Import/Synchronize Users from AD to Alfresco 4.0d

pac22
Champ in-the-making
Hello, how are you doing? We are currently running a pilot test of Alfresco in our university, authenticating against AD.
I would like to know if someone has configured Alfresco 4.0d to authenticate against Active Directory while importing/synchronizing users (name, last name, mail, office) from AD.
If so, I would greatly appreciate it if you could send me, or post in the forum, the configuration of the necessary files and their corresponding paths (since files with the same name are found in several places under /opt/alfresco_4.0d), and I will adapt it to our AD.

Otherwise, could someone help me perform this configuration?

Thank you very much in advance, Cristian.
UTN Facultad Regional Delta
Buenos Aires, Argentina.
5 REPLIES

jonash
Champ in-the-making
Hi,

To configure AD authentication and synchronization you need to add the ldap-ad subsystem to your authentication chain and configure it. All this is configured in alfresco-global.properties:


authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@your.domain.com
ldap.authentication.java.naming.provider.url=ldap://your.ldap.server:389
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=your.sync.user@your.domain.com
ldap.synchronization.java.naming.security.credentials=yourpassword
ldap.synchronization.groupSearchBase=dc\=your,dc\=domain,dc\=com
ldap.synchronization.userSearchBase=dc\=your,dc\=domain,dc\=com
synchronization.import.cron=0 0 * * * ?

pac22
Champ in-the-making
Hi JonasH…

Thanks for your reply!… I have made a lot of progress. With your settings, users and groups are now synchronizing, but not authenticating…

[img]http://www.frd.utn.edu.ar/pac/Alfresco_User_1.jpg[/img]

[img]http://www.frd.utn.edu.ar/pac/Alfresco_Groups_1.jpg[/img]

[img]http://www.frd.utn.edu.ar/pac/Alfresco_Auth_Error_1.jpg[/img]

These are the authentication lines located in /opt/alfresco-4.0.d/tomcat/shared/classes/alfresco-global.properties


authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@frd.utn.edu.ar
ldap.authentication.java.naming.provider.url=ldap://192.168.1.1:389
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN=test10,CN=Users,DC=delta,DC=utn
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.groupSearchBase=cn\=users,dc\=delta,dc\=utn
ldap.synchronization.userSearchBase=cn\=users,dc\=delta,dc\=utn
synchronization.import.cron=0 0 * * * ?

Question: does the user in "ldap.synchronization.java.naming.security.principal" need to have administrator rights?

Will I need to add some additional parameter line in alfresco-global.properties?

This is the configuration that successfully authenticates but does not synchronize:


authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap1:ldap-ad

### NTLM Authentication ###
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false
### Passthru Authentication ###
ntlm.authentication.sso.enabled=false
passthru.authentication.sso.enabled=false
passthru.authentication.authenticateCIFS=true
passthru.authentication.useLocalServer=false
passthru.authentication.domain=delta.utn
passthru.authentication.servers=delta.utn\\192.168.1.1
### LDAP Authentication ###
ldap.authentication.active=false
ldap.authentication.userNameFormat=%s@frd.utn.edu.ar
ldap.authentication.java.naming.provider.url=ldap://192.168.1.1:389

Any help or recommendation will be welcome…


Regards, Cristian.

jonash
Champ in-the-making
Hi Cristian,

ldap.synchronization.java.naming.security.principal is only used to perform the synchronization; it is not required for authentication.

For authentication, ldap.authentication.userNameFormat is the most important parameter. Are you sure it is correct? Based on your search base, I would try setting this to %s@delta.utn

If you have ldapsearch installed you can test authentication with the following command:


ldapsearch -h 192.168.1.1 -D <username>@frd.utn.edu.ar -W -x

In the working authentication configuration you included, LDAP authentication is disabled (ldap.authentication.active=false). Can you confirm this actually authenticates against AD and not against the users defined in Alfresco (alfrescoNtlm subsystem)?

pac22
Champ in-the-making
Hello, how are you? Apparently the problem was coming from there…

These are the queries with your recommendations:



With Wrong Password:

[root@frdllab10 classes]# ldapsearch -h 192.168.1.1 -D cpacheco@delta.utn -W -x
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

With Password OK:


[root@frdllab10 classes]# ldapsearch -h 192.168.1.1 -D cpacheco@delta.utn -W -x
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object
text: 0000208D: NameErr: DSID-031001A8, problem 2001 (NO_OBJECT), data 0, bes
t match of:
        ''


# numResponses: 1
[root@frdllab10 classes]#

Now alfresco-global.properties is this:


authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@delta.utn
ldap.authentication.java.naming.provider.url=ldap://192.168.1.1:389
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=CN=test10,CN=Users,DC=delta,DC=utn
ldap.synchronization.java.naming.security.credentials=password
ldap.synchronization.groupSearchBase=cn\=users,dc\=delta,dc\=utn
ldap.synchronization.userSearchBase=cn\=users,dc\=delta,dc\=utn
synchronization.import.cron=0 0 * * * ?


Now they are authenticating with AD, except for a user I had been using, "cpacheco", who belonged to the Alfresco administrators group.

I deleted that user and it then allowed me to log in successfully, authenticating with AD.

This entry in the configuration is for synchronizing all users and data from AD to Alfresco at midnight, right?


synchronization.import.cron=0 0 * * * ?

I will continue testing and see if I can map any additional data from the AD accounts into Alfresco.

I deeply appreciate your help.

If you have any links or posts you can recommend to me, I would be grateful…

Thank you very much, Cristian.

jonash
Champ in-the-making
Hi Cristian,

The synchronization cron expression in my example syncs users and groups every hour.
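As an added example (my own code, not from this thread or from Alfresco), a small Python script that reads the ldap-ad settings out of an alfresco-global.properties file and reports the things this thread tripped over: a userNameFormat suffix that differs from the search-base domain (only a hint, since AD also accepts a registered alternate UPN suffix), ldap-ad in the chain while ldap.authentication.active is not true, a plain ldap:// URL over which the sync account's simple bind sends its password in the clear, and what the Quartz cron expression actually schedules. The sample properties and all function names are constructed for this example.

```python
import re
# Constructed sample, modelled on the second configuration posted in this thread
# (it synchronized but did not authenticate); not copied from any real deployment.
SAMPLE_PROPERTIES = """\
authentication.chain=alfrescoNtlm1:alfrescoNtlm,ldap-ad1:ldap-ad
ldap.authentication.active=true
ldap.authentication.userNameFormat=%s@frd.utn.edu.ar
ldap.authentication.java.naming.provider.url=ldap://192.168.1.1:389
ldap.synchronization.java.naming.security.principal=CN=test10,CN=Users,DC=delta,DC=utn
ldap.synchronization.userSearchBase=cn\\=users,dc\\=delta,dc\\=utn
synchronization.import.cron=0 0 * * * ?
"""

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' comments, '\\=' unescaped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\=", "=")
    return props

def domain_from_search_base(base):
    """Join the dc= parts of a DN into a DNS-style name: dc=delta,dc=utn -> delta.utn."""
    return ".".join(m.group(1) for m in re.finditer(r"dc=([^,]+)", base, re.I))

def describe_quartz_cron(expr):
    """Plain-English schedule for the simple Quartz shapes seen here (sec min hour ...)."""
    minute, hour = expr.split()[1:3]
    if hour == "*":
        return "every hour at minute %s" % minute
    return "daily at %02d:%02d" % (int(hour), int(minute))

def check_ad_config(props):
    """Return findings for the ldap-ad settings the thread ran into."""
    findings = []
    if "ldap-ad" in props.get("authentication.chain", "") and props.get("ldap.authentication.active") != "true":
        findings.append("ldap-ad is in the chain but ldap.authentication.active is not true")
    suffix = props.get("ldap.authentication.userNameFormat", "").partition("@")[2]
    base_domain = domain_from_search_base(props.get("ldap.synchronization.userSearchBase", ""))
    if suffix and base_domain and suffix.lower() != base_domain.lower():
        findings.append("userNameFormat suffix %r differs from search-base domain %r" % (suffix, base_domain))
    if props.get("ldap.authentication.java.naming.provider.url", "").startswith("ldap://"):
        findings.append("provider.url is ldap://, so simple binds send passwords in cleartext")
    if "synchronization.import.cron" in props:
        findings.append("sync runs " + describe_quartz_cron(props["synchronization.import.cron"]))
    return findings
```

Run it on the sample with `check_ad_config(parse_properties(SAMPLE_PROPERTIES))`; on the thread's final configuration (suffix delta.utn) the domain-mismatch finding disappears and the cron line reads "every hour at minute 0".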