Hyland Connect

sessa · ‎09-05-2007

Hi !

I configured NTLM SSO as descriped in "Configuring NTLM".

everything works find, except one thing:

Only users who are added in in custom-authority-services-context.xml in the adminUsers-Tag (<property name="adminUsers">) can access with Internet Explorer.
Other users get an error:

java.lang.NullPointerException 
at org.alfresco.repo.security.authority.AuthorityServiceImpl.getAuthoritiesForUser(AuthorityServiceImpl.java:152) 
at org.alfresco.repo.security.authority.AuthorityServiceImpl.getAuthorities(AuthorityServiceImpl.java:141) 
at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.getAuthorisations(PermissionServiceImpl.java:457) 
‍‍‍‍‍

Where can i configure that everybody who is logged in into Windows can access Alfresco ?
Do i need LDAP ?

thanks,
Sessa

andy · ‎09-10-2007

Hi

I am not sure what is working and what is not.

Can you gice the repo version and describe which authentication modules you have wired up and post the full stack trace please.

Andy

sessa · ‎09-11-2007

custom-authority-services-context.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
    <bean id="authorityService" class="org.alfresco.repo.security.authority.AuthorityServiceImpl">
        <property name="authenticationComponent">
            <ref bean="authenticationComponent" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="authorityDAO">
            <ref bean="authorityDAO" />
        </property>
        <property name="permissionServiceSPI">
            <ref bean="permissionServiceImpl" />
        </property>
        <property name="adminUsers">
            <set>
             <value>alfrescocifs</value> <!– add an NTLM user as an Administrator –>
             <value>admin</value>
             <value>User_1</value>
             <value>User_2</value>
             <value>administrator</value>
          </set>
        </property>
    </bean>
</beans> 
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

file-servers-custom.xml:


<alfresco-config area="file-servers">

   <!– To override the default Alfresco filesystem use replace="true", to –>
      
   <config evaluator="string-compare" condition="Filesystems" replace="true">
      <filesystems>

         <filesystem name="Alfresco">
            <store>workspace://SpacesStore</store>
            <rootPath>/app:company_home</rootPath>

            <urlFile>
               <filename>__Alfresco.url</filename>
               <webpath>http://${localname}:8080/alfresco/</webpath>
            </urlFile>
            <!– Mark locked files as offline –>
            <offlineFiles/>
            <!– Desktop actions –>
            <desktopActions>
               <global>
                  <path>alfresco/desktop/Alfresco.exe</path>
                  <webpath>http://${localname}:8080/alfresco/</webpath>
               </global>
               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.CheckInOutDesktopAction</class>
                  <name>CheckInOut</name>
                  <filename>__CheckInOut.exe</filename>
               </action>
               <action>
                  <class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
                  <name>JavaScriptURL</name>
                  <filename>__ShowDetails.exe</filename>
                  <script>alfresco/desktop/showDetails.js</script>
                  <attributes>anyFiles</attributes>
                  <preprocess>copyToTarget</preprocess>
               </action>
            </desktopActions>
         </filesystem>
       <!– AVM virtualization view of all stores/versions for WCM –>
         <avmfilesystem name="AVM">
            <virtualView/>
         </avmfilesystem>  
      </filesystems>
   </config>
   
   <config evaluator="string-compare" condition="Filesystem Security" replace="true">
  
      <authenticator type="alfresco">
            <LocalDomain/> 
     </authenticator>
   </config>
</alfresco-config>
‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

ntlm-authentication-context.xml:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
    <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />       
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl"> 
    
        <property name="servers"> 
           <value>MY_DOMAIN\IP-ADDRESS</value>
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent" />
        </property> 
        <property name="guestAccess">
            <value>false</value>
        </property>
    </bean>
</beans>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Error:

15:02:11,242 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/alfresco].[Faces Servlet]] Servlet.service() for servlet Faces Servlet threw exception
java.lang.NullPointerException
   at org.alfresco.repo.security.authority.AuthorityServiceImpl.getAuthoritiesForUser(AuthorityServiceImpl.java:152)
   at org.alfresco.repo.security.authority.AuthorityServiceImpl.getAuthorities(AuthorityServiceImpl.java:141)
   at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.getAuthorisations(PermissionServiceImpl.java:457)
   at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.hasPermission(PermissionServiceImpl.java:347)
   at org.alfresco.repo.security.permissions.impl.PermissionServiceImpl.hasPermission(PermissionServiceImpl.java:580)
   at sun.reflect.GeneratedMethodAccessor279.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:281)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:187)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:154)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
   at $Proxy9.hasPermission(Unknown Source)
   at org.alfresco.repo.security.permissions.impl.acegi.ACLEntryVoter.vote(ACLEntryVoter.java:358)
   at net.sf.acegisecurity.vote.AffirmativeBased.decide(AffirmativeBased.java:69)
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:394)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.alfresco.repo.audit.AuditComponentImpl.auditImpl(AuditComponentImpl.java:256)
   at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:191)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:176)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:210)
   at $Proxy2.getProperty(Unknown Source)
   at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:786)
   at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:402)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
   at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
   at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
   at java.lang.Thread.run(Thread.java:619)‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

This error occurs if a user which is not added in custom-authority-services-context.xml, <adminUsers>.

If I add the user, he can login.

Alfresco version: I checked out the files from SVN 06. Sept. 2007

What did i do wrong ?

thanks a lot,
Sessa

andy · ‎09-11-2007

Hi

Check your config with the current authority-services-context.xml. I think you are missing a service injection after a recent change.

Andy

sessa · ‎09-12-2007

I got the newsest files from SVN and still have the same error.

Do i need to change something in authentication-services-context.xml ?
Oder do i need the ldap…. xml file ?

how does alfresco get the roles from the AD ?

rubi · ‎09-17-2007

Hei Sessa/Andy

I have the same config in my Alfresco (SSO and NTLM), and I also can't find/or search AD users. Those who have signed in once via SSO I can search up in Alfresco, but Alfresco have problems with connection to AD to find users who haven't signed inn thru SSO.

Here is my error messages:

11:40:00,546 ERROR [org.quartz.core.JobRunShell] Job DEFAULT.ldapGroupJobDetail threw an unhandled Exception:
org.alfresco.repo.importer.ExportSourceImporterException: Failed to import
   at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:214)
   at org.alfresco.repo.importer.ImporterJob.execute(ImporterJob.java:44)
   at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
   at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: org.alfresco.repo.security.authentication.AuthenticationException: LDAP authentication failed.
   at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:89)
   at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:78)
   at org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource.buildGroupsAndRoots(LDAPGroupExportSource.java:380)
   at org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource.generateExport(LDAPGroupExportSource.java:182)
   at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:174)
   … 3 more
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
   at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2985)
   at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2931)
   at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2732)
   at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2646)
   at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:283)
   at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
   at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
   at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
   at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
   at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
   at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
   at javax.naming.InitialContext.init(InitialContext.java:223)
   at javax.naming.InitialContext.<init>(InitialContext.java:197)
   at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
   at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:85)
   … 7 more
—————-
I'm using LDAP, is this even possible with SSO-NTLM config?

andy · ‎09-17-2007

Hi

This is an LDAP authentication issue. Check that your user and password setting for LDAP sync are correct and that the LDAP server suports the selected authentication mechanism. Yiu should also try connecting with a simple LDQAP client (eg the Softerra LDAP client) and run the same query to find users and groups.

Andy

Hyland Connect

SSO with NTLM: need to add User in XML ?