Alfresco Community 3.2 and Active Directory integration

bmarkovic
Champ in-the-making
Hi,

New to Alfresco all in all, so bear with me. I was testing/playing with Labs 3.0 but never really got anywhere because of the whole "million XMLs in a WAR" configuration nightmare. As I understand it, this has been improved quite a bit in 3.2 with the new subsystems and configuration in tomcat/share, but I'm not quite sure whether I get it and/or am doing it right. Be that as it may, the end result is that I haven't really got to the point where my Active Directory users can log on to Alfresco at all, with either their NT credentials or their AD username/passwords (or the appropriate DOMAIN\user or user@domain.tld combos), to either CIFS or the /alfresco web app.

All I did is more or less C/P from the PDFs and the wiki pages. As I understand it, I should have set up the authentication chain in

/opt/Alfresco/tomcat/shared/classes/alfresco-global.properties

which I did like this:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1

Now the Install & Configure PDF says I have to place some settings for these authentication subsystem element instances. I banged my head around until, in the wiki section on subsystems, I came across that they should be placed in:
$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/<category>/<type>/<id>/*.properties

So for my case I made these files (with contents below; I omitted the exact names for security reasons, hope you don't mind):
$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/alfrescoNtlm/alfrescoNtlm1/overrides.properties
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/passthru/passthru1/overrides.properties
tlm.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true

passthru.authentication.domain=mydomain.tld
passthru.authentication.servers=dc1.mydomain.tld,dc2.mydomain.tld

Here dc1.mydomain.tld is the canonical FQDN of the FSMO master of all things, and the second server is the backup DC.

$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/overrides.properties
ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.userNameFormat=%s@mydomain.tld
ldap.authentication.java.naming.provider.url=ldap://dc1.mydomain.tld389

ldap.authentication.defaultAdministratorUserNames=administrator,<myself>
ldap.synchronization.java.naming.security.principal=administrator@mydomain.tld
ldap.synchronization.java.naming.security.credentials=<administrator-password>

Please note that the CentOS 5.3 host this is run on has no other CIFS daemons (i.e. no Samba), but I have left winbind on and the host is joined to the domain via winbind. Also no other Tomcat; the DB is handled by local MySQL. I also have a CentOS fileserver working perfectly as a Windows domain fileserver using distro vanilla Samba, and I have integrated Zimbra Community into my domain as well, so I'm not exactly a novice in Linux, Windows admin, or interop of the two platforms.

But Alfresco is constantly doing my head in. The config process is terribly convoluted, even though I'm no "point-and-click adventurer"; I prefer a single config file to the endless web of directories and miniature config tidbits of the Alfresco/Spring way. But I thought I grokked it and that it's finally manageable in 3.2; still, I just cannot get what's wrong.

Here are some log bits that you might find interesting (and that I assume)

00:00:00,025 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap-ad]
00:00:00,031 INFO  [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
00:00:00,031 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, ldap-ad] complete
12:59:40,222 WARN  [org.springframework.beans.factory.support.DefaultListableBeanFactory] Encountered FactoryBean creation exception for bean 'AuthenticationComponent' - couldn't check type! org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'AuthenticationComponent' defined in file [/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml]: Cannot resolve reference to bean 'authenticationComponent' while setting bean property 'target'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationComponent' defined in file [/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml]: Cannot resolve reference to bean 'passthruServers' while setting bean property 'passthruServers'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'passthruServers' defined in file [/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.error.AlfrescoRuntimeException: 06170006 Error setting passthru domain, Failed to find domain controller or browse master for DOMAIN

and Alfresco dies spouting pretty much this message as I log on. And this is verbatim, and my domain name is certainly not DOMAIN. So this is what I think is wrong, I just don't know where to override it.

If I slam all that stuff from the subdirectories and override.properties files into the /opt/Alfresco/tomcat/shared/classes/alfresco-global.properties file (and it looks like)

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1


ntlm.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true

passthru.authentication.domain=mydomain.tld
passthru.authentication.servers=dc1.mydomain.tld,dc2.mydomain.tld

ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.userNameFormat=%s@mydomain.tld
ldap.authentication.java.naming.provider.url=ldap://dc1.mydomain.tld:389

ldap.authentication.defaultAdministratorUserNames=administrator,<myself>

ldap.synchronization.java.naming.security.principal=administrator@mydomain.tld
ldap.synchronization.java.naming.security.credentials=<admin-password>

then it starts OK, accepts admin/admin (internal password system) but does not accept any of my AD users as described, and the log has these:

09:44:15,854 WARN  [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] NTLM filter, error resolving CIFS host nameALFRESCOA
09:44:15,855 INFO  [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] NTLM filter using server name alfresco
09:48:04,525 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:04,525 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:04,566 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:04,577 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:04,679 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:04,680 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:05,491 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:05,492 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:05,498 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:05,498 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException

Which is interesting (despite being just a warning), since both the NetBIOS and DNS server names of the host are just "alfresco", and I've tried to override cifs.localname and cifs.domain to:
cifs.localname=alfresco
cifs.domain=mydomain.tld

But the log errors are still the same. The other part is Kerberos failing and not really saying why.

Hope someone can help me. Thank you in advance.
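A consistency check for the chain-versus-override-directory layout described in the post above, as an added example (not Alfresco's own code and not anything posted in the thread): it parses `authentication.chain` as instance:type (the order the `ID: [managed, ldap-ad]` log line reflects), derives the `<type>/<id>` directory each entry should use, and lints the posted property keys and LDAP URL. The key-prefix table is an assumption built only from keys that appear in this thread, and `run_thread_sample` feeds it the posted configuration as constructed input.

```python
import re

# Key prefixes per subsystem type, from the keys posted above (assumption: not exhaustive).
KNOWN_PREFIXES = {
    "alfrescoNtlm": ("alfresco.authentication.", "ntlm."),
    "passthru": ("passthru.authentication.", "ntlm."),
    "ldap-ad": ("ldap.authentication.", "ldap.synchronization."),
}
LDAP_URL = re.compile(r"^ldaps?://[^/:\s]+:\d{1,5}$")  # scheme://host:port, nothing else
BASE = "$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication"

def parse_chain(chain: str) -> list:
    """'instance:type,...' -> [(instance, type), ...]; rejects malformed entries."""
    pairs = [raw.split(":") for raw in chain.split(",")]
    if any(len(p) != 2 for p in pairs):
        raise ValueError(f"malformed authentication.chain: {chain!r}")
    return [(i.strip(), t.strip()) for i, t in pairs]

def check(chain: str, overrides: dict) -> list:
    """overrides: '<type>/<instance>' dir under BASE -> its *.properties key/value pairs."""
    findings, entries = [], parse_chain(chain)
    expected = {f"{typ}/{inst}" for inst, typ in entries}
    for inst, typ in entries:
        if typ not in KNOWN_PREFIXES:
            findings.append(f"{inst}: unknown type {typ!r} (entries are instance:type)")
        if f"{typ}/{inst}" not in overrides:
            findings.append(f"{inst}: no overrides at {BASE}/{typ}/{inst}/")
    for d, props in overrides.items():
        if d not in expected:
            findings.append(f"{d}: directory matches no chain entry")
        prefixes = KNOWN_PREFIXES.get(d.split("/")[0])
        for key, val in props.items():
            if prefixes and not key.startswith(prefixes):
                findings.append(f"{d}: {key!r} is not a property of this subsystem type")
            if key.endswith("provider.url") and not LDAP_URL.match(val):
                findings.append(f"{d}: LDAP URL {val!r} is not ldap://host:port")
    return findings

def run_thread_sample() -> list:
    """Chain and override files exactly as posted above (constructed input)."""
    overrides = {
        "alfrescoNtlm/alfrescoNtlm1": {"ntlm.authentication.sso.enabled": "false"},
        "passthru/passthru1": {"tlm.authentication.sso.enabled": "true",
                               "passthru.authentication.domain": "mydomain.tld"},
        "ldap-ad/ldap1": {"ldap.authentication.java.naming.provider.url":
                          "ldap://dc1.mydomain.tld389"},
    }
    return check("alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1", overrides)
```

Run against the posted layout it reports five findings: the `ldap-ad:ldap1` entry names an unknown type and has no `ldap1/ldap-ad/` directory, the `ldap-ad/ldap1/` directory matches no chain entry, the `tlm.` key is not a passthru property, and the LDAP URL has no port separator.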
5 REPLIES

bmarkovic
Champ in-the-making
Ok still no reply, but I did get a bit further on my own.

Everything so far suggests that the proposed method of overriding properties using the paths (from the wiki section on Configuring Subsystems) doesn't really work in my install, i.e. Alfresco does not read anything from my configuration files. I've triple-checked for grammar errors. Is there a syntax such that I can set these options in alfresco-global.properties, since it obviously reads it? For some reason authentication doesn't work this way; I'm assuming it's because default properties don't make it to the instances as they should, because they are globally defined.

dward
Champ on-the-rise
FYI, it seems that the extension classpath-based mechanism described here was broken in the v3.2 Community release:

http://wiki.alfresco.com/wiki/Alfresco_Subsystems#Extension_classpath

See

http://forums.alfresco.com/en/viewtopic.php?f=8&t=20069#p66374

A fix for this is in the latest community nightly build (14th July).

bmarkovic
Champ in-the-making
How would one go about downloading this nightly build?

edit: Rude of me, I forgot to say thank you for replying to my post, so here it is: Thank you, Dward, and please respond to this question as well when you find time.

mikeh
Star Contributor

bmarkovic
Champ in-the-making
Thanks. Is there anything I have to bear in mind when writing this version over the old one (I intend to save the classpath folders, uninstall, then reinstall and restore the folders)?