cancel
Showing results for 
Search instead for 
Did you mean: 

SOLVED - LDAP Basics - Help and posible HOW TO discussion

mrojas73
Champ in-the-making
Champ in-the-making
EDIT 02/15/09

LDAP Authentication with local admin.  This is the easiest way to get your newly installation of Alfresco authenticating against Active directory just by renaming one file, editing another one and making a change to your active directory Adminstrator's account.

Step 1: Rename ldap-authentication-context.xml.sample to ldap-authentication-context.xml

Step 2: Add your active directory connection settings to the file ldap-authentication.properties as shown below:
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://your-domaincontroler.com or IP address:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=administrator

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=administrator's password

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

Step 3: Go to your active directory > open the properties of the administrator and type admin in the display name.  Restart alfresco and login using any account from Active Directory or admin and its ADUC password.

The only issue I have is not being able to login to tenants but I guess I can live without tenants.
———————————————————————————————————————————————————————————

This is a new threat I want to start based on another thread I started suggesting better documentation and easier implementation of LDAP support.  The original thread is here:  http://forums.alfresco.com/en/viewtopic.php?f=46&t=14737

Belmekki is working on a HOW TO he hopes to have ready by the 20th but in the mean time he gave me some basic information to try.

According to Belmekki, for basic LDAP authentication we need to modify a file called ldap-authentication-context.properties.  This and most of the configuration files for LDAP are located in Alfresco/tomcat/shared/classes/alfresco/extension.

Here is what I am using to play at this moment…worked on Linux and Open LDAP for weeks without any success so I moved onto a windows to see if it was any easier.

Alfresco version I have is: AlfrescoLabs 3b
Installation OS: Windows xp for testing at this time
LDAP Server: Windows 2003 Ent at this time

I have configured ldap-authentication-contect.xml many times without any success.  So I decided to configure only the files ldap-authentication-contect.porperties (shows as ldap-authentication in the windows directory)

Here is my ldap-authentication-context.properties file:

<?xml version="1.0" encoding="UTF-8"?>#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=cn=%s,ou=clients,dc=us,dc=local

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://192.168.1.42:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=administrator,dc=us,dc=local

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=**************

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

saved ldap-authentication-context.xml.sample to ldap-authentication-context.xml and no modifications made to the file.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
   <!– The main configuration has moved into a properties file –>
   
    <bean name="ldapAuthenticationPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="ignoreUnresolvablePlaceholders">
            <value>true</value>
        </property> 
        <property name="locations">
            <value>classpath:alfresco/extension/ldap-authentication.properties</value>
        </property>
    </bean>
   
    <!– DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. –>
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
  

    <!– LDAP authentication configuration –>
   
    <!–
   
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
   
    –>
   
    <bean id="authenticationComponent"
          class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
          parent="authenticationComponentBase">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!–
           
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication. Simple authentication always uses the DN for the user.
           
            –>
            <value>${ldap.authentication.userNameFormat}</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>  
        <property name="escapeCommasInBind">
            <value>${ldap.authentication.escapeCommasInBind}</value>
        </property>
        <property name="escapeCommasInUid">
            <value>${ldap.authentication.escapeCommasInUid}</value>
        </property>
    </bean>
   
    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>${ldap.authentication.java.naming.factory.initial}</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>${ldap.authentication.java.naming.provider.url}</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>${ldap.authentication.java.naming.security.authentication}</value>
                </entry>
               
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
                <entry key="java.naming.security.principal">
                    <value>${ldap.authentication.java.naming.security.principal}</value>
                </entry>
               
                <!– The password for the user defined above –>
                <entry key="java.naming.security.credentials">
                    <value>${ldap.authentication.java.naming.security.credentials}</value>
                </entry>
            </map>
        </property>
    </bean>
   
</beans>

This configuration doesn't work, I get Unable to login - unknown username/password but I can login as admin.
16 REPLIES 16

jruscio
Champ in-the-making
Champ in-the-making
Hello, I've managed to get Alfresco 3.0 talking to my LDAP server for authentication. I can log in as any LDAP user. The problems arise when any user attempts to edit their profile after logging in, such as setting an email address. Upon hitting the "Save Changes" button, the user is greeted with the following error message:

Failed to load script '/org/alfresco/components/profile/userprofile.post.json.js (in classpath store file:/opt/alfresco/tomcat/webapps/share/WEB-INF/classes/alfresco/site-webscripts)': Wrapped org.alfresco.error.AlfrescoRuntimeException: Unable to save user details: Remote error during User save: Server returned HTTP response code: 500 for URL: http://localhost:8080/alfresco/s/slingshot/profile/userprofile?alf_ticket=TICKET_5630f74a414f427fdee... (AlfrescoScript#43)

Any thoughts? This is kind of a show-stopper for us. Thanks in advance.

rbone100
Champ in-the-making
Champ in-the-making
THIS IS THE BEST POST EVER!!

I am up and running authenticating against AD because of this post!!! Smiley Very Happy  :mrgreen:

alexgein
Champ in-the-making
Champ in-the-making
I agree entirely with rbone100…. this topic (and to a lesser extent this topic - http://forums.alfresco.com/en/viewtopic.php?f=9&t=15298) have solved my authentication issues!

why is this information not in the wiki?

mikeh
Star Contributor
Star Contributor
why is this information not in the wiki?
Good question! The wiki is editable by anyone who registers - it's a community resource.

Mike

sumitweirminera
Champ in-the-making
Champ in-the-making
BELMEKKI,

Thank a ton, I was successful in LDAP Authentication after reading your post. But i have a problem with CIFS, it won't connect anymore after making the changes to ldap-authentication.properties and renaming authentication-context.xml.sample. I am using Labs Stable.

Kindly assist.

kibeki
Champ in-the-making
Champ in-the-making
Hi,
I am a beginner to Alfresco and followed step by step the instructions to setup the AD authentication from mrojas73.
So far I am able to authenticate against my AD controller but only on the Alfresco web page.
My alfresco.log still shows the following errors:
14:43:59,341 ERROR [org.alfresco.smb.protocol] Failed to get local domain/workgroup name, using default of WORKGROUP
14:43:59,342 ERROR [org.alfresco.smb.protocol] (This may be due to firewall settings or incorrect <broadcast> setting)
14:43:59,671 ERROR [org.alfresco.smb.protocol.auth] No valid CIFS authentication combination available
14:43:59,671 ERROR [org.alfresco.smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
14:43:59,706 ERROR [org.alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
org.alfresco.error.AlfrescoRuntimeException: Invalid CIFS authenticator configuration

The file I changed after the fresh install was /opt/Alfresco/tomcat/shared/classes/alfresco/extension/ldap-authentication.properties to fit my AD controller and I  cp ldap-authentication-context.xml.sample ldap-authentication-context.xml. Thats all.

I forgot to mention that I use the package Alfresco-Labs-3Stable-Linux-x86-Install under Centos.

Thanks for your help,
Kibeki

luisg
Champ in-the-making
Champ in-the-making
hi there…

I have configured my CIFS and, after run alfresco, the following messages just disapear from the log:

ERROR [org.alfresco.smb.protocol] Failed to get local domain/workgroup name, using default of WORKGROUP
ERROR [org.alfresco.smb.protocol] (This may be due to firewall settings or incorrect <broadcast> setting)

After that, I did configured the ldap-authentication.properties and the ldap-synchronisation.properties with fields that I use in ApacheDirectoryStudio to conect to my ldap (and it works).
But when I run the alfresco again, I get the exception:

18:17:52,114 ERROR [org.alfresco.smb.protocol.auth] No valid CIFS authentication combination available
18:17:52,114 ERROR [org.alfresco.smb.protocol.auth] Either enable Kerberos support or use an authentication component that supports MD4 hashed passwords
18:17:52,115 ERROR [org.alfresco.smb.protocol] CIFS server configuration error, Invalid CIFS authenticator configuration
org.alfresco.error.AlfrescoRuntimeException: Invalid CIFS authenticator configuration
   at org.alfresco.filesys.auth.cifs.EnterpriseCifsAuthenticator.initialize(EnterpriseCifsAuthenticator.java:389)
   at org.alfresco.jlan.smb.server.CIFSConfigSection.setAuthenticator(CIFSConfigSection.java:607)
   at org.alfresco.filesys.ServerConfigurationBean.processCIFSServerConfig(ServerConfigurationBean.java:881)
   at org.alfresco.filesys.ServerConfigurationBean.init(ServerConfigurationBean.java:546)
   at org.alfresco.filesys.ServerConfigurationBean.onApplicationEvent(ServerConfigurationBean.java:3098)
   at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
   at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
   at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
   at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
   at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:244)
   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:187)
   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:516)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
18:17:52,117 ERROR [org.alfresco.smb.protocol] FTP server configuration error, Wrong authentication setup for alfresco authenticator
org.alfresco.error.AlfrescoRuntimeException: Wrong authentication setup for alfresco authenticator
   at org.alfresco.filesys.ServerConfigurationBean.processFTPServerConfig(ServerConfigurationBean.java:1833)
   at org.alfresco.filesys.ServerConfigurationBean.init(ServerConfigurationBean.java:580)
   at org.alfresco.filesys.ServerConfigurationBean.onApplicationEvent(ServerConfigurationBean.java:3098)
   at org.springframework.context.event.SimpleApplicationEventMulticaster$1.run(SimpleApplicationEventMulticaster.java:77)
   at org.springframework.core.task.SyncTaskExecutor.execute(SyncTaskExecutor.java:49)
   at org.springframework.context.event.SimpleApplicationEventMulticaster.multicastEvent(SimpleApplicationEventMulticaster.java:75)
   at org.springframework.context.support.AbstractApplicationContext.publishEvent(AbstractApplicationContext.java:246)
   at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:355)
   at org.springframework.web.context.ContextLoader.createWebApplicationContext(ContextLoader.java:244)
   at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:187)
   at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:49)
   at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:3843)
   at org.apache.catalina.core.StandardContext.start(StandardContext.java:4342)
   at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791)
   at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771)
   at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:525)
   at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:830)
   at org.apache.catalina.startup.HostConfig.deployWARs(HostConfig.java:719)
   at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:490)
   at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1149)
   at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:311)
   at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053)
   at org.apache.catalina.core.StandardHost.start(StandardHost.java:719)
   at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045)
   at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443)
   at org.apache.catalina.core.StandardService.start(StandardService.java:516)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:710)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:578)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:288)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

Any of you know how to get throw this? Is this the result of inconsistent fields?
(I did find this too: https://issues.alfresco.com/jira/browse/ALFCOM-1820?actionOrder=desc)

Please help

Luis
Getting started

Tags


Find what you came for

We want to make your experience in Hyland Connect as valuable as possible, so we put together some helpful links.