AnsweredAssumed Answered

authenticate using uid as ldap attribute & questions

Question asked by bparis on Nov 9, 2006
Latest reply on Nov 29, 2006 by andy
I can authenticate against our ldap server with Community Alfresco 1.3.0, using this userNameFormat :
employeenumber=%s,ou=person,o=myuniversity,c=be


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
    <!– DAO that rejects changes - LDAP is read only at the moment –>
   
    <bean id="alfDaoImpl" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.repo.security.authentication.MutableAuthenticationDao</value>
        </property>
        <property name="transactionManager">
            <ref bean="transactionManager" />
        </property>
        <property name="target">
            <bean class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />
        </property>
        <property name="transactionAttributes">
          <props>
               <prop key="*">${server.transaction.mode.default}</prop>
          </props>
        </property>
   </bean>

    <!– LDAP authentication configuration –>
   
    <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!–
           
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authentricate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication.
           
            –>
<value>employeenumber=%s,ou=person,o=myuniversity,c=be</value>
        </property>
    </bean>
   
    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>ldap://192.168.251.20:389</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>
                     <!– <value>DIGEST-MD5</value> –>
                </entry>
   
       
            </map>
        </property>
    </bean>
</beans>


The problem we have is the following:
we do not want to authenticate using the employeeNumber in the DN.  We would like to use the user "uid" which is an attribute in our LDAP.

How could we do that ?

By the way: LDAP users' groups are not ldap nodes.  They just stand as LDAP users' attributes.   How could I map Alfresco users'groups with LDAP group attributes ?

Last question:
Are there (still?) any differences about ldap  between community version and enterprise ?  I've read in some old threads that ldap is not available in community version but I can see the ldap authentication works.


Thank's a lot.
Bernard
UCL - Belgium

Outcomes