AnsweredAssumed Answered

Alfresco/Ldap connect, but not authenticate - V3.0

Question asked by nowhere on Feb 17, 2009
Latest reply on Dec 7, 2009 by dward
Hi all,
i'm encountering problems with alfresco - apacheDS integration.
Now i'll try to explain my troubles…
Following wiki instuction and several posts in this forum I've configured and renamed (cut off ".sample") those files:

- ldap-authentication-context.xml
- ldap-authentication.properties
- ldap-synchronisation-context.xml
- ldap-synchronisation.properties

For avoiding cifs exception changed the file-server.xml and left unchanged chaining-authentication-context.xml.sample (i'm non interested at moment, I suppose I can leave it so).

Here my more important settings:
file ldap-authentication.properties
#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to taht passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=cn=%s,ou=users,ou=system
# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://localhost:10389

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=reader

# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=secret

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false

file ldap-synchronisation.properties
# 
# This properties file is used to configure LDAP syncronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=inetOrgPerson)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=ou=users,ou=system

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=uid

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=personalHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=groupOfNames)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=dc=company,dc=com

# The attribute on LDAP group objects to map to the gid property in Alfrecso
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=groupOfNames

# The person type in LDAP
ldap.synchronisation.personType=inetOrgPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 */10 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=true

and, finally, my ApacheDS server.xml


  <defaultDirectoryService id="directoryService" instanceId="default"
                           workingDirectory="example.com"
                           allowAnonymousAccess="false"
                           accessControlEnabled="false"
                           denormalizeOpAttrsEnabled="false">
    <systemPartition>
      <!– use the following partitionConfiguration to override defaults for –>
      <!– the system partition                                              –>
      <jdbmPartition id="system" cacheSize="100" suffix="ou=system" optimizerEnabled="true" syncOnWrite="true">
        <indexedAttributes>
          <jdbmIndex attributeId="1.3.6.1.4.1.18060.0.4.1.2.1" cacheSize="100"/>
           …
        </indexedAttributes>
      </jdbmPartition>
     </systemPartition>

    <partitions>
      …
      <jdbmPartition id="alfresco" cacheSize="100" suffix="dc=company,dc=com" optimizerEnabled="true" syncOnWrite="true"/>
    </partitions>

    <interceptors>
      <normalizationInterceptor/>
      <authenticationInterceptor/>
      <aciAuthorizationInterceptor/>
      <defaultAuthorizationInterceptor/>
      <exceptionInterceptor/>
      <operationalAttributeInterceptor/>

      <!– Uncomment to enable the password policy interceptor
      <passwordPolicyInterceptor/>
      <keyDerivationInterceptor/>
      –>

     …
  <ldapService id="ldapsService"
              enabled="true"
              ipPort="10636"
              enableLdaps="true">
    <directoryService>#directoryService</directoryService>
    <socketAcceptor>#socketAcceptor</socketAcceptor>
  </ldapService>


  <ldapService id="ldapService"
              ipPort="10389"
              allowAnonymousAccess="false"
              saslHost="ldap.example.com"
              saslPrincipal="ldap/ldap.example.com@EXAMPLE.COM"
              searchBaseDn="ou=users,ou=system"
              maxTimeLimit="15000"
              maxSizeLimit="1000">

    <directoryService>#directoryService</directoryService>
    <socketAcceptor>#socketAcceptor</socketAcceptor>

    <!– The list of supported authentication mechanisms.                   –>
    <saslMechanismHandlers>
      <simpleMechanismHandler mech-name="SIMPLE"/>
      <cramMd5MechanismHandler mech-name="CRAM-MD5" />
      <digestMd5MechanismHandler mech-name="DIGEST-MD5" />
      <gssapiMechanismHandler mech-name="GSSAPI" />
      <ntlmMechanismHandler mech-name="NTLM" ntlmProviderFqcn="com.foo.Bar"/>
      <ntlmMechanismHandler mech-name="GSS-SPNEGO" ntlmProviderFqcn="com.foo.Bar"/>
    </saslMechanismHandlers>

    <!– The desired quality-of-protection, used by DIGEST-MD5 and GSSAPI.  –>
    <saslQop>
      <s:value>auth</s:value>
      <s:value>auth-int</s:value>
      <s:value>auth-conf</s:value>
    </saslQop>

    <!– The realms serviced by this SASL host, used by DIGEST-MD5 and GSSAPI. –>
    <saslRealms>
      <s:value>example.com</s:value>
      <s:value>apache.org</s:value>
    </saslRealms>

      <apacheDS id="apacheDS"
            synchPeriodMillis="15000"
            allowAnonymousAccess="false">

    <directoryService>#directoryService</directoryService>
    <ldapService>#ldapService</ldapService>
    <ldapsService>#ldapsService</ldapsService>
  </apacheDS>


So, when I start catalina, I think i get connect to LDAP server and I get the following error:


[13:33:26] ERROR [org.apache.directory.shared.ldap.codec.LdapMessageGrammar] - Incorrect DN given : daftAsABrush (0x64 0x61 0x66 0x74 0x41 0x73 0x41 0x42 0x72 0x75 0x73 0x68 ) is invalid : Bad DN : daftAsABrush
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - >>>==========================================
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - –> Decoding a PDU
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - >>>——————————————
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - — State = TAG_STATE_START —
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] -   current byte : 0x30
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - Tag 0x30 has been decoded
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - — State = LENGTH_STATE_START —
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] -   current byte : 0x2F
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - — State = LENGTH_STATE_END —
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] -   current byte : 0x02
[13:33:26] DEBUG [org.apache.directory.shared.asn1.ber.Asn1Decoder] - Parent length : TLV expected length stack :  - null
Is this the problem?
No error in Tomcat Log.
I have this configuration in Ldap server, browsed with Apache Studio: Here

So, when i start alfresco and try to login with user paolo, I get "Unable to login - unknown username/password" message :(
Where am I in wrong? If you need any else configuration information ask me, i'll try to get it for you understanding!
Thanks in advance!

Outcomes