03-31-2021 09:22 AM
I have an Alfresco 6.2 Docker installation and now I want to set up Kerberos and SSO. I was following these tutorials: https://docs.alfresco.com/content-services/latest/admin/auth-sync/#manageauthdirsconfigkerberso and https://hub.alfresco.com/t5/alfresco-content-services-blog/setting-up-acs-docker-compose-with-kerber...
But my Alfresco fails to start and I can't see why; suggestions will be appreciated.
2021-03-31 13:09:42,654 ERROR [app.servlet.KerberosAuthenticationFilter] [localhost-startStop-1] HTTP Kerberos web filter error
javax.security.auth.login.LoginException: No LoginModules configured for AlfrescoHTTP
at java.base/javax.security.auth.login.LoginContext.init(LoginContext.java:261)
at java.base/javax.security.auth.login.LoginContext.<init>(LoginContext.java:412)
at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.init(BaseKerberosAuthenticationFilter.java:189)
at org.alfresco.web.app.servlet.KerberosAuthenticationFilter.init(KerberosAuthenticationFilter.java:62)
at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.afterPropertiesSet(BaseSSOAuthenticationFilter.java:185)
2021-03-31 13:09:42,698 WARN [management.subsystems.ChildApplicationContextFactory$ChildApplicationContext] [localhost-startStop-1] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'monitor' defined in URL [jar:file:/usr/local/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-7.134.1.jar!/alfresco/subsystems/Authentication/common-ldap-context.xml]: Cannot resolve reference to bean 'authenticationComponent' while setting bean property 'LDAPAuthenticationComponent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationComponent' defined in URL [jar:file:/usr/local/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-7.134.1.jar!/alfresco/subsystems/Authentication/common-ldap-context.xml]: Initialization of bean failed; nested exception is org.springframework.beans.TypeMismatchException: Failed to convert property value of type 'java.lang.String' to required type 'boolean' for property 'active'; nested exception is java.lang.IllegalArgumentException: Invalid boolean value []
2021-03-31 13:09:42,700 WARN [management.subsystems.ChildApplicationContextFactory] [localhost-startStop-1] Startup of 'Authentication' subsystem, ID: [Authentication, managed, ldap1] failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'monitor' defined in URL [jar:file:/usr/local/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-7.134.1.jar!/alfresco/subsystems/Authentication/common-ldap-context.xml]: Cannot resolve reference to bean 'authenticationComponent' while setting bean property 'LDAPAuthenticationComponent'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationComponent' defined in URL [jar:file:/usr/local/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-7.134.1.jar!/alfresco/subsystems/Authentication/common-ldap-context.xml]: Initialization of bean failed; nested exception is org.springframework.beans.TypeMismatchException: Failed to convert property value of type 'java.lang.String' to required type 'boolean' for property 'active'; nested exception is java.lang.IllegalArgumentException: Invalid boolean value []
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:314)
at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:110)
…
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationComponent' defined in URL [jar:file:/usr/local/tomcat/webapps/alfresco/WEB-INF/lib/alfresco-repository-7.134.1.jar!/alfresco/subsystems/Authentication/common-ldap-context.xml]: Initialization of bean failed; nested exception is org.springframework.beans.TypeMismatchException: Failed to convert property value of type 'java.lang.String' to required type 'boolean' for property 'active'; nested exception is java.lang.IllegalArgumentException: Invalid boolean value []
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:601)
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:515)
at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:320)
... 56 more
Caused by: org.springframework.beans.TypeMismatchException: Failed to convert property value of type 'java.lang.String' to required type 'boolean' for property 'active'; nested exception is java.lang.IllegalArgumentException: Invalid boolean value []
at org.springframework.beans.AbstractNestablePropertyAccessor.convertIfNecessary(AbstractNestablePropertyAccessor.java:595)
at
... 62 more
31-Mar-2021 13:09:42.896 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal One or more listeners failed to start. Full details will be found in the appropriate container log file
31-Mar-2021 13:09:42.898 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [/alfresco] startup failed due to previous errors
31-Mar-2021 13:09:42.968 SEVERE [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [alfresco] created a ThreadLocal with key of type [java.lang.ThreadLocal.SuppliedThreadLocal] (value [java.lang.ThreadLocal$SuppliedThreadLocal@4aed5c9c]) and a value of type [org.alfresco.util.transaction.TransactionSupportUtil.ResourcesHolder] (value [org.alfresco.util.transaction.TransactionSupportUtil$ResourcesHolder@47abefab]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.
31-Mar-2021 13:09:42.968 SEVERE [localhost-startStop-1] org.apache.catalina.loader.WebappClassLoaderBase.checkThreadLocalMapForLeaks The web application [alfresco] created a ThreadLocal with key of type [org.alfresco.repo.template.QNameAwareObjectWrapper$1] (value [org.alfresco.repo.template.QNameAwareObjectWrapper$1@6e348753]) and a value of type [org.alfresco.repo.template.QNameAwareObjectWrapper$1$1] (value [org.alfresco.repo.template.QNameAwareObjectWrapper$1$1@74c2286b]) but failed to remove it when the web application was stopped. Threads are going to be renewed over time to try and avoid a probable memory leak.
I have created the AD user kerbuser and kerbuser.keytab.
Alfresco docker Java.login.config:
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/kerbuser.keytab"
principal="HTTP/alfresco.mydomain.com";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
Alfresco Dockerfile:
ARG ALFRESCO_TAG
FROM alfresco/alfresco-content-repository-community:${ALFRESCO_TAG}
ARG TOMCAT_DIR=/usr/local/tomcat
USER root
# Install modules and addons
RUN mkdir -p $TOMCAT_DIR/amps
COPY modules/amps $TOMCAT_DIR/amps
COPY modules/jars $TOMCAT_DIR/webapps/alfresco/WEB-INF/lib
RUN java -jar $TOMCAT_DIR/alfresco-mmt/alfresco-mmt*.jar install \
$TOMCAT_DIR/amps $TOMCAT_DIR/webapps/alfresco -directory -nobackup -force
# DATABASE
ARG DB
ENV DB $DB
#Kerberos
RUN apt install krb5-user -y
COPY kerberos_files/krb5.conf /etc
COPY kerberos_files/kerbuser.keytab /etc
COPY kerberos_files/java.login.config /usr/java/default/conf/security
RUN chown -R root:root /usr/java/default/conf/security /etc/krb5.conf /etc/*.keytab && \
echo "login.config.url.1=file:/usr/java/default/conf/security/java.login.config" >> /usr/java/default/conf/security/java.security
fi
Share docker java.login.config
Alfresco {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
AlfrescoHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/kerbuser.keytab"
principal="HTTP/kerbuser.mydomain.com";
};
ShareHTTP
{
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
doNotPrompt=true
keyTab="/etc/kerbuser.keytab"
principal="HTTP/kerbuser.mydomain.com";
};
com.sun.net.ssl.client {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
other {
com.sun.security.auth.module.Krb5LoginModule sufficient;
};
Share Dockerfile:
ARG SHARE_TAG
FROM alfresco/alfresco-share:${SHARE_TAG}
ARG TOMCAT_DIR=/usr/local/tomcat
# Server data
ARG SERVER_NAME
USER root
# Install modules and addons
RUN mkdir -p $TOMCAT_DIR/amps
COPY modules/amps $TOMCAT_DIR/amps
COPY modules/jars $TOMCAT_DIR/webapps/share/WEB-INF/lib
RUN java -jar $TOMCAT_DIR/alfresco-mmt/alfresco-mmt*.jar install \
$TOMCAT_DIR/amps $TOMCAT_DIR/webapps/share -directory -nobackup -force
# Fix for https://github.com/Alfresco/acs-community-packaging/issues/367 in Share 6.2.0
COPY web-extension/share-config-custom-dev.xml $TOMCAT_DIR/shared/classes/alfresco/web-extension/
#Kerberos
RUN apt install krb5-user -y
COPY kerberos_files/krb5.conf /etc
COPY kerberos_files/kerbuser.keytab /etc
COPY kerberos_files/java.login.config.share /usr/java/default/conf/security/java.login.config
COPY kerberos_files/share-config-custom.xml /usr/local/tomcat/shared/classes/alfresco/web-extension/
RUN chown -R root:root /usr/java/default/conf/security /etc/krb5.conf /etc/*.keytab && \
echo "login.config.url.1=file:/usr/java/default/conf/security/java.login.config" >> /usr/java/default/conf/security/java.security
docker-compose.yml Kerberos part
-Dauthentication.chain=kerberos1:kerberos,ldap1:ldap-ad
-Dntlm.authentication.sso.enabled=false
-Dldap.authentication.userNameFormat=%s@mydomain.com
-Dldap.authentication.allowGuestLogin=false
-Dldap.authentication.active
-Dsynchronization.autoCreatePeopleOnLogin=true
-Dldap.synchronization.active=true
-Dldap.authentication.java.naming.provider.url=ldap://dc1.mydomain.com:389
-Dldap.authentication.defaultAdministratorUserNames=admin
-Dldap.synchronization.java.naming.security.principal=user_alfresco@mydomain.com
-Dldap.synchronization.java.naming.security.credentials=xxxxxx
-Dldap.synchronization.groupSearchBase=dc\=mydomain,dc\=ru
-Dldap.synchronization.userSearchBase=dc\=mydomain,dc\=ru
-Dkerberos.authentication.realm=MYDOMAIN.COM
-Dkerberos.authentication.user.configEntryName=Alfresco
-Dkerberos.authentication.defaultAdministratorUserNames=admin
-Dkerberos.authentication.http.configEntryName=AlfrescoHTTP
-Dkerberos.authentication.http.password=xxxxxx
-Dkerberos.authentication.sso.enabled=true
04-01-2021 10:16 AM
Missing =true after -Dldap.authentication.active in the docker-compose.yml file.
04-02-2021 03:33 AM
Fixed that, but nothing changed.
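A pre-flight check for the two start-up errors in the log above, as an added example that is not part of the original thread: it flags -D options given without a value (the JVM sets such a property to an empty string, which matches "Invalid boolean value []") and configEntryName values that name no entry in the JAAS login file. The inputs are constructed samples modelled on the posted configuration, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the thread's docker-compose options and java.login.config.
JAVA_OPTS = """
-Dauthentication.chain=kerberos1:kerberos,ldap1:ldap-ad
-Dldap.authentication.active
-Dldap.synchronization.active=true
-Dkerberos.authentication.user.configEntryName=Alfresco
-Dkerberos.authentication.http.configEntryName=AlfrescoHTTP
"""
LOGIN_CONFIG = """
Alfresco { com.sun.security.auth.module.Krb5LoginModule sufficient; };
AlfrescoHTTP
{
   com.sun.security.auth.module.Krb5LoginModule required
   storeKey=true useKeyTab=true doNotPrompt=true
   keyTab="/etc/kerbuser.keytab" principal="HTTP/alfresco.mydomain.com";
};
other { com.sun.security.auth.module.Krb5LoginModule sufficient; };
"""

def parse_java_opts(text):
    """Return {property: value, or None when no '=' was given} for each -D token."""
    props = {}
    for token in text.split():  # assumes whitespace-separated options without spaces in values
        if token.startswith("-D"):
            name, sep, value = token[2:].partition("=")
            props[name] = value if sep else None
    return props

def jaas_entry_names(text):
    """Return the names of the entries declared in a JAAS login configuration."""
    text = re.sub(r'"[^"]*"', '""', text)  # ignore braces inside quoted option values
    return set(re.findall(r'([\w.$-]+)\s*\{', text))

def check(java_opts, login_config):
    """List valueless -D options and configEntryName references with no JAAS entry."""
    props, entries = parse_java_opts(java_opts), jaas_entry_names(login_config)
    findings = []
    for name, value in props.items():
        if not value:
            findings.append(f"{name}: no value given (property is set to an empty string)")
        elif name.endswith(".configEntryName") and value not in entries:
            findings.append(f"{name}: JAAS entry '{value}' not found in login config")
    return findings

if __name__ == "__main__":
    for finding in check(JAVA_OPTS, LOGIN_CONFIG):
        print(finding)
```

The check only covers the text of the files it is given; it does not show which login configuration the running JVM actually loaded.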