
Two LDAP server setup

bensewell
Champ in-the-making
Hi, I've read through the Alfresco wiki and a few related posts but can't seem to nail this one down.

Here's the scenario.
My Alfresco is working fine through LDAP and local user accounts.  I now want it to chain to LDAP1, LDAP2 and then local.  I copied the content from the subsystems authentication folder from ldap to a new folder called ldap2.

Then changed the settings in the global config to:

### Authentication chain settings###
authentication.chain=ldap1:ldap,ldap2:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s@domaina.co.uk
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://ad01.domaina.co.uk:389
ldap.authentication.defaultAdministratorUserNames=alfrescosr
ldap.synchronization.active=false

###ad2-settings###  Configured  07/06/11
ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s@domainb.co.uk
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://ad01.domainb.co.uk:389
ldap.synchronization.active=false

But I'm unsure if this will work. I need to take the server offline when I do this change, so I really want to make sure it will work before restarting the Alfresco / Tomcat services.

Is this the right way to set up 2 LDAP servers for chaining?

Please can anyone point out if this is the right way to do it or have I done a big no-no?

Thanks, Ben

bensewell
Champ in-the-making
So I've been reading further using this article

http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_2:_Advanced_LDAP_Chain

And I've made an ldap1 and ldap2 folder with the ldap-authentication.properties files, just editing these to reflect the settings in the global configuration for the two servers. Then will these be loaded by default if I take the current user chaining out of the global config file, or do I have to reference the two files somehow? I've managed to get some downtime for tomorrow AM.

Cheers

bensewell
Champ in-the-making
So here's what I tried. I took the settings from the global configuration file for our current LDAP server and added them into

/opt/alfresco-3.4.d/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/ldap1/ldap-ad-authentication.properties

The contents are as below:

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s@domain1.co.uk
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://ad1.domain1.co.uk:389
ldap.authentication.defaultAdministratorUserNames=alfresco_user
ldap.synchronization.active=false

The new LDAP settings for LDAP chaining 2 are saved into the

/opt/alfresco-3.4.d/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap-ad/ldap2/ldap-ad-authentication.properties

With the same contents but for the second AD chain:

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s@domain2.co.uk
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://ad1.domain2.co.uk:389
ldap.authentication.defaultAdministratorUserNames=alfresco_user
ldap.synchronization.active=false

Then lastly to pull these together in the global configuration file it has the following for the chaining:

### Authentication settings ###
authentication.chain=ldap1:ldap,ldap2:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.synchronization.active=false

If I enter our LDAP 1 server directly into the global config file it works and I can log in using an AD account from domain1. However, when I take this out I can't log in to the system using an account from domain1. If I revert the settings back into the global config I can. Is there something I'm missing here?

Anyone?

bensewell
Champ in-the-making
http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#Example_1:_Advanced_AD_Chain

After double-checking the wiki I've put the ldap1 and ldap2 folders into the:

/opt/alfresco-3.4.d/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ *ldap1*  *ldap2*

I'm going to revert to the modified global config file, restart the services and see if this works.

bensewell
Champ in-the-making
So I've nearly got it working now.

The two configs are in the correct folders:
/opt/alfresco-3.4.d/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap1
/opt/alfresco-3.4.d/tomcat/shared/classes/alfresco/extension/subsystems/Authentication/ldap/ldap2

The ldap1 is working fine and is like below:

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%s@domain1.co.uk
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://ad1.domain1.co.uk:389
ldap.authentication.defaultAdministratorUserNames=alfresco_user
ldap.synchronization.active=false

Ldap2 is not working and looks like this:

ldap.authentication.active=true
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.userNameFormat=%sou=Users,dc=domain2,dc=co,dc=uk
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.provider.url=ldap://dc02.domain2.co.uk:389
ldap.synchronization.active=false

The LDAP is working fine on LDAP server one but not on two. I can successfully talk to the LDAP server using an LDAP browser, so I know there are no connectivity issues. So my next attempt is to simplify the ldap.authentication.userNameFormat= and try %s@domain2.co.uk

The IT admins told me I need to search for attribute uid, so maybe the config is wrong.

Anyone have any more pointers? I know I'm nearly there! :roll:

bensewell
Champ in-the-making
Further progress here.

So I changed the ldap2 configuration file to be

uid=%s,ou=External,ou=Users,dc=domain1,dc=co,dc=uk

As my testing account is in an OU called External. However, I want to include the higher-level group like below:

DOMAIN1
  USERS
    EXTERNAL
    GROUP1
    GROUP2
    GROUP3

So it works if I add the EXTERNAL but doesn't include all the sub groups when I add the USERS in?

Anyone?

bensewell
Champ in-the-making
Anyone?

The other things I've thought about: adding a -s to the string indicates a sub scope, and maybe that would work.

uid=%-s,ou=Users,dc=domain1,dc=co,dc=uk

Or

cn=%s,ou=Users,dc=domain1,dc=co,dc=uk
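A pre-flight check for the chain configuration this thread walks through, added here as an example and not part of the original posts or of Alfresco itself. It assumes `ldap.authentication.userNameFormat` takes one of the two forms seen above, a UPN (`%s@domain`) or a DN template whose first RDN carries `%s`, and it takes each instance's properties text as input so that reading the files from the extension path is left to the caller; the sample configs are constructed.

```python
"""Offline sanity check of an Alfresco authentication chain before a restart.
Added example, not Alfresco code. `configs` maps each chain instance id to
the text of its ldap-authentication.properties file."""
import re

# Accepted userNameFormat shapes (assumption from the thread's examples):
# a UPN such as "%s@domain" or a DN whose first RDN holds the placeholder.
UPN_RE = re.compile(r"^%s@[\w.-]+$")
DN_RE = re.compile(r"^[A-Za-z]+=%s(,[A-Za-z]+=[^,]+)+$")


def parse_chain(chain):
    """'ldap1:ldap,ldap2:ldap' -> [('ldap1', 'ldap'), ('ldap2', 'ldap')]."""
    return [tuple(part.split(":", 1)) for part in chain.split(",") if part]


def load_properties(text):
    """Minimal key=value parser; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_user_name_format(fmt):
    """Return a list of problems with a userNameFormat value ([] means OK)."""
    if "%s" not in fmt:  # also catches variants such as "%-s"
        return ["no %s placeholder: every login would bind as the same entry"]
    if UPN_RE.match(fmt) or DN_RE.match(fmt):
        return []
    return ["neither 'user@domain' nor 'attr=%s,...' form: check for a "
            "missing attribute or comma around %s"]


def audit_chain(chain, configs):
    """Return {instance id: [problems]} for each ldap instance in the chain."""
    report = {}
    for inst, kind in parse_chain(chain):
        if kind != "ldap":
            continue  # alfrescoNtlm and friends carry no userNameFormat
        if inst not in configs:
            report[inst] = ["no properties file found for this instance"]
            continue
        fmt = load_properties(configs[inst]).get(
            "ldap.authentication.userNameFormat", "")
        report[inst] = check_user_name_format(fmt)
    return report


# Constructed samples: ldap2 reproduces the "%sou=Users,..." typo (no
# attribute and no comma after %s) from the non-working config above.
SAMPLE = {
    "ldap1": "ldap.authentication.userNameFormat=%s@domain1.co.uk\n",
    "ldap2": "ldap.authentication.userNameFormat=%sou=Users,dc=domain2,dc=co,dc=uk\n",
}
```

Running `audit_chain("ldap1:ldap,ldap2:ldap,alfrescoNtlm1:alfrescoNtlm", SAMPLE)` reports ldap1 clean and ldap2 with one malformed-template problem; a DN template that does pass still only binds entries directly under the OU it names, which is why the nested External OU needed its own path.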