cancel
Showing results for 
Search instead for 
Did you mean: 

Active Directory authentification

francois12
Champ in-the-making
Champ in-the-making
Hello,

We're using Alfresco Labs 3 final version and a shared tomcat (v.6) on Debian Etch.
And we're trying to authentificate with an Active Directory account.

Let the user called "Joe Black", his login is jblack and distinguishedName is CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
He's connecting to Alfresco with his login jblack.

When using an active directory, the authentification mechanism should be :

[Alfresco] ———————–> [AD] : Search for jblack with sAMAccountName : CN=reader,OU=service,OU=admin,DC=company,DC=com
[Alfresco] <———————– [AD] : Response from AD : CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com
[Alfresco] ———————–> [AD] : Login with CN=Joe Black,OU=marketing,OU=org1,DC=company,DC=com and typed jblack password
[Alfresco] <———————– [AD] : Access granted to Alfresco

Unfortunately, this mechanism doesn't work with our configuration. See our configuration below :

- ldap-authentication-context.xml :

ldap.authentication.userNameFormat=sAMAccountName=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://ldap.company.com:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=reader,ou=service,ou=admin,dc=company,dc=com

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=***********
# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

- ldap-authentication-context.xml : untouched

- Do we need to edit the ldap-synchronisation.properties file ?

Thank you for any help.
24 REPLIES 24

dward
Champ on-the-rise
Champ on-the-rise
Put this in your custom-repository-context.xml (so that it has an effect on all authentication components you might define in a chain)


    <!– Parent bean for beans derived from AbstractAuthenticationComponent –>
    <bean id="authenticationComponentBase" abstract="true">
       <property name="tenantService">
            <ref bean="tenantService"/>
        </property>
       <property name="autoCreatePeopleOnLogin">
            <value>false</value>
        </property>
    </bean>

Readers should note that the above definition is only valid for 3.0 - refer to the master copy in authentication-services-context.xml for other versions. We plan to remove the need to override this bean altogether.

rchamy
Champ in-the-making
Champ in-the-making
Thanks again. I open the custom-repository-context.xml from /alfresco/extension and I put the code you sent me. I receive an error telling me that the property autoCreatePeopleOnLogin was not found. I have Alfresco Labs 3.0.0 (1526) Stable. My custom-repository-context.xml is:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<!–
       This shows the common minimum configuration overrides.
       By default, the content and indexes are located at a relative location, which should only
       be used when doing a quick preview of the Alfresco server.
–>
<beans>
  
    <!– overriding to point to custom properties –>
    <bean id="repository-properties" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="ignoreUnresolvablePlaceholders">
            <value>true</value>
        </property>
        <property name="locations">
            <list>
                <value>classpath:alfresco/repository.properties</value>
                <value>classpath:alfresco/version.properties</value>
                <value>classpath:alfresco/domain/transaction.properties</value>

                <!– Override basic repository properties –>
                <value>classpath:alfresco/extension/custom-repository.properties</value>
            </list>
        </property>
    </bean>

    <bean id="hibernateConfigProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean">
        <property name="locations">
            <list>
                <value>classpath:alfresco/domain/hibernate-cfg.properties</value>

                <!– Override hibernate dialect –>
                <value>classpath:alfresco/extension/custom-hibernate-dialect.properties</value>
            </list>
        </property>
    </bean>
   <!– Parent bean for beans derived from AbstractAuthenticationComponent –>
    <bean id="authenticationComponentBase" abstract="true">
       <property name="tenantService">
            <ref bean="tenantService"/>
        </property>
       <property name="autoCreatePeopleOnLogin">
            <value>false</value>
        </property>
    </bean>

</beans>

dward
Champ on-the-rise
Champ on-the-rise
My mistake. That property wasn't present in 3.0. Best to override it on the person service itself. Try this in custom-repository-context.xml (remove my previous suggestion). Note that I have set createMissingPeople to false.

    <bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl" init-method="init">
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="tenantService">
            <ref bean="tenantService"/>
        </property>
        <property name="searchService">
            <ref bean="admSearchService" />
        </property>
        <property name="permissionServiceSPI">
            <ref bean="permissionServiceImpl" />
        </property>
        <property name="authorityService">
           <ref bean="authorityService" />
        </property>
        <property name="dictionaryService">
           <ref bean="dictionaryService" />
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService" />
        </property>
        <property name="policyComponent">
            <ref bean="policyComponent"/>
        </property>
        <property name="personCache">
            <ref bean="personCache" />
        </property>
      <property name="personDao">
            <ref bean="personDaoImpl" />
        </property>
        <!– Configurable properties.                                 –>
        <!–                                                          –>
        <!– TODO:                                                    –>
        <!– Add support for creating real home spaces adn setting    –>
        <!– permissions on the hame space and people created.        –>
        <!–                                                          –>
        <!– The store in which people are persisted.                 –>
        <property name="storeUrl">
           <value>${spaces.store}</value>
        </property>
        <!– Some authentication mechanisms may need to create people –>
        <!– in the repository on demand. This enables that feature.  –>
        <!– If dsiabled an error will be generated for missing       –>
        <!– people. If enabled then a person will be created and     –>
        <!– persisted.                                               –>
        <!– Valid values are                                         –>
        <!–     ${server.transaction.allow-writes}                   –>
        <!–     false                                                –>
        <property name="createMissingPeople">
           <value>false</value>
        </property>
        <property name="userNamesAreCaseSensitive">
          <value>${user.name.caseSensitive}</value>
        </property>
        <!– New properties after 1.4.0 to deal with duplicate user ids when found –>
        <property name="processDuplicates">
            <value>true</value>
        </property>
        <!– one of:  LEAVE, SPLIT, DELETE –>
        <property name="duplicateMode">
            <value>SPLIT</value>
        </property>
        <property name="lastIsBest">
            <value>true</value>
        </property>
        <property name="includeAutoCreated">
            <value>false</value>
        </property>
    </bean>

rchamy
Champ in-the-making
Champ in-the-making
Thank you very much. I change that property to false and I solved the problem but I changed that property in the authentication-services-context.xml file because in the custom-propoerties-properties.xml I don't have the bean id= personService and nothing to configure.

Now, I receive an error if I try to login with an user not imported by Alfresco:
11:46:07,513 ERROR [[Faces Servlet]] Servlet.service() for servlet Faces Servlet threw exception
org.alfresco.service.cmr.security.NoSuchPersonException: User does not exist and could not be created: rca25d
   at org.alfresco.repo.security.person.PersonServiceImpl.getPerson(PersonServiceImpl.java:249)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:296)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:177)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:144)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:80)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
   at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:275)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:107)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:166)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
   at $Proxy104.getPerson(Unknown Source)
   at org.alfresco.web.bean.LoginBean.login(LoginBean.java:283)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)
   at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:61)
   at javax.faces.component.UICommand.broadcast(UICommand.java:109)
   at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)
   at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)
   at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)
   at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)
   at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)
   at javax.faces.webapp.FacesServlet.service(FacesServlet.java:139)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.alfresco.repo.webdav.auth.BaseNTLMAuthenticationFilter.doFilter(BaseNTLMAuthenticationFilter.java:278)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
   at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
   at java.lang.Thread.run(Thread.java:619)

Any suggestion?

rchamy
Champ in-the-making
Champ in-the-making
I solved the problem. There was a mistake in one line. Thanks to all.