AnsweredAssumed Answered

Alfresco Community 3.2 and Active Directory integration

Question asked by bmarkovic on Jul 20, 2009
Latest reply on Jul 22, 2009 by bmarkovic
Hi,

New to Alfresco all in all so bare with me. I was testing/playing with Labs 3.0 but never really got anywhere because of the whole "million XMLs in a WAR" configuration nightmare. As I understand it has been improved quite in 3.2 with the new subsystems and configuration in tomcat/share but I'm not quite sure do I get it, and/or do it right. Be it anyway the end result is that I haven't really got to the point where my Active Directory users can logon to Alfresco anything with either their NT credentials, nor their AD username/passwords (or the appropriate DOMAIN\user or user@domain.tld combos) neither to CIFS nor to the /alfresco web app.

All I did is more/less C/P from the PDFs and the wiki pages. As I understand I should have setup authentication chain in

/opt/Alfresco/tomcat/shared/classes/alfresco-global.properties

which I did like this:

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1

Now the Install & configure PDF says I have to place some settings for these authentication subsystem element instances. I banged my head around untill in the wiki section on subsystems I came across that it should be placed in:
$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/<category>/<type>/<id>/*.properties

So for my case I made these files (with contents below, I ommited the exact names for security reasons, hope you don't mind):
$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/alfrescoNtlm/alfrescoNtlm1/overrides.properties
ntlm.authentication.sso.enabled=false
alfresco.authentication.authenticateCIFS=false

$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/passthru/passthru1/overrides.properties
tlm.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true

passthru.authentication.domain=mydomain.tld
passthru.authentication.servers=dc1.mydomain.tld,dc2.mydomain.tld

Here the dc1.mydomain.tld is the FQDN cannonical name of the FSMO master of all things, and the second server is backup DC.

$TOMCAT_HOME/shared/classes/alfresco/extension/subsystems/Authentication/ldap-ad/ldap1/overrides.properties
ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.userNameFormat=%s@mydomain.tld
ldap.authentication.java.naming.provider.url=ldap://dc1.mydomain.tld389

ldap.authentication.defaultAdministratorUserNames=administrator,<myself>
ldap.synchronization.java.naming.security.principal=administrator@mydomain.tld
ldap.synchronization.java.naming.security.credentials=<administrator-password>

Please note that the CentOS 5.3 host this is run on has no other CIFS daemons (ie no Samba) but I have left winbind on and the host is joined to the domain via winbind. Also no other Tomcat, DB is handled by local MySQL, and I also have a CentOS fileserver working perfectly as a windows domain fileserver using distro vanilla Samba, and I have integrated Zimbra Community into my domain as well, so I'm not exactly a novice in Linux, Windows admin nor interop of the two platforms.

But Alfresco is constantly doing my head in. The config process is terribly convoluted even tho I'm no "point-and-click adventurer", I prefer single config file to endless web of directories and miniature config tidbits of the Alfresco/Spring way. But I thoeught I groked it and it's finally manageable in 3.2, still I just cannot get what's wrong.

Here are some log bits that you might find interesting (and that I assume)

00:00:00,025 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Starting 'Authentication' subsystem, ID: [managed, ldap-ad]
00:00:00,031 INFO  [org.alfresco.config.JndiPropertyPlaceholderConfigurer] Loading properties file from class path resource [alfresco/alfresco-shared.properties]
00:00:00,031 INFO  [org.alfresco.repo.management.subsystems.ChildApplicationContextFactory] Startup of 'Authentication' subsystem, ID: [managed, ldap-ad] complete
12:59:40,222 WARN  [org.springframework.beans.factory.support.DefaultListableBeanFactory] Encountered FactoryBean creation exception for bean 'AuthenticationComponent' - couldn't check type! org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'AuthenticationComponent' defined in file [/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml]: Cannot resolve reference to bean 'authenticationComponent' while setting bean property 'target'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationComponent' defined in file [/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml]: Cannot resolve reference to bean 'passthruServers' while setting bean property 'passthruServers'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'passthruServers' defined in file [/opt/Alfresco/tomcat/webapps/alfresco/WEB-INF/classes/alfresco/subsystems/Authentication/passthru/passthru-authentication-context.xml]: Invocation of init method failed; nested exception is org.alfresco.error.AlfrescoRuntimeException: 06170006 Error setting passthru domain, Failed to find domain controller or browse master for DOMAIN

and Alfresco dies spouting pretty much this message as I log on. And this is verbatim, and my domain name is certainly not DOMAIN. So this i what I think is wrong, I just don't know where to override it.

If I slam all that stuff from subdirectories and override.properties files in the /opt/Alfresco/tomcat/shared/classes/alfresco-global.properties file (and it looks like)

authentication.chain=alfrescoNtlm1:alfrescoNtlm,passthru1:passthru,ldap-ad:ldap1


ntlm.authentication.sso.enabled=true
passthru.authentication.authenticateCIFS=true

passthru.authentication.domain=mydomain.tld
passthru.authentication.servers=dc1.mydomain.tld,dc2.mydomain.tld

ldap.authentication.active=false
ldap.synchronization.active=true

ldap.authentication.userNameFormat=%s@mydomain.tld
ldap.authentication.java.naming.provider.url=ldap://dc1.mydomain.tld:389

ldap.authentication.defaultAdministratorUserNames=administrator,<myself>

ldap.synchronization.java.naming.security.principal=administrator@mydomain.tld
ldap.synchronization.java.naming.security.credentials=<admin-password>

then it starts OK, accepts admin/admin (internal password system) but does not accept any of my AD users as described, and the log has these:

09:44:15,854 WARN  [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] NTLM filter, error resolving CIFS host nameALFRESCOA
09:44:15,855 INFO  [org.alfresco.web.app.servlet.NTLMAuthenticationFilter] NTLM filter using server name alfresco
09:48:04,525 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:04,525 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:04,566 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:04,577 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:04,679 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:04,680 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:05,491 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:05,492 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException
09:48:05,498 ERROR [org.alfresco.smb.protocol.auth] Kerberos logon error
09:48:05,498 ERROR [org.alfresco.smb.protocol.auth] java.lang.NullPointerException

Which is interesting (despite being just a warning) since both NETBIOS and DNS server names of the host are just "alfresco", and I've tried to ovverride cifs.localname and cifs.domain to:
cifs.localname=alfresco
cifs.domain=mydomain.tld

But log errors are stil the same. The other part is Kerberos failing and not really saying why.

Hope someone can help me. Thank you in advance.

Outcomes