Yet another LDAP configuration question

yosemitesam
Champ in-the-making
Hi,

I'm new to Alfresco, new to LDAP, and new to the forum.  I have inherited a broken Alfresco 3.4.d installation from a co-worker, and am trying to get it online.  We are running on a hosted system using x86_64 GNU/Linux.  OpenLDAP, Crowd, and JIRA are all configured and working, but I have been unable to get Alfresco to authenticate using LDAP.  It fails during the ChainingUserRegistrySynchronizer phase of startup.  It appears to be a simple configuration issue, but I've been searching for two days and cannot find anything that hints at an answer for my situation.  In fact, everything I've read seems to indicate this should work.

In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/repository.properties I have set:

# The default authentication chain
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap

In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties I have:

ldap.authentication.userNameFormat=cn=%s,dc=hostname,dc=domainname,dc=com
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
ldap.authentication.java.naming.provider.url=ldap://localhost:389
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.escapeCommasInUid=false
ldap.authentication.defaultAdministratorUserNames=admin1,admin2,admin3,admin4
ldap.synchronization.active=true
# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=hostname,dc\=domainname,dc\=com

# The password for the default principal (only used for LDAP sync)
ldap.synchronization.java.naming.security.credentials=<obscured SSHA password>

Note that the obscured password does indeed match the SSHA password defined in my slapd.conf file.

The failure seen in my alfresco.log is:

05:02:16,860 ERROR [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Synchronization aborted due to error
org.alfresco.repo.security.authentication.AuthenticationException: 04130000 LDAP authentication failed.
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:114)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:89)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.getDefaultIntialDirContext(LDAPInitialDirContextFactoryImpl.java:82)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry$3.<init>(LDAPUserRegistry.java:670)
        at org.alfresco.repo.security.sync.ldap.LDAPUserRegistry.getGroups(LDAPUserRegistry.java:667)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.syncWithPlugin(ChainingUserRegistrySynchronizer.java:618)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.synchronize(ChainingUserRegistrySynchronizer.java:434)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer$6.doWork(ChainingUserRegistrySynchronizer.java:1529)
        at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:508)
        at org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer.onBootstrap(ChainingUserRegistrySynchronizer.java:1523)
        at org.springframework.extensions.surf.util.AbstractLifecycleBean.onApplicationEvent(AbstractLifecycleBean.java:56)
        at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:97)
        at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:294)

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
        at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
        at javax.naming.InitialContext.init(InitialContext.java:223)
        at javax.naming.InitialContext.<init>(InitialContext.java:197)
        at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
        at org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl.buildInitialDirContext(LDAPInitialDirContextFactoryImpl.java:109)
        … 50 more
05:02:16,880 WARN  [org.alfresco.repo.security.sync.ChainingUserRegistrySynchronizer] Failed initial synchronize with user registries
org.alfresco.repo.security.authentication.AuthenticationException: 04130000 LDAP authentication failed.

To my untrained eye it doesn't look like anything is amiss, yet it won't authenticate, and therefore won't let anyone into Alfresco.  The one thing I question is the "ldap.synchronization.java.naming.security.principal" line:  Do those equal signs need to be escaped in that manner?

Can someone give me a hint as to what to look for next?

Thanks in advance,

– Sam

yosemitesam
Champ in-the-making
Wow, 41 views in two days and no responses.  Is my question too vague?  Too little info?

Since the original post I've learned a bit about LDAP and slapd, installed Softerra on my Windows machine, and have proved that the LDAP store is accessible.  I have DNs that work from Softerra as well as the ldap and slapd -T utility sets.

I have eliminated the initial LDAP bind error from Alfresco startup by removing the "ldap1:" entry from the authentication chain;  I noted it was blowing up on that entry, so my chain is now defined as "authentication.chain=ldap", and no error occurs at bind.

However, when users attempt to log in to Alfresco, it throws an invalid login exception, even when the user specifies the correct password:

21:50:28,268 ERROR [org.springframework.extensions.webscripts.AbstractRuntime] Exception from executeScript - redirecting to status template error: 04150001 Login failed
org.springframework.extensions.webscripts.WebScriptException: 04150001 Login failed
        at org.alfresco.repo.web.scripts.bean.AbstractLoginBean.login(AbstractLoginBean.java:75)

I tried several user names with several "known good" passwords, and they all failed.

I've tried different values in ldap.authentication.userNameFormat.  The initial value, which was set when I took over, used:

ldap.authentication.userNameFormat=cn=%s,dc=machine,dc=company,dc=com

I found that regular users need to include "ou=Users," to get authenticated by "ldapsearch", for instance, so I modified the string to:

ldap.authentication.userNameFormat=cn=%s,ou=Users,dc=machine,dc=company,dc=com

I also tried removing the escapes from the Principal definition:

from
ldap.synchronization.java.naming.security.principal=cn\=Manager,dc\=machine,dc\=company,dc\=com

to
ldap.synchronization.java.naming.security.principal=cn=Manager,dc=machine,dc=company,dc=com

To clarify:  The Manager CN can log in with the indicated DN, while users must specify the "ou=Users" piece.

I found that my slapd server is very picky about DNs.  If I don't specify the entire DN for the user, as indicated above - in that exact order, even - it fails to authenticate.  I don't know if this is normal or not, but it seems it should allow partial qualification, e.g., -Dcn=user,dc=company,dc=com.  Not in my case, anyway.

In any event, I still cannot log into Alfresco, and I'm fresh out of ideas as to what to look for next.  Any suggestions?

– Sam
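Two of the things raised in this thread, whether `\=` in the principal needs escaping and what Alfresco actually sends when it binds with the userNameFormat and credentials above, can be checked offline by reading the file with the same escape rules java.util.Properties applies. The following is an added example, not code from the thread or from Alfresco; the sample properties text is constructed from the values quoted in the posts, with a placeholder hash and the hostnames as given.

```python
import re
# Constructed sample modelled on the thread's ldap-authentication.properties; hash and hosts are placeholders.
SAMPLE = """\
# The default principal to use (only used for LDAP sync)
ldap.synchronization.java.naming.security.principal=cn\\=Manager,dc\\=hostname,dc\\=domainname,dc\\=com
ldap.synchronization.java.naming.security.credentials={SSHA}PLACEHOLDER_HASH_VALUE=
ldap.authentication.userNameFormat=cn=%s,ou=Users,dc=hostname,dc=domainname,dc=com
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.provider.url=ldap://localhost:389
"""

def _unescape(s):
    # java.util.Properties rules: a backslash before '=', ':', '\' or any other char yields that char; \n \t \r \f map to controls.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            n = s[i + 1]
            out.append({"n": "\n", "t": "\t", "r": "\r", "f": "\f"}.get(n, n))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def load_properties(text):
    # Minimal .properties reader (no line continuations): the key ends at the first unescaped '=', ':' or blank.
    props = {}
    for line in text.splitlines():
        line = line.lstrip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"((?:\\.|[^\\=:\s])*)\s*[=:]?\s*(.*)$", line)
        props[_unescape(m.group(1))] = _unescape(m.group(2))
    return props

def build_user_dn(props, login):
    # Alfresco substitutes the login name for %s; every other RDN (e.g. ou=Users) must already be in the format.
    return props["ldap.authentication.userNameFormat"] % login

def check_bind_settings(props):
    # Findings a reviewer would raise before blaming the directory server.
    findings = []
    creds = props.get("ldap.synchronization.java.naming.security.credentials", "")
    if re.match(r"\{(SSHA|SHA|SMD5|MD5|CRYPT)\}", creds, re.I):
        # A simple bind sends the cleartext password; slapd hashes it and compares with its stored {SSHA} value.
        findings.append("credentials holds a password hash, not the cleartext bind password")
    url = props.get("ldap.authentication.java.naming.provider.url", "")
    if props.get("ldap.authentication.java.naming.security.authentication") == "simple" and url.startswith("ldap://"):
        findings.append("simple bind over plain ldap:// sends the password in clear; use ldaps:// or StartTLS unless local")
    return findings
```

Running `load_properties` over both the escaped and unescaped principal forms gives the identical DN, so the backslashes are harmless either way; the credentials check is the one worth looking at when a bind fails with error code 49.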

mrogers
Star Contributor
You shouldn't be hacking files below WEB-INF.

yosemitesam
Champ in-the-making
You shouldn't be hacking files below WEB-INF.
Thanks, but that's not real helpful.

As stated in the original, I'm new at this, and am trying to work with a configuration I inherited from someone. 

I tried moving the definitions to the alfresco-global.properties file and it had no effect, so I moved them back to where I found them.

– Sam

sydwellz
Champ in-the-making
Hi
I am new as well, but should not these settings be in /opt/alfresco/tomcat/shared/classes/alfresco.global.properties?

Hi,

In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/repository.properties I have set:

# The default authentication chain
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap1:ldap
In /opt/alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/ldap/ldap-authentication.properties

– Sam