
Problems with AD + local authentication chaining

Question asked by aspa on Oct 11, 2007
Latest reply on May 1, 2008 by proxyprodigy
I'm trying to set up authentication chaining so that logins are authenticated against either Alfresco local user storage or a Microsoft Active Directory server.

Local authentication works fine with my chaining setup but AD users are not correctly authenticated. When I try to log in using an AD account I get the following error:

"Unable to login - unknown username/password"

tcpdump shows no indication of a connection attempt to the AD server.
Alfresco is set up to import user/group data from AD and this appears to be working correctly.

Any ideas on what could be wrong here?
How could I try to debug this problem?
I've set the log level for org.alfresco.repo.security.authentication to debug but unfortunately that doesn't seem to provide any additional messages during the login process.

Here's what my ldap-authentication-context.xml (placed in tomcat/shared/classes/alfresco/extension) looks like:


    <!--
      Chaining authentication service. It is given two member services, in this
      order: the MSAD-backed service first, then the Alfresco repository service.
      mutableAuthenticationService points at the Alfresco-backed service only.
      NOTE(review): presumably a login succeeds as soon as any member accepts the
      credentials. If the same user name exists in both stores, either password
      would then be accepted. Confirm against ChainingAuthenticationServiceImpl
      and keep local account names distinct from directory account names.
    -->
    <bean id="authenticationServiceImpl" class="org.alfresco.repo.security.authentication.ChainingAuthenticationServiceImpl">
        <property name="authenticationServices">
            <list>
                <ref bean="authenticationServiceImplMSAD"/>
                <ref bean="authenticationServiceImplAlfresco"/>
            </list>
        </property>
        <property name="mutableAuthenticationService">
            <ref bean="authenticationServiceImplAlfresco"/>
        </property>
    </bean>

    <!--
      Chain member backed by the Alfresco repository. Wires the repository DAO,
      the ticketComponent bean (defined outside this snippet) and the Alfresco
      authentication component.
    -->
    <bean id="authenticationServiceImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplAlfresco"/>
        </property>
    </bean>

    <!--
      Repository-backed authentication DAO for local Alfresco accounts.
      nodeService, dictionaryService, namespaceService, searchService and
      passwordEncoder are beans defined outside this snippet.
      NOTE(review): how stored passwords are hashed depends entirely on the
      passwordEncoder bean, which is not visible here. Confirm its algorithm.
    -->
    <bean id="authenticationDaoAlfresco" class="org.alfresco.repo.security.authentication.RepositoryAuthenticationDao">
        <property name="nodeService">
            <ref bean="nodeService"/>
        </property>
        <property name="dictionaryService">
            <ref bean="dictionaryService"/>
        </property>
        <property name="namespaceService">
            <ref bean="namespaceService"/>
        </property>
        <property name="searchService">
            <ref bean="searchService"/>
        </property>
        <!-- Case sensitivity of user names comes from the user.name.caseSensitive placeholder, resolved outside this file. -->
        <property name="userNamesAreCaseSensitive">
            <value>${user.name.caseSensitive}</value>
        </property>
        <property name="passwordEncoder">
            <ref bean="passwordEncoder"/>
        </property>
    </bean>

    <!--
      Authentication component for local Alfresco accounts. Uses the repository
      DAO and the authenticationManager bean (defined outside this snippet).
    -->
    <bean id="authenticationComponentImplAlfresco" class="org.alfresco.repo.security.authentication.AuthenticationComponentImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoAlfresco"/>
        </property>
        <property name="authenticationManager">
            <ref bean="authenticationManager"/>
        </property>
        <!--
          Guest login is switched on for this component.
          NOTE(review): if unauthenticated guest access is not a requirement,
          set this to false, and review what the guest account can read.
        -->
        <property name="allowGuestLogin">
            <value>true</value>
        </property>
    </bean>

   <!--
     Chain member for Active Directory. Same service class as the Alfresco
     member, but wired to the MSAD DAO and the LDAP authentication component.
     It references the same ticketComponent bean as the Alfresco member.
   -->
   <bean id="authenticationServiceImplMSAD" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
        <property name="authenticationDao">
            <ref bean="authenticationDaoMSAD"/>
        </property>
        <property name="ticketComponent">
            <ref bean="ticketComponent"/>
        </property>
        <property name="authenticationComponent">
            <ref bean="authenticationComponentImplMSAD"/>
        </property>
    </bean>

    <bean id="authenticationDaoMSAD"class="org.alfresco.repo.security.authentic
ation.ntlm.NullMutableAuthenticationDao"/>
    <!--
      LDAP authentication component for the Active Directory chain member.
      Directory contexts come from the ldapInitialDirContextFactory bean.
    -->
    <bean id="authenticationComponentImplMSAD" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl">
        <property name="LDAPInitialDirContextFactory">
            <ref bean="ldapInitialDirContextFactory"/>
        </property>
        <!--
          Template for the bind principal; %s is presumably replaced with the
          login name typed by the user.
          NOTE(review): Active Directory simple binds normally expect a
          userPrincipalName (user@domain), DOMAIN\user, or a full DN.
          "sAMAccountName=%s" is none of these, so verify this format.
          NOTE(review): the login name is user-supplied. Confirm the component
          escapes or rejects DN special characters, and that it refuses empty
          passwords, since some directories treat a simple bind with an empty
          password as a successful anonymous bind.
        -->
        <property name="userNameFormat">
            <value>sAMAccountName=%s</value>
        </property>
    </bean>

    <bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
        <property name="initialDirContextEnvironment">
        <!– …. –>
        </property>
    </bean>
