Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Hyland Connect
- Enterprise Platforms
- Alfresco
- Alfresco Archive
- Re: Yet another Active Directory Sync
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Yet another Active Directory Sync
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-04-2008 08:24 AM
Hello everyone,
First of all, escuse me for my poor english…
I am currently testing Alfresco. I managed to run authentication on a Active Directory domain via NTLM.
I suffer now on the synchronisation of users and groups. I found a lot of information on how to configure the synchronisation and in particular an article on the Alfresco Wiki (link below).
However, despite all my efforts, I never arrive to make the system work. My problem is that Alfresco is unable to authenticate with the Active Directory domain (LDAP authentication, not KERBEROS) before the synchronisation. Below you can see a screenshot of a capture produced with Wireshark which shows the Alfresco’s request of and especially the Domain Controler’s response.
I think it's possible that i have made some mistakes somewhere or possibly I have missed some information. Maybe some prerequisites (not detailed in forums posts) are necessary? (AD server side configuration for example). I don’t know where to look, I have exhausted my stock of keywords on google and forums.
Alfresco (2.9B - Tomcat Bundle) is running on a Scientific Linux 5.1 Box and Sun JRE 1.6 Update 6.
You will find below my configuration files and log files.
Log file "catalina.out"
Configuration files for AD Sync :
ldap-synchronisation.properties
ldap-synchronisation-context.xml
ldap-authentication.properties
ldap-authentication-context.xml
Screenshot of the capture produced by Wireshark:
[img]http://img60.imageshack.us/img60/1029/ldapreqrespdu3.th.jpg[/img]
Configuration files for NTLM Authentication :
Wy configuration was based on this tutorial :
http://forums.alfresco.com/en/viewtopic.php?t=7750&postdays=0&postorder=asc&start=15
ntlm-authentication-context.xml
web.xml
file-servers.xml
You will find below a few links on which I have based to configure Alfresco and LDAP sync.
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#Active_Directory_...
http://forums.alfresco.com/en/viewtopic.php?f=9&t=2675
http://forums.alfresco.com/en/viewtopic.php?p=37456
http://forums.alfresco.com/fr/viewtopic.php?t=1339
http://forums.alfresco.com/fr/viewtopic.php?f=6&t=1010
http://forums.alfresco.com/fr/viewtopic.php?f=8&t=406&st=0&sk=t&sd=a
Thanks in advance,
Leodd
First of all, escuse me for my poor english…
I am currently testing Alfresco. I managed to run authentication on a Active Directory domain via NTLM.
I suffer now on the synchronisation of users and groups. I found a lot of information on how to configure the synchronisation and in particular an article on the Alfresco Wiki (link below).
However, despite all my efforts, I never arrive to make the system work. My problem is that Alfresco is unable to authenticate with the Active Directory domain (LDAP authentication, not KERBEROS) before the synchronisation. Below you can see a screenshot of a capture produced with Wireshark which shows the Alfresco’s request of and especially the Domain Controler’s response.
I think it's possible that i have made some mistakes somewhere or possibly I have missed some information. Maybe some prerequisites (not detailed in forums posts) are necessary? (AD server side configuration for example). I don’t know where to look, I have exhausted my stock of keywords on google and forums.
Alfresco (2.9B - Tomcat Bundle) is running on a Scientific Linux 5.1 Box and Sun JRE 1.6 Update 6.
You will find below my configuration files and log files.
Log file "catalina.out"
Jun 30, 2008 9:08:19 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Jun 30, 2008 9:08:19 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2046 ms
Jun 30, 2008 9:08:20 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Jun 30, 2008 9:08:20 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Jun 30, 2008 9:08:20 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
09:09:58,954 User:System DEBUG [smb.protocol.auth] Added passthru server [TEST\SRVTEST:192.168.123.1:Offline:0,0]
09:09:59,037 DEBUG [smb.protocol.auth] New auth session from vm-alfresco_1 to \\192.168.123.1\IPC$\
09:09:59,138 DEBUG [smb.protocol.auth] Trying address 192.168.123.1
09:09:59,272 DEBUG [smb.protocol.auth] Connected to address 192.168.123.1
09:09:59,272 DEBUG [smb.protocol.auth] Connected session, protocol : TCP/IP NetBIOS
09:09:59,288 DEBUG [smb.protocol.auth] SessionFactory: Negotiated SMB dialect NT LM 0.12
09:09:59,297 DEBUG [smb.protocol.auth] Passthru server online, [TEST\SRVTEST:192.168.123.1:Online:0,0]
09:10:05,644 User:System WARN [remoting.rmi.RmiRegistryFactoryBean] Could not detect RMI registry - creating new one
09:10:12,536 User:System WARN [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server supports anonymous bind ldap://srvtest.test.local:389
09:10:12,555 User:System INFO [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a string uid and password at ldap://srvtest.test.local:389
09:10:12,587 User:System INFO [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://srvtest.test.local:389
09:10:12,603 User:System INFO [authentication.ldap.LDAPInitialDirContextFactoryImpl] LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://srvtest.test.local:389
09:10:13,187 User:System INFO [domain.schema.SchemaBootstrap] Schema managed by database dialect org.hibernate.dialect.MySQLInnoDBDialect.
09:10:14,522 User:System INFO [domain.schema.SchemaBootstrap] No changes were made to the schema.
09:10:17,029 User:System INFO [repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: /data/alf_data
09:10:17,079 User:System INFO [admin.patch.PatchExecuter] Checking for patches to apply …
09:10:17,798 User:System INFO [repo.module.ModuleServiceImpl] Found 0 module(s).
09:10:18,121 User:System WARN [alfresco.util.OpenOfficeConnectionTester] A connection to OpenOffice could not be established.
09:10:18,126 User:System INFO [service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_06-b02; maximum heap size 253.188MB
09:10:18,127 User:System WARN [service.descriptor.DescriptorService] Alfresco JVM - WARNING - maximum heap size 253.188MB is less than recommended 512MB
09:10:18,128 User:System INFO [service.descriptor.DescriptorService] Alfresco started (Community Network): Current version 2.9.0 (B 683) schema 116 - Installed version 2.9.0 (B 683) schema 116
Jun 30, 2008 9:10:26 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Jun 30, 2008 9:10:26 AM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Jun 30, 2008 9:10:26 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 126774 ms
]Configuration files for AD Sync :
ldap-synchronisation.properties
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
# How to map the user id entered by the user to taht passed through to LDAP
# - simple
# - this must be a DN and would be something like
# CN=%s,DC=company,DC=com
# - digest
# - usually pass through what is entered
# %s
ldap.authentication.userNameFormat=samaccountname=%s
#ldap.authentication.userNameFormat=%s
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://srvtest.test.local:389
# The authentication mechanism to use
#ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.java.naming.security.authentication=SIMPLE
# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=CN=alfresco,OU=OUALFRESCO,DC=TEST,dc=local
#ldap.authentication.java.naming.security.principal=alfresco
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=alfresco
ldap-synchronisation-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<bean name="ldapSynchronisationPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="ignoreUnresolvablePlaceholders">
<value>true</value>
</property>
<property name="locations">
<value>classpath:alfresco/extension/ldap-synchronisation.properties</value>
</property>
</bean>
<!–
Wire up the same context as used for LDAP authentication. You could use another context: just replace this
alias with the bean definition
–>
<alias alias="ldapSyncInitialDirContextFactory" name="ldapInitialDirContextFactory"/>
<!– Ldap Syncronisation support –>
<!–
There can be more than one stack of beans that import users or groups. For example, it may be easier
to have a version of ldapPeopleExportSource, and associated beans, for each sub-tree of your ldap directory
from which you want to import users. You could then limit users to be imported from two or more sub tress and ignore
users found else where. The same applies to the import of groups.
The defaults shown below are for OpenLDAP.
–>
<!– Extract user information from LDAP and transform this to XML –>
<bean id="ldapPeopleExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource">
<!–
The query to select objects that represent the users to import.
For Open LDAP, using a basic schema, the following is probably what you want:
(objectclass=inetOrgPerson)
For Active Directory:
(objectclass=user)
–>
<property name="personQuery">
<value>${ldap.synchronisation.personQuery}</value>
</property>
<!–
The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
–>
<property name="searchBase">
<value>${ldap.synchronisation.personSearchBase}</value>
</property>
<!–
The unique identifier for the user.
THIS MUST MATCH WHAT THE USER TYPES IN AT THE LOGIN PROMPT
For simple LDAP authentication this is likely to be "cn" or, less friendly, "distinguishedName"
In OpenLDAP, using other authentication mechanisms "uid", but this depends on how you map
from the id in the LDAP authentication request to search for the inetOrgPerson against which
to authenticate.
In Active Directory this is most likely to be "sAMAccountName"
This property is mandatory and must appear on all users found by the query defined above.
–>
<property name="userIdAttributeName">
<value>${ldap.synchronisation.userIdAttributeName}</value>
</property>
<!– Services –>
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapSyncInitialDirContextFactory"/>
</property>
<property name="personService">
<ref bean="personService"></ref>
</property>
<property name="namespaceService">
<ref bean="namespaceService"/>
</property>
<!–
This property defines a mapping between attributes held on LDAP user objects and
the properties of user objects held in the repository. The key is the QName of an attribute in
the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
LDAP repository.
–>
<property name="attributeMapping">
<map>
<entry key="cm:userName">
<!– Must match the same attribute as userIdAttributeName –>
<value>${ldap.synchronisation.userIdAttributeName}</value>
</entry>
<entry key="cm:firstName">
<!– OpenLDAP: "givenName" –>
<!– Active Directory: "givenName" –>
<value>${ldap.synchronisation.userFirstNameAttributeName}</value>
</entry>
<entry key="cm:lastName">
<!– OpenLDAP: "sn" –>
<!– Active Directory: "sn" –>
<value>${ldap.synchronisation.userLastNameAttributeName}</value>
</entry>
<entry key="cm:email">
<!– OpenLDAP: "mail" –>
<!– Active Directory: "???" –>
<value>${ldap.synchronisation.userEmailAttributeName}</value>
</entry>
<entry key="cm:organizationId">
<!– OpenLDAP: "o" –>
<!– Active Directory: "???" –>
<value>${ldap.synchronisation.userOrganizationalIdAttributeName}</value>
</entry>
<!– Always use the default –>
<entry key="cm:homeFolderProvider">
<null/>
</entry>
</map>
</property>
<!– Set a default home folder provider –>
<!– Defaults only apply for values above –>
<property name="attributeDefaults">
<map>
<entry key="cm:homeFolderProvider">
<value>${ldap.synchronisation.defaultHomeFolderProvider}</value>
</entry>
</map>
</property>
</bean>
<!– Extract group information from LDAP and transform this to XML –>
<bean id="ldapGroupExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource">
<!–
The query to select objects that represent the groups to import.
For Open LDAP, using a basic schema, the following is probably what you want:
(objectclass=groupOfNames)
For Active Directory:
(objectclass=group)
–>
<property name="groupQuery">
<value>${ldap.synchronisation.groupQuery}</value>
</property>
<!–
The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
–>
<property name="searchBase">
<value>${ldap.synchronisation.groupSearchBase}</value>
</property>
<!–
The unique identifier for the user. This must match the userIdAttributeName on the ldapPeopleExportSource bean above.
–>
<property name="userIdAttributeName">
<value>${ldap.synchronisation.userIdAttributeName}</value>
</property>
<!–
An attribute that is a unique identifier for each group found.
This is also the name of the group with the current group implementation.
This is mandatory for any groups found.
OpenLDAP: "cn" as it is mandatory on groupOfNames
Active Directory: "cn"
–>
<property name="groupIdAttributeName">
<value>${ldap.synchronisation.groupIdAttributeName}</value>
</property>
<!–
The objectClass attribute for group members.
For each member of a group, the distinguished name is given.
The object is looked up by its DN. If the object is of this class it is treated as a group.
–>
<property name="groupType">
<value>${ldap.synchronisation.groupType}</value>
</property>
<!–
The objectClass attribute for person members.
For each member of a group, the distinguished name is given.
The object is looked up by its DN. If the object is of this class it is treated as a person.
–>
<property name="personType">
<value>${ldap.synchronisation.personType}</value>
</property>
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapSyncInitialDirContextFactory"/>
</property>
<property name="namespaceService">
<ref bean="namespaceService"/>
</property>
<!–
The repeating attribute on group objects (found by query or as sub groups)
used to define membership of the group. This is assumed to hold distinguished names of
other groups or users/people; the above types are used to determine this.
OpenLDAP: "member" as it is mandatory on groupOfNames
Active Directory: "member"
–>
<property name="memberAttribute">
<value>${ldap.synchronisation.groupMemberAttributeName}</value>
</property>
<property name="authorityDAO">
<ref bean="authorityDAO"/>
</property>
</bean>
<!– Job definitions to import LDAP people and groups –>
<!– The triggers register themselves with the scheduler –>
<!– You may comment in the default scheduler to enable these triggers –>
<!– If a cron base trigger is what you want seee scheduled-jobs-context.xml for examples. –>
<!– Trigger to load poeple –>
<!– Note you can have more than one initial (context, trigger, import job and export source) set –>
<!– This would allow you to load people from more than one ldap store –>
<bean id="ldapPeopleTrigger" class="org.alfresco.util.CronTriggerBean">
<property name="jobDetail">
<bean id="ldapPeopleJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
<property name="jobClass">
<value>org.alfresco.repo.importer.ImporterJob</value>
</property>
<property name="jobDataAsMap">
<map>
<entry key="bean">
<ref bean="ldapPeopleImport"/>
</entry>
</map>
</property>
</bean>
</property>
<property name="cronExpression">
<value>${ldap.synchronisation.import.person.cron}</value>
</property>
<property name="scheduler">
<ref bean="schedulerFactory" />
</property>
</bean>
<bean id="ldapGroupTrigger" class="org.alfresco.util.CronTriggerBean">
<property name="jobDetail">
<bean id="ldapGroupJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
<property name="jobClass">
<value>org.alfresco.repo.importer.ImporterJob</value>
</property>
<property name="jobDataAsMap">
<map>
<entry key="bean">
<ref bean="ldapGroupImport"/>
</entry>
</map>
</property>
</bean>
</property>
<property name="cronExpression">
<value>${ldap.synchronisation.import.group.cron}</value>
</property>
<property name="scheduler">
<ref bean="schedulerFactory" />
</property>
</bean>
<!– The bean that imports xml describing people –>
<bean id="ldapPeopleImport" class="org.alfresco.repo.importer.ExportSourceImporter">
<property name="importerService">
<ref bean="importerComponentWithBehaviour"/>
</property>
<property name="transactionService">
<ref bean="transactionComponent"/>
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponent"/>
</property>
<property name="exportSource">
<ref bean="ldapPeopleExportSource"/>
</property>
<!– The store that contains people - this should not be changed –>
<property name="storeRef">
<value>${spaces.store}</value>
</property>
<!– The location of people nodes within the store defined above - this should not be changed –>
<property name="path">
<value>/${system.system_container.childname}/${system.people_container.childname}</value>
</property>
<!– If true, clear all existing people before import, if false update/add people from the xml –>
<property name="clearAllChildren">
<value>false</value>
</property>
<property name="nodeService">
<ref bean="nodeService"/>
</property>
<property name="searchService">
<ref bean="searchService"/>
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService"/>
</property>
<property name="caches">
<set>
<ref bean="permissionsAccessCache"/>
</set>
</property>
</bean>
<!– The bean that imports xml descibing groups –>
<bean id="ldapGroupImport" class="org.alfresco.repo.importer.ExportSourceImporter">
<property name="importerService">
<ref bean="importerComponentWithBehaviour"/>
</property>
<property name="transactionService">
<ref bean="transactionComponent"/>
</property>
<property name="authenticationComponent">
<ref bean="authenticationComponent"/>
</property>
<property name="exportSource">
<ref bean="ldapGroupExportSource"/>
</property>
<!– The store that contains group information - this should not be changed –>
<property name="storeRef">
<value>${alfresco_user_store.store}</value>
</property>
<!– The location of group information in the store above - this should not be changed –>
<property name="path">
<value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
</property>
<!– If true, clear all existing groups before import, if false update/add groups from the xml –>
<property name="clearAllChildren">
<value>${ldap.synchronisation.import.group.clearAllChildren}</value>
</property>
<property name="nodeService">
<ref bean="nodeService"/>
</property>
<property name="searchService">
<ref bean="searchService"/>
</property>
<property name="namespacePrefixResolver">
<ref bean="namespaceService"/>
</property>
<!– caches to clear on import of groups –>
<property name="caches">
<set>
<ref bean="userToAuthorityCache"/>
<ref bean="permissionsAccessCache"/>
</set>
</property>
<!– userToAuthorityCache –>
</bean>
</beans>
ldap-authentication.properties
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#
# How to map the user id entered by the user to taht passed through to LDAP
# - simple
# - this must be a DN and would be something like
# CN=%s,DC=company,DC=com
# - digest
# - usually pass through what is entered
# %s
ldap.authentication.userNameFormat=samaccountname=%s
#ldap.authentication.userNameFormat=%s
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://srvtest.test.local:389
# The authentication mechanism to use
#ldap.authentication.java.naming.security.authentication=DIGEST-MD5
ldap.authentication.java.naming.security.authentication=SIMPLE
# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=CN=Al Fresco,OU=OUALFRESCO,DC=TEST,dc=local
#ldap.authentication.java.naming.security.principal=alfresco
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=alfresco
ldap-authentication-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<!– The main configuration has moved into a properties file –>
<bean name="ldapAuthenticationPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="ignoreUnresolvablePlaceholders">
<value>true</value>
</property>
<property name="locations">
<value>classpath:alfresco/extension/ldap-authentication.properties</value>
</property>
</bean>
<!– DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. –>
<bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
<property name="allowDeleteUser">
<value>true</value>
</property>
</bean>
<!– LDAP authentication configuration –>
<!–
You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
authentication routes, like Active Directory.
–>
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
<property name="LDAPInitialDirContextFactory">
<ref bean="ldapInitialDirContextFactory"/>
</property>
<property name="userNameFormat">
<!–
This maps between what the user types in and what is passed through to the underlying LDAP authentication.
"%s" - the user id is passed through without modification.
Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
"cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
Usually for simple authentication. Simple authentication always uses the DN for the user.
–>
<value>${ldap.authentication.userNameFormat}</value>
</property>
</bean>
<!–
This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
to pull them out of the LDAP reopsitory
–>
<bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
<property name="initialDirContextEnvironment">
<map>
<!– The LDAP provider –>
<entry key="java.naming.factory.initial">
<value>${ldap.authentication.java.naming.factory.initial}</value>
</entry>
<!– The url to the LDAP server –>
<!– Note you can use space separated urls - they will be tried in turn until one works –>
<!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
<entry key="java.naming.provider.url">
<value>${ldap.authentication.java.naming.provider.url}</value>
</entry>
<!– The authentication mechanism to use –>
<!– Some sasl authentication mechanisms may require a realm to be set –>
<!– java.naming.security.sasl.realm –>
<!– The available options will depend on your LDAP provider –>
<entry key="java.naming.security.authentication">
<value>${ldap.authentication.java.naming.security.authentication}</value>
</entry>
<!– The id of a user who can read group and user information –>
<!– This does not go through the pattern substitution defined above and is used "as is" –>
<entry key="java.naming.security.principal">
<value>${ldap.authentication.java.naming.security.principal}</value>
</entry>
<!– The password for the user defined above –>
<entry key="java.naming.security.credentials">
<value>${ldap.authentication.java.naming.security.credentials}</value>
</entry>
</map>
</property>
</bean>
</beans>
Screenshot of the capture produced by Wireshark:
[img]http://img60.imageshack.us/img60/1029/ldapreqrespdu3.th.jpg[/img]
![[img]http://img60.imageshack.us/img60/1029/ldapreqrespdu3.th.jpg[/img]](http://img60.imageshack.us/my.php?image=ldapreqrespdu3.jpg){kind=link}
Configuration files for NTLM Authentication :
Wy configuration was based on this tutorial :
http://forums.alfresco.com/en/viewtopic.php?t=7750&postdays=0&postorder=asc&start=15
ntlm-authentication-context.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
<beans>
<bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />
<!– The authentication component. –>
<!– Use the passthru authentication component to authenticate using –>
<!– user accounts on one or more Windows servers. –>
<!– Properties that specify the server(s) to use for passthru –>
<!– authentication :- –>
<!– useLocalServer use the local server for authentication –>
<!– domain use domain controllers from the specified domain–>
<!– servers comma delimted list of server addresses or –>
<!– names –>
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl">
<property name="useLocalServer">
<value>true</value>
</property>
<property name="personService">
<ref bean="personService" />
</property>
<property name="nodeService">
<ref bean="nodeService" />
</property>
<property name="transactionService">
<ref bean="transactionComponent" />
</property>
<property name="guestAccess">
<value>false</value>
</property>
<property name="servers">
<value>TEST\SRVTEST</value>
</property>
</bean>
</beans>
web.xml
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<display-name>Alfresco Web Client</display-name>
<description>Alfresco Web Client</description>
<context-param>
<param-name>org.jboss.jbossfaces.WAR_BUNDLES_JSF_IMPL</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>javax.faces.CONFIG_FILES</param-name>
<param-value>/WEB-INF/faces-config-app.xml,/WEB-INF/faces-config-beans.xml,/WEB-INF/faces-config-navigation.xml,/WEB-INF/faces-config-common.xml,/WEB-INF/faces-config-repo.xml,/WEB-INF/faces-config-wcm.xml,/WEB-INF/faces-config-custom.xml</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
<param-value>false</param-value>
<description>This is an EXPERIMENTAL feature, so leave it off for now!</description>
</context-param>
<context-param>
<param-name>org.apache.myfaces.SERIALIZE_STATE_IN_SESSION</param-name>
<param-value>false</param-value>
<description>Stop MyFaces from Serializing the state to the session</description>
</context-param>
<!– TODO: Change this to false for production –>
<context-param>
<param-name>org.apache.myfaces.PRETTY_HTML</param-name>
<param-value>true</param-value>
<description>
If true, rendered HTML code will be formatted, so that it is "human readable".
i.e. additional line separators and whitespace will be written, that do not
influence the HTML code.
Default: "true"
</description>
</context-param>
<context-param>
<param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
<param-value>false</param-value>
<description>
If true, a javascript function will be rendered that is able to restore the
former vertical scroll on every request. Convenient feature if you have pages
with long lists and you do not want the browser page to always jump to the top
if you trigger a link or button action that stays on the same page.
Default: "false"
</description>
</context-param>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:alfresco/application-context.xml
classpath:alfresco/web-framework-application-context.xml
classpath:alfresco/web-client-application-context.xml
classpath:alfresco/web-scripts-application-context.xml
classpath:alfresco/web-pagerenderer-application-context.xml
classpath:web-services-application-context.xml
</param-value>
<description>Spring config file locations</description>
</context-param>
<filter>
<filter-name>Authentication Filter</filter-name>
<!– <filter-class>org.alfresco.web.app.servlet.AuthenticationFilter</filter-class>
–>
<!– For Novell IChain support use the following filter –>
<!–
<filter-class>org.alfresco.web.app.servlet.NovellIChainsHTTPRequestAuthenticationFilter</filter-class>
–>
<!– For NTLM authentication support use the following filter –>
<filter-class>org.alfresco.web.app.servlet.NTLMAuthenticationFilter</filter-class>
</filter>
<filter>
<filter-name>WebDAV Authentication Filter</filter-name>
<!– <filter-class>org.alfresco.repo.webdav.auth.AuthenticationFilter</filter-class>
–>
<!– For NTLM authentication support use the following filter –>
<filter-class>org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter</filter-class>
</filter>
<filter>
<filter-name>Admin Authentication Filter</filter-name>
<filter-class>org.alfresco.web.app.servlet.AdminAuthenticationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/faces/*</url-pattern>
</filter-mapping>
<!– For NTLM authentication support enable the following mapping –>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/navigate/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/command/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Authentication Filter</filter-name>
<url-pattern>/template/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>WebDAV Authentication Filter</filter-name>
<url-pattern>/webdav/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Admin Authentication Filter</filter-name>
<url-pattern>/faces/jsp/admin/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Admin Authentication Filter</filter-name>
<url-pattern>/faces/jsp/categories/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Admin Authentication Filter</filter-name>
<url-pattern>/faces/jsp/groups/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Admin Authentication Filter</filter-name>
<url-pattern>/faces/jsp/users/delete-user.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Admin Authentication Filter</filter-name>
<url-pattern>/faces/jsp/users/users.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Admin Authentication Filter</filter-name>
<url-pattern>/faces/jsp/dialog/system-info.jsp</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.alfresco.web.app.ContextListener</listener-class>
</listener>
<!– Faces Servlet –>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>uploadFile</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.UploadFileServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>uploadContent</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.UploadContentServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>downloadContent</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.DownloadContentServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>downloadRawContent</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.DownloadRawContentServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>guestDownloadContent</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.GuestDownloadContentServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>guestTemplateContent</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.GuestTemplateContentServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>externalAccess</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.ExternalAccessServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>templateContent</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.TemplateContentServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>commandServlet</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.CommandServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>ajaxServlet</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.ajax.AjaxServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>axis</servlet-name>
<servlet-class>org.apache.axis.transport.http.AxisServlet</servlet-class>
<load-on-startup>5</load-on-startup>
</servlet>
<servlet>
<servlet-name>WebDAV</servlet-name>
<servlet-class>org.alfresco.repo.webdav.WebDAVServlet</servlet-class>
<init-param>
<param-name>store</param-name>
<param-value>workspace://SpacesStore</param-value>
</init-param>
<init-param>
<param-name>rootPath</param-name>
<param-value>/app:company_home</param-value>
</init-param>
<load-on-startup>5</load-on-startup>
</servlet>
<servlet>
<servlet-name>apiServlet</servlet-name>
<servlet-class>org.alfresco.web.scripts.servlet.WebScriptServlet</servlet-class>
<init-param>
<param-name>authenticator</param-name>
<param-value>webscripts.authenticator.basic</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>wcapiServlet</servlet-name>
<servlet-class>org.alfresco.web.scripts.servlet.WebScriptServlet</servlet-class>
<init-param>
<param-name>authenticator</param-name>
<param-value>webscripts.authenticator.webclient</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>portalapiServlet</servlet-name>
<servlet-class>org.alfresco.web.scripts.servlet.WebScriptServlet</servlet-class>
<init-param>
<param-name>authenticator</param-name>
<param-value>webscripts.authenticator.jsr168.webclient</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>facebookServlet</servlet-name>
<servlet-class>org.alfresco.web.scripts.facebook.FacebookServlet</servlet-class>
<init-param>
<param-name>authenticator</param-name>
<param-value>webscripts.authenticator.facebook</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>fbapiServlet</servlet-name>
<servlet-class>org.alfresco.web.scripts.facebook.FacebookAPIServlet</servlet-class>
<init-param>
<param-name>authenticator</param-name>
<param-value>webscripts.authenticator.facebook</param-value>
</init-param>
</servlet>
<servlet>
<servlet-name>proxyServlet</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.HTTPProxyServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>workflowDefinitionImageServlet</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.WorkflowDefinitionImageServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.JBPMDeployProcessServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>pageRendererServlet</servlet-name>
<servlet-class>org.alfresco.web.app.servlet.PageRendererServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>uploadFile</servlet-name>
<url-pattern>/uploadFileServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>uploadContent</servlet-name>
<url-pattern>/upload/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>downloadContent</servlet-name>
<url-pattern>/download/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>downloadContent</servlet-name>
<url-pattern>/d/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>downloadRawContent</servlet-name>
<url-pattern>/dr</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>guestDownloadContent</servlet-name>
<url-pattern>/guestDownload/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>guestDownloadContent</servlet-name>
<url-pattern>/gd/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>templateContent</servlet-name>
<url-pattern>/template/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>templateContent</servlet-name>
<url-pattern>/t/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>guestTemplateContent</servlet-name>
<url-pattern>/guestTemplate/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>guestTemplateContent</servlet-name>
<url-pattern>/gt/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>externalAccess</servlet-name>
<url-pattern>/navigate/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>externalAccess</servlet-name>
<url-pattern>/n/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>commandServlet</servlet-name>
<url-pattern>/command/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>commandServlet</servlet-name>
<url-pattern>/c/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ajaxServlet</servlet-name>
<url-pattern>/ajax/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>axis</servlet-name>
<url-pattern>/api/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>WebDAV</servlet-name>
<url-pattern>/webdav/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>apiServlet</servlet-name>
<url-pattern>/service/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>apiServlet</servlet-name>
<url-pattern>/s/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>wcapiServlet</servlet-name>
<url-pattern>/wcservice/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>wcapiServlet</servlet-name>
<url-pattern>/wcs/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>portalapiServlet</servlet-name>
<url-pattern>/168service/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>portalapiServlet</servlet-name>
<url-pattern>/168s/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>facebookServlet</servlet-name>
<url-pattern>/facebook/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>facebookServlet</servlet-name>
<url-pattern>/fb/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>fbapiServlet</servlet-name>
<url-pattern>/fbservice/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>fbapiServlet</servlet-name>
<url-pattern>/fbs/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>proxyServlet</servlet-name>
<url-pattern>/proxy</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<url-pattern>/jbpm/deployprocess</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>workflowDefinitionImageServlet</servlet-name>
<url-pattern>/workflowdefinitionimage/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>pageRendererServlet</servlet-name>
<url-pattern>/page/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>60</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/jsp/error.jsp</location>
</error-page>
</web-app>
file-servers.xml
<alfresco-config area="file-servers">
<config evaluator="string-compare" condition="CIFS Server">
<serverEnable enabled="true"/>
<host name="${localname}A" domain="TEST"/>
<comment>Alfresco CIFS Server</comment>
<!– Set to the broadcast mask for the subnet –>
<broadcast>192.168.123.255</broadcast>
<!– Use Java socket based NetBIOS over TCP/IP and native SMB on linux –>
<tcpipSMB platforms="linux,solaris,macosx"/>
<netBIOSSMB platforms="linux,solaris,macosx"/>
<!– Can be mapped to non-privileged ports, then use firewall rules to forward
requests from the standard ports –>
<tcpipSMB port="1445" platforms="linux,solaris,macosx"/>
<netBIOSSMB sessionPort="1139" namePort="1137" datagramPort="1138" platforms="linux,solaris,macosx"/>
<hostAnnounce interval="5"/>
<!– Use Win32 NetBIOS interface on Windows –>
<Win32NetBIOS/>
<Win32Announce interval="5"/>
<!–
<WINS>
<primary>1.2.3.4</primary>
<secondary>5.6.7.8</secondary>
</WINS>
–>
<sessionDebug flags="Negotiate,Socket"/>
</config>
<config evaluator="string-compare" condition="FTP Server">
<serverEnable enabled="true"/>
<port>2121</port>
<!– <debug flags="File,Search,Error,Directory,Info,DataPort"/> –>
</config>
<config evaluator="string-compare" condition="NFS Server">
<serverEnable enabled="false"/>
</config>
<config evaluator="string-compare" condition="Filesystems">
<filesystems>
<!– Alfresco repository access shared filesystem –>
<filesystem name="Alfresco">
<store>workspace://SpacesStore</store>
<rootPath>/app:company_home</rootPath>
<!– Add a URL file to each folder that links back to the web client –>
<urlFile>
<filename>__AlfrescoClient.url</filename>
<webpath>http://${localname}:8080/alfresco/</webpath>
</urlFile>
<!– Mark locked files as offline –>
<offlineFiles/>
<!– Desktop actions –>
<!– Uses a client-side application to trigger a server-side action –>
<!– Echo - displays a message echoed from the server –>
<!– URL - launches a URL via the Windows shell –>
<!– CmdLine - launches the Notepad application –>
<!– CheckInOut - checks files in/out, drag and drop files onto the application –>
<!– JavaScript - run a server-side script –>
<!– JavaScriptURL - server-side script that generates a URL to the folder using a ticket –>
<!– to avoid having to logon –>
<!–
<desktopActions>
<global>
<path>alfresco/desktop/Alfresco.exe</path>
<webpath>http://${localname}:8080/alfresco/</webpath>
</global>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.EchoDesktopAction</class>
<name>Echo</name>
<filename>__AlfrescoEcho.exe</filename>
</action>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.URLDesktopAction</class>
<name>URL</name>
<filename>__AlfrescoURL.exe</filename>
</action>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.CmdLineDesktopAction</class>
<name>CmdLine</name>
<filename>__AlfrescoCmd.exe</filename>
</action>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.CheckInOutDesktopAction</class>
<name>CheckInOut</name>
<filename>__AlfrescoCheckInOut.exe</filename>
</action>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
<name>JavaScript</name>
<filename>__AlfrescoScript.exe</filename>
<script>alfresco/desktop/dumpRequest.js</script>
<attributes>anyFiles, multiplePaths , allowNoParams</attributes>
<preprocess>confirm, copyToTarget</preprocess>
</action>
<action>
<class>org.alfresco.filesys.smb.server.repo.desk.JavaScriptDesktopAction</class>
<name>JavaScriptURL</name>
<filename>__AlfrescoDetails.exe</filename>
<script>alfresco/desktop/showDetails.js</script>
<attributes>anyFiles</attributes>
<preprocess>copyToTarget</preprocess>
</action>
</desktopActions>
–>
<!–
<accessControl default="Write">
<user name="admin" access="Write"/>
<address subnet="90.1.0.0" mask="255.255.0.0" access="Write"/>
</accessControl>
–>
</filesystem>
<!– AVM virtualization view of all stores/versions for WCM –>
<avmfilesystem name="AVM">
<virtualView/>
</avmfilesystem>
</filesystems>
</config>
<config evaluator="string-compare" condition="Filesystem Security">
<authenticator type="alfresco">
</authenticator>
<!–
<globalAccessControl default="None">
<user name="admin" access="Write"/>
<address ip="90.1.0.90" access="Write"/>
</globalAccessControl>
<users>
<localuser name="user">
<password>user</password>
<comment>Normal user account</comment>
</localuser>
<localuser name="administrator">
<password>admin</password>
<administrator/>
<comment>Administrator account</comment>
</localuser>
</users>
–>
</config>
</alfresco-config>
You will find below a few links on which I have based to configure Alfresco and LDAP sync.
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#Active_Directory_...
http://forums.alfresco.com/en/viewtopic.php?f=9&t=2675
http://forums.alfresco.com/en/viewtopic.php?p=37456
http://forums.alfresco.com/fr/viewtopic.php?t=1339
http://forums.alfresco.com/fr/viewtopic.php?f=6&t=1010
http://forums.alfresco.com/fr/viewtopic.php?f=8&t=406&st=0&sk=t&sd=a
Thanks in advance,
Leodd
Labels:
- Labels:
-
Archive
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-18-2008 09:58 AM
Did you make sure you can bind with the specified user "CN=Al Fresco,OU=OUALFRESCO,DC=TEST,dc=local" from another app. eg like JXplorer? Also make sure the account is not locked. In our environment it sometimes happens that the sync account gets locked.
Related Content
- How can I upgrade pdf.js from 1.5.188 to 3.x or 4.x in Alfresco Forum
- System Administrator error in Alfresco Forum
- Alfresco Dockerfiles Bakery: Streamlining Container Builds for Alfresco Products in Alfresco Blog
- Streaming result set com.mysql.cj.protocol.a.result.ResultsetRowsStreaming@4d221f7a is still active in Alfresco Forum
- ldapS configuration for samba-ad in Alfresco Forum
Getting started
Tags
Find what you came for
We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.
