Obsolete Pages{{Obsolete}}
The official documentation is at: http://docs.alfresco.com
This is a quick guide to configure Alfresco to authenticate on a OpenLDAP server
over a SSL channel, secure encrypted communication.
On Alfresco 4.2 and possibly older versions too, add these entries to tomcat/shared/classes/alfresco-global.properties. The alfrescoNtlm authentication has been left in place in the example below as a fall-back authentication option.
ldap.authentication.active=true
authentication.chain=ldap1:ldap,alfrescoNtlm1:alfrescoNtlm
ldap.authentication.userNameFormat=cn=%s,o=users,ou=YOURCOMPANY,dc=COM
ldap.authentication.allowGuestLogin=false
ldap.authentication.java.naming.security.authentication=SIMPLE
ldap.authentication.java.naming.read.timeout=30000
ldap.authentication.java.naming.provider.url=ldaps://rtfwinf.rorotika:636
Pay special attention on ou=Users,dc=YOURCOMPANY,dc=COM in the examples, adapt to your OpenLDAP schema.
Note the line ldaps://YOURLDAPSERVER:636, the ldaps and port 636 indicates
the secure communication.
You can also add these sections to synchronise from LDAP to Alfresco.
ldap.synchronization.active=true
ldap.synchronization.java.naming.security.principal=cn=PRINCIPLEUSER
ldap.synchronization.java.naming.security.credentials=YOURPASSWORD
ldap.synchronization.userSearchBase=o=users,ou=YOURCOMPANY,dc=COM
ldap.synchronization.groupSearchBase=o=GROUPNAME,ou=YOURCOMPANY,dc=COM
The line ldap.synchronization.java.naming.security.principal refers to the username of the user with permissions
to search the LDAP base, in most cases, this parameter can be left empty. It is only required to synchronise users from the LDAP database to Alfresco.
Adapt o=users,ou=YOURCOMPANY,dc=COM, PRINCIPLEUSER, YOURPASSWORD and GROUPNAME to match your LDAP settings.
Passwords from LDAP do not seem to synchronise (confirmation required).
In older versions (2008 or earlier), it may have been necessary to follow these configuration instructions instead (based on the previous information on this page): (Confirmation required)
You will need to edit alfresco/tomcat/shared/classes/alfresco/extension/ldap-authentication-context.xml
If you don't find it, maybe a .sample will exist in the directory.
This file is something like:
<beans>
<bean name='authenticationDao' class='org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao' >
<property name='allowDeleteUser'>
<value>false</value>
</property>
</bean>
<bean id='authenticationComponent' class='org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl'>
<property name='LDAPInitialDirContextFactory'>
<ref bean='ldapInitialDirContextFactory'/>
</property>
<property name='userNameFormat'>
<value>uid=%s,ou=Users,dc=YOURCOMPANY,dc=COM</value>
</property>
</bean>
<bean id='ldapInitialDirContextFactory' class='org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl'>
<property name='initialDirContextEnvironment'>
<map>
<entry key='java.naming.factory.initial'>
<value>com.sun.jndi.ldap.LdapCtxFactory</value>
</entry>
<entry key='java.naming.provider.url'>
<value>ldaps://YOURLDAPSERVER:636</value>
</entry>
<entry key='java.naming.security.authentication'>
<value>simple</value>
</entry>
<entry key='java.naming.security.principal'>
<value></value>
</entry>
<entry key='java.naming.security.credentials'>
<value></value>
</entry>
</map>
</property>
</bean>
<bean id='ldapPeopleExportSource' class='org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource'>
<property name='personQuery'>
<value>(objectclass=inetOrgPerson)</value>
</property>
<property name='searchBase'>
<value>ou=Users,dc=YOURCOMPANY,dc=COM</value>
</property>
<property name='userIdAttributeName'>
<value>uid</value>
</property>
<property name='LDAPInitialDirContextFactory'>
<ref bean='ldapInitialDirContextFactory'/>
</property>
<property name='personService'>
<ref bean='personService'></ref>
</property>
<property name='namespaceService'>
<ref bean='namespaceService'/>
</property>
<property name='attributeMapping'>
<map>
<entry key='cm:userName'>
<value>uid</value>
</entry>
<entry key='cm:firstName'>
<value>givenName</value>
</entry>
<entry key='cm:lastName'>
<value>sn</value>
</entry>
<entry key='cm:email'>
<value>mail</value>
</entry>
<entry key='cm:organizationId'>
<value>o</value>
</entry>
<entry key='cm:homeFolderProvider'>
<null/>
</entry>
</map>
</property>
<property name='attributeDefaults'>
<map>
<entry key='cm:homeFolderProvider'>
<value>personalHomeFolderProvider</value>
</entry>
</map>
</property>
</bean>
<bean id='ldapGroupExportSource' class='org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource'>
<property name='groupQuery'>
<value>(objectclass=groupOfNames)</value>
</property>
<property name='searchBase'>
<value>ou=Groups,dc=YOURCOMPANY,dc=COM</value>
</property>
<property name='userIdAttributeName'>
<value>uid</value>
</property>
<property name='groupIdAttributeName'>
<value>cn</value>
</property>
<property name='groupType'>
<value>groupOfNames</value>
</property>
<property name='personType'>
<value>inetOrgPerson</value>
</property>
<property name='LDAPInitialDirContextFactory'>
<ref bean='ldapInitialDirContextFactory'/>
</property>
<property name='namespaceService'>
<ref bean='namespaceService'/>
</property>
<property name='memberAttribute'>
<value>member</value>
</property>
<property name='authorityDAO'>
<ref bean='authorityDAO'/>
</property>
</bean>
<bean id='ldapPeopleTrigger' class='org.alfresco.util.TriggerBean'>
<property name='jobDetail'>
<bean id='ldapPeopleJobDetail' class='org.springframework.scheduling.quartz.JobDetailBean'>
<property name='jobClass'>
<value>org.alfresco.repo.importer.ImporterJob</value>
</property>
<property name='jobDataAsMap'>
<map>
<entry key='bean'>
<ref bean='ldapPeopleImport'/>
</entry>
</map>
</property>
</bean>
</property>
<property name='startDelay'>
<value>300000</value>
</property>
<property name='repeatInterval'>
<value>3600000</value>
</property>
</bean>
<bean id='ldapGroupTrigger' class='org.alfresco.util.TriggerBean'>
<property name='jobDetail'>
<bean id='ldapGroupJobDetail' class='org.springframework.scheduling.quartz.JobDetailBean'>
<property name='jobClass'>
<value>org.alfresco.repo.importer.ImporterJob</value>
</property>
<property name='jobDataAsMap'>
<map>
<entry key='bean'>
<ref bean='ldapGroupImport'/>
</entry>
</map>
</property>
</bean>
</property>
<property name='startDelay'>
<value>300000</value>
</property>
<property name='repeatInterval'>
<value>3600000</value>
</property>
</bean>
<bean id='ldapPeopleImport' class='org.alfresco.repo.importer.ExportSourceImporter'>
<property name='importerService'>
<ref bean='importerComponentWithBehaviour'/>
</property>
<property name='transactionService'>
<ref bean='transactionComponent'/>
</property>
<property name='authenticationComponent'>
<ref bean='authenticationComponent'/>
</property>
<property name='exportSource'>
<ref bean='ldapPeopleExportSource'/>
</property>
<property name='storeRef'>
<value>${spaces.store}</value>
</property>
<property name='path'>
<value>/${system.system_container.childname}/${system.people_container.childname}</value>
</property>
<property name='clearAllChildren'>
<value>false</value>
</property>
<property name='nodeService'>
<ref bean='nodeService'/>
</property>
<property name='searchService'>
<ref bean='searchService'/>
</property>
<property name='namespacePrefixResolver'>
<ref bean='namespaceService'/>
</property>
<property name='caches'>
<set>
<ref bean='permissionsAccessCache'/>
</set>
</property>
</bean>
<bean id='ldapGroupImport' class='org.alfresco.repo.importer.ExportSourceImporter'>
<property name='importerService'>
<ref bean='importerComponentWithBehaviour'/>
</property>
<property name='transactionService'>
<ref bean='transactionComponent'/>
</property>
<property name='authenticationComponent'>
<ref bean='authenticationComponent'/>
</property>
<property name='exportSource'>
<ref bean='ldapGroupExportSource'/>
</property>
<property name='storeRef'>
<value>${alfresco_user_store.store}</value>
</property>
<property name='path'>
<value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
</property>
<property name='clearAllChildren'>
<value>true</value>
</property>
<property name='nodeService'>
<ref bean='nodeService'/>
</property>
<property name='searchService'>
<ref bean='searchService'/>
</property>
<property name='namespacePrefixResolver'>
<ref bean='namespaceService'/>
</property>
<property name='caches'>
<set>
<ref bean='userToAuthorityCache'/>
<ref bean='permissionsAccessCache'/>
</set>
</property>
</bean>
</beans>
To comunicate with other computer using SSL or TLS, JAVA will need validate the certificate. I can't make this
work without it. Well, you will need to export the certificate to a file and import using keytool.
I used the certificate in DER format. (PEM format should work too...)
Tell java that you trust on that certificate.
keytool -import -alias FQDN.OF.YOURSERVER -keystore /etc/java/keystore -file YOURCERTIFICATE.der
I have some trouble without the alias option, I recommend that you use it.
Now the certificate is stored on /etc/java/keystore. You will have to pass this file as a parameter to the VM.
Edit the script that starts your server, (in Alfresco is alfresco.sh) (this is in /opt/alfresco-4.2.c/tomcat/scripts/ctl.sh on Linux), add to the JAVA_OPTS
the option -Djavax.net.ssl.trustStore=/etc/java/keystore
When your system authenticate users on LDAP, yours internal users will disappear
You can configure admin rights to a LDAP user just putting the username on the section
<property name='adminUsers'>
<set>
<value>admin</value>
<value>administrator</value>
<value>YOURUSERNAME</value>
</set>
</property>
in the file tomcat/webapps/alfresco/WEB-INF/classes/alfresco/authority-services-context.xml
Otherwise, you can configure the chaining property. There are several tutorials about chaining, so, I don't need to talk about it.