cancel
Showing results for 
Search instead for 
Did you mean: 

malgrès le nombre important de messages sur la configuration...

holyjoe
Champ in-the-making
Champ in-the-making
Bonjour,

malgrès le nombre important de messages sur la configuration LDAP, et NTLM, je bloque un peu depuis plusieurs jours sur cette configuration.
je m'excuse donc par avance de la non pertinance de mes questions…

Bon, je suis en cours de mise en place d'Alfresco version 2 communauty.
j'ai essayé la version "tout en un", puis je suis passé à l'installation des composants un à un.
actuellement, la version de test tourne :
- Vista pro
- Tomcat 5.5.23
- Java runtime 1.6
- Alfresco 2 build 185
- MySql 5.0.27 installé sur un serveur distant
- Domaine Active Directory

la mise en place a été relativement aisée une fois que j'ai un peu compris comment tout cela était lié.

Compte tenu de l'existence d'un domaine, mon objectif est d'avoir le moins d'authentification "manuelle" pour l'utilisateur lambda.
d'où ma volonté de faire fonctionner la synchro LDAP et l'authentification NTLM, simple ou passthru.
sachant que les utilisateurs utiliseront à  90% le serveur CIFS exclusivement (du moins dans un premier temps, avant de les former sur l'interface Alfresco)

Moyens pour configurer le tout :
vos précieux conseils sur ce forum ou celui en anglais, ainsi que le wifi

j'ai donc modifié tout d'abord le fichier ldap-authentification-context.xml du répertoire Extension :

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
    <!– DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. –>
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
  

    <!– LDAP authentication configuration –>
   
    <!–
   
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
   
    –>
    <!–
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
          
           
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authentricate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication.
           
           
            <value>%s</value>
        </property>
    </bean>
    –>
    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>ldap://Serveur.hadar.lan:389</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>SIMPLE</value>
                </entry>
               
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
                <entry key="java.naming.security.principal">
                    <value>*******</value>
                </entry>
               
                <!– The password for the user defined above –>
                <entry key="java.naming.security.credentials">
                    <value>*******</value>
                </entry>
            </map>
        </property>
    </bean>
   
    <!– Ldap Syncronisation support –>
   
    <!–
       
    There can be more than one stack of beans that import users or groups. For example, it may be easier
    to have a version of ldapPeopleExportSource, and associated beans, for each sub-tree of your ldap directory
    from which you want to import users. You could then limit users to be imported from two or more sub tress and ignore
    users found else where. The same applies to the import of groups.
        
    The defaults shown below are for OpenLDAP.   
       
    –>
       
  
    <!– Extract user information from LDAP and transform this to XML –>
    
    <bean id="ldapPeopleExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource">
        <!–
        The query to select objects that represent the users to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=inetOrgPerson)
       
        For Active Directory:
        (objectclass=user)
        –>
        <property name="personQuery">
            <value>(objectclass=user)</value>
        </property>
       
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>ou=hadar,dc=hadar,dc=lan</value>
        </property>
       
        <!–
        The unique identifier for the user.
       
        THIS MUST MATCH WHAT THE USER TYPES IN AT THE LOGIN PROMPT   
       
        For simple LDAP authentication this is likely to be "cn" or, less friendly, "distinguishedName"
       
        In OpenLDAP, using other authentication mechanisms "uid", but this depends on how you map
        from the id in the LDAP authentication request to search for the inetOrgPerson against which
        to authenticate.
       
        In Active Directory this is most likely to be "sAMAccountName"
       
        This property is mandatory and must appear on all users found by the query defined above.
       
        –>
        <property name="userIdAttributeName">
            <value>sAMAccountName</value>
        </property>
       
        <!– Services –>
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="personService">
            <ref bean="personService"></ref>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
       
        <!–
        This property defines a mapping between attributes held on LDAP user objects and
        the properties of user objects held in the repository. The key is the QName of an attribute in
        the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
        LDAP repository.    
        –>
        <property name="attributeMapping">
            <map>
                <entry key="cm:userName">
                    <!– Must match the same attribute as userIdAttributeName –>
                    <value>sAMAccountName</value>
                </entry>
                <entry key="cm:firstName">
                    <!– OpenLDAP: "givenName" –>
                    <!– Active Directory: "givenName" –>
                    <value>givenName</value>
                </entry>
                <entry key="cm:lastName">
                    <!– OpenLDAP: "sn" –>
                    <!– Active Directory: "sn" –>
                    <value>sn</value>
                </entry>
                <entry key="cm:email">
                    <!– OpenLDAP: "mail" –>
                    <!– Active Directory: "???" –>
                    <value>mail</value>
                </entry>
                <entry key="cm:organizationId">
                    <!– OpenLDAP: "o" –>
                    <!– Active Directory: "???" –>
                    <value>o</value>
                </entry>
                <!– Always use the default –>
                <entry key="cm:homeFolderProvider">
                    <null/>
                </entry>
            </map>
        </property>
        <!– Set a default home folder provider –>
        <!– Defaults only apply for values above –>
        <property name="attributeDefaults">
            <map>
                <entry key="cm:homeFolderProvider">
                    <value>personalHomeFolderProvider</value>
                </entry>
            </map>
        </property>
    </bean>
   
    <!– Extract group information from LDAP and transform this to XML –>
   
    <bean id="ldapGroupExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource">
        <!–
        The query to select objects that represent the groups to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=groupOfNames)
       
        For Active Directory:
        (objectclass=group)
        –>
        <property name="groupQuery">
            <value>(objectclass=group)</value>
        </property>
       
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>ou=hadar,dc=hadar,dc=lan</value>
        </property>
       
        <!–
        The unique identifier for the user. This must match the userIdAttributeName on the ldapPeopleExportSource bean above.
        –>
        <property name="userIdAttributeName">
            <value>sAMAccountName</value>
        </property>
       
        <!–
        An attribute that is a unique identifier for each group found.
        This is also the name of the group with the current group implementation.
        This is mandatory for any groups found.
       
        OpenLDAP: "cn" as it is mandatory on groupOfNames
        Active Directory: "cn"
       
        –>
        <property name="groupIdAttributeName">
            <value>cn</value>
        </property>
       
        <!–
        The objectClass attribute for group members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a group.
        –>
        <property name="groupType">
            <value>groupOfNames</value>
        </property>
       
        <!–
        The objectClass attribute for person members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a person.
        –>
        <property name="personType">
            <value>inetOrgPerson</value>
        </property>
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
       
        <!–
        The repeating attribute on group objects (found by query or as sub groups)
        used to define membership of the group. This is assumed to hold distinguished names of
        other groups or users/people; the above types are used to determine this.
       
        OpenLDAP: "member" as it is mandatory on groupOfNames
        Active Directory: "member"
       
        –>
        <property name="memberAttribute">
            <value>member</value>
        </property>
       
        <property name="authorityDAO">
            <ref bean="authorityDAO"/>
        </property>
    </bean>
   
    <!– Job definitions to import LDAP people and groups –>
    <!– The triggers register themselves with the scheduler –>
    <!– You may comment in the default scheduler to enable these triggers –>
    <!– If a cron base trigger is what you want seee scheduled-jobs-context.xml for examples. –>
   
    <!– Trigger to load poeple –>
    <!– Note you can have more than one initial (context, trigger, import job and export source) set –>
    <!– This would allow you to load people from more than one ldap store –>
   
    <bean id="ldapPeopleTrigger" class="org.alfresco.util.TriggerBean">
        <property name="jobDetail">
            <bean id="ldapPeopleJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapPeopleImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <!– Start after 5 minutes of starting the repository –>
        <property name="startDelay">
            <value>300000</value>
        </property>
        <!– Repeat every hour –>
        <property name="repeatInterval">
            <value>3600000</value>
        </property>
        <!– Commented out to disable
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
        –>
    </bean>
   
    <bean id="ldapGroupTrigger" class="org.alfresco.util.TriggerBean">
        <property name="jobDetail">
            <bean id="ldapGroupJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapGroupImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <!– Start after 5 minutes of starting the repository –>
        <property name="startDelay">
            <value>300000</value>
        </property>
        <!– Repeat every hour –>
        <property name="repeatInterval">
            <value>3600000</value>
        </property>
        <!– Commented out to disable
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
        –>
    </bean>
   
    <!– The bean that imports xml describing people –>
   
    <bean id="ldapPeopleImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponentWithBehaviour"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapPeopleExportSource"/>
        </property>

        <!– The store that contains people - this should not be changed –>
        <property name="storeRef">
            <value>${spaces.store}</value>
        </property>
       
        <!– The location of people nodes within the store defined above - this should not be changed –>
        <property name="path">
            <value>/${system.system_container.childname}/${system.people_container.childname}</value>
        </property>
       
        <!– If true, clear all existing people before import, if false update/add people from the xml –>
        <property name="clearAllChildren">
            <value>false</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
       
        <property name="caches">
            <set>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
    </bean>
   
    <!– The bean that imports xml descibing groups –>
   
    <bean id="ldapGroupImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponentWithBehaviour"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapGroupExportSource"/>
        </property>
        <!– The store that contains group information - this should not be changed –>
        <property name="storeRef">
            <value>${alfresco_user_store.store}</value>
        </property>
       
        <!– The location of group information in the store above - this should not be changed –>
        <property name="path">
            <value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
        </property>
       
        <!– If true, clear all existing groups before import, if false update/add groups from the xml –>
        <property name="clearAllChildren">
            <value>true</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
        <!– caches to clear on import of groups –>
        <property name="caches">
            <set>
                <ref bean="userToAuthorityCache"/>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
       
        <!– userToAuthorityCache –>
    </bean>
   
</beans>
deuxième modification, le fichier web.xml

[…]

   <filter>
      <filter-name>Authentication Filter</filter-name>
      <!–<filter-class>org.alfresco.web.app.servlet.AuthenticationFilter</filter-class>–>
      <filter-class>org.alfresco.web.app.servlet.NTLMAuthenticationFilter</filter-class>
     
      <!– For Novell IChain support use the following filter –>
      <!– (Enterprise version only)                          –>
      <!–
        <filter-class>org.alfresco.web.app.servlet.NovellIChainsHTTPRequestAuthenticationFilter</filter-class>
      –>
     
      <!– For NTLM authentication support use the following filter –>
      <!– (Enterprise version only)                                –>
      <!–
        <filter-class>org.alfresco.web.app.servlet.NTLMAuthenticationFilter</filter-class>
      –>
   </filter>
  
   <filter-mapping>
     <filter-name>Authentication Filter</filter-name>
     <url-pattern>/navigate/*</url-pattern>
   </filter-mapping>

   <filter>
      <filter-name>WebDAV Authentication Filter</filter-name>
      <!– <filter-class>org.alfresco.repo.webdav.auth.AuthenticationFilter</filter-class>–>
      <filter-class>org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter</filter-class>
     
      <!– For NTLM authentication support use the following filter –>
      <!– (Enterprise version only)                                –>
      <!–
        <filter-class>org.alfresco.repo.webdav.auth.NTLMAuthenticationFilter</filter-class>
      –>
   </filter>

   <filter>
      <filter-name>Admin Authentication Filter</filter-name>
      <filter-class>org.alfresco.web.app.servlet.AdminAuthenticationFilter</filter-class>
   </filter>

[…]
troisième modification, le fichier file-server-custom.xml ou j'ai rajouté ceci :

   <config evaluator="string-compare" condition="Filesystem Security">
      <authenticator type="alfresco">
      </authenticator>
   </config>
voici les erreurs que j'ai lorsque je me connecte à Alfresco (IE ou Firefox)

11:29:30,410 WARN  [org.springframework.remoting.rmi.RmiRegistryFactoryBean] Could not detect RMI registry - creating new one
11:29:34,357 INFO  [org.alfresco.repo.admin.ConfigurationChecker] The Alfresco root data directory ('dir.root') is: D:Applicatifsalf_data
11:29:34,547 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Vérification des correctifs à appliquer …
11:29:34,581 INFO  [org.alfresco.repo.admin.patch.PatchExecuter] Aucun correctif requis.
11:29:34,585 INFO  [org.alfresco.repo.module.ModuleServiceImpl] 0 module(s) trouvé(s).
11:29:34,706 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - v1.6.0_01-b06; maximum heap size 63,563MB
11:29:34,706 WARN  [org.alfresco.service.descriptor.DescriptorService] Alfresco JVM - WARNING - maximum heap size 63,563MB is less than recommended 512MB
11:29:34,707 INFO  [org.alfresco.service.descriptor.DescriptorService] Alfresco started (Community Network): Current version 2.0.0 (build-185) schema 38 - Installed version 2.0.0 (build-185) schema 38
11:29:44,649 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/alfresco].[jsp]] "Servlet.service()" pour la servlet jsp a lancé une exception
net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:477)
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:355)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.alfresco.repo.audit.AuditComponentImpl.auditImpl(AuditComponentImpl.java:219)
   at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:165)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
   at $Proxy18.hasPermission(Unknown Source)
   at org.alfresco.web.bean.repository.Node.hasPermission(Node.java:363)
   at org.alfresco.web.bean.NavigationBean.getCompanyHomeVisible(NavigationBean.java:695)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.apache.myfaces.el.PropertyResolverImpl.getProperty(PropertyResolverImpl.java:400)
   at org.apache.myfaces.el.PropertyResolverImpl.getValue(PropertyResolverImpl.java:71)
   at org.apache.myfaces.el.ELParserHelper$MyPropertySuffix.evaluate(ELParserHelper.java:532)
   at org.apache.commons.el.ComplexValue.evaluate(ComplexValue.java:145)
   at org.apache.myfaces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:378)
   at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:822)
   at org.alfresco.web.ui.common.renderer.ModeListRenderer.encodeChildren(ModeListRenderer.java:271)
   at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:319)
   at javax.faces.webapp.UIComponentTag.encodeChildren(UIComponentTag.java:343)
   at javax.faces.webapp.UIComponentTag.doEndTag(UIComponentTag.java:251)
   at org.apache.jsp.jsp.dashboards.container_jsp._jspx_meth_a_005fmodeList_005f0(container_jsp.java:652)
   at org.apache.jsp.jsp.dashboards.container_jsp._jspService(container_jsp.java:219)
   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:328)
   at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:315)
   at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
   at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
   at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
   at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
   at org.apache.myfaces.context.servlet.ServletExternalContextImpl.dispatch(ServletExternalContextImpl.java:415)
   at org.apache.myfaces.application.jsp.JspViewHandlerImpl.renderView(JspViewHandlerImpl.java:234)
   at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:352)
   at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
   at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
   at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
   at java.lang.Thread.run(Unknown Source)
11:29:44,651 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/alfresco].[Faces Servlet]] "Servlet.service()" pour la servlet Faces Servlet a généré une exception
net.sf.acegisecurity.AuthenticationCredentialsNotFoundException: A valid SecureContext was not provided in the RequestContext
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:477)
   at net.sf.acegisecurity.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:355)
   at net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:77)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.alfresco.repo.security.permissions.impl.ExceptionTranslatorMethodInterceptor.invoke(ExceptionTranslatorMethodInterceptor.java:49)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.alfresco.repo.audit.AuditComponentImpl.auditImpl(AuditComponentImpl.java:219)
   at org.alfresco.repo.audit.AuditComponentImpl.audit(AuditComponentImpl.java:165)
   at org.alfresco.repo.audit.AuditMethodInterceptor.invoke(AuditMethodInterceptor.java:69)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:96)
   at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:170)
   at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:176)
   at $Proxy18.hasPermission(Unknown Source)
   at org.alfresco.web.bean.repository.Node.hasPermission(Node.java:363)
   at org.alfresco.web.bean.NavigationBean.getCompanyHomeVisible(NavigationBean.java:695)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
   at java.lang.reflect.Method.invoke(Unknown Source)
   at org.apache.myfaces.el.PropertyResolverImpl.getProperty(PropertyResolverImpl.java:400)
   at org.apache.myfaces.el.PropertyResolverImpl.getValue(PropertyResolverImpl.java:71)
   at org.apache.myfaces.el.ELParserHelper$MyPropertySuffix.evaluate(ELParserHelper.java:532)
   at org.apache.commons.el.ComplexValue.evaluate(ComplexValue.java:145)
   at org.apache.myfaces.el.ValueBindingImpl.getValue(ValueBindingImpl.java:378)
   at javax.faces.component.UIComponentBase.isRendered(UIComponentBase.java:822)
   at org.alfresco.web.ui.common.renderer.ModeListRenderer.encodeChildren(ModeListRenderer.java:271)
   at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:319)
   at javax.faces.webapp.UIComponentTag.encodeChildren(UIComponentTag.java:343)
   at javax.faces.webapp.UIComponentTag.doEndTag(UIComponentTag.java:251)
   at org.apache.jsp.jsp.dashboards.container_jsp._jspx_meth_a_005fmodeList_005f0(container_jsp.java:652)
   at org.apache.jsp.jsp.dashboards.container_jsp._jspService(container_jsp.java:219)
   at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:98)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:328)
   at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:315)
   at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:265)
   at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:691)
   at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
   at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
   at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
   at org.apache.myfaces.context.servlet.ServletExternalContextImpl.dispatch(ServletExternalContextImpl.java:415)
   at org.apache.myfaces.application.jsp.JspViewHandlerImpl.renderView(JspViewHandlerImpl.java:234)
   at org.apache.myfaces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:352)
   at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
   at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
   at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
   at java.lang.Thread.run(Unknown Source)
11:38:19,850 ERROR [org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/alfresco].[externalAccess]] "Servlet.service()" pour la servlet externalAccess a généré une exception
org.alfresco.error.AlfrescoRuntimeException: Not implemented
   at org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao.getMD4HashedPassword(DefaultMutableAuthenticationDao.java:394)
   at org.alfresco.repo.security.authentication.AuthenticationComponentImpl.getMD4HashedPassword(AuthenticationComponentImpl.java:107)
   at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:666)
   at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:400)
   at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
   at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
   at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
   at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
   at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
   at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
   at java.lang.Thread.run(Unknown Source)
j'ai suivi me semble-t-il à la lettre les instructions sur le wiki, mais peut-être ai-je raté une étape…
actuellement, je n'ai même pas la possibilité de rentrer un login/mot de passe

sinon, il y a t il une autre méthode pour avoir une authentification manuelle mais avec au moins l'utilisation du login de AD et non le nom complet (j'avais testé l'authentification LDAP sans importation et cela marchait pour l'interface Alfresco mais en rentrant donc un nom complet et non juste le login, et sans importation de l'adresse courriel)

En vous remerciant,

Michel
Smiley Happy
11 REPLIES 11

lme
Champ in-the-making
Champ in-the-making
Bonjour,

Rapidement quelques points :
- il faut jouer avec le fichier ntlm-authentication-context.xml.sample : le renommer et l'éditer
- pas besoin de modifier le fichier web.xml, fait déjà fonctionner l'authentification et tu verras plus tard pour faire du SSO
- évite de laisser trainer des mots de passe en clair quand tu postes dans forum Smiley Wink
- dans l'état actuel, la synchro LDAP -> alfresco ne peut pas fonctionner, tu as oublié de décommenter 2 parties dans ldap-authentification-context.xml

holyjoe
Champ in-the-making
Champ in-the-making
Merci pour tes précisions, je teste cela tout de suite ! Smiley Happy

holyjoe
Champ in-the-making
Champ in-the-making
Bon génial, après avoir pu me libérer un peu de temps pour travailler sur alfresco, j'ai pu faire les quelques modifications que tu m'as demandé de faire et j'ai des résultats très positifs :

- l'authentification NTLM fonctionne.
- la synchronisation LDAP fonctionne, pour les utilisateurs, et pour les groupes.
- le serveur CIFS fonctionne en mode "alfresco". pour le passthru je présume que je dois attendre la prochaine version d'alfresco pour que le bug soit corrigé ?

il ne me reste plus que le SSO, je présume que c'est à ce moment là que je peux modifier le fichier web.xml ?

j'ai tout de même quelques questions :
- le compte administrateur est effectivement administrateur dans alfresco. pour rajouter un administrateur, j'ai créé le fichier "custom-authority-services-context.xml" dans lequel j'ai rajouté mon identifiant, et pourtant, je reste simple utilisateur.
- il m'a importé dans les utilisateurs les noms d'ordinateur Smiley Indifferent
- troisième chose, de ce que j'ai compris d'alfresco, l'idéal est de ne modifier que les fichiers dans le répertoire extension. pourtant, j'avais mis

<config evaluator="string-compare" condition="Filesystem Security" replace="true">
      <authenticator type="alfresco">
      </authenticator>
   </config>
dans le fichier file-servers-custum.xml

or, cela n'a été pris en compte que lorsque j'ai fait la modification directement dans le fichier file-server.xml, ce qui est un peu génant je présume lorsque des mises à jour d'alfresco seront faites, vu qu'il me faudra penser à remodifier ce fichier (si j'ai bien compris comment les mises à jour devront être effectuées sur les version comunauté cad remplacer le fichier war)
comment fonctionne exactement "l'overriding" de ce fait?

En tout cas, vraiment un grand merci

Michel

holyjoe
Champ in-the-making
Champ in-the-making
Personne pour m'aiguiller ?Smiley Happy

holyjoe
Champ in-the-making
Champ in-the-making
Bon, la dernière chose, qui n'est pas bloquante, mais qui est vraiment curieuse…

la synchronisation fonctionne, j'ai pu changer le dossier par défaut des utilisateurs (userHomesHomeFolderProvider).
par contre, il me crée en tant qu'utilisateur, et en tant que nom de dossier utilisateur, des "nom de l'ordinateur$" alors que j'ai bien spécifié "object class=user" pour la synchronisation…
d'ou cela peut-il bien venir ?
il est vrai que dans mes unité d'organisation, il y a des utilisateurs, et des ordinateurs, mais le filtre aurait du empecher la création de ces objects dans Alfrescon, non ?

bertrand_5748
Champ in-the-making
Champ in-the-making
Bonjour  HolyJoe

J'ai le meme soucis que toi a savoir un probleme d'authentification NTLM et d'importation de l'AD sur une V2.0 et une AD 2003.
J'ai bien la mire pour l'authentification mais rien ne se passe quand j'essaie de me logguer. Donc je ne peux pas voir si l'importation de l'AD marche.
Peux tu me renseigner sur les configs a mettre en oeuvre, entre autre les deux parties qu'il faut decommenter (dixit LaurentM) dans le fichier ldap-authentification-context.xml et les modifs sur le fichier NTLM?
Ca marche du tonnerre sur une version 1.4 et une AD 2000

Merci

Bertrand

holyjoe
Champ in-the-making
Champ in-the-making
pour le fichier  ldap-authentification-context.xml, les deux parties à décommenter sont :

        <property name="startDelay">
            <value>300000</value>
        </property>
l'un dans le bean "ldapPeopleTrigger" le second dans le bean "ldapGroupTrigger"

pour le fichier ntml-authentification-context.xml, c'est très simple

<beans>

    <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />

    <!– The authentication component.                                      –>

    <!– Use the passthru authentication component to authenticate using    –>
    <!– user accounts on one or more Windows servers.                      –>
   
    <!– Properties that specify the server(s) to use for passthru          –>
    <!– authentication :-                                                  –>
    <!–   useLocalServer   use the local server for authentication         –>
    <!–   domain           use domain controllers from the specified domain–>
    <!–   servers          comma delimted list of server addresses or      –>
    <!–                    names                                           –>
      
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl">
        <property name="servers">
            <value>Nom du serveur</value>
        </property>
        <!–
        <property name="useLocalServer">
            <value>true</value>
        </property>
        –>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="guestAccess">
            <value>false</value>
        </property>
    </bean>
   
</beans>
en espérant que cela t'aide.
si tu veux que je poste mon ldap-authentification-context.xml, n'hésite pas

bertrand_5748
Champ in-the-making
Champ in-the-making
Merci
Je vais déjà regarder avec ça.

Bertrand

bertrand_5748
Champ in-the-making
Champ in-the-making
J'ai modifié le fichier ntlm-authentication-context.xml. A priori je me connecte bien avec mon profil réseau donc ça semble tourner.
J'ai quand une question, est ce normal que je sois obligé de m'authentifier sur la fenetre de login ALfresco?
Dans la version 1.4, du moment que l'on est loggué au réseau, il n'y a aucune fenetre de login pour aller sur AlFresco.

De plus j'ai modifié le fichier ldap-authentication-context.xml afin d'importer les comptes et groupes de l'AD.
J'ai lancé Alfresco hier vers 18h30 et ce matin toujours pas de comptes importés !

ci joint mon fichier ldap-authentication-context.xml

 <?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
    <!– DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. –>
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
  

    <!– LDAP authentication configuration –>
   
    <!–
   
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
   
    –>
   
    <bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!–
           
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authentricate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication.
           
            –>
            <value>%s</value>
        </property>
    </bean>
   
    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>ldap://192.168.149.98:389</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>SIMPLE</value>
                </entry>
               
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
                <entry key="java.naming.security.principal">
                    <value>admin</value>
                </entry>
               
                <!– The password for the user defined above –>
                <entry key="java.naming.security.credentials">
                    <value>****</value>
                </entry>
            </map>
        </property>
    </bean>
   
      <!– Ajout AMA –>
      <bean id="authorityService" class="org.alfresco.repo.security.authority.AuthorityServiceImpl" abstract="false" singleton="true" lazy-init="default" autowire="default" dependency-check="default">
         <property name="authenticationComponent">
            <ref bean="authenticationComponentImpl" />
         </property>
         <property name="personService">
            <ref bean="personService" />
         </property>
         <property name="nodeService">
            <ref bean="nodeService" />
         </property>
         <property name="authorityDAO">
            <ref bean="authorityDAO" />
         </property>
         <property name="permissionServiceSPI">
            <ref bean="permissionServiceImpl" />
         </property>
         <property name="adminUsers">
            <set>
               <value>admin</value>
               <value>administrateur</value>
               <
            </set>
   </property>
</bean>
      <!– Fin ajout AMA –>
      
      
    <!– Ldap Syncronisation support –>
   
    <!–
       
    There can be more than one stack of beans that import users or groups. For example, it may be easier
    to have a version of ldapPeopleExportSource, and associated beans, for each sub-tree of your ldap directory
    from which you want to import users. You could then limit users to be imported from two or more sub tress and ignore
    users found else where. The same applies to the import of groups.
        
    The defaults shown below are for OpenLDAP.   
       
    –>
       
  
    <!– Extract user information from LDAP and transform this to XML –>
    
    <bean id="ldapPeopleExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource">
        <!–
        The query to select objects that represent the users to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=inetOrgPerson)
       
        For Active Directory:
        (objectclass=user)
        –>
        <property name="personQuery">
            <value>(objectclass=user)</value>
        </property>
       
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>OU=AMA-Users,OU=Arsoe Manche-Atlantique,DC=arsoema,DC=com</value>
        </property>
       
        <!–
        The unique identifier for the user.
       
        THIS MUST MATCH WHAT THE USER TYPES IN AT THE LOGIN PROMPT   
       
        For simple LDAP authentication this is likely to be "cn" or, less friendly, "distinguishedName"
       
        In OpenLDAP, using other authentication mechanisms "uid", but this depends on how you map
        from the id in the LDAP authentication request to search for the inetOrgPerson against which
        to authenticate.
       
        In Active Directory this is most likely to be "sAMAccountName"
       
        This property is mandatory and must appear on all users found by the query defined above.
       
        –>
        <property name="userIdAttributeName">
            <value>sAMAccountName</value>
        </property>
       
        <!– Services –>
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="personService">
            <ref bean="personService"></ref>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
       
        <!–
        This property defines a mapping between attributes held on LDAP user objects and
        the properties of user objects held in the repository. The key is the QName of an attribute in
        the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
        LDAP repository.    
        –>
        <property name="attributeMapping">
            <map>
                <entry key="cm:userName">
                    <!– Must match the same attribute as userIdAttributeName –>
                    <value>sAMAccountName</value>
                </entry>
                <entry key="cm:firstName">
                    <!– OpenLDAP: "givenName" –>
                    <!– Active Directory: "givenName" –>
                    <value>givenName</value>
                </entry>
                <entry key="cm:lastName">
                    <!– OpenLDAP: "sn" –>
                    <!– Active Directory: "sn" –>
                    <value>sn</value>
                </entry>
                <entry key="cm:email">
                    <!– OpenLDAP: "mail" –>
                    <!– Active Directory: "???" –>
                    <value>mail</value>
                </entry>
                <entry key="cm:organizationId">
                    <!– OpenLDAP: "o" –>
                    <!– Active Directory: "???" –>
                    <value>o</value>
                </entry>
                <!– Always use the default –>
                <entry key="cm:homeFolderProvider">
                    <null/>
                </entry>
            </map>
        </property>
        <!– Set a default home folder provider –>
        <!– Defaults only apply for values above –>
        <property name="attributeDefaults">
            <map>
                <entry key="cm:homeFolderProvider">
                    <value>companyHomeFolderProvider</value>
                </entry>
            </map>
        </property>
    </bean>
   
    <!– Extract group information from LDAP and transform this to XML –>
   
    <bean id="ldapGroupExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource">
        <!–
        The query to select objects that represent the groups to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=groupOfNames)
       
        For Active Directory:
        (objectclass=group)
        –>
        <property name="groupQuery">
            <value>(objectclass=group)</value>
        </property>
       
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>OU=AMA-Groupes,OU=Arsoe Manche-Atlantique,DC=arsoema,DC=com</value>
        </property>
       
        <!–
        The unique identifier for the user. This must match the userIdAttributeName on the ldapPeopleExportSource bean above.
        –>
        <property name="userIdAttributeName">
            <value>sAMAccountName</value>
        </property>
       
        <!–
        An attribute that is a unique identifier for each group found.
        This is also the name of the group with the current group implementation.
        This is mandatory for any groups found.
       
        OpenLDAP: "cn" as it is mandatory on groupOfNames
        Active Directory: "cn"
       
        –>
        <property name="groupIdAttributeName">
            <value>cn</value>
        </property>
       
        <!–
        The objectClass attribute for group members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a group.
        –>
        <property name="groupType">
            <value>groupOfNames</value>
        </property>
       
        <!–
        The objectClass attribute for person members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a person.
        –>
        <property name="personType">
            <value>inetOrgPerson</value>
        </property>
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
       
        <!–
        The repeating attribute on group objects (found by query or as sub groups)
        used to define membership of the group. This is assumed to hold distinguished names of
        other groups or users/people; the above types are used to determine this.
       
        OpenLDAP: "member" as it is mandatory on groupOfNames
        Active Directory: "member"
       
        –>
        <property name="memberAttribute">
            <value>member</value>
        </property>
       
        <property name="authorityDAO">
            <ref bean="authorityDAO"/>
        </property>
    </bean>
   
    <!– Job definitions to import LDAP people and groups –>
    <!– The triggers register themselves with the scheduler –>
    <!– You may comment in the default scheduler to enable these triggers –>
    <!– If a cron base trigger is what you want seee scheduled-jobs-context.xml for examples. –>
   
    <!– Trigger to load poeple –>
    <!– Note you can have more than one initial (context, trigger, import job and export source) set –>
    <!– This would allow you to load people from more than one ldap store –>
   
    <bean id="ldapPeopleTrigger" class="org.alfresco.util.TriggerBean">
        <property name="jobDetail">
            <bean id="ldapPeopleJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapPeopleImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <!– Start after 5 minutes of starting the repository –>
        <property name="startDelay">
            <value>300000</value>
        </property>
        <!– Repeat every hour –>
        <property name="repeatInterval">
            <value>3600000</value>
        </property>
        <!– Commented out to disable
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
        –>
    </bean>
   
    <bean id="ldapGroupTrigger" class="org.alfresco.util.TriggerBean">
        <property name="jobDetail">
            <bean id="ldapGroupJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapGroupImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <!– Start after 5 minutes of starting the repository –>
        <property name="startDelay">
            <value>300000</value>
        </property>
        <!– Repeat every hour –>
        <property name="repeatInterval">
            <value>3600000</value>
        </property>
        <!– Commented out to disable
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
        –>
    </bean>
   
    <!– The bean that imports xml describing people –>
   
    <bean id="ldapPeopleImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponentWithBehaviour"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapPeopleExportSource"/>
        </property>

        <!– The store that contains people - this should not be changed –>
        <property name="storeRef">
            <value>${spaces.store}</value>
        </property>
       
        <!– The location of people nodes within the store defined above - this should not be changed –>
        <property name="path">
            <value>/${system.system_container.childname}/${system.people_container.childname}</value>
        </property>
       
        <!– If true, clear all existing people before import, if false update/add people from the xml –>
        <property name="clearAllChildren">
            <value>false</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
       
        <property name="caches">
            <set>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
    </bean>
   
    <!– The bean that imports xml descibing groups –>
   
    <bean id="ldapGroupImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponentWithBehaviour"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapGroupExportSource"/>
        </property>
        <!– The store that contains group information - this should not be changed –>
        <property name="storeRef">
            <value>${alfresco_user_store.store}</value>
        </property>
       
        <!– The location of group information in the store above - this should not be changed –>
        <property name="path">
            <value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
        </property>
       
        <!– If true, clear all existing groups before import, if false update/add groups from the xml –>
        <property name="clearAllChildren">
            <value>true</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
        <!– caches to clear on import of groups –>
        <property name="caches">
            <set>
                <ref bean="userToAuthorityCache"/>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
       
        <!– userToAuthorityCache –>
    </bean>
   
</beans>
Aurais je oublié quelques choses?

Merci

Bertrand