cancel
Showing results for 
Search instead for 
Did you mean: 

Chaining and LDAP-Authentication

meyfisch
Champ in-the-making
Champ in-the-making
Hi,

I have a problem concerning the chaining mechanism and LDAP-Authentication. I am using the Alfresco 2.0 Comunity Editon. The aim is to chain alfresco and ldap user-authentication.

First of all here is my ldap-configuration which works for plain ldap-authentication (ldap-authentication-context.xml)


<beans>
   
    <!– DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. –>
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>false</value>
        </property>
    </bean>   
  

    <!– LDAP authentication configuration –>
   
    <!–
   
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
   
    –>

    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!–
           
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authentricate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication.
           
            –>
        <value>cn=%s,ou=people,ou=Entwickler,ou=Mitarbeiter,ou=mycompany,dc=company,dc=de</value>
        </property>
    </bean>

    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                  <value>ldap://????????:389</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>
                </entry>
               
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
               <!–
           <entry key="java.naming.security.principal">
                    <value>reader</value>
                </entry>
      –>               
                <!– The password for the user defined above –>
                <!–
      <entry key="java.naming.security.credentials">
                    <value>secret</value>
                </entry>
      –>
            </map>
        </property>
    </bean>


So far so good. Then I have tried to follow the instructions given here http://forums.alfresco.com/viewtopic.php?t=3351&highlight=ldap+chaining and changed my ldap-authentication-context.xml as follows


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                  <value>ldap://??????:389</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>
                </entry>
               
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
               <!–
           <entry key="java.naming.security.principal">
                    <value>reader</value>
                </entry>
      –>               
                <!– The password for the user defined above –>
                <!–
      <entry key="java.naming.security.credentials">
                    <value>secret</value>
                </entry>
      –>
            </map>
        </property>
    </bean>
….

and added the chaining (chaining-authentication-context.xml)


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>

    <!– Chaining –>
    <bean id="authenticationServiceImpl" class="org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl">
        <property name="authenticationServices">
            <list>
           <ref bean="authenticationServiceImplLDAP"/>
      <!–<ref bean="authenticationServiceImplAlfresco"/> –>
            </list>
        </property>
        <property name="mutableAuthenticationService">
      <ref bean="authenticationServiceImplAlfresco"/>
        </property>
    </bean>

    <!– Alfresco Auth –>

    <bean id="authenticationServiceImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplAlfresco"/>
        </property>
    </bean>
         
    <bean id="authenticationDaoAlfresco" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="dictionaryService">
            <ref bean="dictionaryService"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="userNamesAreCaseSensitive">
            <value>${user.name.caseSensitive}</value>
        </property>
        <property name="passwordEncoder">
            <ref bean="passwordEncoder"/>
        </property>
    </bean>

    <bean id="authenticationComponentImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <property name="allowGuestLogin">
            <value>true</value>
        </property>
    </bean>

   <!– LDAP Auth –>
<bean id="authenticationServiceImplLDAP" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
       <property name="authenticationDao">
            <ref bean="authenticationDaoLDAP" />
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent" />
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplLDAP" />
        </property>
    </bean>

    <bean id="authenticationComponentImplLDAP" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <value>cn=%s,ou=people,ou=Entwickler,ou=Mitarbeiter,ou=mycompany,dc=company,dc=de</value>
        </property>
    </bean>


  <bean id="authenticationDaoLDAP" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao"/>

</beans>

After restarting Alfresco I tried to access Alfresco via the Webclient. I could now acces Alfresco using the alfresco users, but not using the ldap-users. Interestingly there is no network traffic to the ldap-Server in this case and I have no idea what to do next.

Thanks for your help,

Jan.
3 REPLIES 3

rcalmbac
Champ in-the-making
Champ in-the-making
See JIRA issue AR-1338 for the fix I applied to get chaining authentication working in Alfresco 2.0. I also notice that my ldapAuthenticationDao bean (authenticationDaoLDAP in your code) looks different from yours. I have:

    <bean name="ldapAuthenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>

This is the original bean definition from ldap-authentication-context.xml.sample (except for renaming). Yours looks like a hang-over from the original JAAS sample.

meyfisch
Champ in-the-making
Champ in-the-making
Thank you for your help.

Changing the bean-id authenticationServiceImpl to authenticationService in the chaining-authentication-context.xml solved the problem.

Now I am able to use both local and LDAP authentication.

melos
Champ in-the-making
Champ in-the-making
What is the difference between DefaultMutableAuthenticationDao and NullMutableAuthenticationDao?

I can't get my Alfresco recognize LDAP Users…HELP PLEASE!