context.xml
- Edit the file so that it looks as follows:
NOTE:
- Both Internet Explorer and Firefox support NTLM authentication, though Firefox will prompt the user for a username and password on the first connection attempt (subsequently username and password can be stored by Firefox). Internet Explorer will pass the Windows authentication details directly to the Alfresco server. Note that single sign-on with Internet Explorer will only work if the Alfresco server is perceived to be within the local intranet zone (for example if the server has a name in the local DNS). This can also be forced within Internet Explorer's preferences (Tools, Internet Options, Security; select “Local Intranetâ€, Sites, Advanced, type in the Alfresco server name and click Add, Ok, Ok)
- Authentication seems to work only from specified domain and not from trusted domains. See [1] for more info and fixes.
C. Enable CIFS integration with AD and NTLM passtrough on the CIFS interface:
- Change the provided $ALF_SHARED_CLASSES/file-servers-custom.xml.sample –> $ALF_SHARED_CLASSES/file-servers-custom.xml
- Edit the file so that it looks as follows:
- Restart your afresco instance and automagically your NTLM SSO authentication should work also against the CIFS filesystem
NOTE:
- SSO+CIFS was only tested (obviously you may say) from Windows Explorer on Windows (with an AD registered user). We also tested the integration of just AD/CIFS (manual AD user login) with Linux/smbclient and Macosx/Finder but with a proper client- side OS configuration integration (at least on mac) it *should* be possible to have SSO working
- Although other authenticators seems to fit more in this configuration (e.g. NTLM, see [2]), "alfresco" type is the only working with this configuration. Don't get mistaken than Wink
- Authentication seems to work only from specified domain and not from trusted domains. See [1] for more info and fixes.
D. Enable LDAP users/groups scheduled import in order to be able to assign roles/permissions/notifications/ownerships/jobs to AD users (aka "to be able to use (not only log them in) AD users in alfresco" )
- Change the provided $ALF_SHARED_CLASSES/ldap-authentication-context.xml.sample –> $ALF_SHARED_CLASSES/ldap-authentication-context.xml
- Edit the file so that it looks as follows:
- Enable automatic scheduled jobs starting editing the file $ALF_CLASSES/scheduled-jobs-context.xml by setting the autoStartup property to true in the the schedulerFactory bean definition:
- Restart alfresco and you should see (after waiting the defined time + some import time) the user/groups created in Alfresco
NOTE:
- In order to have a better understanding/debugging of the import process please note that if users are correctly imported from LDAP temporary XML files are written in $ALF_HOME/tomcat/temp/Alfresco/ExportSource*
- For a finer debugging of the whole process you may want to raise log levels for interested components, by editing $ALF_HOME/webapps/alfresco/WEB-INF/classes/log4j.properties setting the following categories to debug:
~~~~~%%%%~~~~~
That should be it. Hope this helps.
Ciao!
[1] ihttp://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users
[2] http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#Which_authenticat...
[3] http://www.sourcesense.com
here follows the configuration which we successfully implemented in our company Sourcesense ([3]) and which basically provides LDAP integration and NTLM single sign-on for connecting to Alfresco through web browsers and through Windows File Sharing. Sorry for the long delay but had quite busy days with this Alfresco thing. It's cool and is definitely being increasingly accepted and used in wider and wider enterprises.
Here it goes, hopefully can help to solve and gather the whole number of unstructured forum posts talking about the subject. Sorry for the long post but I preferred to made the *whole* conf files available.
SYSTEM SPECS:
ALFRESCO SERVER:
- Alfresco 2.1 Comm
- Mysql
- Tomcat 5.5.20
- Ubuntu Linux1 7.04
CLIENTS:
- Linux + FF2
- WinXP + IE6
- OSX10.4 + FF2
REQUIREMENTS:
- Integration with Microsoft Active Directory (NTLM + webclient/CIFS + LDAP )
NOTES:
- We started from the default alfresco bundle (linux installer)
- I removed default comments from this file in order to improve readability (seems a paradox, but who will read this post will already know the basic stuff written in those comments…i guess. ;-). I added some configuration specific comments thay may be useful to understand what's going on
- Sensitive data has been removed so don't smile at my funny domain fake names
- Even if I integrated with AD, well, openLDAP would have rocked better 🙂 (i hate bill, typical…)
- Thx to savs for coaching support and for providing useful docs !
NAMING CONVENTIONS:
ALF_HOME = base installation folder of the Alfresco instance
ALF_CLASSES = $ALF_HOME/tomcat/WEB-INF/classes/alfresco
ALF_SHARED_CLASSES = $ALF_HOME/tomcat/shared/classes/alfresco/extension
STEPS:
A. Enable NTLM passtrough for SSO purposes:
- Edit the provided
- Change the $ALF_HOME/tomcat/WEB-INF/web.xml to enable the NTLMAuthentication servlet filter. So comment out the default filter and uncomment it as follows (both for webclient and webdav, in case of need):
<filter>
<filter-name>Authentication Filter</filter-name>
<!–
<filter-class>org.alfresco.web.app.servlet.AuthenticationFilter</filter-class>
–>
<!– For Novell IChain support use the following filter –>
<!–
<filter-class>org.alfresco.web.app.servlet.NovellIChainsHTTPRequestAuthenticationFilter</filter-class>
–>
<!– For NTLM authentication support use the following filter –>
<filter-class>org.alfresco.web.app.servlet.NTLMAuthenticationFilter</filter-class>
</filter>
<filter>
<filter-name>WebDAV Authentication Filter</filter-name>
<!–
<filter-class>org.alfresco.repo.webdav.auth.AuthenticationFilter</filter-class>
–>
<!– For NTLM authentication support use the following filter –>
<filter-class>org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter</filter-class>
</filter>
<filter>
<filter-name>Admin Authentication Filter</filter-name>
<filter-class>org.alfresco.web.app.servlet.AdminAuthenticationFilter</filter-class>
</filter>- change the $ALF_SHARED_CLASSES/ntlm-authentication-context.xml.sample to $ALF_SHARED_CLASSES/ntlm-authentication-context.xml
- Edit the file so that it looks as follows:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl">
<property name="personService">
<ref bean="personService" />
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="transactionService">
<ref bean="transactionComponent" />
</property>
<property name="guestAccess">
<value>false</value>
</property>
<!– Name of the windows domain \ domain controller hostname or ip –>
<property name="servers">
<value>WINDOWSDOMAIN\domainControllerIPorHostname</value>
</property>
</bean>
</beans>
NOTE:
- Both Internet Explorer and Firefox support NTLM authentication, though Firefox will prompt the user for a username and password on the first connection attempt (subsequently username and password can be stored by Firefox). Internet Explorer will pass the Windows authentication details directly to the Alfresco server. Note that single sign-on with Internet Explorer will only work if the Alfresco server is perceived to be within the local intranet zone (for example if the server has a name in the local DNS). This can also be forced within Internet Explorer's preferences (Tools, Internet Options, Security; select “Local Intranetâ€, Sites, Advanced, type in the Alfresco server name and click Add, Ok, Ok)
- Authentication seems to work only from specified domain and not from trusted domains. See [1] for more info and fixes.
C. Enable CIFS integration with AD and NTLM passtrough on the CIFS interface:
- Change the provided $ALF_SHARED_CLASSES/file-servers-custom.xml.sample –> $ALF_SHARED_CLASSES/file-servers-custom.xml
- Edit the file so that it looks as follows:
<alfresco-config area="file-servers">
<config evaluator="string-compare" condition="CIFS Server">
<serverEnable enabled="true" />
<!– Insert here IP or hostname of this alfresco server, and the NT domain name in which you want to integrate–>
<host name="alfrescoServerIPorHostname" domain="WINDOWSDOMAIN" />
<comment>Alfresco CIFS Server</comment>
<!– Set to the broadcast mask for the subnet –>
<broadcast>255.255.255.255</broadcast>
<sessionDebug flags="Negotiate,Socket" />
</config>
<config evaluator="string-compare" condition="Filesystems" replace="true">
<filesystems>
<filesystem name="Alfresco">
<store>workspace://SpacesStore</store>
<rootPath>/app:company_home</rootPath>
<!– Add a URL file to each folder that links back to the web client –>
<urlFile>
<filename>__Alfresco.url</filename>
<webpath>http://${localname}:8080/alfresco/</webpath>
</urlFile>
<!– Mark locked files as offline –>
<offlineFiles />
<!– Desktop actions –>
<desktopActions>
<global>
<path>alfresco/desktop/Alfresco.exe</path>
<webpath>http://${localname}:8080/alfresco/</webpath>
</global>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.CheckInOutDesktopAction</class>
<name>CheckInOut</name>
<filename>__CheckInOut.exe</filename>
</action>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
<name>JavaScriptURL</name>
<filename>__ShowDetails.exe</filename>
<script>alfresco/desktop/showDetails.js</script>
<attributes>anyFiles</attributes>
<preprocess>copyToTarget</preprocess>
</action>
</desktopActions>
</filesystem>
<!– AVM virtualization view of all stores/versions for WCM –>
<avmfilesystem name="AVM">
<virtualView />
</avmfilesystem>
</filesystems>
</config>
<!– Authenticator should be of type alfresco –>
<config evaluator="string-compare" condition="Filesystem Security" replace="true">
<authenticator type="alfresco" />
</config>
</alfresco-config> - Restart your afresco instance and automagically your NTLM SSO authentication should work also against the CIFS filesystem
NOTE:
- SSO+CIFS was only tested (obviously you may say) from Windows Explorer on Windows (with an AD registered user). We also tested the integration of just AD/CIFS (manual AD user login) with Linux/smbclient and Macosx/Finder but with a proper client- side OS configuration integration (at least on mac) it *should* be possible to have SSO working
- Although other authenticators seems to fit more in this configuration (e.g. NTLM, see [2]), "alfresco" type is the only working with this configuration. Don't get mistaken than Wink
- Authentication seems to work only from specified domain and not from trusted domains. See [1] for more info and fixes.
D. Enable LDAP users/groups scheduled import in order to be able to assign roles/permissions/notifications/ownerships/jobs to AD users (aka "to be able to use (not only log them in) AD users in alfresco" )
- Change the provided $ALF_SHARED_CLASSES/ldap-authentication-context.xml.sample –> $ALF_SHARED_CLASSES/ldap-authentication-context.xml
- Edit the file so that it looks as follows:
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
<property name="initialDirContextEnvironment">
<map>
<!– The LDAP provider –>
<entry key="java.naming.factory.initial">
<value>com.sun.jndi.ldap.LdapCtxFactory</value>
</entry>
<!– The url to the LDAP server –>
<!– Note you can use space separated urls - they will be tried in turn until one works –>
<!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
<entry key="java.naming.provider.url">
<value>ldap://ldapserverurl:389</value>
</entry>
<!– The authentication mechanism to use –>
<!– Some sasl authentication mechanisms may require a realm to be set –>
<!– java.naming.security.sasl.realm –>
<!– The available options will depend on your LDAP provider –>
<entry key="java.naming.security.authentication">
<value>simple</value>
</entry>
<!– The id of a user who can read group and user information –>
<entry key="java.naming.security.principal">
<value>WINDOWSDOMAIN\directoryadmin</value>
</entry>
<!– The password for the user defined above –>
<entry key="java.naming.security.credentials">
<value>directoryadminpassword</value>
</entry>
</map>
</property>
</bean>
<!– Ldap Syncronisation support –>
<!– There can be more than one stack of beans that import users or groups. For example, it may be easier to have a version of ldapPeopleExportSource, and associated beans, for each sub-tree of your ldap directory from which you want to import users. You could then limit users to be imported from two or more sub tress and ignore users found else where. The same applies to the import of groups.
–>
<!– Extract user information from LDAP and transform this to XML –>
<bean id="ldapPeopleExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource">
<!–
The query to select objects that represent the users to import. For Active Directory: (objectclass=user)
–>
<property name="personQuery">
<value>(objectclass=user)</value>
</property>
<!–
The search base restricts the LDAP query to a sub section of tree on the LDAP server.
In this particular example we imported only the IT Department users.
–>
<property name="searchBase">
<value>ou=IT Department,dc=mycompany,dc=org</value>
</property>
<!–
The unique identifier for the user.THIS MUST MATCH WHAT THE USER TYPES IN AT THE LOGIN PROMPT
For simple LDAP authentication this is likely to be "cn" or, less friendly, "distinguishedName"
In Active Directory this is most likely to be "sAMAccountName". This property is mandatory and must appear on all users found by the query defined above.
–>
<property name="userIdAttributeName">
<value>sAMAccountName</value>
</property>
<!– Services –>
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapInitialDirContextFactory" />
</property>
<property name="personService">
<ref bean="personService"></ref>
</property>
<property name="namespaceService">
<ref bean="namespaceService" />
</property>
<!–
This property defines a mapping between attributes held on LDAP user objects and the properties of user objects held in the repository. The key is the QName of an attribute in the repository, the value is the attribute name from the user/ inetOrgPerson/.. object in the LDAP repository.
–>
<property name="attributeMapping">
<map>
<entry key="cm:userName">
<!– Must match the same attribute as userIdAttributeName –>
<value>sAMAccountName</value>
</entry>
<entry key="cm:firstName">
<!– Active Directory: "givenName" –>
<value>givenName</value>
</entry>
<entry key="cm:lastName">
<!– Active Directory: "sn" –>
<value>sn</value>
</entry>
<entry key="cm:email">
<!– Active Directory: "???" –>
<value>mail</value>
</entry>
<entry key="cm:organizationId">
<!– Active Directory: "???" –>
<value>o</value>
</entry>
<!– Always use the default –>
<entry key="cm:homeFolderProvider">
<null />
</entry>
</map>
</property>
<!– Set a default home folder provider. We configured it to create user home folder under "User Homes" space–>
<property name="attributeDefaults">
<map>
<entry key="cm:homeFolderProvider">
<value>userHomesHomeFolderProvider</value>
</entry>
</map>
</property>
</bean>
<!– Extract group information from LDAP and transform this to XML –>
<bean id="ldapGroupExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource">
<!–
The query to select objects that represent the groups to import.
For Active Directory: (objectclass=group)
–>
<property name="groupQuery">
<value>(objectclass=group)</value>
</property>
<!– The seach base restricts the LDAP query to a sub section of tree on the LDAP server. We reduced it to IT departments internal groups –>
<property name="searchBase">
<value>ou=IT Department,dc=mycompany,dc=org</value>
</property>
<!– The unique identifier for the user. This must match the userIdAttributeName on the ldapPeopleExportSource bean above. –>
<property name="userIdAttributeName">
<value>sAMAccountName</value>
</property>
<!– An attribute that is a unique identifier for each group found. This is also the name of the group with the current group implementation.This is mandatory for any groups found.
Active Directory: "cn" –>
<property name="groupIdAttributeName">
<value>cn</value>
</property>
<!– The objectClass attribute for group members. For each member of a group, the distinguished name is given.The object is looked up by its DN. If the object is of this class it is treated as a group. –>
<property name="groupType">
<value>group</value>
</property>
<!– The objectClass attribute for person members.For each member of a group, the distinguished name is given.The object is looked up by its DN. If the object is of this class it is treated as a person –>
<property name="personType">
<value>user</value>
</property>
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapInitialDirContextFactory" />
</property>
<property name="namespaceService">
<ref bean="namespaceService" />
</property>
<!–
The repeating attribute on group objects (found by query or as sub groups) used to define membership of the group. This is assumed to hold distinguished names oF other groups or users/people; the above types are used to determine this.
Active Directory: "member" –>
<property name="memberAttribute">
<value>member</value>
</property>
<property name="authorityDAO">
<ref bean="authorityDAO" />
</property>
</bean>
<!– Job definitions to import LDAP people and groups –>
<!– The triggers register themselves with the scheduler –>
<!– You may comment in the default scheduler to enable these triggers –>
<!– If a cron base trigger is what you want seee scheduled-jobs-context.xml for examples. –>
<!– Trigger to load poeple Note you can have more than one initial (context, trigger, import job and export source) seT. This would allow you to load people from more than one ldap store –>
<bean id="ldapPeopleTrigger" class="org.alfresco.util.TriggerBean">
<property name="jobDetail">
<bean id="ldapPeopleJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
<property name="jobClass">
<value>org.alfresco.repo.importer.ImporterJob</value>
</property>
<property name="jobDataAsMap">
<map>
<entry key="bean">
<ref bean="ldapPeopleImport" />
</entry>
</map>
</property>
</bean>
</property>
<!– Start after 5 minutes of starting the repository –>
<property name="startDelay">
<value>180000</value>
</property>
<!– Repeat every hour –>
<property name="repeatInterval">
<value>3600000</value>
</property>
<property name="scheduler">
<ref bean="schedulerFactory" />
</property>
</bean>
<bean id="ldapGroupTrigger" class="org.alfresco.util.TriggerBean">
<property name="jobDetail">
<bean id="ldapGroupJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
<property name="jobClass">
<value>org.alfresco.repo.importer.ImporterJob</value>
</property>
<property name="jobDataAsMap">
<map>
<entry key="bean">
<ref bean="ldapGroupImport" />
</entry>
</map>
</property>
</bean>
</property>
<!– Start after 5 minutes of starting the repository –>
<property name="startDelay">
<value>180000</value>
</property>
<!– Repeat every hour –>
<property name="repeatInterval">
<value>3600000</value>
</property>
<property name="scheduler">
<ref bean="schedulerFactory" />
</property>
</bean>
<!– The bean that imports xml describing people –>
<bean id="ldapPeopleImport" class="org.alfresco.repo.importer.ExportSourceImporter">
<property name="importerService">
<ref bean="importerComponentWithBehaviour" />
</property>
<property name="transactionService">
<ref bean="transactionComponent" />
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponent" />
</property>
<property name="exportSource">
<ref bean="ldapPeopleExportSource" />
</property>
<!– The store that contains people - this should not be changed –>
<property name="storeRef">
<value>${spaces.store}</value>
</property>
<!– The location of people nodes within the store defined above - this should not be changed –>
<property name="path">
<value>/${system.system_container.childname}/${system.people_container.childname}</value>
</property>
<!– If true, clear all existing people before import, if false update/add people from the xml –>
<property name="clearAllChildren">
<value>false</value>
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="searchService">
<ref bean="searchService" />
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService" />
</property>
<property name="caches">
<set>
<ref bean="permissionsAccessCache" />
</set>
</property>
</bean>
<!– The bean that imports xml descibing groups –>
<bean id="ldapGroupImport" class="org.alfresco.repo.importer.ExportSourceImporter">
<property name="importerService">
<ref bean="importerComponentWithBehaviour" />
</property>
<property name="transactionService">
<ref bean="transactionComponent" />
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponent" />
</property>
<property name="exportSource">
<ref bean="ldapGroupExportSource" />
</property>
<!– The store that contains group information - this should not be changed –>
<property name="storeRef">
<value>${alfresco_user_store.store}</value>
</property>
<!– The location of group information in the store above - this should not be changed –>
<property name="path">
<value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
</property>
<!– If true, clear all existing groups before import, if false update/add groups from the xml –>
<property name="clearAllChildren">
<value>true</value>
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="searchService">
<ref bean="searchService" />
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService" />
</property>
<!– caches to clear on import of groups –>
<property name="caches">
<set>
<ref bean="userToAuthorityCache" />
<ref bean="permissionsAccessCache" />
</set>
</property>
<!– userToAuthorityCache –>
</bean>
</beans> - Enable automatic scheduled jobs starting editing the file $ALF_CLASSES/scheduled-jobs-context.xml by setting the autoStartup property to true in the the schedulerFactory bean definition:
<!– Task scheduler –>
<!– Triggers should not appear here - the scheduler should be injected into the trigger definition –>
<!– This bean should not need to appear else where in extension configuration –>
<!– Task scheduler –>
<!– Triggers should not appear here - the scheduler should be injected into the trigger definition –>
<!– This bean should not need to apear else where in extension configuration –>
<bean id="schedulerFactory" class="org.springframework.scheduling.quartz.SchedulerFactoryBean">
<property name="waitForJobsToCompleteOnShutdown">
<value>true</value>
</property>
<property name="configLocation">
<value>classpath:alfresco/domain/quartz.properties</value>
</property>
<property name="schedulerName">
<value>DefaultScheduler</value>
</property>
<!– Do not auto start the scheduler - this is done at the end of the bootstrap process –>
<property name="autoStartup">
<value>true</value>
</property>
</bean> - Restart alfresco and you should see (after waiting the defined time + some import time) the user/groups created in Alfresco
NOTE:
- In order to have a better understanding/debugging of the import process please note that if users are correctly imported from LDAP temporary XML files are written in $ALF_HOME/tomcat/temp/Alfresco/ExportSource*
- For a finer debugging of the whole process you may want to raise log levels for interested components, by editing $ALF_HOME/webapps/alfresco/WEB-INF/classes/log4j.properties setting the following categories to debug:
log4j.logger.org.alfresco.smb.protocol=debug
log4j.logger.org.alfresco.smb.protocol.auth=debug
log4j.logger.org.alfresco.repo.action=debug
log4j.org.alfresco.repo.security.authentication.ldap=debug
log4j.logger.org.alfresco.acegi=debug
# Thx SCHNEIKA
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug ~~~~~%%%%~~~~~
That should be it. Hope this helps.
Ciao!
[1] ihttp://wiki.alfresco.com/wiki/Configuring_NTLM#Enabling_NTLM_users
[2] http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#Which_authenticat...
[3] http://www.sourcesense.com
