Alfresco/Ldap connect, but not authenticate - V3.0

Question asked by nowhere on Feb 17, 2009
Latest reply on Dec 7, 2009 by dward
Hi all,
I'm encountering problems with the Alfresco - ApacheDS integration.
Now I'll try to explain my troubles…
Following the wiki instructions and several posts in this forum I've configured and renamed (cut off ".sample") these files:

- ldap-authentication-context.xml
- ldap-synchronisation-context.xml

To avoid a CIFS exception I changed file-server.xml and left chaining-authentication-context.xml.sample unchanged (I'm not interested in it at the moment; I suppose I can leave it like that).

Here are my most important settings:
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
# The LDAP context factory to use

# The URL to connect to the LDAP server

# The authentication mechanism to use

# The default principal to use (only used for LDAP sync)

# The password for the default principal (only used for LDAP sync)

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \

# This properties file is used to configure LDAP synchronisation

# The query to find the people to import

# The search base of the query to find people to import

# The attribute name on people objects found in LDAP to use as the uid in Alfresco

# The attribute on person objects in LDAP to map to the first name property in Alfresco

# The attribute on person objects in LDAP to map to the last name property in Alfresco

# The attribute on person objects in LDAP to map to the email property in Alfresco

# The attribute on person objects in LDAP to map to the organizational id property in Alfresco

# The default home folder provider to use for people created via LDAP import

# The query to find group objects

# The search base to use to find group objects

# The attribute on LDAP group objects to map to the gid property in Alfresco

# The group type in LDAP

# The person type in LDAP

# The attribute in LDAP on group objects that defines the DN for its members

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 */10 * * * ?

# The cron expression defining when group imports should take place 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.

and, finally, my ApacheDS server.xml

  <defaultDirectoryService id="directoryService" instanceId="default"
      <!-- use the following partitionConfiguration to override defaults for -->
      <!-- the system partition                                              -->
      <jdbmPartition id="system" cacheSize="100" suffix="ou=system" optimizerEnabled="true" syncOnWrite="true">
          <jdbmIndex attributeId="" cacheSize="100"/>

      <jdbmPartition id="alfresco" cacheSize="100" suffix="dc=company,dc=com" optimizerEnabled="true" syncOnWrite="true"/>


      <!-- Uncomment to enable the password policy interceptor

  <ldapService id="ldapsService"

  <ldapService id="ldapService"


    <!-- The list of supported authentication mechanisms.                   -->
      <simpleMechanismHandler mech-name="SIMPLE"/>
      <cramMd5MechanismHandler mech-name="CRAM-MD5" />
      <digestMd5MechanismHandler mech-name="DIGEST-MD5" />
      <gssapiMechanismHandler mech-name="GSSAPI" />
      <ntlmMechanismHandler mech-name="NTLM" ntlmProviderFqcn=""/>
      <ntlmMechanismHandler mech-name="GSS-SPNEGO" ntlmProviderFqcn=""/>

    <!-- The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI.  -->

    <!-- The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. -->

      <apacheDS id="apacheDS"


So, when I start Catalina, I think I connect to the LDAP server, and I get the following error:

[13:33:26] ERROR [] - Incorrect DN given : daftAsABrush (0x64 0x61 0x66 0x74 0x41 0x73 0x41 0x42 0x72 0x75 0x73 0x68 ) is invalid : Bad DN : daftAsABrush
[13:33:26] DEBUG [] - >>>==========================================
[13:33:26] DEBUG [] - --> Decoding a PDU
[13:33:26] DEBUG [] - >>>------------------------------------------
[13:33:26] DEBUG [] - --- State = TAG_STATE_START ---
[13:33:26] DEBUG [] -   current byte : 0x30
[13:33:26] DEBUG [] - Tag 0x30 has been decoded
[13:33:26] DEBUG [] - --- State = LENGTH_STATE_START ---
[13:33:26] DEBUG [] -   current byte : 0x2F
[13:33:26] DEBUG [] - --- State = LENGTH_STATE_END ---
[13:33:26] DEBUG [] -   current byte : 0x02
[13:33:26] DEBUG [] - Parent length : TLV expected length stack :  - null
Is this the problem?
No error in the Tomcat log.
I have this configuration in the LDAP server, browsed with Apache Studio: Here

So, when I start Alfresco and try to log in with user paolo, I get the "Unable to login - unknown username/password" message :(
Where am I wrong? If you need any other configuration information, ask me; I'll try to get it for you to understand!
Thanks in advance!
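As an added example (not from the original post and not Alfresco's or ApacheDS's code), the following Python script mimics the userNameFormat mapping described in the properties comments above and checks whether the resulting bind name is a syntactically valid DN, which a simple bind requires. The user id daftAsABrush from the ApacheDS log and the comma-escaping option are used as constructed inputs, and the DN check is a hypothetical RFC 4514-style validator, not ApacheDS's parser.

```python
import re

# Added example, not Alfresco's own code: mimics how the userNameFormat template
# ("CN=%s,DC=company,DC=com" for simple, "%s" for digest) turns the entered user
# id into the LDAP bind name, and whether a simple bind would get a valid DN.

ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$")  # descriptor or OID

def split_unescaped(text, sep):
    """Split on `sep`, ignoring separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):  # keep "\," etc. intact
            current.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts

def is_valid_dn(name):
    """True if every RDN is 'type=value' with a well-formed type and a value."""
    if not name.strip():
        return False
    for rdn in split_unescaped(name, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs use '+'
            if "=" not in ava:
                return False
            attr, value = ava.split("=", 1)
            if not ATTR_TYPE.match(attr.strip()) or not value.strip():
                return False
    return True

def escape_commas(user_id):
    """What ldap.authentication.escapeCommasInBind=true does: ',' -> '\\,'."""
    return user_id.replace(",", "\\,")

def bind_name(user_id, user_name_format, simple=True, escape=False):
    """Return (name sent in the bind request, whether the server can parse it).
    Simple auth needs a DN, so a bare id with a "%s" format gives "Bad DN";
    digest passes the raw id through, so only an empty name is a problem."""
    entered = escape_commas(user_id) if escape else user_id
    name = user_name_format.replace("%s", entered)
    ok = is_valid_dn(name) if simple else bool(name.strip())
    return name, ok
```

Run it with the log's user id and a "%s" format under simple authentication to reproduce the "Bad DN" case, and with a "CN=%s,DC=company,DC=com" format to see the name the server would accept.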