Active Directory authentication

francois12
Champ in-the-making
Hello,

We're using Alfresco Labs 3 (final version) and a shared Tomcat (v6) on Debian Etch.
And we're trying to authenticate with an Active Directory account.

Take a user called "Joe Black": his login is jblack and his distinguishedName is CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
He's connecting to Alfresco with his login jblack.

When using Active Directory, the authentication mechanism should be:

[Alfresco] --> [AD] : search for jblack by sAMAccountName, bound as CN=reader,OU=service,OU=admin,DC=company,DC=com
[Alfresco] <-- [AD] : response from AD: CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
[Alfresco] --> [AD] : login with CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com and the typed jblack password
[Alfresco] <-- [AD] : access granted to Alfresco

Unfortunately, this mechanism doesn't work with our configuration. See our configuration below:

- ldap-authentication-context.xml:

ldap.authentication.userNameFormat=sAMAccountName=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ldap.company.com:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=company,dc=com

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=***********
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

- ldap-authentication-context.xml : untouched

- Do we need to edit the ldap-synchronisation.properties file?

Thank you for any help.

rliu
Champ in-the-making
I just recently got AD authentication working on my instance of Alfresco Labs 3.

ldap.authentication.userNameFormat=sAMAccountName=%s

    # The default principal to use (only used for LDAP sync)
    ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=company,dc=com

    # The password for the default principal (only used for LDAP sync)
    ldap.authentication.java.naming.security.credentials=***********

In the ldap-authentication.properties, I believe you should have the following:

ldap.authentication.userNameFormat=cn=%s,ou=people,ou=admin,dc=company,dc=com
ldap.authentication.java.naming.security.principal=userID that can be used to connect to AD
ldap.authentication.java.naming.security.credentials=password for principal userID to connect with

Hope that helps. It was how I configured it.

francois12
Champ in-the-making
ldap.authentication.userNameFormat=cn=%s,ou=people,ou=admin,dc=company,dc=com
And what if users are in many OUs?

Examples:
cn=%s,ou=people,ou=admin,dc=company,dc=com
cn=%s,ou=people1,ou=admin,dc=company,dc=com
cn=%s,ou=people2,ou=admin,dc=company,dc=com
cn=%s,ou=people3,ou=admin,dc=company,dc=com

Thanks for your reply ;)

rliu
Champ in-the-making
My suggestion (and purely a guess as I have not encountered such a situation) is to try appending the other OUs to your line like this:

cn=%s,ou=people,ou=people1,ou=people2,ou=people3,ou=admin,dc=company,dc=com

Worth a shot.

francois12
Champ in-the-making
Huh.. unfortunately that's not working either.

but thanks for your reply!

ofrxnz
Champ in-the-making
Try this. It works for me. I am running Win 2K3 R2 for Active Directory and Alfresco Labs 3.0.

Let me know if you want a working sync file.

Watch capitalization on your DNs; they have bitten me before.

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://server:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=COMPANY,dc=com

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=Password for above user

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

francois12
Champ in-the-making
(quoting ofrxnz's reply above: "try this. it works for me." together with the ldap-authentication.properties posted there, where ldap.authentication.userNameFormat=%s)

I don't understand how Alfresco searches for and binds the user without setting its full DN in "ldap.authentication.userNameFormat".
Do you set this DN in the sync file? Yes, I would like to check your file to understand.

Thanks for your help!

ofrxnz
Champ in-the-making
I don't understand how Alfresco searches for and binds the user without setting its full DN in "ldap.authentication.userNameFormat".
Do you set this DN in the sync file? Yes, I would like to check your file to understand.

First, the sync file is not needed for authentication. It is only needed to populate phone numbers, locations, etc. from Active Directory without manual entry…. I'll still post it when I get to work in a couple of hours.

Also, did that config work for you?

On to the explanation (or how I think it works).

Active Directory is already a fully functional LDAP server. It is just not exactly standards compliant.

Once the user you define in "ldap.authentication.java.naming.security.principal" in ldap-authentication-context.xml binds to AD, you can search for %s in every portion of Active Directory, as you would search Google for dirt on your boss.

So if we have a user with the first name "Jane", the last name "Doe" and the username "Jane.Doe", and she is located in the Company > Domain Users folder, in that folder she shows up as "Jane Doe". When you click on "Jane Doe" you can see some of her attributes (there are also many hidden attributes you can only see with an LDAP browser such as Apache Directory Studio).

Then we successfully bind with the "ldap.authentication.java.naming.security.principal" user, and someone enters "Jane.Doe" as their user name.

Alfresco will tell AD to search through everything in Active Directory for any attribute that = "Jane.Doe".

So it could be sAMAccountName=Jane.Doe or SomeOtherAttribute=Jane.Doe, or, well, anything = Jane.Doe.

Once Active Directory has found some attribute that = "Jane.Doe", it will return the full DN where it found "Jane.Doe".

So in the above case, Alfresco says search for *="Jane.Doe", then AD tells Alfresco: I found "Jane.Doe" in "cn=Jane Doe,ou=Domain Users,dc=COMPANY,dc=com".

Alfresco then uses this returned DN to test the password.
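
The search-then-bind sequence francois12 asks for at the top of the thread, and the search flow ofrxnz describes above, as an added Python example that is not code from the thread or from Alfresco. The directory, the service account, the DNs and the passwords are constructed stand-ins; a real client issues the same search and bind operations over an LDAP connection, so the control flow is what carries over. Three points the example makes explicit. The login string is spliced into a search filter (and, on the direct-bind path, into a DN), so it has to be escaped per RFC 4515 (RFC 4514 for the DN), otherwise a login of `*` matches every account. An empty password must be rejected before binding, because LDAP treats a bind with a name and no password as an anonymous bind that succeeds (RFC 4513 section 5.1.2). And searching from the domain base answers the many-OUs question: the DN comes back from the search, so no template needs to name an OU. For completeness, AD also accepts `user@domain` and `DOMAIN\user` as the name in a simple bind, which is why a userNameFormat of plain `%s` can work against AD without any search, provided users type their login in one of those forms.

```python
"""Search-then-bind versus templated direct bind, with the escaping each
path needs.  The directory is an in-memory stand-in (constructed for this
example); a real client issues the same search and bind operations over an
LDAP connection, so the control flow is what matters here."""

import re


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter; without it
    a login of '*' matches every account and ')(' rewrites the query."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value spliced into a DN template
    (what Alfresco's escapeCommasInBind does for the comma case)."""
    out = []
    for i, c in enumerate(value):
        leading = i == 0 and c in "# "
        trailing = i == len(value) - 1 and c == " "
        out.append("\\" + c if c in ',+"\\<>;' or leading or trailing else c)
    return "".join(out).replace("\0", "\\00")


# Constructed sample directory: DN -> attributes.  "_password" stands in for
# the server-side credential store and is read only by _bind().
DIRECTORY = {
    "CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com":
        {"sAMAccountName": "jblack", "_password": "Correct horse"},
    "CN=Ann Lee,OU=sales,OU=org2,DC=company,DC=com":
        {"sAMAccountName": "alee", "_password": "Battery staple"},
    "CN=reader,OU=service,OU=admin,DC=company,DC=com":
        {"sAMAccountName": "reader", "_password": "svc-secret"},
}
SERVICE_DN = "CN=reader,OU=service,OU=admin,DC=company,DC=com"
SERVICE_PASSWORD = "svc-secret"  # made up for the example
BASE_DN = "DC=company,DC=com"


def _search(base_dn, ldap_filter):
    """Stand-in for a subtree search; supports one assertion (attr=value) where
    '*' is a wildcard and a backslash-hex pair is a literal, as a server would."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, pattern, regex, i = m.group(1), m.group(2), "", 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 2 < len(pattern):
            regex, i = regex + re.escape(chr(int(pattern[i + 1:i + 3], 16))), i + 3
        elif pattern[i] == "*":
            regex, i = regex + ".*", i + 1
        else:
            regex, i = regex + re.escape(pattern[i]), i + 1
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower())  # DNs compare case-insensitively
            and re.fullmatch(regex, attrs.get(attr, ""))]


def _bind(dn, password):
    """Stand-in for a simple bind: True only for a known DN and its password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["_password"] == password


def search_and_bind(login, password):
    """Bind as the service account, find the login by sAMAccountName anywhere
    under the domain (so the OU does not matter), then bind as the returned DN.
    Returns that DN on success, None otherwise."""
    if not password:
        return None  # RFC 4513 5.1.2: name + empty password is an anonymous bind that succeeds
    if not _bind(SERVICE_DN, SERVICE_PASSWORD):
        raise RuntimeError("service account bind failed")
    hits = _search(BASE_DN, "(sAMAccountName=%s)" % escape_filter_value(login))
    if len(hits) != 1:
        return None  # unknown login, or ambiguous: refuse rather than pick one
    return hits[0] if _bind(hits[0], password) else None


def direct_bind(login, password, template="CN=%s,OU=marketing,OU=org1,DC=company,DC=com"):
    """What userNameFormat=CN=%s,... does: no search, the DN is built from the
    template and bound directly.  Works only for users under that one OU, and
    the user must type the RDN value ("Joe Black"), not the sAMAccountName."""
    if not password:
        return None
    dn = template % escape_dn_value(login)
    return dn if _bind(dn, password) else None


if __name__ == "__main__":
    print(search_and_bind("jblack", "Correct horse"))   # found under OU=marketing
    print(search_and_bind("alee", "Battery staple"))    # found under OU=sales, no template change
    print(direct_bind("jblack", "Correct horse"))       # None: CN=jblack,... does not exist
    print(len(_search(BASE_DN, "(sAMAccountName=*)")))  # 3: what an unescaped '*' login would match
```

The `len(hits) != 1` check matters in AD: a search from the domain root can hit the same sAMAccountName only once per domain, but a filter on a less constrained attribute (or a forest-wide search) can return several entries, and binding as "the first one" lets the directory layout decide who the user is.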

francois12
Champ in-the-making
I tried to dump the LDAP network packets and I discovered that there is no "search and bind":
Alfresco just binds. It builds a DN from the given login and tries to connect with the given password.

How can I activate the LDAP search?

Thanks a lot for your help :)
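
To see in a capture what francois12 reports (one BindRequest whose name is the templated string, with no SearchRequest before it), here is an added Python example, not code from the thread or from Alfresco, that encodes and decodes the LDAPv3 PDUs involved (BER per RFC 4511) and summarises a byte stream of back-to-back client messages. The two captures it works on are constructed in `sample_captures()`, with made-up DNs and passwords. One caveat the decoder makes visible: every configuration posted in this thread uses ldap://host:389 with SIMPLE authentication, so the user's password crosses the network in clear (the `cleartext_password` field below); ldaps:// on 636 or StartTLS is what keeps it off the wire.

```python
"""BER encoder/decoder for the LDAPv3 PDUs involved in authentication
(RFC 4511), used to read a captured ldap://:389 client stream and tell a
bare BindRequest (templated direct bind) from a search-then-bind exchange."""

# protocolOp tags: application class, constructed (UnbindRequest is primitive).
OP_NAMES = {0x60: "BindRequest", 0x61: "BindResponse", 0x42: "UnbindRequest",
            0x63: "SearchRequest", 0x64: "SearchResultEntry", 0x65: "SearchResultDone"}


def _length(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _length(len(payload)) + payload


def _integer(v):
    """INTEGER for non-negative v (a leading 0x00 keeps the sign bit clear)."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def encode_simple_bind(message_id, name, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }"""
    bind = _tlv(0x60, _integer(3) + _tlv(0x04, name.encode()) + _tlv(0x80, password.encode()))
    return _tlv(0x30, _integer(message_id) + bind)


def encode_search_request(message_id, base_dn, attr, value):
    """SearchRequest, wholeSubtree scope, equalityMatch filter (attr=value),
    asking only for distinguishedName back."""
    filt = _tlv(0xA3, _tlv(0x04, attr.encode()) + _tlv(0x04, value.encode()))
    search = _tlv(0x63, _tlv(0x04, base_dn.encode())
                  + _tlv(0x0A, b"\x02")        # scope: wholeSubtree
                  + _tlv(0x0A, b"\x00")        # derefAliases: neverDerefAliases
                  + _integer(0) + _integer(0)  # sizeLimit, timeLimit: none
                  + _tlv(0x01, b"\x00")        # typesOnly: FALSE
                  + filt
                  + _tlv(0x30, _tlv(0x04, b"distinguishedName")))
    return _tlv(0x30, _integer(message_id) + search)


def _read_tlv(buf, pos):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_ldap_message(buf):
    """Parse one LDAPMessage into a dict; a simple BindRequest also yields the
    bind name and the password exactly as it travelled on the wire."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    info = {"message_id": int.from_bytes(mid, "big"),
            "op": OP_NAMES.get(op_tag, "unknown(0x%02x)" % op_tag)}
    if op_tag == 0x60:
        _, version, p = _read_tlv(op, 0)
        _, name, p = _read_tlv(op, p)
        auth_tag, cred, _ = _read_tlv(op, p)
        info["version"] = int.from_bytes(version, "big")
        info["name"] = name.decode()
        info["cleartext_password"] = cred.decode() if auth_tag == 0x80 else None
    return info


def summarise_capture(stream):
    """Split back-to-back LDAPMessages (the client side of a TCP stream) and
    decode each; the op sequence shows whether a search preceded the user bind."""
    pos, messages = 0, []
    while pos < len(stream):
        _, _, end = _read_tlv(stream, pos)
        messages.append(decode_ldap_message(stream[pos:end]))
        pos = end
    return messages


def sample_captures():
    """Two constructed client streams: what a templated direct bind sends,
    and what a search-then-bind client sends.  Names and passwords are made up."""
    direct = encode_simple_bind(1, "sAMAccountName=jblack", "hunter2")
    search_then_bind = (
        encode_simple_bind(1, "CN=reader,OU=service,OU=admin,DC=company,DC=com", "svc-secret")
        + encode_search_request(2, "DC=company,DC=com", "sAMAccountName", "jblack")
        + encode_simple_bind(3, "CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com", "hunter2"))
    return direct, search_then_bind


if __name__ == "__main__":
    for label, stream in zip(("direct bind", "search then bind"), sample_captures()):
        print(label, [(m["message_id"], m["op"], m.get("name")) for m in summarise_capture(stream)])
```

Run it and the first capture prints a single BindRequest whose name is the literal `sAMAccountName=jblack`, which is exactly the templated string AD is asked to bind as; the second prints the service bind, the SearchRequest and the user bind with the DN the search returned.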

ofrxnz
Champ in-the-making
Personally, I find LDAP a bit of a pain, so I switched over to NTLM. It's just easier, but it doesn't import any user data (email, phone, etc.) nor does it import AD groups.

http://wiki.alfresco.com/wiki/3.0_Configuring_NTLM

You ONLY need to do the bit AFTER the heading "NTLM Passthru Authentication"; the first part is for Single Sign-On and that just adds unneeded complication at this point. And SSO is broken in Share, so don't touch it.


For LDAP:

If it is successfully binding, it should automatically search with the config I posted earlier.

How did you get your bind user DN?

I used this application:

http://directory.apache.org/studio/

the settings for a connection should be

(Network tab)
hostname = server IP or DNS name
port = 389
encryption method = no encryption

(Authentication tab)
bind dn or user = administrator
bind password = **********

I am using administrator because it's a bit of a pain to figure out what username they want out of the box.

In my case it is the name the user shows up as in the left column of AD. So in a jane.doe case, the username for Apache Directory Studio needs to be "Jane Doe", because that is the "real" uid (have I mentioned AD is not standards compliant?).

Once you successfully connect, navigate around in your tree and find your bind user. Once selected, the full DN will be at the top of the center frame, and all you need to do is copy and paste it. It can be CaSE SenSItiVe, so be careful copying it.

Here is the sync file I said I would post. It's a bit of a pain to use because it can render Share non-functional. Basically it will delete any group that is not in AD if "ldap.synchronisation.import.group.clearAllChildren" is set to true, and if it is set to false it will only add users to groups and never delete them.

My advice is: do not enable sync until you are comfortable your authentication is working well.


#
# This properties file is used to configure LDAP synchronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=user)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=OU=Domain Users,DC=COMPANY,DC=com

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=company

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=userHomesHomeFolderProvider

#personalHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=groupOfNames)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=dc=company,dc=com

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=groupOfNames

# The person type in LDAP
ldap.synchronisation.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=14 45 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=false