
Alfresco 3, AD NTLM, LDAP Sync Issue

Question asked by rubicon49bc on Apr 6, 2009
Latest reply on Apr 21, 2009 by rubicon49bc
I have NTLM Authentication working and I can access the CIFS shares as a user without a problem. My issue is with LDAP Sync; I cannot seem to get it working. When I configure ldap-authentication.properties I can no longer get into Alfresco.


[#|2009-04-06T14:22:40.227+0000|INFO|sun-appserver2.1|org.springframework.beans.factory.support.DefaultListableBeanFactory|_ThreadID=16;_ThreadName=pool-1-thread-8;|Overriding bean definition for bean 'authenticationComponent': replacing [Child bean with parent 'authenticationComponentBase': class [org.alfresco.repo.security.authentication.ntlm.NTLMAuthenticationComponentImpl]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in file [/opt/glassfish/domains/<domain>/lib/classes/alfresco/extension/ntlm-authentication-context.xml]] with [Child bean with parent 'authenticationComponentBase': class [org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl]; scope=singleton; abstract=false; lazyInit=false; autowireCandidate=true; autowireMode=0; dependencyCheck=0; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null; defined in file [/opt/glassfish/domains/<domain>/lib/classes/alfresco/extension/ldap-authentication-context.xml]]|#]
[#|2009-04-06T14:22:49.839+0000|WARNING|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;_RequestID=7eaa0fa6-d2cf-457f-afee-7e2c50868f75;|LDAP server supports anonymous bind ldap://<ip address>|#]
[#|2009-04-06T14:22:49.860+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for a string uid and password at ldap://<ip address>|#]
[#|2009-04-06T14:22:49.881+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for a simple dn and password at ldap://<ip address>|#]
[#|2009-04-06T14:22:49.913+0000|INFO|sun-appserver2.1|org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl|_ThreadID=16;_ThreadName=pool-1-thread-8;|LDAP server does not fall back to anonymous bind for known principal and invalid credentials at ldap://<ip address>|#]

I have tested the account who has delegated rights to the domain via ldapsearch without any problems.
ldap-authentication.properties

#
# This properties file brings together the common options for LDAP authentication rather than editing the bean definitions
#

# How to map the user id entered by the user to that passed through to LDAP
# - simple
#    - this must be a DN and would be something like
#      CN=%s,DC=company,DC=com
# - digest
#    - usually pass through what is entered
#      %s    
ldap.authentication.userNameFormat=%s@company-inc.net
#also tried company-inc\%s and %s

# The LDAP context factory to use
ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory

# The URL to connect to the LDAP server
ldap.authentication.java.naming.provider.url=ldap://<ip address>

# The authentication mechanism to use
ldap.authentication.java.naming.security.authentication=simple

# The default principal to use (only used for LDAP sync)
ldap.authentication.java.naming.security.principal=cn=Alfresco Ldap,cn=users,dc=company-inc,dc=net
# The password for the default principal (only used for LDAP sync)
ldap.authentication.java.naming.security.credentials=password

# Escape commas entered by the user at bind time
# Useful when using simple authentication and the CN is part of the DN and contains commas
ldap.authentication.escapeCommasInBind=false

# Escape commas entered by the user when setting the authenticated user
# Useful when using simple authentication and the CN is part of the DN and contains commas, and the escaped \, is
# pulled in as part of an LDAP sync
# If this option is set to true it will break the default home folder provider as space names can not contain \
ldap.authentication.escapeCommasInUid=false


#
# This properties file is used to configure LDAP synchronisation
#

# The query to find the people to import
ldap.synchronisation.personQuery=(objectclass=organizationalPerson)

# The search base of the query to find people to import
ldap.synchronisation.personSearchBase=ou=users,ou=pkmm,dc=pkmm-inc,dc=net

# The attribute name on people objects found in LDAP to use as the uid in Alfresco
ldap.synchronisation.userIdAttributeName=sAMAccountName

# The attribute on person objects in LDAP to map to the first name property in Alfresco
ldap.synchronisation.userFirstNameAttributeName=givenName

# The attribute on person objects in LDAP to map to the last name property in Alfresco
ldap.synchronisation.userLastNameAttributeName=sn

# The attribute on person objects in LDAP to map to the email property in Alfresco
ldap.synchronisation.userEmailAttributeName=mail

# The attribute on person objects in LDAP to map to the organizational id  property in Alfresco
ldap.synchronisation.userOrganizationalIdAttributeName=o

# The default home folder provider to use for people created via LDAP import
ldap.synchronisation.defaultHomeFolderProvider=userHomesHomeFolderProvider

# The query to find group objects
ldap.synchronisation.groupQuery=(objectclass=group)

# The search base to use to find group objects
ldap.synchronisation.groupSearchBase=ou=groups,ou=pkmm,dc=pkmm-inc,dc=net

# The attribute on LDAP group objects to map to the gid property in Alfresco
ldap.synchronisation.groupIdAttributeName=cn

# The group type in LDAP
ldap.synchronisation.groupType=group

# The person type in LDAP
ldap.synchronisation.personType=organizationalPerson

# The attribute in LDAP on group objects that defines the DN for its members
ldap.synchronisation.groupMemberAttributeName=member

# The cron expression defining when people imports should take place
ldap.synchronisation.import.person.cron=0 30 * * * ?

# The cron expression defining when group imports should take place
ldap.synchronisation.import.group.cron=0 30 * * * ?

# Should all groups be cleared out at import time?
# - this is safe as groups are not used in Alfresco for other things (unlike person objects which you should never clear out during an import)
# - setting this to true means old group definitions will be tidied up.
ldap.synchronisation.import.group.clearAllChildren=false

After I enable ldap-auth and ldap sync xmls, I get the above error and CIFS doesn't start nor can I login.
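Added example, not part of this thread or of Alfresco: a small Python script that loads an ldap-authentication.properties file with the same escaping rules as java.util.Properties.load() (which is what Spring's property placeholder uses to read this file) and runs a few sanity checks on the ldap.* keys. It shows one thing the file itself cannot: a single backslash before %s, as in the company-inc\%s variant mentioned in the post, is dropped by the loader, so the value the repository actually binds with is company-inc%s; the properties syntax for a DOMAIN\user format is DOMAIN\\%s. The SAMPLE and FIXED texts, the check names and their messages are constructed here from the values in the post; the dc= mismatch between the bind principal and the sync search bases is reported exactly as the posted file shows it.

```python
"""Load an Alfresco ldap-authentication.properties file with the escaping
rules of java.util.Properties.load() and report common misconfigurations.
Added example; the sample text below is constructed from the posted values."""
import re

# Constructed sample: the keys the checks look at, with userNameFormat written
# the way the post says it was tried (a single backslash before %s).
SAMPLE = r"""
ldap.authentication.userNameFormat=company-inc\%s
ldap.authentication.java.naming.security.authentication=simple
ldap.authentication.java.naming.security.principal=cn=Alfresco Ldap,cn=users,dc=company-inc,dc=net
ldap.authentication.java.naming.security.credentials=password
ldap.synchronisation.personSearchBase=ou=users,ou=pkmm,dc=pkmm-inc,dc=net
ldap.synchronisation.groupSearchBase=ou=groups,ou=pkmm,dc=pkmm-inc,dc=net
"""
# Same file with the backslash doubled and one domain used throughout (constructed).
FIXED = SAMPLE.replace(r"\%s", r"\\%s").replace("pkmm-inc", "company-inc")

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _logical_lines(text):
    """Join physical lines ending in an odd number of backslashes, as
    Properties.load() does; leading whitespace of each line is dropped."""
    out, buf = [], ""
    for raw in text.splitlines():
        buf += raw.lstrip()
        if (len(buf) - len(buf.rstrip("\\"))) % 2 == 1:
            buf = buf[:-1]          # continuation: drop the backslash, keep reading
            continue
        out.append(buf)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _unescape(s):
    """Resolve \\t \\n \\r \\f \\uXXXX; any other escaped char just loses its backslash."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u":
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_ESCAPES.get(nxt, nxt))
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def load_properties(text):
    """Return {key: value} exactly as a Java program would see them."""
    props = {}
    for line in _logical_lines(text):
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line) and line[i] not in "=: \t\f":
            i += 2 if line[i] == "\\" else 1   # an escaped separator stays in the key
        key = line[:i]
        i = len(line) - len(line[i:].lstrip(" \t\f"))
        if i < len(line) and line[i] in "=:":
            i += 1
        props[_unescape(key)] = _unescape(line[i:].lstrip(" \t\f"))
    return props


def _dc(dn):
    """Lowercase dc= components of a DN joined with dots, e.g. 'company-inc.net'."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.startswith("dc="))


def check_ldap_config(text):
    """Sanity-check the raw file text; returns a list of findings (empty = clean)."""
    p = load_properties(text)

    def g(k):
        return p.get("ldap." + k, "")

    findings = []
    if re.search(r"(?<!\\)\\%s", text):
        findings.append(r"single backslash before %s is dropped by the loader; write DOMAIN\\%s")
    fmt = g("authentication.userNameFormat")
    if fmt.count("%s") != 1:
        findings.append("userNameFormat must contain exactly one %s, loaded as " + repr(fmt))
    mech = g("authentication.java.naming.security.authentication").lower()
    if mech not in ("simple", "digest-md5", "none"):
        findings.append("unexpected authentication mechanism " + repr(mech))
    if mech == "simple" and not g("authentication.java.naming.security.credentials"):
        findings.append("simple bind with empty credentials is an anonymous bind")
    bind_dc = _dc(g("authentication.java.naming.security.principal"))
    for k in ("synchronisation.personSearchBase", "synchronisation.groupSearchBase"):
        base_dc = _dc(g(k))
        if bind_dc and base_dc and base_dc != bind_dc:
            findings.append(f"{k} is under {base_dc} but the bind principal is under {bind_dc}")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE), ("corrected", FIXED)):
        print(label, "-> userNameFormat =", load_properties(text)["ldap.authentication.userNameFormat"])
        for finding in check_ldap_config(text):
            print("   !", finding)
```

Run it against the real file (read it in place of SAMPLE) before restarting the repository; the dc= comparison is deliberately strict, so a sync search base in a different naming context than the bind principal is reported even when that is intended.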
