AnsweredAssumed Answered

SOLVED - LDAP Basics - Help and posible HOW TO discussion

Question asked by mrojas73 on Oct 12, 2008
Latest reply on Mar 26, 2009 by luisg
EDIT 02/15/09

LDAP Authentication with local admin.  This is the easiest way to get your newly installation of Alfresco authenticating against Active directory just by renaming one file, editing another one and making a change to your active directory Adminstrator's account.

Step 1: Rename ldap-authentication-context.xml.sample to ldap-authentication-context.xml

Step 2: Add your active directory connection settings to the file ldap-authentication.properties as shown below:
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://your-domaincontroler.com or IP address:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=administrator

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=administrator's password

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

Step 3: Go to your active directory > open the properties of the administrator and type admin in the display name.  Restart alfresco and login using any account from Active Directory or admin and its ADUC password.

The only issue I have is not being able to login to tenants but I guess I can live without tenants.
———————————————————————————————————————————————————————————

This is a new threat I want to start based on another thread I started suggesting better documentation and easier implementation of LDAP support.  The original thread is here:  http://forums.alfresco.com/en/viewtopic.php?f=46&t=14737

Belmekki is working on a HOW TO he hopes to have ready by the 20th but in the mean time he gave me some basic information to try.

According to Belmekki, for basic LDAP authentication we need to modify a file called ldap-authentication-context.properties.  This and most of the configuration files for LDAP are located in Alfresco/tomcat/shared/classes/alfresco/extension.

Here is what I am using to play at this moment…worked on Linux and Open LDAP for weeks without any success so I moved onto a windows to see if it was any easier.

Alfresco version I have is: AlfrescoLabs 3b
Installation OS: Windows xp for testing at this time
LDAP Server: Windows 2003 Ent at this time

I have configured ldap-authentication-contect.xml many times without any success.  So I decided to configure only the files ldap-authentication-contect.porperties (shows as ldap-authentication in the windows directory)

Here is my ldap-authentication-context.properties file:

<?xml version="1.0" encoding="UTF-8"?>#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=cn=%s,ou=clients,dc=us,dc=local

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://192.168.1.42:389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=SIMPLE

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=administrator,dc=us,dc=local

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=**************

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

saved ldap-authentication-context.xml.sample to ldap-authentication-context.xml and no modifications made to the file.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>

<beans>
   
   <!– The main configuration has moved into a properties file –>
   
    <bean name="ldapAuthenticationPlaceholderConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="ignoreUnresolvablePlaceholders">
            <value>true</value>
        </property> 
        <property name="locations">
            <value>classpath:alfresco/extension/ldap-authentication.properties</value>
        </property>
    </bean>
   
    <!– DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings from the UI. –>
   
    <bean name="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao" >
        <property name="allowDeleteUser">
            <value>true</value>
        </property>
    </bean>   
  

    <!– LDAP authentication configuration –>
   
    <!–
   
    You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign on from the
    web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP store if it supports other
    authentication routes, like Active Directory.
   
    –>
   
    <bean id="authenticationComponent"
          class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
          parent="authenticationComponentBase">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <property name="userNameFormat">
            <!–
           
            This maps between what the user types in and what is passed through to the underlying LDAP authentication.
           
            "%s" - the user id is passed through without modification.
            Used for LDAP authentication such as DIGEST-MD5, anything that is not "simple".
           
            "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com"
            Usually for simple authentication. Simple authentication always uses the DN for the user.
           
            –>
            <value>${ldap.authentication.userNameFormat}</value>
        </property>
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="personService">
            <ref bean="personService" />
        </property>
        <property name="transactionService">
            <ref bean="transactionService" />
        </property>  
        <property name="escapeCommasInBind">
            <value>${ldap.authentication.escapeCommasInBind}</value>
        </property>
        <property name="escapeCommasInUid">
            <value>${ldap.authentication.escapeCommasInUid}</value>
        </property>
    </bean>
   
    <!–
   
    This bean is used to support general LDAP authentication. It is also used to provide read only access to users and groups
    to pull them out of the LDAP reopsitory
   
    –>
   
    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
            <map>
                <!– The LDAP provider –>
                <entry key="java.naming.factory.initial">
                    <value>${ldap.authentication.java.naming.factory.initial}</value>
                </entry>
               
                <!– The url to the LDAP server –>
                <!– Note you can use space separated urls - they will be tried in turn until one works –>
                <!– This could be used to authenticate against one or more ldap servers (you will not know which one ….) –>
                <entry key="java.naming.provider.url">
                    <value>${ldap.authentication.java.naming.provider.url}</value>
                </entry>
               
                <!– The authentication mechanism to use      –>
                <!– Some sasl authentication mechanisms may require a realm to be set –>
                <!–                java.naming.security.sasl.realm –>
                <!– The available options will depend on your LDAP provider –>
                <entry key="java.naming.security.authentication">
                    <value>${ldap.authentication.java.naming.security.authentication}</value>
                </entry>
               
                <!– The id of a user who can read group and user information –>
                <!– This does not go through the pattern substitution defined above and is used "as is" –>
                <entry key="java.naming.security.principal">
                    <value>${ldap.authentication.java.naming.security.principal}</value>
                </entry>
               
                <!– The password for the user defined above –>
                <entry key="java.naming.security.credentials">
                    <value>${ldap.authentication.java.naming.security.credentials}</value>
                </entry>
            </map>
        </property>
    </bean>
   
</beans>

This configuration doesn't work, I get Unable to login - unknown username/password but I can login as admin.

Outcomes