AnsweredAssumed Answered

NTLM authentication and Ldap user import

Question asked by mikmouk on Dec 4, 2006
Hello,

I'm facing a problem.

We have installed Alfresco 1.4 community on a Windows 2003 server.
Installation with Mysql and Alfresco as Windows services.

I can login automaticly with NTLM (like an SSO). This works perfectly.
I can import users from an Ldap sources correctly. I can still login after using NTLM.

I have configured Alfresco to create a Personal home folder when loggin in.

My problem reside in the fact that, the users have to login to Alfresco once before the Ldap import, otherwise it wont work any more after the import.

They receive the following error:

14:14:10,364 ERROR [[localhost].[/alfresco].[Faces Servlet]] "Servlet.service()" pour la servlet Faces Servlet a généré une exception

java.lang.NullPointerException at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.processType3(NTLMAuthenticationFilter.java:770)

at org.alfresco.web.app.servlet.NTLMAuthenticationFilter.doFilter(NTLMAuthenticationFilter.java:392)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)

            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:868)

            at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:663)

            at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)

            at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)

            at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

            at java.lang.Thread.run(Thread.java:595)

Here is my code for authentication.xml:


<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
                                                            
   
<beans>
                                                                –>

    <bean id="authenticationManager" class="net.sf.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="authenticatedAuthenticationPassthroughProvider" />
                <ref bean="daoAuthenticationProvider" />
            </list>
        </property>
    </bean>

    <!– We provide a DAO to plug into the Acegi DaoAuthenticationProvider  –>

    <bean id="daoAuthenticationProvider" class="net.sf.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="authenticationDao">
            <ref bean="authenticationDao" />
        </property>
        <property name="saltSource">
            <ref bean="saltSource" />
        </property>
        <property name="passwordEncoder">
            <ref bean="passwordEncoder" />
        </property>
    </bean>

    <!– An authentication Provider that just believes authentications      –>
    <!– bound to the local thread are valid if they are set as             –>
    <!– authenticated.                                                     –>

    <bean id="authenticatedAuthenticationPassthroughProvider" class="org.alfresco.repo.security.authentication.AuthenticatedAuthenticationPassthroughProvider" />

    <!– The authroity DAO implements an interface extended from the Acegi  –>
    <!– DAO that supports CRUD.                                            –>

    <bean id="alfDaoImpl" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.repo.security.authentication.MutableAuthenticationDao</value>
        </property>
        <property name="transactionManager">
            <ref bean="transactionManager" />
        </property>
        <property name="target">
            <ref bean="authenticationDao"/>
        </property>
        <property name="transactionAttributes">
            <props>
                <prop key="*">${server.transaction.mode.default}</prop>
            </props>
        </property>
    </bean>
   
    <bean id="authenticationDao" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
       <property name="nodeService">
           <ref bean="nodeService" />
       </property>
       <property name="dictionaryService">
           <ref bean="dictionaryService" />
       </property>
       <property name="namespaceService">
           <ref bean="namespaceService" />
       </property>
       <property name="searchService">
           <ref bean="searchService" />
       </property>
       <property name="userNamesAreCaseSensitive">
          <value>${user.name.caseSensitive}</value>
       </property>
       <property name="passwordEncoder">
           <ref bean="passwordEncoder" />
       </property>
    </bean>

    <!– The DAO also acts as a salt provider.                              –>
   
    <alias alias="saltSource" name="alfDaoImpl"/>

    <!– Passwords are encoded using MD4                                    –>
    <!– This is not ideal and only done to be compatible with NTLM         –>
    <!– authentication against the default authentication mechanism.       –>

    <bean id="passwordEncoder" class="org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl"></bean>


    <!– A transactional wrapper around the implementation.                 –>
    <!– TODO: This should be removed.                                      –>             

    <bean id="authenticationService" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.service.cmr.security.AuthenticationService</value>
        </property>
        <property name="transactionManager">
            <ref bean="transactionManager" />
        </property>
        <property name="target">
            <ref bean="authenticationServiceImpl" />
        </property>
        <property name="transactionAttributes">
            <props>
                <prop key="*">${server.transaction.mode.default}</prop>
            </props>
        </property>
    </bean>

    <!– The Authentication Service implementation.                         –>
    <!–                                                                    –>
    <!– This delegates its work to two services:                           –>
    <!– an AuthenticationComponent and a MutableAuthenticationDAO.         –>
    <!–                                                                    –>
    <!– The permissions service is required so that permissions can be     –>
    <!– cleaned up when a user is deleted.                                 –>
   
    <bean id="authenticationServiceImpl" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDao" />
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent" />
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImpl" />
        </property>
    </bean>

    <!– A transactional wrapper that should be removed.                    –>

    <bean id="authenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
        </property>
        <property name="transactionManager">
            <ref bean="transactionManager" />
        </property>
        <property name="target">
            <ref bean="authenticationComponentImpl" />
        </property>
        <property name="transactionAttributes">
            <props>
                <prop key="*">${server.transaction.mode.default}</prop>
            </props>
        </property>
    </bean>

    <!– The authentication component.                                      –>

    <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDao" />
        </property>
        <property name="authenticationManager">
            <ref bean="authenticationManager" />
        </property>
        <property name="allowGuestLogin">
            <value>false</value>
        </property>
    </bean>

   
    <!– Simple Authentication component that rejects all authentication requests –>
    <!– Use this defintion for Novell IChain integration.                        –>
    <!– It should never go to the login screen  so this is not required          –>
    <!– (Enterprise version only)                                                –>
   
    <!–
    <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.SimpleAcceptOrRejectAllAuthenticationComponentImpl">
        <property name="accept">
            <value>true</value>
        </property>   
    </bean>
    –>
   



    <!– The person service.                                                –>

    <bean id="personService" class="org.alfresco.repo.security.person.PersonServiceImpl">
      <property name="nodeService">
          <ref bean="nodeService" />
      </property>
      <property name="searchService">
          <ref bean="searchService" />
      </property>
      <property name="permissionServiceSPI">
         <ref bean="permissionServiceImpl" />
      </property>
        <property name="authorityService">
           <ref bean="authorityService" />
        </property>
      <property name="namespacePrefixResolver">
         <ref bean="namespaceService" />
      </property>
        <!– Configurable properties.                                 –>
        <!–                                                          –>
        <!– TODO:                                                    –>
        <!– Add support for creating real home spaces adn setting    –>
        <!– permissions on the hame space and people created.        –>
        <!–                                                          –>
        <!– The store in which people are persisted.                 –>
        <property name="storeUrl">
           <value>${spaces.store}</value>
        </property>
        <!– Some authentication mechanisms may need to create people –>
        <!– in the repository on demand. This enables that feature.  –>
        <!– If dsiabled an error will be generated for missing       –>
        <!– people. If enabled then a person will be created and     –>
        <!– persisted.                                               –>
        <!–                                                          –>
        <!– This value should be false or only true if the           –>
        <!– repository is mutable; set from the property             –>
        <!– ${server.transaction.allow-writes}                       –>
        <property name="createMissingPeople">
           <value>${server.transaction.allow-writes}</value>
        </property>
      <property name="userNamesAreCaseSensitive">
          <value>${user.name.caseSensitive}</value>
        </property>
    </bean>

    <bean name="homeFolderManager" class="org.alfresco.repo.security.person.HomeFolderManager">
        <property name="nodeService">
          <ref bean="nodeService" />
      </property>
        <property name="policyComponent">
          <ref bean="policyComponent" />
      </property>
        <property name="defaultProvider">
          <ref bean="personalHomeFolderProvider" />
      </property>
    </bean>
   
    <bean name="companyHomeFolderProvider" class="org.alfresco.repo.security.person.ExistingPathBasedHomeFolderProvider">
        <property name="serviceRegistry">
          <ref bean="ServiceRegistry" />
      </property>
        <property name="path">
           <value>/${spaces.company_home.childname}</value>
        </property>
        <property name="storeUrl">
           <value>${spaces.store}</value>
        </property>
        <property name="homeFolderManager">
         <ref bean="homeFolderManager" />
      </property>
    </bean>
   
    <bean name="guestHomeFolderProvider" class="org.alfresco.repo.security.person.ExistingPathBasedHomeFolderProvider">
        <property name="serviceRegistry">
          <ref bean="ServiceRegistry" />
      </property>
        <property name="path">
           <value>/${spaces.company_home.childname}/${spaces.guest_home.childname}</value>
        </property>
        <property name="storeUrl">
           <value>${spaces.store}</value>
        </property>
        <property name="homeFolderManager">
         <ref bean="homeFolderManager" />
      </property>
        <property name="userPemissions">
            <set>
                <value>Consumer</value>
            </set>
        </property>
    </bean>
   
    <bean name="bootstrapHomeFolderProvider" class="org.alfresco.repo.security.person.BootstrapHomeFolderProvider">
        <property name="homeFolderManager">
         <ref bean="homeFolderManager" />
      </property>
    </bean>
   
    <bean name="personalHomeFolderProvider" class="org.alfresco.repo.security.person.UIDBasedHomeFolderProvider">
        <property name="serviceRegistry">
          <ref bean="ServiceRegistry" />
      </property>
        <property name="path">
           <value>/${spaces.company_home.childname}/cm:Utilisateurs</value>
           <!–value>/${spaces.company_home.childname}</value–>
      <!–value>/${spaces.users_home.childname}/cm:Utilisateurs</value–>
        </property>
        <property name="storeUrl">
           <value>${spaces.store}</value>
        </property>
        <property name="homeFolderManager">
         <ref bean="homeFolderManager" />
      </property>
        <property name="ownerOnCreate">
           <value>admin</value>
        </property>
        <property name="inheritsPermissionsOnCreate">
            <value>false</value>
        </property>
        <property name="clearExistingPermissionsOnCreate">
           <value>true</value>
           </property>
        <property name="ownerPemissionsToSetOnCreate">
            <set>
                <value>Coordinator</value>
                <value>All</value>
            </set>
        </property>
        <property name="userPemissions">
            <set>
                <value>All</value>
            </set>
        </property>
    </bean>
   
   
    <!– The ticket component.                                              –>
    <!– Used for reauthentication                                          –>
    <bean id="ticketComponent" class="org.alfresco.repo.security.authentication.InMemoryTicketComponentImpl">
        <!– The period for which tickets are valid in XML duration format. –>
        <!– The default is P1H for one hour.                               –>
        <property name="validDuration">
            <value>P1H</value>
        </property>
        <!– Do tickets expire or live for ever?                            –>
        <property name="ticketsExpire">
            <value>false</value>
        </property>
        <!– Are tickets only valid for a single use?                       –>
        <property name="oneOff">
            <value>false</value>
        </property>
    </bean>
   
</beans>


Notice the personalHomeFolderProvider, I have made some test. In every case, the problem can be reproduced.

Here is also my Ldap.xm

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
    <!– DAO that rejects changes - LDAP is read only at the moment –>
   
    <bean id="alfDaoImpl" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
        <property name="proxyInterfaces">
            <value>org.alfresco.repo.security.authentication.MutableAuthenticationDao</value>
        </property>
        <property name="transactionManager">
            <ref bean="transactionManager" />
        </property>
        <property name="target">
            <bean class="org.alfresco.repo.security.authentication.ntlm.NullMutableAuthenticationDao" />
        </property>
        <property name="transactionAttributes">
          <props>
               <prop key="*">${server.transaction.mode.default}</prop>
          </props>
        </property>
   </bean>

    <!– LDAP authentication configuration –>
   
    <!–
   
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
   
    –>
   
    <bean id="authenticationComponentImpl" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
           
           <!–
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authentricate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication.
            –>
           
            <value>%s</value>
        </property>
    </bean>
   
    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>com.sun.jndi.ldap.LdapCtxFactory</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>ldap://server.domain:389</value>
                </entry>
                 
                <!– Specifies the default maximum number of results returned for
                a search request. 0 (zero) means that there is no limit.
                If not specified, the default value is 1000. –>

                <entry key="java.naming.ldap.maxresults">
                    <value>0</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>simple</value>
                </entry>
               
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
                <entry key="java.naming.security.principal">
                    <value>alfresco</value>
                </entry>
               
                <!– The password for the user defined above –>
                <entry key="java.naming.security.credentials">
                    <value>alfresco</value>
                </entry>
            </map>
        </property>
    </bean>
   
    <!– Ldap Syncronisation support –>
   
    <!–
       
    There can be more than one stack of beans that import users or groups. For example, it may be easier
    to have a version of ldapPeopleExportSource, and associated beans, for each sub-tree of your ldap directory
    from which you want to import users. You could then limit users to be imported from two or more sub tress and ignore
    users found else where. The same applies to the import of groups.
        
    The defaults shown below are for OpenLDAP.   
       
    –>
       
  
    <!– Extract user information from LDAP and transform this to XML –>
    
    <bean id="ldapPeopleExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPPersonExportSource">
        <!–
        The query to select objects that represent the users to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=inetOrgPerson)
       
        For Active Directory:
        (objectclass=user)
        –>
        <property name="personQuery">
          <value><![CDATA[(&(userAccountControl=512)(givenName=*)(sn=*)(userPrincipalName=*)(extensionAttribute10=CTI)(mail=*)(department=DCTI))]]></value>
          <!–value><![CDATA[(&(userAccountControl=512)(givenName=*)(physicalDeliveryOfficeName=PROD-OSO-Gware)(sn=*)(userPrincipalName=*)(mail=*)(department=DCTI))]]></value–>
        </property>
       
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>DC=domain,DC=ad,DC=company,DC=ch</value>
        </property>
       
        <!–
        The unique identifier for the user.
       
        THIS MUST MATCH WHAT THE USER TYPES IN AT THE LOGIN PROMPT   
       
        For simple LDAP authentication this is likely to be "cn" or, less friendly, "distinguishedName"
       
        In OpenLDAP, using other authentication mechanisms "uid", but this depends on how you map
        from the id in the LDAP authentication request to search for the inetOrgPerson against which
        to authenticate.
       
        In Active Directory this is most likely to be "sAMAccountName"
       
        This property is mandatory and must appear on all users found by the query defined above.
       
        –>
        <property name="userIdAttributeName">
            <value>sAMAccountName</value>
        </property>
       
        <!– Services –>
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="personService">
            <ref bean="personService"></ref>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>

        <!–
        This property defines a mapping between attributes held on LDAP user objects and
        the properties of user objects held in the repository. The key is the QName of an attribute in
        the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
        LDAP repository.    
        –>
        <property name="attributeMapping">
            <map>
                <entry key="cm:userName">
                    <!– Must match the same attribute as userIdAttributeName –>
                    <value>sAMAccountName</value>
                </entry>
                <entry key="cm:firstName">
                    <!– OpenLDAP: "givenName" –>
                    <!– Active Directory: "givenName" –>
                    <value>givenName</value>
                </entry>
                <entry key="cm:lastName">
                    <!– OpenLDAP: "sn" –>
                    <!– Active Directory: "sn" –>
                    <value>sn</value>
                </entry>
                <entry key="cm:email">
                    <!– OpenLDAP: "mail" –>
                    <!– Active Directory: "???" –>
                    <value>mail</value>
                </entry>
                <entry key="cm:organizationId">
                    <!– OpenLDAP: "o" –>
                    <!– Active Directory: "???" –>
                    <value>department</value>
                </entry>
            </map>
        </property>
        <property name="attributeDefaults">
            <map>
                <entry key="cm:homeFolderProvider">
                    <value>personalHomeFolderProvider</value>
                    <!–value>companyHomeFolderProvider</value–>
          
                </entry>
            </map>
        </property>
        </bean>
   
    <!– Extract group information from LDAP and transform this to XML –>
   
    <bean id="ldapGroupExportSource" class="org.alfresco.repo.security.authentication.ldap.LDAPGroupExportSource">
        <!–
        The query to select objects that represent the groups to import.
       
        For Open LDAP, using a basic schema, the following is probably what you want:
        (objectclass=groupOfNames)
       
        For Active Directory:
        (objectclass=group)
        –>
        <property name="groupQuery">
          <value><![CDATA[(&(objectclass=group)(sAMAccountName=GA-DCTI-*))]]></value>
        </property>
        
        <!–
        The seach base restricts the LDAP query to a sub section of tree on the LDAP server.
        –>
        <property name="searchBase">
            <value>OU=Groupes,OU=___,DC=domain,DC=ad,DC=company,DC=ch</value>
        </property>
       
        <!–
        The unique identifier for the user. This must match the userIdAttributeName on the ldapPeopleExportSource bean above.
        –>
        <property name="userIdAttributeName">
            <value>sAMAccountName</value>
        </property>
       
        <!–
        An attribute that is a unique identifier for each group found.
        This is also the name of the group with the current group implementation.
        This is mandatory for any groups found.
       
        OpenLDAP: "cn" as it is mandatory on groupOfNames
        Active Directory: "cn"
       
        –>
        <property name="groupIdAttributeName">
            <value>cn</value>
        </property>
       
        <!–
        The objectClass attribute for group members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a group.
        –>
        <property name="groupType">
            <value>group</value>
        </property>
       
        <!–
        The objectClass attribute for person members.
        For each member of a group, the distinguished name is given.
        The object is looked up by its DN. If the object is of this class it is treated as a person.
        –>
        <property name="personType">
            <value>person</value>
        </property>
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
       
        <!–
        The repeating attribute on group objects (found by query or as sub groups)
        used to define membership of the group. This is assumed to hold distinguished names of
        other groups or users/people; the above types are used to determine this.
       
        OpenLDAP: "member" as it is mandatory on groupOfNames
        Active Directory: "member"
       
        –>
        <property name="memberAttribute">
            <value>member</value>
        </property>
       
        <property name="authorityDAO">
            <ref bean="authorityDAO"/>
        </property>
    </bean>
   
    <!– Job definitions to import LDAP people and groups –>
    <!– The triggers register themselves with the scheduler –>
    <!– You may comment in the default scheduler to enable these triggers –>
    <!– If a cron base trigger is what you want seee scheduled-jobs-context.xml for examples. –>
   
    <!– Trigger to load poeple –>
    <!– Note you can have more than one initial (context, trigger, import job and export source) set –>
    <!– This would allow you to load people from more than one ldap store –>
   
    <bean id="ldapPeopleTrigger" class="org.alfresco.util.TriggerBean">
        <property name="jobDetail">
            <bean id="ldapPeopleJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapPeopleImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <!– Start after 5 seconds of starting the repository –>
        <property name="startDelay">
            <value>120000</value>
        </property>
        <!– Repeat every hour –>
        <property name="repeatInterval">
            <value>3600000</value>
        </property>
        <!– Comment out to disable
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
        –>   
    </bean>
   
    <bean id="ldapGroupTrigger" class="org.alfresco.util.TriggerBean">
        <property name="jobDetail">
            <bean id="ldapGroupJobDetail" class="org.springframework.scheduling.quartz.JobDetailBean">
                <property name="jobClass">
                    <value>org.alfresco.repo.importer.ImporterJob</value>
                </property>
                <property name="jobDataAsMap">
                    <map>
                        <entry key="bean">
                            <ref bean="ldapGroupImport"/>
                        </entry>
                    </map>
                </property>
            </bean>
        </property>
        <!– Start after 30 seconds of starting the repository –>
        <property name="startDelay">
            <value>30000</value>
        </property>
        <!– Repeat every hour –>
        <property name="repeatInterval">
            <value>3600000</value>
        </property>
        <!– Comment out to disable
        <property name="scheduler">
            <ref bean="schedulerFactory" />
        </property>
          –>
    </bean>
   
    <!– The bean that imports xml describing people –>
   
    <bean id="ldapPeopleImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponent"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapPeopleExportSource"/>
        </property>

        <!– The store that contains people - this should not be changed –>
        <property name="storeRef">
            <value>${spaces.store}</value>
        </property>
       
        <!– The location of people nodes within the store defined above - this should not be changed –>
        <property name="path">
            <value>/${system.system_container.childname}/${system.people_container.childname}</value>
        </property>
       
        <!– If true, clear all existing people before import, if false update/add people from the xml –>
        <property name="clearAllChildren">
            <value>false</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
       
        <property name="caches">
            <set>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
    </bean>
   
    <!– The bean that imports xml descibing groups –>
   
    <bean id="ldapGroupImport" class="org.alfresco.repo.importer.ExportSourceImporter">
        <property name="importerService">
            <ref bean="importerComponent"/>
        </property>
        <property name="transactionService">
            <ref bean="transactionComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponent"/>
        </property>
        <property name="exportSource">
            <ref bean="ldapGroupExportSource"/>
        </property>
        <!– The store that contains group information - this should not be changed –>
        <property name="storeRef">
            <value>${alfresco_user_store.store}</value>
        </property>
       
        <!– The location of group information in the store above - this should not be changed –>
        <property name="path">
            <value>/${alfresco_user_store.system_container.childname}/${alfresco_user_store.authorities_container.childname}</value>
        </property>
       
        <!– If true, clear all existing groups before import, if false update/add groups from the xml –>
        <property name="clearAllChildren">
            <value>false</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <property name="namespacePrefixResolver">
            <ref bean="namespaceService"/>
        </property>
       
        <!– caches to clear on import of groups –>
        <property name="caches">
            <set>
                <ref bean="userToAuthorityCache"/>
                <ref bean="permissionsAccessCache"/>
            </set>
        </property>
       
        <!– userToAuthorityCache –>
    </bean>
   
</beans>

I have referenced the personalHomeFolderProvider in the authentication-services-context.

To resume:

If the user open the url on Alfresco, NTLM logs him in and the home folder is automaticly created. The users rights follow also the user

If the same user try to loggin after the Ldap import, it still works

But if I import the users just after Alfresco is installed, (or after a Drop of the database), when the user open Alfresco, he receive the error message

I have been reading the post on wiki and forums to learn how to configure Ldap and NTLM. I thing I have gone through all the posts. And I couldn't find this kind of behavior…

I would appreciate any help.

Sincerly,
Michael

Outcomes