Simplest case of LDAP authentication doesn't work... pls help

geoffrey1211
Champ in-the-making
What I want to do is to log in on the alfresco login page using ONLY the active directory credentials (I am using Active Directory Server). How can I do this? I keep getting this error:


16:27:37,865  WARN  [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server supports anonymous bind ldap://delljoeb:10389
16:27:37,896  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not support simple string user ids and invalid credentials at ldap://delljoeb:10389
16:27:37,912  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://delljoeb:10389
16:27:37,928  INFO  [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://delljoeb:10389


Here are my configuration files:


ldap.authentication.userNameFormat=cn=%s,ou=users,ou=system
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://delljoeb:10389
# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple
# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=admin,ou=users,ou=system
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=secret


My XML too just in case:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
   <!-- The main configuration has moved into a properties file -->
   
    <bean name="ldapAuthenticationPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="ignoreUnresolvablePlaceholders">
            <value>true</value>
        </property> 
        <property name="locations">
            <value>classpath:alfresco/extension/ldap-authentication.properties</value>
        </property>
    </bean>
   
    <!-- DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted without warnings from the UI. -->
   
    <bean name="authenticationDaoLDAP" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
  

    <!-- LDAP authentication configuration -->
   
    <!--
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
    -->
   
    <bean id="authenticationComponentLDAP"
          class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
          parent="authenticationComponentBase">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!--
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.

            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".

            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" then authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication. Simple authentication always uses the DN for the user.
            -->
            <value>${ldap.authentication.userNameFormat}</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>  
        <property name="escapeCommasInBind">
            <value>${ldap.authentication.escapeCommasInBind}</value>
        </property>
        <property name="escapeCommasInUid">
            <value>${ldap.authentication.escapeCommasInUid}</value>
        </property>
    </bean>
   
    <!--
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP repository
    -->
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!-- The LDAP provider -->
                <entry key="java.naming.factory.initial">
                    <value>${ldap.authentication.java.naming.factory.initial}</value>
                </entry>
               
                <!-- The url to the LDAP server -->
                <!-- Note you can use space separated urls - they will be tried in turn until one works -->
                <!-- This could be used to authenticate against one or more ldap servers (you will not know which one ...) -->
                <entry key="java.naming.provider.url">
                    <value>${ldap.authentication.java.naming.provider.url}</value>
                </entry>
               
                <!-- The authentication mechanism to use -->
                <!-- Some sasl authentication mechanisms may require a realm to be set -->
                <!--                java.naming.security.sasl.realm -->
                <!-- The available options will depend on your LDAP provider -->
                <entry key="java.naming.security.authentication">
                    <value>${ldap.authentication.java.naming.security.authentication}</value>
                </entry>
               
                <!-- The id of a user who can read group and user information -->
                <!-- This does not go through the pattern substitution defined above and is used "as is" -->
                <entry key="java.naming.security.principal">
                    <value>${ldap.authentication.java.naming.security.principal}</value>
                </entry>
               
                <!-- The password for the user defined above -->
                <entry key="java.naming.security.credentials">
                    <value>${ldap.authentication.java.naming.security.credentials}</value>
                </entry>
            </map>
        </property>
    </bean>
   
</beans>


Please help!!! Thank you.
Geoffrey

jottley
Confirmed Champ
Ignore those messages; they are for info only.

Are you able to login using your AD username and password?

If not, a couple of things I would look at:

Your userNameFormat looks a little short... missing dc attributes. Can you verify what the full DN is?

You can also set log4j.logger.org.alfresco.repo.security.authentication.ldap=debug in the log4j.properties file (tomcat/webapps/alfresco/WEB-INF/classes).  Restart Alfresco and you will then see debug info when you try to login.

rxm307
Champ in-the-making
You can also use the user principal, i.e. username@domain.corp or %s@domain.corp

geoffrey1211
Champ in-the-making
I am NOT able to log in using my AD username and password. I included the debug config, but see nothing regarding login info in the log other than what I showed. Why is Alfresco completely silent about it!? I have NO way of knowing what went wrong…

Regarding my AD structure - it looks like this:

DIT
   Root DSE
      ou=system
         ou=users
             cn=user1

For user1, here are the attributes:
objectClass=inetOrgPerson
objectClass=organizationalPerson
objectClass=person
objectClass=tlsKeyInfo
objectClass=top
cn=user1
keyalgorithm=RSA
privatekey=Binary Data (345 Bytes)
privatekeyformat=PKCS#8
publickey=Binary Data (94 Bytes)
publickeyformat=X.509
sn=surname
displayname=Directory Superuser
givenName=givenname
uid=user1
usercertificate=Binary Data(375 Bytes)
userpassword=Plain text password


- I use simple authentication, so Plain text password is ok right?
- is "dc" required on a distinguished name (dn)? My structure doesn't use any "dc" attributes
- is synchronisation required in order for authentication to work?
- is there anything AT ALL I can do to see what went wrong?

jottley
Confirmed Champ
> I use simple authentication, so Plain text password is ok right?

This won't work if you plan on using CIFS shared drives, which require an MD4 hashed password.

> is "dc" required on a distinguished name (dn)? My structure doesn't use any "dc" attributes

No, as long as you are using your DN, or the email address as pointed out by RXM307.

> is synchronisation required in order for authentication to work?

No.

> is there anything AT ALL I can do to see what went wrong?

Use the debug flag:
You can also set log4j.logger.org.alfresco.repo.security.authentication.ldap=debug in the log4j.properties file (tomcat/webapps/alfresco/WEB-INF/classes). Restart Alfresco and you will then see debug info when you try to login.

geoffrey1211
Champ in-the-making
I already included this in log4j.properties
log4j.logger.org.alfresco.repo.security.authentication.ldap=debug

When I try to log in using the alfresco login screen, I cannot use my AD credentials, only the alfresco ones. And there's nothing in the log about why it cannot authenticate. It is almost as if it never even tries to hit the AD.

Is there any way to know whether or not it hits the AD? Is there anything that I have not done? I enabled the ldap-authentication-context.xml w/ changes to the properties file:
a. <bean name="authenticationDao" . . . to <bean name="authenticationDaoLDAP"
b. <bean id="authenticationComponent" to <bean id="authenticationComponentLDAP"
Is there anything else that needs to be done?

My ultimate goal is to have a secure login (maybe using SSL or anything other than "simple"), but I can't even get this simplest case working.  Please help!!

steffen
Champ in-the-making
Hi,

try renaming the beans in the ldap-authentication-context.xml:

authenticationDaoLDAP to authenticationDao

and

authenticationComponentLDAP to authenticationComponent

HTH

steffen


Alfresco ECM solution engineer | ecm@dmc.de | http://www.dmc.de/ecm

geoffrey1211
Champ in-the-making
Thank you very much! It worked.

now, I wonder if I can use DIGEST-MD5 to get CIFS authenticated by AD as well?
CIFS needs MD4 or kerberos - does this mean DIGEST-MD5 is ok?  I tried it, but it did not succeed:



15:53:07,740 User:System ERROR [smb.protocol.auth] No valid CIFS authentication combination available
15:53:07,740 User:System ERROR [smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
15:53:07,740 User:System ERROR [alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
org.alfresco.error.AlfrescoRuntimeException: Invalid CIFS authenticator configuration
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:389)
   at org.alfresco.jlan.smb.server.CIFSConfigSection.setAuthenticator(CIFSConfigSection.java:607)
   at org.alfresco.filesys.ServerConfigurationBean.processCIFSServerConfig(ServerConfigurationBean.java:881)
   at org.alfresco.filesys.ServerConfigurationBean.init(ServerConfigurationBean.java:546)
   at org.alfresco.filesys.ServerConfigurationBean.onApplicationEvent(ServerConfigurationBean.java:3098)
   at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
   at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
   at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
   at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
   at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:244)
   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:187)
   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:516)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)



Or do we have to go through all the steps under "Configuring the Alfresco CIFS and web servers for Kerberos/Active Directory integration" in the "Install_Configure_Alfresco_Lab3Stable.pdf" document? That's quite a lengthy process for something that seems so basic.

Can you tell me please?

jottley
Confirmed Champ
DIGEST-MD5 will work. You need to configure the filesystem to authenticate against AD. Add one of the following to your file-servers-custom.xml (updating the Server tag with your server).



<config evaluator="string-compare" condition="CIFS Server">
     <!-- The following defines the authentication connector to an AD server -->
     <authenticator type="passthru">
          <!-- within the following tag place a comma delimited list of your AD servers that Alfresco should talk to -->
          <Server>192.168.20.10</Server>
     </authenticator>
</config>

or


<config evaluator="string-compare" condition="CIFS Server" replace="true">
     <serverEnable enabled="true"/>
     <host name="${localname}A" domain="WORKGROUP"/>
     <!-- The name attribute can use the special token of {localname} to use the local servers host name
          and generate a unique name by prepending/appending to it. -->
     <comment>Alfresco CIFS Server</comment>

     <!-- Set to the broadcast mask for the subnet -->
     <broadcast>255.255.255.255</broadcast>

     <!-- Use Java socket based NetBIOS over TCP/IP and native SMB on linux -->
     <tcpipSMB platforms="linux,solaris,macosx"/>
     <netBIOSSMB platforms="linux,solaris,macosx"/>

     <!-- Use Win32 NetBIOS interface on Windows -->
     <Win32NetBIOS/>
     <Win32Announce interval="5"/>
     <hostAnnounce interval="5"/>

     <!-- The following defines the authentication connector to an AD server -->
     <authenticator type="passthru">
          <!-- within the following tag place a comma delimited list of your AD servers that Alfresco should talk to -->
          <Server>192.168.20.10</Server>
     </authenticator>

     <sessionDebug flags="Negotiate,Socket"/>
</config>

geoffrey1211
Champ in-the-making
What I did:
*  added the code you suggested into file-servers-custom.xml
*  configured my AD server to use "DIGEST-MD5 (SASL)"  authentication
*  changed ldap-authentication.properties to become like this:

ldap.authentication.userNameFormat=%s
ldap.authentication.java.naming.security.authentication=DIGEST-MD5

What I observed after starting alfresco:
*  no error in the log
*  CIFS server is running  (machinenameA shows with "nbtstat -n")
*  login FAILED

My suspected culprits:
*  "SASL Realm" on my AD server - currently left to blank.  Don't know what to put here?
*  the encryption method for the user entry's password on AD server - I should use DIGEST-MD5 right?


Any idea what could fix this?
Appreciate your help.
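The thread twice runs into the same blind spot: the web client fails to log in and nothing says whether the directory was ever reached, first with the simple bind and userNameFormat template of the original post, then with the DIGEST-MD5 attempt above. The following is an added example, not Alfresco's code or anything posted in this thread: a stand-alone JNDI program that builds the same environment the ldap.authentication.java.naming.* properties feed into LDAPInitialDirContextFactoryImpl and reports exactly which NamingException the bind produces. The escapeDnValue helper is my own RFC 4514 escaping of the typed user id before it is substituted into the DN template (an approximation of what the escapeCommasInBind setting is for, not Alfresco's implementation); the realm handling uses the java.naming.security.sasl.realm property the context file's comment mentions. Host, port, template and realm are taken from the command line and are placeholders.

```java
// Added example (not Alfresco's code): reproduce the bind that LDAPInitialDirContextFactoryImpl
// performs, outside Alfresco, so the real JNDI failure is visible instead of a silent login page.
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapBindCheck {

    /** Escape the characters RFC 4514 gives special meaning in a DN attribute value, so a typed id
     *  such as "Bloggs, Joe" cannot add or alter RDNs when substituted into the userNameFormat
     *  template. (My approximation of what escapeCommasInBind guards, not Alfresco's code.) */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == value.length() - 1);
            if (",+\"\\<>;=".indexOf(c) >= 0 || (c == '#' && i == 0) || edgeSpace) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Apply the userNameFormat rule from the context file: "%s" alone passes the id through
     *  unchanged (SASL mechanisms such as DIGEST-MD5); any other value is a DN template. */
    static String principalFor(String userNameFormat, String userId) {
        if ("%s".equals(userNameFormat)) {
            return userId;
        }
        return userNameFormat.replace("%s", escapeDnValue(userId));
    }

    /** Attempt the bind. Returns null on success, otherwise a message classifying the failure. */
    static String tryBind(String url, String mechanism, String realm, String principal, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                     // e.g. ldap://delljoeb:10389
        env.put(Context.SECURITY_AUTHENTICATION, mechanism);    // "simple" or "DIGEST-MD5"
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        if (realm != null && !realm.isEmpty()) {
            // Some SASL mechanisms need a realm; the property name is the one the context file cites.
            env.put("java.naming.security.sasl.realm", realm);
        }
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);                   // the bind happens here
            return null;
        } catch (AuthenticationException e) {
            return "directory reached, credentials rejected: " + e.getMessage();
        } catch (NamingException e) {
            return "could not bind (URL, network, mechanism or realm problem): " + e;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    /** Read the password without putting it on the command line (visible in process listings). */
    static String readPassword(String userId) throws IOException {
        Console console = System.console();
        if (console != null) {
            return new String(console.readPassword("Password for %s: ", userId));
        }
        String line = new BufferedReader(new InputStreamReader(System.in)).readLine();
        return line == null ? "" : line;
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 4) {
            System.err.println("usage: LdapBindCheck <ldap-url> <simple|DIGEST-MD5> <userNameFormat> <userId> [realm]");
            System.exit(2);
        }
        String realm = args.length > 4 ? args[4] : null;
        String principal = principalFor(args[2], args[3]);
        String failure = tryBind(args[0], args[1], realm, principal, readPassword(args[3]));
        System.out.println("bind as '" + principal + "' via " + args[1] + ": "
                + (failure == null ? "OK" : failure));
        System.exit(failure == null ? 0 : 1);
    }
}
```

Compile with javac LdapBindCheck.java. For the original post's settings the call is `java LdapBindCheck ldap://delljoeb:10389 simple "cn=%s,ou=users,ou=system" user1`; for the DIGEST-MD5 attempt it is `java LdapBindCheck ldap://delljoeb:10389 DIGEST-MD5 %s user1 <realm>`, with the realm the directory advertises. An OK result means the directory accepted exactly the principal and mechanism Alfresco would send, so a failing web login lies in the Alfresco wiring (as the bean renaming turned out to be here); an AuthenticationException means the directory was reached and rejected the DN or password, which is the case to compare against the userNameFormat and realm questions in the thread.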