Active Directory authentication

francois12
Champ in-the-making
Hello,

We're using Alfresco Labs 3 final version and a shared Tomcat (v6) on Debian Etch.
And we're trying to authenticate with an Active Directory account.

Let's take a user called "Joe Black": his login is jblack and his distinguishedName is CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
He connects to Alfresco with his login jblack.

When using Active Directory, the authentication mechanism should be:

[Alfresco] --------> [AD] : Search for jblack with sAMAccountName as CN=reader,OU=service,OU=admin,DC=company,DC=com
[Alfresco] <-------- [AD] : Response from AD: CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
[Alfresco] --------> [AD] : Login with CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com and the typed jblack password
[Alfresco] <-------- [AD] : Access granted to Alfresco

Unfortunately, this mechanism doesn't work with our configuration. See our configuration below:

- ldap-authentication-context.xml:

# This maps between what the user types in and what is passed through to the LDAP bind
ldap.authentication.userNameFormat=sAMAccountName=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ldap.company.com:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=company,dc=com

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=***********

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

- ldap-authentication-context.xml: untouched

- Do we need to edit the ldap-synchronisation.properties file?

Thank you for any help.
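A worked version of the exchange drawn in the post, added here as an example and not taken from the thread or from Alfresco's source. Two facts are worth separating first. Alfresco Labs 3, as configured above, only formats the typed name through userNameFormat and binds with the result, and "sAMAccountName=jblack" is not a DN, so that simple bind is rejected; Active Directory does, however, accept a userPrincipalName (jblack@company.com, i.e. userNameFormat=%s@company.com) or COMPANY\jblack as the name in a simple bind, which is the usual way to make a bind-only client work against AD. The search-then-bind flow in the diagram needs code of its own; this is what it looks like in plain JNDI, with the same provider class the properties file names. The class name, the AD_READER_PASSWORD variable and the search base are my assumptions; the host and reader DN are the post's placeholders.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

/**
 * Search-and-bind against Active Directory with plain JNDI, using the same
 * provider (com.sun.jndi.ldap.LdapCtxFactory) named in the posted properties.
 * Added example for this thread, not Alfresco's code.
 */
public class AdSearchAndBind {

    private final String url;             // ldap://host:389, or ldaps://host:636 in production
    private final String readerDn;        // service account that only needs read access
    private final String readerPassword;
    private final String searchBase;      // only accounts under this base can log in

    public AdSearchAndBind(String url, String readerDn, String readerPassword, String searchBase) {
        this.url = url;
        this.readerDn = readerDn;
        this.readerPassword = readerPassword;
        this.searchBase = searchBase;
    }

    private Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    /** Steps 1 and 2 of the exchange: bind as the reader and map the login to a DN. */
    public String resolveDn(String login) throws NamingException {
        DirContext ctx = new InitialDirContext(env(readerDn, readerPassword));
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]);          // the DN is all we need
            // The {0} placeholder makes JNDI escape filter metacharacters in the
            // login (RFC 4515), so "*" or "x)(objectClass=*" cannot widen the search.
            NamingEnumeration<SearchResult> results = ctx.search(searchBase,
                    "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { login }, sc);
            try {
                String dn = null;
                while (hasMore(results)) {
                    if (dn != null) { throw new NamingException("sAMAccountName not unique under " + searchBase); }
                    dn = results.next().getNameInNamespace();
                }
                return dn;                                     // null: not found under searchBase
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    // A subtree search from the domain root makes AD return referrals for its other naming
    // contexts; JNDI raises PartialResultException after the real entries, so treat it as the end.
    private static boolean hasMore(NamingEnumeration<SearchResult> r) throws NamingException {
        try {
            return r.hasMore();
        } catch (PartialResultException e) {
            return false;
        }
    }

    /** Step 3: prove the password by binding as the resolved DN. */
    public boolean bindAs(String userDn, char[] password) throws NamingException {
        // RFC 4513 s5.1.2: a simple bind with a name and an EMPTY password is an unauthenticated
        // bind, which AD accepts by default; refuse it or a blank password "logs in" any known user.
        if (userDn == null || password == null || password.length == 0) {
            return false;
        }
        try {
            new InitialDirContext(env(userDn, new String(password))).close();
            return true;
        } catch (AuthenticationException e) {                  // LDAP result 49: bad password, locked out, ...
            return false;
        }
    }

    /** The whole exchange from the post, with the search-base check built in. */
    public boolean authenticate(String login, char[] password) throws NamingException {
        return bindAs(resolveDn(login), password);
    }

    public static void main(String[] args) throws NamingException {
        AdSearchAndBind ad = new AdSearchAndBind("ldap://ldap.company.com:389",
                "CN=reader,OU=service,OU=admin,DC=company,DC=com",
                System.getenv("AD_READER_PASSWORD"),           // assumed env var, not an Alfresco setting
                "OU=org1,DC=company,DC=com");                  // accounts outside this OU cannot log in
        char[] password = System.console().readPassword("Password for jblack: ");
        System.out.println(ad.authenticate("jblack", password) ? "access granted" : "access denied");
    }
}
```

Three things the diagram leaves out are handled on purpose: the login goes into the filter through a {0} argument so JNDI escapes it, an empty password is refused before the bind because AD answers an empty-password simple bind with success, and the search base doubles as an authorization boundary, since an account that does not sit under it never resolves to a DN and is denied before any bind is attempted. Over ldap:// both binds send the password in clear text, so point the URL at ldaps:// anywhere but a lab.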

francois12
Champ in-the-making
Hi ofrxnz,
I appreciate your help, thank you!

The thing is, I came to the conclusion that Alfresco is at the moment not able to search and bind across many LDAP nodes. Sorry to contradict what you said.
Alfresco is only able to build a DN from the username we give it and tries to connect with the password.
If you or someone else knows how to patch Alfresco to add the search&bind feature, let me know!

Moreover, I'd like to know if NTLM authentication needs LDAP to work or if it is another authentication method apart from LDAP (AD).
I'd also like to know if the clients need to be on Windows, in the domain. We have users who are using Linux machines not bound to the domain.

Thanks again for your help.

ofrxnz
Champ in-the-making
Sorry it's not working for you.

Alfresco will only search/recurse under the folder defined by this line:

ldap.synchronisation.personSearchBase=OU=Domain Users,DC=COMPANY,DC=com

you may want to set it to

ldap.synchronisation.personSearchBase=DC=COMPANY,DC=com

That way it should start at the bottom of your directory. Mind you, COMPANY and com should reflect your AD domain.

LDAP against AD is kind of weird at times, but it's always worked out of the box for me. It may be an AD issue. I know in 2008 they closed down a bunch of stuff. I also hate the Windows firewall. There is also a port in the 3000s I have had to use with AD/LDAP at times for other applications (Apache). I don't remember the port number off the top of my head. I believe it was "forest view" or something like that.

I abandoned AD/LDAP because it kept locking out the bind user. We force a 3-strike rule.

For NTLM you do not need LDAP.

NTLM is a completely independent protocol.

If I remember correctly, NTLM was the main Windows authentication protocol between NT4 and ME/2000.

With NTLM, the web interfaces (Alfresco Explorer, WebDAV, Share) will prompt for a password.

If you opt for NTLM with Single Sign On (SSO), it will probably only SSO with Windows clients joined to the domain. For all others it will prompt for credentials.

We have had no issues with non-domain Windows boxes or non-domain OS X (personal) machines.

We have had issues with Vista and SSO (not NTLM), but if you use the web logon, not the SSO, it is fine. The other issue we have had is a user whose Windows box was joined to another domain and who had the same username on our network. In this case, it saw they were a valid username and didn't check the domain. This case was really strange, though, and never repeated itself.

You would need to experiment with the file servers, but I expect them to have similar behaviour.

The only requirement is that the user is a valid AD user.

I have had no issues with a Win 2k3 R2 AD server. 2008, on the other hand, seemed to pose more headaches when I beta tested it.

jriker1
Champ in-the-making
So how do you know if Alfresco is using LDAP for authentication? I have set my ldap-authentication.properties file as per this thread; however, after restarting Alfresco I can still log in with the "admin" account but not my domain account. It was my understanding that if LDAP authentication was enabled the internal system accounts wouldn't work anymore. Is there a way to know what's going on?

For that matter, how do you physically add a domain user to the system when it asks for username and password?

Thanks.

JR

ofrxnz
Champ in-the-making
Try another account in LDAP.

If the authentication comes back valid, Alfresco will create a local user profile.

LDAP typically just takes over (unless chaining is set up).

Every LDAP config is surprisingly custom to the environment. Everyone does something slightly different with their LDAP/AD server.

If it's not working, make sure you renamed the config file. At the very least it usually locks everyone out.

In Alfresco 3 the users "admin" and "administrator" are admins by default no matter what the repo source is.

On the other hand, I'm probably not as up on LDAP in the most recent iteration of Labs 3. I switched to NTLM-based auth in version 3b; they are at 3d now.

jriker1
Champ in-the-making
Thanks for the reply, ofrxnz. May just be me, but something doesn't sound right. The properties page was active by default (i.e. not .sample at the end) and had dummy config data in it. I wouldn't think it would be reading that in and dying every time it tried to connect. I would think there is some bean or something that has to be changed to enable this. At a minimum, perhaps a log or something of what is happening. It's hard for me to understand how the system knows the difference between internal username/password users and domain users when logging in.

JR

ofrxnz
Champ in-the-making
ldap-authentication-context.xml.sample is the file that needs to be renamed (remove the .sample). Don't edit this file; it reads its values over from the .properties file.

I think this is where all the bean stuff is.

You can probably tweak the log4j configuration file and enable more levels of logging. I don't know what is there for LDAP; I have only touched the log config file once (somewhere in the deployed war file, I think that's the correct name).

For the last one, I'm no expert on this, but from my understanding, the short answer is there really isn't a difference between internal users and external users, only where to look for a password.

There are two halves to a person in Alfresco. One half is for the internal authentication mechanism and, if I remember, is more system oriented; the other is more of a repo-by-repo "profile", if you will. When using external authentication, the "profile" stays and the internal mechanism is superseded.

When a user logs into Alfresco for the first time using an LDAP directory, Alfresco receives the "valid account" information from the repo. It then tries to associate the account with a "profile". If it can't find one, it creates a blank profile with only a username.

I am guessing there is an order of precedence in the authentication engine: if bean A outranks bean B, the latter is effectively disabled.

It is more complicated than this, but that's the high level of how I understand it.

You can set up chaining so that if, say, NTLM fails, it will try LDAP; if LDAP fails it will try Alfresco.

Adam

jriker1
Champ in-the-making
Thanks for the reply. The ldap-authentication-context.xml is already set without the .sample. Same with the ldap-authentication.properties. I know I have this properties page set up right. Not sure if I need to do something elsewhere, but I guess I'll keep looking. I just get an exception that authentication failed with an existing user I added before, who exists on the domain with the same network id.

JR

rchamy
Champ in-the-making
Hi, I have LDAP (AD), NTLM and sync working properly, but I have a handicap. In my synchronization I import the users and groups of a specific OU. When I try to log on with a user who is a member of this specific OU I can log on successfully, but when I try to log on with a user not in that OU I can also log on!! I don't want to allow logon for the users outside this OU, only for the users imported or for the users in the OU specified in the sample file.
Do you know what the problem is?
Thanks.

dward
Champ on-the-rise
Try setting the autoCreatePeopleOnLogin property on the authenticationComponentBase bean to false. In theory that won't allow in anyone that hasn't been created by the LDAP sync.

We'll look into making this easier to configure in the v3.2 release.

rchamy
Champ in-the-making
Thanks for the quick reply. I'm looking for that bean in the ldap-authentication-context.xml and it looks like:

    <bean id="authenticationComponent"
          class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
          parent="authenticationComponentBase">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!--
           
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" they authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication. Simple authentication always uses the DN for the user.
           
            -->
            <value>${ldap.authentication.userNameFormat}</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>  
        <property name="escapeCommasInBind">
            <value>${ldap.authentication.escapeCommasInBind}</value>
        </property>
        <property name="escapeCommasInUid">
            <value>${ldap.authentication.escapeCommasInUid}</value>
        </property>
    </bean>

Can you specify the correct code for me? Thank you very much.
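The override dward describes, written out as an added example rather than anything from the thread or from the shipped Alfresco files: the bean rchamy pasted already declares parent="authenticationComponentBase", so the property can be set on that bean instead of editing the parent. The property name autoCreatePeopleOnLogin is taken from dward's reply; I am assuming, as he does, that the base component in this Labs 3 build exposes it. Note what it does and does not do: it only stops Alfresco from creating a person node on first login. The AD bind itself still succeeds for every valid domain account, so any person that already exists (created by hand, or by an earlier sync run before the OU was narrowed) keeps logging in, and personSearchBase in the sync settings has to stay restricted to the OU.

```xml
<bean id="authenticationComponent"
      class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
      parent="authenticationComponentBase">
    <property name="LDAPInitialDirContextFactory">
        <ref bean="ldapInitialDirContextFactory"/>
    </property>
    <property name="userNameFormat">
        <value>${ldap.authentication.userNameFormat}</value>
    </property>
    <property name="nodeService">
        <ref bean="nodeService" />
    </property>
    <property name="personService">
        <ref bean="personService" />
    </property>
    <property name="transactionService">
        <ref bean="transactionService" />
    </property>
    <property name="escapeCommasInBind">
        <value>${ldap.authentication.escapeCommasInBind}</value>
    </property>
    <property name="escapeCommasInUid">
        <value>${ldap.authentication.escapeCommasInUid}</value>
    </property>
    <!-- Added: do not create a person node for an AD account the LDAP sync has not
         imported. With the default (true) any successful AD bind creates a person on
         first login, which is why accounts outside the synced OU get in. -->
    <property name="autoCreatePeopleOnLogin">
        <value>false</value>
    </property>
</bean>
```

After the change, restart Alfresco and test with one account inside the synced OU (should still log in) and one outside it that has never logged in before (should now be refused); an outside account that already has a person node is the case this setting alone will not cover.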