OpenLDAP authentication

uesnet
Champ in-the-making
Hi everyone, I have looked through the posts and googled this problem without any luck. This is my first installation of Alfresco, I am using the Stable 3labs version on Linux and trying to use OpenLDAP for user authentication. I edited the ldap-authentication.properties.xml and ldap-authentication-context.xml files, and enabled logging for LDAP within Tomcat. I keep getting this error in the logs: "LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://IP:port".

I also enabled logging on my LDAP server, checked looking up a user with ldapsearch, which worked fine, and compared that with the messages Alfresco is generating in the same log:
LDAPsearch log on  OpenLDAP
conn=28 op=0 BIND dn="" method=128
Mar 19 13:40:59 campus slapd[10047]: conn=28 op=0 RESULT tag=97 err=0 text=
Mar 19 13:40:59 campus slapd[10047]: conn=28 op=1 SRCH base="dc=one,dc=test,dc=com" scope=2 deref=0 filter="(uid=eric)"
Mar 19 13:40:59 campus slapd[10047]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Alfresco log on OpenLDAP
conn=22 op=0 BIND dn="" method=128
Mar 19 08:10:44 campus slapd[10047]: conn=22 op=0 RESULT tag=97 err=49 text=
Mar 19 08:10:44 campus slapd[10047]: conn=22 fd=13 closed (connection lost)
Mar 19 08:10:45 campus slapd[10047]: conn=19 op=1 UNBIND

The only difference I can see is that ldapsearch uses the search base; I don't see where I can specify a search base for LDAP searches in the Alfresco config files.
Any help would be greatly appreciated.
Thanks in advance,
Eric.

jottley
Confirmed Champ
Ignore the error message. It is for info only.

Modify:

ldap.authentication.java.naming.provider.url to point to your LDAP server
ldap.authentication.java.naming.security.authentication to use the appropriate security mechanism

Depending on your LDAP scheme you may need to change the format that is used when passing usernames from Alfresco to your LDAP. This can be done by changing:

ldap.authentication.userNameFormat=%s where %s is the value passed. Digest authentication can use the default of just a %s. Others should modify it to your specific user container. For example, ldap.authentication.userNameFormat=cn=%s,ou=users,o=demo,dc=alfresco,dc=com
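The substitution described above, as an added example (not Alfresco code, and it says nothing about how Alfresco itself performs the substitution): the single %s in the template is replaced by the submitted user name to produce the DN that is then used for the simple bind. The example also escapes the characters RFC 4514 treats as special inside a DN value (comma, plus, quote, backslash, angle brackets, semicolon, a leading '#', leading or trailing spaces), so a submitted name containing one of them is carried literally as part of the uid value rather than being read as additional RDNs. The function and template names below are assumptions made for the example.

```python
"""Expand an Alfresco-style ldap.authentication.userNameFormat template into a bind DN.

Added example, not Alfresco code: it only illustrates what the %s placeholder
expands to and why the substituted value should be DN-escaped (RFC 4514).
"""

# Characters that must be backslash-escaped anywhere inside an RDN value (RFC 4514 section 2.4).
_SPECIALS = {'\\', ',', '+', '"', '<', '>', ';'}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')        # a leading '#' would otherwise start a hex-encoded value
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')        # leading/trailing spaces are otherwise trimmed by parsers
        elif ch == '\x00':
            out.append('\\00')       # NUL must be hex-escaped
        else:
            out.append(ch)
    return ''.join(out)


def bind_dn(user_name_format: str, user_id: str) -> str:
    """Substitute user_id for the single %s in the template (hypothetical helper).

    A template of exactly '%s' passes the user name through unchanged: in that
    case the value is a bare name (as with digest authentication), not a DN
    component, so DN escaping does not apply.
    """
    if user_name_format.count('%s') != 1:
        raise ValueError('userNameFormat must contain exactly one %s placeholder')
    if user_name_format == '%s':
        return user_id
    return user_name_format.replace('%s', escape_dn_value(user_id))


if __name__ == '__main__':
    # Template from later in this thread; 'eric' is the user name from the thread.
    template = 'uid=%s,ou=usuarios,dc=one,dc=test,dc=com'
    print(bind_dn(template, 'eric'))
    # A name with a comma stays inside the uid value instead of adding an RDN.
    print(bind_dn(template, 'last, first'))
```

With the thread's template the first call yields uid=eric,ou=usuarios,dc=one,dc=test,dc=com, which is exactly the DN that later appears in the slapd BIND lines; the escaped form is what the server must receive for the bind to target the intended entry.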

uesnet
Champ in-the-making
Hi Jottley,
Thanks for your reply. I had already modified the values you mention, here are the values I have been using:
FOR ldap-authentication-context.xml
        <property name="initialDirContextEnvironment">
            <map>
                <!-- The LDAP provider -->
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
                <entry key="java.naming.provider.url">
                    <value>ldap://10.10.0.1:389</value>
                </entry>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>
                </entry>
                <entry key="java.naming.security.principal">
                    <value></value>
                </entry>
                <entry key="java.naming.security.credentials">
                    <value></value>
                </entry>
            </map>
        </property>

FOR ldap-authentication.properties
ldap.authentication.userNameFormat=uid=%s,ou=usuarios,dc=one,dc=test,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://10.10.0.1:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.security.principal=
ldap.authentication.java.naming.security.credentials=

Again, I can see that Alfresco reaches my LDAP server when starting up, but it is doing a search that returns "INVALID_CREDENTIALS" (err=49) on the LDAP server. The only reason I see for that to happen is that Alfresco is doing the search without a search base. I have confirmed this by doing a local ldapsearch on the OpenLDAP server: when I use the -b modifier and specify a search base the search works fine, but the same search fails if I don't specify a search base. Any ideas where else I could look for clues…?

Thanks again for your help,
eric.

jottley
Confirmed Champ
I had already modified the values you mention, here are the values I have been using:
FOR ldap-authentication-context.xml

FYI, you only need to modify ldap-authentication.properties. (Well, now you need to modify ldap-authentication-context.xml unless you reset it to the defaults.)

the search works fine but the same search fails if I don't specify a searchbase.

We aren't doing a search; we are authenticating against the directory through a bind, which does not require a search base. Try doing an ldapwhoami:

ldapwhoami -x -D "<your DN>" -w <your password>

It will return your DN if successful.

uesnet
Champ in-the-making
Thanks again for your reply. I've made the changes you suggested. The OpenLDAP log shows this now:
Connection from Alfresco
Mar 20 11:41:17 campus slapd[10047]: conn=52 fd=13 ACCEPT from IP=10.10.0.2:46221 (IP=0.0.0.0:389)
Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" method=128
Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 RESULT tag=97 err=49 text=
Mar 20 11:41:17 campus slapd[10047]: conn=53 fd=13 closed (connection lost)
Mar 20 11:41:18 campus slapd[10047]: conn=50 op=1 UNBIND
Mar 20 11:41:18 campus slapd[10047]: conn=50 fd=11 closed

Connection from ldapwhoami using the same credentials
Mar 20 11:42:12 campus slapd[10047]: conn=54 fd=11 ACCEPT from IP=127.0.0.1:40887 (IP=0.0.0.0:389)
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" method=128
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" mech=SIMPLE ssf=0
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 RESULT tag=97 err=0 text=
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=1 WHOAMI
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=1 RESULT oid= err=0 text=

The ssf=0 seems to be the difference between the two Bind attempts. Is this SSF value something I can modify within Alfresco?
eric.

jottley
Confirmed Champ
The problem is actually this line:

Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 RESULT tag=97 err=49 text=

which indicates error 49 (Invalid Credentials).

Can you try doing an "ldapwhoami -x"? Does it return anonymous?

Check the error log as well to see what it returns and post it here.
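The log comparison in the posts above (anonymous BIND with dn="", the Alfresco bind ending in err=49, the ldapwhoami bind ending in err=0 with a second BIND line carrying mech=SIMPLE ssf=0) is the kind of pairing a defender does by hand. As an added example, not from the thread or from Alfresco, here is a small analyser that pairs each BIND with the RESULT of the same conn/op in slapd "stats" log lines and reports the bound DN, the result code, and whether a SIMPLE bind ran with ssf=0, i.e. without TLS or a SASL security layer, so the password crossed the wire in the clear. The sample lines are constructed from the ones posted in this thread; the function names are assumptions made for the example.

```python
"""Pair BIND and RESULT lines in slapd 'stats' logs and summarise each bind.

Added example (not from the thread or Alfresco). The sample log below is
constructed from lines posted in this thread.
"""
import re
from collections import OrderedDict

# Constructed sample: anonymous bind + search (ldapsearch), a failing bind
# (err=49), and a successful bind followed by WHOAMI (ldapwhoami).
SAMPLE_LOG = """\
Mar 19 13:40:59 campus slapd[10047]: conn=28 op=0 BIND dn="" method=128
Mar 19 13:40:59 campus slapd[10047]: conn=28 op=0 RESULT tag=97 err=0 text=
Mar 19 13:40:59 campus slapd[10047]: conn=28 op=1 SRCH base="dc=one,dc=test,dc=com" scope=2 deref=0 filter="(uid=eric)"
Mar 19 13:40:59 campus slapd[10047]: conn=28 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" method=128
Mar 20 11:41:17 campus slapd[10047]: conn=53 op=0 RESULT tag=97 err=49 text=
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" method=128
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 BIND dn="uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" mech=SIMPLE ssf=0
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=0 RESULT tag=97 err=0 text=
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=1 WHOAMI
Mar 20 11:42:12 campus slapd[10047]: conn=54 op=1 RESULT oid= err=0 text=
"""

# LDAP result codes that appear in this thread (RFC 4511).
RESULT_NAMES = {0: 'success', 49: 'invalidCredentials'}

_OP = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
_BIND = re.compile(r'^BIND dn="(?P<dn>[^"]*)"(?: method=(?P<method>\d+))?'
                   r'(?: mech=(?P<mech>\S+) ssf=(?P<ssf>\d+))?')
_RESULT = re.compile(r'^(?:SEARCH )?RESULT .*?\berr=(?P<err>\d+)')


def summarise_binds(log_text: str) -> list:
    """Return one dict per bind operation, in the order the binds were logged."""
    binds = OrderedDict()  # (conn, op) -> record
    for line in log_text.splitlines():
        m = _OP.search(line)
        if not m:
            continue
        key = (int(m['conn']), int(m['op']))
        rest = m['rest']
        b = _BIND.match(rest)
        if b:
            rec = binds.setdefault(key, {
                'conn': key[0], 'op': key[1], 'dn': b['dn'],
                'anonymous': b['dn'] == '',
                'err': None, 'err_name': 'no RESULT logged',
                'mech': None, 'ssf': None, 'cleartext_simple': False,
            })
            # slapd logs a second BIND line with mech/ssf once it processes the bind.
            if b['mech']:
                rec['mech'] = b['mech']
                rec['ssf'] = int(b['ssf'])
                rec['cleartext_simple'] = (b['mech'] == 'SIMPLE' and rec['ssf'] == 0)
            continue
        r = _RESULT.match(rest)
        if r and key in binds:  # RESULT of a bind op; search results are skipped
            err = int(r['err'])
            binds[key]['err'] = err
            binds[key]['err_name'] = RESULT_NAMES.get(err, f'code {err}')
    return list(binds.values())


def failed_binds(log_text: str) -> list:
    """Binds whose RESULT carried a non-zero error code (e.g. err=49)."""
    return [b for b in summarise_binds(log_text) if b['err'] not in (None, 0)]


if __name__ == '__main__':
    for b in summarise_binds(SAMPLE_LOG):
        who = 'anonymous' if b['anonymous'] else b['dn']
        flag = '  [SIMPLE bind with ssf=0: password sent in clear]' if b['cleartext_simple'] else ''
        print(f"conn={b['conn']} op={b['op']} bind as {who!r}: {b['err_name']}{flag}")
```

Run over the sample, it lists the anonymous bind as a success, flags conn=53 as invalidCredentials, and marks conn=54 as a successful SIMPLE bind with ssf=0. The last point is the one to act on operationally even once authentication works: a simple bind without TLS (ldaps:// or StartTLS) hands the user's password to anyone who can observe the connection, so the ssf value is a property of the transport, not something the bind itself can raise.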

uesnet
Champ in-the-making
~# ldapwhoami -x
anonymous
Result: Success (0)
~# cat ldap.log
Mar 23 09:08:49 campus slapd[10047]: conn=55 fd=11 ACCEPT from IP=127.0.0.1:47672 (IP=0.0.0.0:389)
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=0 BIND dn="" method=128
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=0 RESULT tag=97 err=0 text=
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=1 WHOAMI
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=1 RESULT oid= err=0 text=
Mar 23 09:08:49 campus slapd[10047]: conn=55 op=2 UNBIND
Mar 23 09:08:49 campus slapd[10047]: conn=55 fd=11 closed

jottley
Confirmed Champ
Can we check and make sure that your slapd.conf file does not deny access (auth connections) from the Alfresco server?

Below is the output from my instance of Alfresco to my ldap server.

Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 fd=15 ACCEPT from IP=156.124.13.100:52309 (IP=0.0.0.0:389)
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=0 BIND dn="cn=Jared Ottley,ou=users,o=demo,dc=alfresco,dc=com" method=128
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=0 BIND dn="cn=Jared Ottley,ou=users,o=demo,dc=alfresco,dc=com" mech=SIMPLE ssf=0
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=0 RESULT tag=97 err=0 text=
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 op=1 UNBIND
Mar 23 09:54:13 alfresco-openldap slapd[19820]: conn=12 fd=15 closed

My access line looks like this:

access to attrs=userPassword
        by dn="cn=admin,dc=alfresco,dc=com" write
        by anonymous auth
        by self write
        by * none

uesnet
Champ in-the-making
Thanks again for your reply. The ACLs look right; I also enabled ACL logging on OpenLDAP. Here is the log from the ldapwhoami and Alfresco operations; they are both being granted access:
Mar 23 10:31:26 campus slapd[19365]: slapd starting
Mar 23 10:31:32 campus slapd[19365]: => access_allowed: auth access to "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" "userPassword" requested
Mar 23 10:31:32 campus slapd[19365]: => acl_get: [1] attr userPassword
Mar 23 10:31:32 campus slapd[19365]: access_allowed: no res from state (userPassword)
Mar 23 10:31:32 campus slapd[19365]: => acl_mask: access to entry "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv", attr "userPassword" requested
Mar 23 10:31:32 campus slapd[19365]: => acl_mask: to value by "", (=0) 
Mar 23 10:31:32 campus slapd[19365]: <= check a_dn_pat: cn=admin,dc=ues,dc=edu,dc=sv
Mar 23 10:31:32 campus slapd[19365]: <= check a_dn_pat: anonymous
Mar 23 10:31:32 campus slapd[19365]: <= acl_mask: [2] applying auth(=xd) (stop)
Mar 23 10:31:32 campus slapd[19365]: <= acl_mask: [2] mask: auth(=xd)
Mar 23 10:31:32 campus slapd[19365]: => access_allowed: auth access granted by auth(=xd)
Mar 23 10:32:58 campus slapd[19365]: bind: invalid dn (daftAsABrush)
Mar 23 10:32:58 campus slapd[19365]: => access_allowed: auth access to "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv" "userPassword" requested
Mar 23 10:32:58 campus slapd[19365]: => acl_get: [1] attr userPassword
Mar 23 10:32:58 campus slapd[19365]: access_allowed: no res from state (userPassword)
Mar 23 10:32:58 campus slapd[19365]: => acl_mask: access to entry "uid=eric,ou=usuarios,dc=ues,dc=edu,dc=sv", attr "userPassword" requested
Mar 23 10:32:58 campus slapd[19365]: => acl_mask: to value by "", (=0) 
Mar 23 10:32:58 campus slapd[19365]: <= check a_dn_pat: cn=admin,dc=ues,dc=edu,dc=sv
Mar 23 10:32:58 campus slapd[19365]: <= check a_dn_pat: anonymous
Mar 23 10:32:58 campus slapd[19365]: <= acl_mask: [2] applying auth(=xd) (stop)
Mar 23 10:32:58 campus slapd[19365]: <= acl_mask: [2] mask: auth(=xd)
Mar 23 10:32:58 campus slapd[19365]: => access_allowed: auth access granted by auth(=xd)

Also, both in your OpenLDAP log and in my ldapwhoami log there are two Bind lines logged, one with ssf=0 right before the err=0 (success) message. I suspect that something is wrong with my current Alfresco setup that is not generating that second bind/ssf=0 action.

uesnet
Champ in-the-making
I just noticed there are also error messages in my Alfresco log. I don't know if it is directly related to the LDAP problem, but here it is:
10:46:47,072 ERROR [org.springframework.web.context.ContextLoader] Context initialization failed
java.lang.NullPointerException
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.isSystemUserName(AbstractAuthenticationComponent.java:299)
   at org.alfresco.repo.security.authentication.AbstractAuthenticationComponent.setCurrentUser(AbstractAuthenticationComponent.java:161)
   at org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl.setCurrentUser(ChainingAuthenticationComponentImpl.java:373)
   at org.alfresco.repo.security.authentication.ChainingAuthenticationComponentImpl.setSystemUserAsCurrentUser(ChainingAuthenticationComponentImpl.java:407)
   at org.alfresco.repo.importer.system.SystemInfoBootstrap.bootstrap(SystemInfoBootstrap.java:124)
   at org.alfresco.repo.importer.system.SystemInfoBootstrap.onBootstrap(SystemInfoBootstrap.java:190)
   at org.alfresco.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:62)
   at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
   at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
   at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
   at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
   at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:244)
   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:187)
   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:516)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:41

Any ideas?