LDAP authentication with CIFS in 3.4

Document created by resplin Employee on Jun 6, 2015

Obsolete Pages

The official documentation is at: http://docs.alfresco.com



Dear community users,
this page is aimed at describing how to implement LDAP authentication for the CIFS subsystem in Alfresco Community 3.4b.

This work is heavily based on Mr. Vycital's contribution on the same subject, LDAP-CIFS on Alfresco Enterprise v3.0.0, which I STRONGLY suggest you read, as I will not repeat the same concepts.

My only addition is about making it work under Alfresco 3.4b, which proved to be tough at the beginning.

After some runs in debug mode and a deep inspection of the Alfresco code, I basically found that there was a missing reference to the RepositoryAuthenticationDao in the scope of alfresco-authentication-context (for NTLM).

So, the RepositoryAuthenticationDao is the same as Mr. Vycital posted, while I changed the implementation of the LDAPAuthenticationComponentImpl bean into the following (changing also the name to CIFSLDAPAuthenticationComponentImpl to better see its use through the logs):

File: com/company/repo/security/authentication/ldap/CIFSLDAPAuthenticationComponentImpl.java



package com.company.repo.security.authentication.ldap;

import org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl;
import com.company.repo.security.authentication.RepositoryAuthenticationDao;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class CIFSLDAPAuthenticationComponentImpl extends LDAPAuthenticationComponentImpl {
    private RepositoryAuthenticationDao authenticationDao;
    protected static final Log logger = LogFactory.getLog(CIFSLDAPAuthenticationComponentImpl.class);

    // Injected by Spring through the 'authenticationDao' property of the bean definition
    public void setAuthenticationDao(RepositoryAuthenticationDao authenticationDao) {
        logger.debug("Wiring DAO object: " + authenticationDao);
        this.authenticationDao = authenticationDao;
    }

    public CIFSLDAPAuthenticationComponentImpl() {
        super();
    }

    /**
     * This provider supports MD4, so let's say so.
     */
    public NTLMMode getNTLMMode()
    {
        logger.debug("getNTLMMode");
        return NTLMMode.MD4_PROVIDER;
    }

    // Returns the MD4 hash stored in the repository for this user; the hash itself is not logged
    public String getMD4HashedPassword(String userName)
    {
        logger.debug("getMD4HashedPassword:" + userName);
        return authenticationDao.getMD4HashedPassword(userName);
    }

    protected void authenticateImpl(String userName, char[] password) throws AuthenticationException
    {
        // Never write the password to the log, even at debug level
        logger.debug("authenticateImpl:" + userName);
        // Authenticate against LDAP first; this throws on failure
        super.authenticateImpl(userName, password);
        // LDAP accepted the password, so refresh the repository copy used for CIFS/NTLM
        logger.debug("Updating");
        authenticationDao.updateUser(userName, password);
        logger.debug("authenticateImpl exit");
    }
}

This file should be compiled as usual and put into <ALF_HOME>/tomcat/shared/classes/com/company/repo/security/authentication/ldap/LDAPAuthenticationComponentImpl.class, together with the new RepositoryAuthenticationDao that you already found on Mr. Vycital's page.

Once the code is there, you have to reference it in several places:


  1. tomcat/webapps/alfresco/WEB-INF/classes/alfresco/authentication-services-context.xml, where you need to just put the bean definition (it will be autowired by interface). Basically add this snippet where you want:

<bean id='authenticationDaoFull' class='com.company.repo.security.authentication.RepositoryAuthenticationDao'>
    <property name='nodeService'>
        <ref bean='nodeService' />
    </property>
    <property name='dictionaryService'>
        <ref bean='dictionaryService' />
    </property>
    <property name='namespaceService'>
        <ref bean='namespaceService' />
    </property>
    <property name='searchService'>
        <ref bean='admSearchService' />
    </property>
    <property name='retryingTransactionHelper'>
        <ref bean='retryingTransactionHelper'/>
    </property>
    <property name='userNamesAreCaseSensitive'>
        <value>${user.name.caseSensitive}</value>
    </property>
    <property name='passwordEncoder'>
        <ref bean='passwordEncoder' />
    </property>
</bean>

  2. tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/common-ldap-context.xml, where you should insert the bean definition for the new CIFSLDAPAuthenticationComponentImpl and the new dao itself:

  <bean id='authenticationDaoFull' class='com.company.repo.security.authentication.RepositoryAuthenticationDao' >
       <property name='nodeService'>
           <ref bean='nodeService' />
       </property>
       <property name='dictionaryService'>
           <ref bean='dictionaryService' />
       </property>
       <property name='namespaceService'>
           <ref bean='namespaceService' />
       </property>
       <property name='searchService'>
           <ref bean='admSearchService' />
       </property>
       <property name='userNamesAreCaseSensitive'>
          <value>${user.name.caseSensitive}</value>
       </property>
       <property name='passwordEncoder'>
           <ref bean='passwordEncoder' />
       </property>
    </bean>

<bean id='authenticationComponent' class='com.company.repo.security.authentication.ldap.CIFSLDAPAuthenticationComponentImpl'
      parent='authenticationComponentBase'>
      <property name='authenticationDao'>
         <ref bean='authenticationDaoFull' />
      </property>
      <!-- keep the remaining properties of the original bean definition here -->
</bean>

The authentication component above is just like the original you already found in the file, but the name is changed (we use a different class) and the authentication DAO is explicitly wired through the property definition.


  3. tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/alfrescoNtlm/alfresco-authentication-context.xml, this is the last file to change and it's the most important one. Here you change the DAO used to look for the user (and their credentials) in the store while doing the CIFS authentication. Basically you define another instance of the RepositoryAuthenticationDao and wire it to the appropriate component:

<bean id='authenticationDaoFull' class='com.company.repo.security.authentication.RepositoryAuthenticationDao'>
    <property name='nodeService'>
        <ref bean='nodeService' />
    </property>
    <property name='dictionaryService'>
        <ref bean='dictionaryService' />
    </property>
    <property name='namespaceService'>
        <ref bean='namespaceService' />
    </property>
    <property name='searchService'>
        <ref bean='admSearchService' />
    </property>
    <property name='retryingTransactionHelper'>
        <ref bean='retryingTransactionHelper'/>
    </property>
    <property name='userNamesAreCaseSensitive'>
        <value>${user.name.caseSensitive}</value>
    </property>
    <property name='passwordEncoder'>
        <ref bean='passwordEncoder' />
    </property>
</bean>

   <bean id='authenticationComponent' class='org.alfresco.repo.security.authentication.AuthenticationComponentImpl'
      parent='authenticationComponentBase'>
      <property name='authenticationDao'>
         <ref bean='authenticationDaoFull' />
      </property>
      <!-- keep the remaining properties of the original bean definition here -->
   </bean>

In this file you just need to add the bean definition for the custom RepositoryAuthenticationDao but don't forget to change the reference in the authenticationComponent bean definition, by changing the property authenticationDao value to authenticationDaoFull in order to reference our custom DAO.
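
A quick way to confirm the wiring from steps 1 to 3 before restarting Alfresco, as an added example that is not part of the original page or of Alfresco: the script parses a context file and reports when authenticationDaoFull is undefined or the authenticationComponent bean does not reference it. The function name check_wiring and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DAO_ID = "authenticationDaoFull"  # bean id used in the snippets on this page
DAO_CLASS = "com.company.repo.security.authentication.RepositoryAuthenticationDao"
NTLM_CLASS = "org.alfresco.repo.security.authentication.AuthenticationComponentImpl"

def _local(tag):
    # Tolerate namespaced Spring files: "{ns}bean" -> "bean"
    return tag.rsplit("}", 1)[-1]

def check_wiring(xml_text, component_class):
    """Return a list of problems with the DAO wiring in one context file."""
    root = ET.fromstring(xml_text)
    beans = {e.get("id"): e for e in root.iter()
             if _local(e.tag) == "bean" and e.get("id")}
    problems = []
    dao = beans.get(DAO_ID)
    if dao is None:
        problems.append(f"{DAO_ID} is not defined in this context")
    elif dao.get("class") != DAO_CLASS:
        problems.append(f"{DAO_ID} has unexpected class {dao.get('class')}")
    comp = beans.get("authenticationComponent")
    if comp is None:
        return problems + ["authenticationComponent is not defined"]
    if comp.get("class") != component_class:
        problems.append(f"authenticationComponent class is {comp.get('class')}")
    refs = []
    for prop in comp:
        if _local(prop.tag) == "property" and prop.get("name") == "authenticationDao":
            refs.append(prop.get("ref"))  # shorthand form: <property ref='...'/>
            refs += [r.get("bean") for r in prop if _local(r.tag) == "ref"]
    refs = [r for r in refs if r]
    if refs != [DAO_ID]:
        problems.append(f"authenticationDao is wired to {refs or 'nothing'}, expected {DAO_ID}")
    return problems

# Constructed sample: alfresco-authentication-context.xml after step 3, trimmed
WIRED = """<beans>
  <bean id='authenticationDaoFull' class='com.company.repo.security.authentication.RepositoryAuthenticationDao'/>
  <bean id='authenticationComponent' parent='authenticationComponentBase'
        class='org.alfresco.repo.security.authentication.AuthenticationComponentImpl'>
    <property name='authenticationDao'><ref bean='authenticationDaoFull'/></property>
  </bean>
</beans>"""
# Constructed sample: the reference was left pointing at a different bean id
UNWIRED = WIRED.replace("bean='authenticationDaoFull'/>", "bean='authenticationDao'/>")

if __name__ == "__main__":
    for name, text in (("wired", WIRED), ("unwired", UNWIRED)):
        print(name, check_wiring(text, NTLM_CLASS) or "OK")
```

For common-ldap-context.xml, pass the CIFSLDAPAuthenticationComponentImpl class name as component_class instead.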

At this point, you should configure your LDAP and CIFS server according to your needs and the CIFS authentication will be made against the LDAP password.

Just keep in mind that, for the CIFS authentication subsystem to find the appropriate password, the user must have logged into the system at least once, and if they change the LDAP password, they must update their repository copy by logging into Alfresco again.

Should you have any questions about it, discuss this topic and I'll try to help you.

Claudio