
Creating User Spaces using NTLM/LDAP

Question asked by qasimh on Jan 31, 2008
Latest reply on Mar 29, 2010 by mko123
I use Alfresco 2.1 CE, on Tomcat and Windows, with NTLM authentication (SSO) and LDAP user/group sync.

I'm having trouble changing the location of the user home space that is created when new users log in.

It should be simple to do.  I've done all my research, scanning through all these posts and wikis:
http://forums.alfresco.com/viewtopic.php?t=4666&highlight=nonunique+path
http://forums.alfresco.com/viewtopic.php?t=7133&highlight=nonunique+path
http://wiki.alfresco.com/wiki/Security_and_Authentication#Creating_home_spaces_-_from_1.4_onwards
http://wiki.alfresco.com/wiki/Enterprise_Security_and_Authentication_Configuration#LDAP_People_synchronization

My current state:
- NTLM works fine with the built-in homeFolderManager (in authentication-services-context.xml)
- LDAP people sync works fine (using the default homeFolderManager - personalHomeFolderProvider)
- LDAP group sync works fine
All of this results in userhome spaces being created in the company home space.

I just wanted to change the homespaces location for new users.  I did the following:

1) authentication-services-context.xml, changed the defaultProvider so that NTLM uses the correct one

    <bean name="homeFolderManager" class="org.alfresco.repo.security.person.HomeFolderManager">
        <property name="nodeService">
            <ref bean="nodeService" />
        </property>
        <property name="policyComponent">
            <ref bean="policyComponent" />
        </property>
        <property name="defaultProvider">
            <ref bean="userHomesHomeFolderProvider" />  <!-- Was personalHomeFolderProvider -->
        </property>
    </bean>

2) modified the path for userHomesHomeFolderProvider as follows:

    <bean name="userHomesHomeFolderProvider" class="org.alfresco.repo.security.person.UIDBasedHomeFolderProvider">
        <property name="serviceRegistry">
            <ref bean="ServiceRegistry" />
        </property>
        <property name="path">
           <value>/${spaces.company_home.childname}/${spaces.user_homes.childname}</value>
        </property>
        <property name="storeUrl">
           <value>${spaces.store}</value>
        </property>
        <property name="homeFolderManager">
            <ref bean="homeFolderManager" />
        </property>
        <property name="inheritsPermissionsOnCreate">
            <value>false</value>
        </property>
        <property name="ownerPemissionsToSetOnCreate">
            <set>
                <value>All</value>
            </set>
        </property>
        <property name="userPemissions">
            <set>
                <value>All</value>
            </set>
        </property>
    </bean>

That should have been enough for NTLM

3) For LDAP, modified ldapPeopleExport bean in ldap-authentication-context.xml

        <property name="attributeDefaults">
            <map>
                <entry key="cm:homeFolderProvider">
                    <value>userHomesHomeFolderProvider</value>
                </entry>
            </map>
        </property>

AFTER doing this, everything started to break.

A) On first-time login of users using NTLM, I get the following error:

net.sf.acegisecurity.AuthenticationServiceException: General error; nested exception is java.lang.IllegalStateException: Non-unique path: found : /app:company_home/app:user_homes 0
caused by:
java.lang.IllegalStateException: Non-unique path: found : /app:company_home/app:user_homes 0

B)  The LDAP import of people fails with the following error

15:23:35,418 ERROR [org.quartz.core.JobRunShell] Job DEFAULT.ldapPeopleJobDetail threw an unhandled Exception:
org.alfresco.repo.importer.ExportSourceImporterException: Failed to import
   at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:214)
   at org.alfresco.repo.importer.ImporterJob.execute(ImporterJob.java:44)
   at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
   at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:529)
Caused by: org.alfresco.service.cmr.view.ImporterException: Failed to import package at line 56; column 16 due to error: Non-unique path: found : /app:company_home/app:user_homes 0
   at org.alfresco.repo.importer.view.ViewParser.parse(ViewParser.java:190)
   at org.alfresco.repo.importer.ImporterComponent.parserImport(ImporterComponent.java:360)
   at org.alfresco.repo.importer.ImporterComponent.importView(ImporterComponent.java:224)
   at org.alfresco.repo.importer.ExportSourceImporter.doImport(ExportSourceImporter.java:182)
   … 3 more
Caused by: java.lang.IllegalStateException: Non-unique path: found : /app:company_home/app:user_homes 0
   at org.alfresco.repo.security.person.AbstractHomeFolderProvider.resolvePath(AbstractHomeFolderProvider.java:318)
   at org.alfresco.repo.security.person.AbstractHomeFolderProvider.getPathNodeRef(AbstractHomeFolderProvider.java:300)
   at org.alfresco.repo.security.person.UIDBasedHomeFolderProvider.getHomeFolder(UIDBasedHomeFolderProvider.java:74)
   at org.alfresco.repo.security.person.AbstractHomeFolderProvider$OnCreateNode.doWork(AbstractHomeFolderProvider.java:360)
   at org.alfresco.repo.security.person.AbstractHomeFolderProvider$OnCreateNode.doWork(AbstractHomeFolderProvider.java:345)
   at org.alfresco.repo.security.authentication.AuthenticationUtil.runAs(AuthenticationUtil.java:260)
   at org.alfresco.repo.security.person.AbstractHomeFolderProvider.onCreateNode(AbstractHomeFolderProvider.java:329)
   at org.alfresco.repo.security.person.HomeFolderManager.onCreateNode(HomeFolderManager.java:128)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   ... it goes on and on ... 6 more

Looking at the LDAP people import package (sample attached below, for 2 elements only), I see that some new users do not have a <sys:node-uuid> specified.  The import package fails on the first occurrence of this missing data.  This does not happen for new users using personalHomeFolderProvider.

   <cm:person view:childName="cm:person">
      <cm:ownable></cm:ownable>
      <cm:owner>LHE</cm:owner>
      <cm:userName>LHE</cm:userName>
      <cm:firstName>Liyan</cm:firstName>
      <cm:lastName>He</cm:lastName>
      <cm:email>LHe@company.com</cm:email>
      <cm:organizationId></cm:organizationId>
      <cm:homeFolderProvider>userHomesHomeFolderProvider</cm:homeFolderProvider>
      <sys:node-uuid>85e91676-f1c8-11db-971b-9974654403be</sys:node-uuid>
   </cm:person>
   <cm:person view:childName="cm:person">
      <cm:ownable></cm:ownable>
      <cm:owner>liyantest</cm:owner>
      <cm:userName>liyantest</cm:userName>
      <cm:firstName>Liyan</cm:firstName>
      <cm:lastName>He</cm:lastName>
      <cm:email>liyantest@company.com</cm:email>
      <cm:organizationId></cm:organizationId>
      <cm:homeFolderProvider>userHomesHomeFolderProvider</cm:homeFolderProvider>
   </cm:person>

Whew... that was a long one eh?  Sorry that it took so long to describe the problem, but I've looked very hard for some clues but to no avail.

It seems like changing the "path" on the *HomeFolderProvider is interfering with something else that prevents a unique space from being generated.  When that space is not generated, the user account is not created on demand (NTLM) and the user cannot log in.

Does anyone know what I should do?  :cry:
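An added diagnostic, not from the post or from Alfresco, that scans an LDAP people-import package in the <cm:person> view format quoted above and reports each person entry that lacks <sys:node-uuid> or carries an unexpected cm:homeFolderProvider value, so the entry that will trip the import can be found before the job runs. The root element and the cm/sys/view namespace URIs are assumptions; the embedded two-user package is constructed from the sample in the post.

```python
import xml.etree.ElementTree as ET

# Assumed Alfresco model namespaces for the cm:, sys: and view: prefixes.
NS = {
    "cm": "http://www.alfresco.org/model/content/1.0",
    "sys": "http://www.alfresco.org/model/system/1.0",
    "view": "http://www.alfresco.org/view/repository/1.0",
}

# Constructed sample package: the two cm:person entries from the post,
# wrapped in an assumed view:view root that declares the namespaces.
SAMPLE_PACKAGE = """<view:view xmlns:cm="http://www.alfresco.org/model/content/1.0"
           xmlns:sys="http://www.alfresco.org/model/system/1.0"
           xmlns:view="http://www.alfresco.org/view/repository/1.0">
  <cm:person view:childName="cm:person">
    <cm:userName>LHE</cm:userName>
    <cm:homeFolderProvider>userHomesHomeFolderProvider</cm:homeFolderProvider>
    <sys:node-uuid>85e91676-f1c8-11db-971b-9974654403be</sys:node-uuid>
  </cm:person>
  <cm:person view:childName="cm:person">
    <cm:userName>liyantest</cm:userName>
    <cm:homeFolderProvider>userHomesHomeFolderProvider</cm:homeFolderProvider>
  </cm:person>
</view:view>
"""


def audit_people_package(xml_text, expected_provider):
    """Map each cm:userName to a list of findings (empty list = entry looks fine)."""
    root = ET.fromstring(xml_text)
    findings = {}
    for person in root.iterfind("cm:person", NS):
        user = person.findtext("cm:userName", default="", namespaces=NS).strip()
        issues = []
        if not user:
            issues.append("missing cm:userName")
        # New users exported from LDAP have no node yet, hence no sys:node-uuid;
        # these are the entries on which the post's import fails.
        if person.find("sys:node-uuid", NS) is None:
            issues.append("missing sys:node-uuid (new user, node created on import)")
        provider = person.findtext("cm:homeFolderProvider", default="", namespaces=NS).strip()
        if provider != expected_provider:
            issues.append(f"homeFolderProvider is {provider!r}, expected {expected_provider!r}")
        findings[user or f"<unnamed#{len(findings)}>"] = issues
    return findings


def users_without_uuid(xml_text, expected_provider):
    """Sorted user names whose entry has no sys:node-uuid."""
    report = audit_people_package(xml_text, expected_provider)
    return sorted(u for u, issues in report.items()
                  if any("sys:node-uuid" in i for i in issues))
```

Run it against the real export (for example by reading the package file into xml_text) to list the new users before changing cm:homeFolderProvider for them.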
